lukebrogan-mend / railsgoat

A vulnerable version of Rails that follows the OWASP Top 10
railsgoat.cktricky.com
MIT License

Code Security Report: 20 high severity findings, 30 total findings #107

Open mend-for-github-com[bot] opened 1 year ago

mend-for-github-com[bot] commented 1 year ago

Code Security Report

Latest Scan: 2022-10-20 08:14pm
Total Findings: 30
Tested Project Files: 134
Detected Programming Languages: 2

Language: JavaScript / Node.js

| Severity | CWE | Vulnerability Type | Count |
|---|---|---|---|
| Medium | CWE-338 | Weak Pseudo-Random | 2 |

Details

No high vulnerability findings detected. To view information on the remaining findings, navigate to the Mend SAST Application.

Language: Ruby

| Severity | CWE | Vulnerability Type | Count |
|---|---|---|---|
| High | CWE-78 | Command Injection | 4 |
| High | CWE-89 | SQL Injection | 1 |
| High | CWE-22 | Path/Directory Traversal | 3 |
| High | CWE-915 | Mass Assignment | 1 |
| High | CWE-79 | Dangerous HTML Embedded | 10 |
| High | CWE-79 | Cross-Site Scripting | 1 |
| Medium | CWE-321 | Secret Key In Source | 1 |
| Low | CWE-916 | Weak Hash Strength | 5 |
| Low | CWE-113 | HTTP Response Splitting | 1 |
| Low | CWE-1004 | Cookie Without 'HttpOnly' Flag | 1 |

Details

The list below presents the 20 high-severity findings that need your attention. To view information on these findings, navigate to the Mend SAST Application.

Command Injection (CWE-78) : 4

Findings

models/benefits.rb:15 https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/models/benefits.rb#L10-L15
Trace https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/controllers/benefit_forms_controller.rb#L19 https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/models/benefits.rb#L4 https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/models/benefits.rb#L13 https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/models/benefits.rb#L15
models/benefits.rb:15 https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/models/benefits.rb#L10-L15
Trace https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/controllers/benefit_forms_controller.rb#L19 https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/models/benefits.rb#L4 https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/models/benefits.rb#L6 https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/models/benefits.rb#L15
models/benefits.rb:15 https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/models/benefits.rb#L10-L15
Trace https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/controllers/benefit_forms_controller.rb#L19 https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/models/benefits.rb#L4 https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/models/benefits.rb#L6 https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/models/benefits.rb#L13 https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/models/benefits.rb#L15
models/benefits.rb:15 https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/models/benefits.rb#L10-L15
Trace https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/controllers/benefit_forms_controller.rb#L19 https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/models/benefits.rb#L4 https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/models/benefits.rb#L15

SQL Injection (CWE-89) : 1

Findings

controllers/users_controller.rb:29 https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/controllers/users_controller.rb#L24-L29

Path/Directory Traversal (CWE-22) : 3

Findings

controllers/benefit_forms_controller.rb:12 https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/controllers/benefit_forms_controller.rb#L7-L12
Trace https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/controllers/benefit_forms_controller.rb#L10 https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/controllers/benefit_forms_controller.rb#L11 https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/controllers/benefit_forms_controller.rb#L12
models/benefits.rb:7 https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/models/benefits.rb#L2-L7
Trace https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/controllers/benefit_forms_controller.rb#L19 https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/models/benefits.rb#L4 https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/models/benefits.rb#L6 https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/models/benefits.rb#L7
controllers/benefit_forms_controller.rb:12 https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/controllers/benefit_forms_controller.rb#L7-L12
Trace https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/controllers/benefit_forms_controller.rb#L11 https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/controllers/benefit_forms_controller.rb#L12

Mass Assignment (CWE-915) : 1

Findings

controllers/users_controller.rb:55 https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/controllers/users_controller.rb#L50-L55

Dangerous HTML Embedded (CWE-79) : 10

Findings

shared/_header.html.erb:82 https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/views/layouts/shared/_header.html.erb#L77-L82
shared/_header.html.erb:31 https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/views/layouts/shared/_header.html.erb#L26-L31
paid_time_off/index.html.erb:192 https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/views/paid_time_off/index.html.erb#L187-L192
admin/get_all_users.html.erb:29 https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/views/admin/get_all_users.html.erb#L24-L29
performance/index.html.erb:63 https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/views/performance/index.html.erb#L58-L63
paid_time_off/index.html.erb:135 https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/views/paid_time_off/index.html.erb#L130-L135
paid_time_off/index.html.erb:158 https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/views/paid_time_off/index.html.erb#L153-L158
controllers/password_resets_controller.rb:36 https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/controllers/password_resets_controller.rb#L31-L36
messages/index.html.erb:114 https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/views/messages/index.html.erb#L109-L114
users/account_settings.html.erb:81 https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/views/users/account_settings.html.erb#L76-L81

Cross-Site Scripting (CWE-79) : 1

Findings

layouts/application.html.erb:12 https://github.com/lukebrogan-mend/railsgoat/blob/00022ed5aec3237f62189fa8deff9e8fef5c5ff4/app/views/layouts/application.html.erb#L7-L12