Application path | Rails version | Brakeman version | Started at | Duration |
---|---|---|---|---|
/code | 4.2.11 | 4.4.0 | 2019-02-14 20:49:41 +0000 | 23.34582464 seconds |
Checks performed |
---|
BasicAuth, BasicAuthTimingAttack, ContentTag, CreateWith, CrossSiteScripting, DefaultRoutes, Deserialize, DetailedExceptions, DigestDoS, DynamicFinders, EscapeFunction, Evaluation, Execute, FileAccess, FileDisclosure, FilterSkipping, ForgerySetting, HeaderDoS, I18nXSS, JRubyXML, JSONEncoding, JSONParsing, LinkTo, LinkToHref, MailTo, MassAssignment, MimeTypeDoS, ModelAttrAccessible, ModelAttributes, ModelSerialize, NestedAttributes, NestedAttributesBypass, NumberToCurrency, PermitAttributes, QuoteTableName, Redirect, RegexDoS, Render, RenderDoS, RenderInline, ResponseSplitting, RouteDoS, SQL, SQLCVEs, SSLVerify, SafeBufferManipulation, SanitizeMethods, SelectTag, SelectVulnerability, Send, SendFile, SessionManipulation, SessionSettings, SimpleFormat, SingleQuotes, SkipBeforeFilter, SprocketsPathTraversal, StripTags, SymbolDoSCVE, TranslateBug, UnsafeReflection, ValidationRegex, WithoutProtection, XMLDoS, YAMLParsing |
Scanned/Reported | Total |
---|---|
Controllers | 156 |
Models | 99 |
Templates | 693 |
Errors | 0 |
Security Warnings | 36 (26) |
Warning Type | Total |
---|---|
Cross-Site Request Forgery | 2 |
Cross-Site Scripting | 4 |
Dangerous Send | 1 |
Dynamic Render Path | 5 |
Format Validation | 1 |
Redirect | 19 |
Remote Code Execution | 3 |
SQL Injection | 1 |
| Confidence | Class | Method | Warning Type | Message |
|---|---|---|---|---|
| | CommunitiesController | load_topics | Dangerous Send | User controlled method execution near line 25: `Community.find(params[:id]).topics.send("sort_by_#{(params[:order] or "newest")}")` |
| | PagesController | show | Dynamic Render Path | Render path contains parameter value near line 15: `render(action => params[:id], {})` |
| | SandboxController | show | Dynamic Render Path | Render path contains parameter value near line 22: `render(action => "sandbox/#{params[:template]}", {})` |
| | SandboxController | show | Dynamic Render Path | Render path contains parameter value near line 26: `render(action => "sandbox/#{params[:template]}/index", {})` |
| | Admin::CommentsController | confirm_hide | Redirect | Possible unprotected redirect near line 13: `redirect_to(request.query_parameters.merge(:action => :index))` |
| | Admin::CommentsController | restore | Redirect | Possible unprotected redirect near line 20: `redirect_to(request.query_parameters.merge(:action => :index))` |
| | Admin::DebatesController | confirm_hide | Redirect | Possible unprotected redirect near line 16: `redirect_to(request.query_parameters.merge(:action => :index))` |
| | Admin::DebatesController | restore | Redirect | Possible unprotected redirect near line 23: `redirect_to(request.query_parameters.merge(:action => :index))` |
| | Admin::HiddenBudgetInvestmentsController | confirm_hide | Redirect | Possible unprotected redirect near line 18: `redirect_to(request.query_parameters.merge(:action => :index))` |
| | Admin::HiddenBudgetInvestmentsController | restore | Redirect | Possible unprotected redirect near line 25: `redirect_to(request.query_parameters.merge(:action => :index))` |
| | Admin::HiddenProposalsController | confirm_hide | Redirect | Possible unprotected redirect near line 17: `redirect_to(request.query_parameters.merge(:action => :index))` |
| | Admin::HiddenProposalsController | restore | Redirect | Possible unprotected redirect near line 24: `redirect_to(request.query_parameters.merge(:action => :index))` |
| | Admin::HiddenUsersController | confirm_hide | Redirect | Possible unprotected redirect near line 18: `redirect_to(request.query_parameters.merge(:action => :index))` |
| | Admin::HiddenUsersController | restore | Redirect | Possible unprotected redirect near line 24: `redirect_to(request.query_parameters.merge(:action => :index))` |
| | Admin::OrganizationsController | verify | Redirect | Possible unprotected redirect near line 22: `redirect_to(request.query_parameters.merge(:action => :index))` |
| | Admin::OrganizationsController | reject | Redirect | Possible unprotected redirect near line 27: `redirect_to(request.query_parameters.merge(:action => :index))` |
| | Admin::ProposalNotificationsController | confirm_hide | Redirect | Possible unprotected redirect near line 16: `redirect_to(request.query_parameters.merge(:action => :index))` |
| | Admin::ProposalNotificationsController | restore | Redirect | Possible unprotected redirect near line 23: `redirect_to(request.query_parameters.merge(:action => :index))` |
