search

presidentbeef / brakeman

A static analysis security vulnerability scanner for Ruby on Rails applications
https://brakemanscanner.org/
Other
7.01k stars 734 forks source link

Brakeman not detecting force_ssl #1584

Closed coding-bunny closed 3 years ago

coding-bunny commented 3 years ago

Background

Brakeman version: 5.0.0 Rails version: 6.1.3.1 Ruby version: 3.0.0

Link to Rails application code: Private Commercial Project

Issue

Brakeman does not detect that the config.force_ssl feature is enabled.

Other Error

Run Brakeman with --debug to see the full stack trace.

Stack trace:

Loading scanner...
Processing application in /home/coding-bunny/RubymineProjects/customink_international
Processing gems...
Parsing Gemfile
[Notice] Detected Rails 6 application
Processing configuration...
Parsing config/environment.rb
Parsing config/application.rb
Parsing config/environments/production.rb
[Notice] Escaping HTML by default
[Notice] Skipping config setting: ssl_options.hsts.subdomains
Parsing files...
Parsing app/channels/application_cable/channel.rb
Parsing app/channels/application_cable/connection.rb
Parsing app/controllers/admin/api_controller.rb
Parsing app/controllers/admin/errors_controller.rb
Parsing app/controllers/admin/orders_controller.rb
Parsing app/controllers/application_controller.rb
Parsing app/controllers/auth_controller.rb
Parsing app/controllers/braintree_controller.rb
Parsing app/controllers/checkout_controller.rb
Parsing app/controllers/concerns/api_error.rb
Parsing app/controllers/orders_controller.rb
Parsing app/controllers/verification_tokens_controller.rb
Parsing app/helpers/colors_helper.rb
Parsing app/jobs/application_job.rb
Parsing app/jobs/base_job.rb
Parsing app/jobs/fulfillment_track_submission_job.rb
Parsing app/jobs/order_confirmation_job.rb
Parsing app/jobs/order_fulfillment_job.rb
Parsing app/mailboxes/application_mailbox.rb
Parsing app/mailers/application_mailer.rb
Parsing app/mailers/order_mailer.rb
Parsing app/models/address.rb
Parsing app/models/application_record.rb
Parsing app/models/concerns/geo_locateable.rb
Parsing app/models/country_codes.rb
Parsing app/models/fulfillment_track.rb
Parsing app/models/order.rb
Parsing app/models/relation_builders/errors.rb
Parsing app/models/relation_builders/orders.rb
Parsing app/services/address_sanitizer.rb
Parsing app/services/address_sanitizer/strategy/abbreviate_common_words.rb
Parsing app/services/address_sanitizer/strategy/countries_to_state.rb
Parsing app/services/address_sanitizer/strategy/normalize_state.rb
Parsing app/services/address_sanitizer/strategy/normalize_zip.rb
Parsing app/services/address_sanitizer/strategy/remove_notprovided_state.rb
Parsing app/services/address_sanitizer/strategy/replace_ordinal_indicators.rb
Parsing app/services/address_sanitizer/strategy/sanitize_ireland_zip.rb
Parsing app/services/address_sanitizer/strategy/states_to_country.rb
Parsing app/services/address_sanitizer/strategy/strip_dashes.rb
Parsing app/services/address_sanitizer/strategy/strip_whitespace.rb
Parsing app/services/address_sanitizer/strategy/transliteration.rb
Parsing app/services/address_validator/encoding_validator.rb
Parsing app/services/address_validator/us_military_base_validator.rb
Parsing app/services/address_verifier.rb
Parsing app/services/braintree_provider.rb
Parsing app/services/concerns/order_creator_hash_builder.rb
Parsing app/services/custom_ink/customer_payload_builder.rb
Parsing app/services/custom_ink/delivery_estimator.rb
Parsing app/services/custom_ink/design_payload_builder.rb
Parsing app/services/custom_ink/payload_builder.rb
Parsing app/services/custom_ink/product_builder.rb
Parsing app/services/custom_ink/profiles_service.rb
Parsing app/services/custom_ink/sku_service.rb
Parsing app/services/design_quote_service.rb
Parsing app/services/fulfillment_track_pipeline.rb
Parsing app/services/order_creator.rb
Parsing app/services/payment/request.rb
Parsing app/services/quote_service.rb
Parsing app/services/shipping/easy_post_api.rb
Parsing config/application.rb
Parsing config/boot.rb
Parsing config/environment.rb
Parsing config/environments/development.rb
Parsing config/environments/production.rb
Parsing config/environments/staging.rb
Parsing config/environments/test.rb
Parsing config/initializers/application_controller_renderer.rb
Parsing config/initializers/assets.rb
Parsing config/initializers/backtrace_silencers.rb
Parsing config/initializers/braintree.rb
Parsing config/initializers/content_security_policy.rb
Parsing config/initializers/cookies_serializer.rb
Parsing config/initializers/design_client.rb
Parsing config/initializers/dry.rb
Parsing config/initializers/easypost.rb
Parsing config/initializers/filter_parameter_logging.rb
Parsing config/initializers/gdpr_rails.rb
Parsing config/initializers/inflections.rb
Parsing config/initializers/mime_types.rb
Parsing config/initializers/mms_client.rb
Parsing config/initializers/quote_client.rb
Parsing config/initializers/rollbar.rb
Parsing config/initializers/sidekiq.rb
Parsing config/initializers/wrap_parameters.rb
Parsing config/puma.rb
Parsing config/routes.rb
Parsing config/spring.rb
Parsing lib/gdpr/order_collection.rb
Parsing lib/internal_user_constraints.rb
Parsing lib/rounder.rb
Parsing node_modules/node-sass/src/libsass/extconf.rb
Parsing /home/coding-bunny/RubymineProjects/customink_international/app/views/active_storage/blobs/_blob.html.erb
