Rules | Description | Example | KPI
---|---|---|---
Authentication | Warn about constants with literal string values that appear to be passwords. | Security | high
Basic Authentication | A warning will be raised if http_basic_authenticate_with is used and the password is found to be a literal string (i.e., stored somewhere in the code). | Security | high
Mass Assignment | Allows an application to create a record from the values of a hash. | Security | high
Remote Execution in YAML.load | Upgrading Rails, disabling XML parsing, or disabling YAML types in XML request parsing will fix the Rails vulnerability, but manually passing user input to YAML.load remains unsafe. | Security | high
Session Manipulation | Sessions are typically considered a source of truth (e.g. to check the logged-in user or to match CSRF tokens), so allowing an attacker to manipulate the session may lead to unintended behavior. | Security | high
Session Settings | Warns if the key length for the session cookies is less than 30 characters. | Security | high
Weak Hash | Uses of hashing algorithms that should not be used in security-sensitive contexts such as hashing passwords or generating signatures. | Security | high
UUIDs as Safe Attributes | #uuid will be treated as a safe value, particularly in SQL. | Security | high
Tempfile Paths in Shell Commands | Tempfile#path will be considered a safe value for command injection. | Security | high
Ignore Development Environment | Brakeman will ignore code that is guarded | Security | high