| | DebatesController | unmark_featured | Redirect | Possible unprotected redirect near line 39: `redirect_to(request.query_parameters.merge(:action => :index))` |
| | DebatesController | mark_featured | Redirect | Possible unprotected redirect near line 44: `redirect_to(request.query_parameters.merge(:action => :index))` |
| | ImagesController | destroy | Redirect | Possible unprotected redirect near line 14: `redirect_to(params[:from])` |
| | ModerateActions | moderate | Redirect | Possible unprotected redirect near line 32: `redirect_to(request.query_parameters.merge(:action => :index))` |
| | Moderation::UsersController | hide_in_moderation_screen | Redirect | Possible unprotected redirect near line 13: `redirect_to(request.query_parameters.merge(:action => :index), :notice => I18n.t("moderation.users.notice_hide"))` |
| | FollowsController | find_followable | Remote Code Execution | Unsafe reflection method constantize called with parameter value near line 21: `params[:followable_type].constantize` |
| | RelatedContentsController | relationable_object | Remote Code Execution | Unsafe reflection method constantize called with parameter value near line 45: `params[:relationable_klass].singularize.camelize.constantize` |
| | RelatedContentsController | related_object | Remote Code Execution | Unsafe reflection method constantize called with parameter value near line 56: `params[:url].scan(//(#{"proposals |
| | SearchCache | calculate_tsvector | SQL Injection | Possible SQL injection near line 10: `ActiveRecord::Base.connection.execute("\n UPDATE #{self.class.table_name} SET tsv = (#{searchable_values_sql}) WHERE id = #{id}")` |
| Confidence | Controller | Warning Type | Message |
|---|---|---|---|
| | Management::BaseController | Cross-Site Request Forgery | `protect_from_forgery` should be called in Management::BaseController near line 1 |
| | Management::SessionsController | Cross-Site Request Forgery | `protect_from_forgery` should be called in Management::SessionsController near line 3 |
| Confidence | Model | Warning Type | Message |
|---|---|---|---|
| | Newsletter | Format Validation | Insufficient validation for `from` using `/@/`. Use `\A` and `\z` as anchors near line 10 |
| Confidence | Template | Warning Type | Message |
|---|---|---|---|
| | budgets/investments/_ballot (Template:budgets/ballot/lines/create) | Cross-Site Scripting | Unescaped model attribute near line 62: `t("budgets.ballots.reasons_for_not_balloting.#{investment.reason_for_not_being_ballotable_by(current_user, ballot)}", :verify_account => link_to(t("votes.verify_account"), verification_path), :signin => link_to(t("votes.signin"), new_user_session_path), :signup => link_to(t("votes.signup"), new_user_registration_path), :my_heading => link_to(investment.heading.name, budget_investments_path(:budget_id => investment.budget_id, :heading_id => investment.heading_id)), :change_ballot => link_to(t("budgets.ballots.reasons_for_not_balloting.change_ballot"), budget_ballot_path(Budget.find(params[:budget_id]))), :heading_link => heading_link(@assigned_heading, Budget.find(params[:budget_id])))` |
| | budgets/investments/_votes (Template:budgets/investments/_investment) | Cross-Site Scripting | Unescaped model attribute near line 39: `t("votes.budget_investments.#{investment.reason_for_not_being_selectable_by(current_user)}", :count => investment.group.max_votable_headings, :verify_account => link_to(t("votes.verify_account"), verification_path), :signin => link_to(t("votes.signin"), new_user_session_path), :signup => link_to(t("votes.signup"), new_user_registration_path), :supported_headings => ((current_user and current_user.headings_voted_within_group(investment.group).map(&:name).to_sentence)))` |
| | legislation/draft_versions/show (Legislation::DraftVersionsController#show) | Cross-Site Scripting | Unescaped parameter value near line 52: `visible_draft_versions.find(params[:id]).toc_html` |
| | legislation/draft_versions/show (Legislation::DraftVersionsController#show) | Cross-Site Scripting | Unescaped parameter value near line 70: `visible_draft_versions.find(params[:id]).body_html` |
| | legislation/processes/index (Legislation::ProcessesController#index) | Dynamic Render Path | Render path contains parameter value near line 14: `render(action => ::Legislation::Process.open.published.not_in_draft.order(:start_date => :desc).page(params[:page]), {})` |
| | management/spending_proposals/index (Management::SpendingProposalsController#index) | Dynamic Render Path | Render path contains parameter value near line 21: `render(action => apply_filters_and_search(SpendingProposal).order(:cached_votes_up => :desc).page(params[:page]).for_render, {})` |