Parsing app/views/active_storage/blobs/_blob.html.erb
Parsing /home/coding-bunny/RubymineProjects/customink_international/app/views/application/index.html.erb
Parsing app/views/application/index.html.erb
Parsing /home/coding-bunny/RubymineProjects/customink_international/app/views/layouts/application.html.erb
Parsing app/views/layouts/application.html.erb
Parsing /home/coding-bunny/RubymineProjects/customink_international/app/views/layouts/mailer.html.erb
Parsing app/views/layouts/mailer.html.erb
Parsing /home/coding-bunny/RubymineProjects/customink_international/app/views/mailers/_css.html.erb
Parsing app/views/mailers/_css.html.erb
Parsing /home/coding-bunny/RubymineProjects/customink_international/app/views/mailers/_get_support.html.erb
Parsing app/views/mailers/_get_support.html.erb
Parsing /home/coding-bunny/RubymineProjects/customink_international/app/views/mailers/order_confirmation.html.erb
Parsing app/views/mailers/order_confirmation.html.erb
Detecting file types...
Processing initializers...
Processing /home/coding-bunny/RubymineProjects/customink_international/config/initializers/assets.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/config/initializers/braintree.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/config/initializers/cookies_serializer.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/config/initializers/design_client.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/config/initializers/dry.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/config/initializers/easypost.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/config/initializers/filter_parameter_logging.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/config/initializers/gdpr_rails.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/config/initializers/mms_client.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/config/initializers/quote_client.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/config/initializers/rollbar.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/config/initializers/sidekiq.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/config/initializers/wrap_parameters.rb
Processing libs...
Processing /home/coding-bunny/RubymineProjects/customink_international/app/channels/application_cable/channel.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/channels/application_cable/connection.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/helpers/colors_helper.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/jobs/application_job.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/jobs/base_job.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/jobs/fulfillment_track_submission_job.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/jobs/order_confirmation_job.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/jobs/order_fulfillment_job.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/mailboxes/application_mailbox.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/mailers/application_mailer.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/mailers/order_mailer.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/address_sanitizer.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/address_sanitizer/strategy/abbreviate_common_words.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/address_sanitizer/strategy/countries_to_state.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/address_sanitizer/strategy/normalize_state.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/address_sanitizer/strategy/normalize_zip.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/address_sanitizer/strategy/remove_notprovided_state.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/address_sanitizer/strategy/replace_ordinal_indicators.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/address_sanitizer/strategy/sanitize_ireland_zip.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/address_sanitizer/strategy/states_to_country.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/address_sanitizer/strategy/strip_dashes.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/address_sanitizer/strategy/strip_whitespace.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/address_sanitizer/strategy/transliteration.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/address_validator/encoding_validator.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/address_validator/us_military_base_validator.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/address_verifier.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/braintree_provider.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/concerns/order_creator_hash_builder.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/custom_ink/customer_payload_builder.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/custom_ink/delivery_estimator.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/custom_ink/design_payload_builder.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/custom_ink/payload_builder.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/custom_ink/product_builder.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/custom_ink/profiles_service.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/custom_ink/sku_service.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/design_quote_service.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/fulfillment_track_pipeline.