Before:
$> brakeman --only-files app/models/plugin_mokapos_setting.rb
Loading scanner...
Processing application in /Users/philiplambok/Codes/ruby/quickbook
Processing gems...
[Notice] Detected Rails 4 application
Processing configuration...
[Notice] Escaping HTML by default
Parsing files...
Processing initializers...
Processing libs...
Processing routes...
Processing templates...
Processing data flow in templates...
Processing models...
Processing controllers...
Processing data flow in controllers...
Indexing call sites...
Running checks in parallel...
- CheckBasicAuth
- CheckBasicAuthTimingAttack
- CheckCrossSiteScripting
- CheckContentTag
- CheckCookieSerialization
- CheckCreateWith
- CheckDefaultRoutes
- CheckDeserialize
- CheckDetailedExceptions
- CheckDigestDoS
- CheckDynamicFinders
- CheckEscapeFunction
- CheckEvaluation
- CheckExecute
- CheckFileAccess
- CheckFileDisclosure
- CheckFilterSkipping
- CheckForgerySetting
- CheckHeaderDoS
- CheckI18nXSS
- CheckJRubyXML
- CheckJSONEncoding
- CheckJSONParsing
- CheckLinkTo
- CheckLinkToHref
- CheckMailTo
- CheckMassAssignment
- CheckMimeTypeDoS
- CheckModelAttrAccessible
- CheckModelAttributes
- CheckModelSerialize
- CheckNestedAttributes
- CheckNestedAttributesBypass
- CheckNumberToCurrency
- CheckPermitAttributes
- CheckQuoteTableName
- CheckRedirect
- CheckRegexDoS
- CheckRender
- CheckRenderDoS
- CheckRenderInline
- CheckResponseSplitting
- CheckRouteDoS
- CheckSafeBufferManipulation
- CheckSanitizeMethods
- CheckSelectTag
- CheckSelectVulnerability
- CheckSend
- CheckSendFile
- CheckSessionManipulation
- CheckSessionSettings
- CheckSimpleFormat
- CheckSingleQuotes
- CheckSkipBeforeFilter
- CheckSprocketsPathTraversal
- CheckSQL
- CheckSQLCVEs
- CheckSSLVerify
- CheckStripTags
- CheckSymbolDoSCVE
- CheckTranslateBug
- CheckUnsafeReflection
- CheckValidationRegex
- CheckWithoutProtection
- CheckXMLDoS
- CheckYAMLParsing
Checks finished, collecting results...
Filtering warnings...
[Notice] Using '/Users/philiplambok/Codes/ruby/quickbook/config/brakeman.ignore' to filter warnings
Generating report...
== Brakeman Report ==
Application Path: /Users/philiplambok/Codes/ruby/quickbook
Rails Version: 4.2.10
Brakeman Version: 4.8.1
Scan Date: 2020-05-06 09:36:57 +0700
Duration: 0.813131 seconds
Checks Run: BasicAuth, BasicAuthTimingAttack, ContentTag, CookieSerialization, CreateWith, CrossSiteScripting, DefaultRoutes, Deserialize, DetailedExceptions, DigestDoS, DynamicFinders, EscapeFunction, Evaluation, Execute, FileAccess, FileDisclosure, FilterSkipping, ForgerySetting, HeaderDoS, I18nXSS, JRubyXML, JSONEncoding, JSONParsing, LinkTo, LinkToHref, MailTo, MassAssignment, MimeTypeDoS, ModelAttrAccessible, ModelAttributes, ModelSerialize, NestedAttributes, NestedAttributesBypass, NumberToCurrency, PermitAttributes, QuoteTableName, Redirect, RegexDoS, Render, RenderDoS, RenderInline, ResponseSplitting, RouteDoS, SQL, SQLCVEs, SSLVerify, SafeBufferManipulation, SanitizeMethods, SelectTag, SelectVulnerability, Send, SendFile, SessionManipulation, SessionSettings, SimpleFormat, SingleQuotes, SkipBeforeFilter, SprocketsPathTraversal, StripTags, SymbolDoSCVE, TranslateBug, UnsafeReflection, ValidationRegex, WithoutProtection, XMLDoS, YAMLParsing
== Overview ==
Controllers: 0
Models: 1
Templates: 0
Errors: 0
Security Warnings: 1
== Warning Types ==
SSL Verification Bypass: 1
== Obsolete Ignore Entries ==

== Warnings ==
Confidence: High
Category: SSL Verification Bypass
Check: SSLVerify
Message: SSL certificate verification was bypassed
Code: Net::HTTP.new(URI.parse("#{ENV["MOKA_HOST_PROVIDER"]}/v1/profile/self?access_token=#{param}").host, URI.parse("#{ENV["MOKA_HOST_PROVIDER"]}/v1/profile/self?access_token=#{param}").port).verify_mode = OpenSSL::SSL::VERIFY_NONE
File: app/models/plugin_mokapos_setting.rb
Line: 89
After:
$> brakeman --only-files app/models/plugin_mokapos_setting.rb
Loading scanner...
