Ruby

Made by DeepSource
rails version is susceptible to DOS attack via Mime type caching RB-A1008
Security
Critical

Selected versions of Rails till version 4.2.5 do not properly restrict the use of the MIME type caches, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header. Upgrading to newer versions of Rails can help fix this issue.

Skipping CSRF or authentication checks by default RB-S1005
Security
Major

When skipping CSRF or authentication callbacks for certain methods in a controller, pass the method names explicitly using the only option instead of the except option, so that newly added actions are not silently excluded from the check.

sprockets gem version is susceptible to path traversal vulnerability RB-A1009
Security
Critical

Specially crafted requests can be used to access files on the filesystem outside the application's root directory when the Sprockets server is used in production. Upgrading to newer versions of the gem can help fix this issue.

rails version specified in Gemfile does not encode JSON keys RB-A1010
Security
Critical

When a Hash containing user-controlled data is encoded as JSON (either through Hash#to_json or ActiveSupport::JSON.encode), Rails does not perform escaping adequate to the guarantee implied by the escape_html_entities_in_json option (which is enabled by default). If the resulting JSON string is subsequently inserted directly into an HTML page, the page will be vulnerable to XSS attacks. Upgrading to newer versions of Rails can help fix this issue.

Rails version with CSRF token forgery vulnerability detected RB-A1001
Security
Critical

All versions of Rails below 5.2.4.2, and some versions of Rails 6 till 6.0.3 make it possible for an attacker to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token.

Rails version with XML DOS vulnerability detected RB-A1002
Security
Critical

Selected versions of Rails 2, 3 & 4 are vulnerable to denial of service attacks via XML. Upgrading to newer versions of Rails can help fix this issue.

Rails version with file disclosure vulnerability detected RB-A1003
Security
Critical

Selected versions of Rails 2, 3 & 4 are vulnerable to file disclosures. Upgrading to newer versions of Rails or disabling serving of static assets, if enabled, can help fix this issue.

Rails version with ActiveRecord symbol DOS vulnerability detected RB-A1004
Security
Critical

Selected versions of Rails 2 & 3 are vulnerable to ActiveRecord symbol denial of service attacks. Upgrading to newer versions of Rails can help fix this issue.

Rails version vulnerable to timing attack in basic auth detected RB-A1006
Security
Critical

Selected versions of Rails till version 4.2.5 are susceptible to a timing attack in basic auth. Upgrading to newer versions of Rails can help fix this issue.

Project's rails & i18n gem versions are vulnerable to cross-site scripting (XSS) RB-A1007
Security
Critical

The internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted string that triggers generation of a fallback string by the i18n gem. Upgrading to newer versions of Rails and the i18n gem can help fix this issue.

Project's rails version is vulnerable to DoS on using render :text RB-A1011
Security
Critical

Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbols during use of the render :text option, which allows remote attackers to cause a denial of service (memory consumption) by including these strings in headers. Upgrading to newer versions of Rails can help fix this issue.

Audit: Calls to methods in IO class must be avoided RB-A1012
Security
Critical

Calls to methods in the IO class must be avoided unless a command needs to be invoked intentionally.

link_to has _blank, but no rel: 'noopener' RB-RL1033
Security
Major
Autofix

Calls to link_to that contain target: '_blank' but no rel: 'noopener' can be a security risk, as the opened page will have control over the page that opened it and could change its location for phishing purposes. The option rel: 'noreferrer' also blocks this behavior and additionally removes the Referer header.

Usage of weak hashing algorithm RB-S1002
Security
Major

Avoid the use of weak hashing algorithms such as MD5 and SHA1, including in HMAC constructions.

Plaintext password found in callback RB-S1003
Security
Major

Rails 3.1 introduced the callback http_basic_authenticate_with to simplify basic authentication. You can simply pass a username and password to get a basic form of authentication. This is especially a problem when the password is passed as plaintext, as it can be leaked.

Rails version with SafeBuffer manipulation bug detected RB-A1005
Security
Critical

Selected versions of Rails 3 contain the SafeBuffer bug. Upgrading to newer versions of Rails can help fix this issue.

Potential SSL verification bypass detected RB-DS1011
Security
Major

Requests to secure endpoints must not be made without verifying the SSL certificate. It can be fixed by setting use_ssl in the Net::HTTP object to true.

Using insecure network protocol source RB-S1000
Security
Major
Autofix

Passing symbol arguments to source (e.g. source :rubygems) is deprecated because they default to using HTTP requests. Instead, specify 'https://rubygems.org' if possible, or 'http://rubygems.org' if not.

Use of eval detected RB-SC1001
Security
Critical

Kernel#eval and Binding#eval must never be used against untrusted user input.

Insecure JSON method detected RB-SC1002
Security
Critical

These methods are meant to serialise data from trusted input, such as your own database server or clients under your control; allowing untrusted users to pass JSON sources into them can be dangerous.