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/order_creator.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/payment/request.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/quote_service.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/shipping/easy_post_api.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/config/boot.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/config/environment.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/config/environments/development.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/config/environments/staging.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/config/environments/test.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/config/puma.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/config/routes.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/config/spring.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/lib/gdpr/order_collection.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/lib/internal_user_constraints.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/lib/rounder.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/node_modules/node-sass/src/libsass/extconf.rb
Processing routes...          
Parsing config/routes.rb
Processing templates...       
Processing /home/coding-bunny/RubymineProjects/customink_international/app/views/active_storage/blobs/_blob.html.erb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/views/application/index.html.erb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/views/layouts/application.html.erb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/views/layouts/mailer.html.erb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/views/mailers/_css.html.erb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/views/mailers/_get_support.html.erb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/views/mailers/order_confirmation.html.erb
Processing data flow in templates...
Processing active_storage/blobs/_blob
Processing application/index
Processing layouts/application
Processing layouts/mailer
Rendering mailers/_css (["Template:layouts/mailer"])
Rendering mailers/_get_support (["Template:layouts/mailer"])
Processing mailers/_cssd
Processing mailers/_get_support
Processing mailers/order_confirmation
Processing models...          
Processing /home/coding-bunny/RubymineProjects/customink_international/app/models/address.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/models/application_record.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/models/concerns/geo_locateable.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/models/country_codes.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/models/fulfillment_track.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/models/order.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/models/relation_builders/errors.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/models/relation_builders/orders.rb
Processing controllers...     
Processing /home/coding-bunny/RubymineProjects/customink_international/app/controllers/admin/api_controller.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/controllers/admin/errors_controller.rb
[Notice] Treating inner class as library: Error
[Notice] Treating inner class as library: UnableToRetry
Processing /home/coding-bunny/RubymineProjects/customink_international/app/controllers/admin/orders_controller.rb
[Notice] Treating inner class as library: Error
[Notice] Treating inner class as library: AlreadyClaimedError
Processing /home/coding-bunny/RubymineProjects/customink_international/app/controllers/application_controller.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/controllers/auth_controller.rb
[Notice] Treating inner class as library: NonInternalUserError
Processing /home/coding-bunny/RubymineProjects/customink_international/app/controllers/braintree_controller.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/controllers/checkout_controller.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/controllers/concerns/api_error.rb
[Notice] Adding noncontroller as library: ApiError
Processing /home/coding-bunny/RubymineProjects/customink_international/app/controllers/orders_controller.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/controllers/verification_tokens_controller.rb
Processing data flow in controllers...
Processing Admin::ApiController
Processing Admin::ApiController#authenticate_user
Processing Admin::ApiController#resolve_user
Rendering layouts/application (["Admin::ApiController#resolve_user"])
Rendering admin/api/resolve_user (["Admin::ApiController#resolve_user"])
[Notice] No such template: admin/api/resolve_user
Processing Admin::ErrorsController
Processing Admin::ErrorsController#index
Rendering layouts/application (["Admin::ErrorsController#index"])
Rendering admin/errors/index (["Admin::ErrorsController#index"])
[Notice] No such template: admin/errors/index
Processing Admin::ErrorsController#retry_fulfillment
Rendering layouts/application (["Admin::ErrorsController#retry_fulfillment"])
Rendering admin/errors/retry_fulfillment (["Admin::ErrorsController#retry_fulfillment"])
[Notice] No such template: admin/errors/retry_fulfillment
Processing Admin::ErrorsController#fulfillment_track
Rendering layouts/application (["Admin::ErrorsController#fulfillment_track"])