Processing application in /Users/philiplambok/Codes/ruby/quickbook
Processing gems...
[Notice] Detected Rails 4 application
Processing configuration...
[Notice] Escaping HTML by default
Parsing files...
Processing initializers...
Processing libs...
Processing routes...
Processing templates...
Processing data flow in templates...
Processing models...
Processing controllers...
Processing data flow in controllers...
Indexing call sites...
Running checks in parallel...
- CheckBasicAuth
- CheckBasicAuthTimingAttack
- CheckCrossSiteScripting
- CheckContentTag
- CheckCookieSerialization
- CheckCreateWith
- CheckDefaultRoutes
- CheckDeserialize
- CheckDetailedExceptions
- CheckDigestDoS
- CheckDynamicFinders
- CheckEscapeFunction
- CheckEvaluation
- CheckExecute
- CheckFileAccess
- CheckFileDisclosure
- CheckFilterSkipping
- CheckForgerySetting
- CheckHeaderDoS
- CheckI18nXSS
- CheckJRubyXML
- CheckJSONEncoding
- CheckJSONParsing
- CheckLinkTo
- CheckLinkToHref
- CheckMailTo
- CheckMassAssignment
- CheckMimeTypeDoS
- CheckModelAttrAccessible
- CheckModelAttributes
- CheckModelSerialize
- CheckNestedAttributes
- CheckNestedAttributesBypass
- CheckNumberToCurrency
- CheckPermitAttributes
- CheckQuoteTableName
- CheckRedirect
- CheckRegexDoS
- CheckRender
- CheckRenderDoS
- CheckRenderInline
- CheckResponseSplitting
- CheckRouteDoS
- CheckSafeBufferManipulation
- CheckSanitizeMethods
- CheckSelectTag
- CheckSelectVulnerability
- CheckSend
- CheckSendFile
- CheckSessionManipulation
- CheckSessionSettings
- CheckSimpleFormat
- CheckSingleQuotes
- CheckSkipBeforeFilter
- CheckSprocketsPathTraversal
- CheckSQL
- CheckSQLCVEs
- CheckSSLVerify
- CheckStripTags
- CheckSymbolDoSCVE
- CheckTranslateBug
- CheckUnsafeReflection
- CheckValidationRegex
- CheckWithoutProtection
- CheckXMLDoS
- CheckYAMLParsing
Checks finished, collecting results...
Filtering warnings...
[Notice] Using '/Users/philiplambok/Codes/ruby/quickbook/config/brakeman.ignore' to filter warnings
Generating report...
== Brakeman Report ==
Application Path: /Users/philiplambok/Codes/ruby/quickbook
Rails Version: 4.2.10
Brakeman Version: 4.8.1
Scan Date: 2020-05-06 09:40:16 +0700
Duration: 0.841372 seconds
Checks Run: BasicAuth, BasicAuthTimingAttack, ContentTag, CookieSerialization, CreateWith, CrossSiteScripting, DefaultRoutes, Deserialize, DetailedExceptions, DigestDoS, DynamicFinders, EscapeFunction, Evaluation, Execute, FileAccess, FileDisclosure, FilterSkipping, ForgerySetting, HeaderDoS, I18nXSS, JRubyXML, JSONEncoding, JSONParsing, LinkTo, LinkToHref, MailTo, MassAssignment, MimeTypeDoS, ModelAttrAccessible, ModelAttributes, ModelSerialize, NestedAttributes, NestedAttributesBypass, NumberToCurrency, PermitAttributes, QuoteTableName, Redirect, RegexDoS, Render, RenderDoS, RenderInline, ResponseSplitting, RouteDoS, SQL, SQLCVEs, SSLVerify, SafeBufferManipulation, SanitizeMethods, SelectTag, SelectVulnerability, Send, SendFile, SessionManipulation, SessionSettings, SimpleFormat, SingleQuotes, SkipBeforeFilter, SprocketsPathTraversal, StripTags, SymbolDoSCVE, TranslateBug, UnsafeReflection, ValidationRegex, WithoutProtection, XMLDoS, YAMLParsing
== Overview ==
Controllers: 0
Models: 1
Templates: 0
Errors: 0
Security Warnings: 0
== Warning Types ==
== Obsolete Ignore Entries ==

No warnings found