{ "scan_info": { "app_path": "/test_app", "rails_version": "4.2.7.1", "security_warnings": 5, "start_time": "2018-10-23 19:32:28 +0300", "end_time": "2018-10-23 19:32:42 +0300", "duration": 3.723474664, "checks_performed": [ "BasicAuth", "BasicAuthTimingAttack", "ContentTag", "CreateWith", "CrossSiteScripting", "DefaultRoutes", "Deserialize", "DetailedExceptions", "DigestDoS", "DynamicFinders", "EscapeFunction", "Evaluation", "Execute", "FileAccess", "FileDisclosure", "FilterSkipping", "ForgerySetting", "HeaderDoS", "I18nXSS", "JRubyXML", "JSONEncoding", "JSONParsing", "LinkTo", "LinkToHref", "MailTo", "MassAssignment", "MimeTypeDoS", "ModelAttrAccessible", "ModelAttributes", "ModelSerialize", "NestedAttributes", "NestedAttributesBypass", "NumberToCurrency", "PermitAttributes", "QuoteTableName", "Redirect", "RegexDoS", "Render", "RenderDoS", "RenderInline", "ResponseSplitting", "RouteDoS", "SQL", "SQLCVEs", "SSLVerify", "SafeBufferManipulation", "SanitizeMethods", "SelectTag", "SelectVulnerability", "Send", "SendFile", "SessionManipulation", "SessionSettings", "SimpleFormat", "SingleQuotes", "SkipBeforeFilter", "StripTags", "SymbolDoSCVE", "TranslateBug", "UnsafeReflection", "ValidationRegex", "WithoutProtection", "XMLDoS", "YAMLParsing" ], "number_of_controllers": 5, "number_of_models": 12, "number_of_templates": 25, "ruby_version": "2.5.1", "brakeman_version": "4.3.1" }, "warnings": [ { "warning_type": "Mass Assignment", "warning_code": 60, "fingerprint": "00a38ca07fd6d6058d0b8664aae5b0ec1e2fd89c59d8d74ee95babab02f6fbdf", "check_name": "ModelAttrAccessible", "message": "Potentially dangerous attribute available for mass assignment", "file": "app/models/test1.rb", "line": null, "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/", "code": ":test_id", "render_path": null, "location": { "type": "model", "model": "Test1" }, "user_input": null, "confidence": "Weak" }, { "warning_type": "Cross-Site Scripting", "warning_code": 2, "fingerprint": "00ac2b92111049e24c28fa4f315d962c4e81c21a7bb28d7b205c8a32e99f643d", "check_name": "CrossSiteScripting", "message": "Unescaped model attribute", "file": "app/views/test1.html.erb", "line": 88, "link": "https://brakemanscanner.org/docs/warning_types/cross_site_scripting", "code": "Test::Test.find(params[:id]).name(:test)", "render_path": [{"type":"controller","class":"TestController","method":"test_access","line":6,"file":"app/controllers/test1.rb"}], "location": { "type": "template", "template": "test1" }, "user_input": null, "confidence": "High" }, { "warning_type": "SQL Injection", "warning_code": 0, "fingerprint": "0c8be6f7618c44181ab46aa9108a3e3624df7f89146349e4de884f5ae2d35a77", "check_name": "SQL", "message": "Possible SQL injection", "file": "app/models/test2.rb", "line": 260, "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/", "code": "where(\"#{column_name} IS NOT NULL\")", "render_path": null, "location": { "type": "method", "class": "Test", "method": "Test.test_retrieve" }, "user_input": "column_name", "confidence": "Medium" }, { "warning_type": "SQL Injection", "warning_code": 0, "fingerprint": "0c8be6f7618c44181ab46aa9108a3e3624df7f89146349e4de884f5ae2d35a77", "check_name": "SQL", "message": "SQL injection", "file": "app/models/test2.rb", "line": 260, "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/", "code": "where(\"#{column_name} IS NOT NULL\")", "render_path": null, "location": { "type": "method", "class": "Test", "method": "Test.test_retrieve" }, "user_input": "column_name", "confidence": "Critical" }, { "warning_type": "Dynamic Render Path", "warning_code": 15, "fingerprint": "1c1e1a42a8b8bb0ad2b74bd3b91db2dd48f21062b3fe7e96e45be3ea1faa7c43", "check_name": "Render", "message": "Render path contains parameter value", "file": "app/controllers/test_controller.rb", "line": 5, "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/", "code": "render(action => { :json => (...)})", "render_path": null, "location": { "type": "method", "class": "TestController", "method": "index" }, "user_input": "params[:fields].split(\",\")", "confidence": "Weak" }, { "warning_type": "Attribute Restriction", "warning_code": 19, "fingerprint": "29e2c701f167599ce572ead7c3ff377aac1bc0e71834fe5867f10660e9a42de7", "check_name": "ModelAttributes", "message": "Mass assignment is not restricted using attr_accessible", "file": "app/models/test2.rb", "line": 2, "link": "https://brakemanscanner.org/docs/warning_types/attribute_restriction/", "code": null, "render_path": null, "location": { "type": "method", "model": "Test2::TestParameter" }, "user_input": null, "confidence": "High" } ], "ignored_warnings": [ ], "errors": [ ], "obsolete": [ ] }