Rendering admin/errors/fulfillment_track (["Admin::ErrorsController#fulfillment_track"])
[Notice] No such template: admin/errors/fulfillment_track
Processing Admin::ErrorsController#errors
Rendering layouts/application (["Admin::ErrorsController#errors"])
Rendering admin/errors/errors (["Admin::ErrorsController#errors"])
[Notice] No such template: admin/errors/errors
Processing Admin::OrdersController
Processing Admin::OrdersController#index
[Notice] Could not find filter set_paper_trail_whodunnit
Rendering layouts/application (["Admin::OrdersController#index"])
Rendering admin/orders/index (["Admin::OrdersController#index"])
[Notice] No such template: admin/orders/index
Processing Admin::OrdersController#show
[Notice] Could not find filter set_paper_trail_whodunnit
Rendering layouts/application (["Admin::OrdersController#show"])
Rendering admin/orders/show (["Admin::OrdersController#show"])
[Notice] No such template: admin/orders/show
Processing Admin::OrdersController#claim
[Notice] Could not find filter set_paper_trail_whodunnit
Processing Admin::OrdersController#save_note
[Notice] Could not find filter set_paper_trail_whodunnit
Rendering layouts/application (["Admin::OrdersController#save_note"])
Rendering admin/orders/save_note (["Admin::OrdersController#save_note"])
[Notice] No such template: admin/orders/save_note
Processing Admin::OrdersController#order
[Notice] Could not find filter set_paper_trail_whodunnit
Rendering layouts/application (["Admin::OrdersController#order"])
Rendering admin/orders/order (["Admin::OrdersController#order"])
[Notice] No such template: admin/orders/order
Processing Admin::OrdersController#orders
[Notice] Could not find filter set_paper_trail_whodunnit
Rendering layouts/application (["Admin::OrdersController#orders"])
Rendering admin/orders/orders (["Admin::OrdersController#orders"])
[Notice] No such template: admin/orders/orders
Processing Admin::OrdersController#order_search_params
[Notice] Could not find filter set_paper_trail_whodunnit
Rendering layouts/application (["Admin::OrdersController#order_search_params"])
Rendering admin/orders/order_search_params (["Admin::OrdersController#order_search_params"])
[Notice] No such template: admin/orders/order_search_params
Processing ApplicationController
Processing ApplicationController#index
Rendering layouts/application (["ApplicationController#index"])
Rendering application/index (["ApplicationController#index"])
Processing ApplicationController#initialize_environment
Rendering layouts/application (["ApplicationController#initialize_environment"])
Rendering application/initialize_environment (["ApplicationController#initialize_environment"])
[Notice] No such template: application/initialize_environment
Processing ApplicationController#build_environment_hash
Rendering layouts/application (["ApplicationController#build_environment_hash"])
Rendering application/build_environment_hash (["ApplicationController#build_environment_hash"])
[Notice] No such template: application/build_environment_hash
Processing ApplicationController#address_validation_config
Rendering layouts/application (["ApplicationController#address_validation_config"])
Rendering application/address_validation_config (["ApplicationController#address_validation_config"])
[Notice] No such template: application/address_validation_config
Processing AuthControllerd
Processing AuthController#sign_in_with_google
Processing AuthController#sign_out
Rendering layouts/application (["AuthController#sign_out"])
Rendering auth/sign_out (["AuthController#sign_out"])
[Notice] No such template: auth/sign_out
Processing AuthController#user_info
Processing BraintreeController
Processing BraintreeController#token
Processing CheckoutController
Processing CheckoutController#quote
Processing CheckoutController#validate_address
Processing CheckoutController#checkout_items
Rendering layouts/application (["CheckoutController#checkout_items"])
Rendering checkout/checkout_items (["CheckoutController#checkout_items"])
[Notice] No such template: checkout/checkout_items
Processing CheckoutController#address_params
Rendering layouts/application (["CheckoutController#address_params"])
Rendering checkout/address_params (["CheckoutController#address_params"])
[Notice] No such template: checkout/address_params
Processing CheckoutController#address_attributes
Rendering layouts/application (["CheckoutController#address_attributes"])
Rendering checkout/address_attributes (["CheckoutController#address_attributes"])
[Notice] No such template: checkout/address_attributes
Processing OrdersController
Processing OrdersController#create
Processing OrdersController#log_warning
Rendering layouts/application (["OrdersController#log_warning"])
Rendering orders/log_warning (["OrdersController#log_warning"])
[Notice] No such template: orders/log_warning
Processing OrdersController#create_order
Rendering layouts/application (["OrdersController#create_order"])
Rendering orders/create_order (["OrdersController#create_order"])
[Notice] No such template: orders/create_order
Processing VerificationTokensController
Processing VerificationTokensController#loaderio
Rendering verification_tokens/loaderio (["VerificationTokensController#loaderio"])
[Notice] No such template: verification_tokens/loaderio
Indexing call sites...        
Running checks in parallel...
 - CheckBasicAuth
 - CheckBasicAuthTimingAttack
 - CheckCrossSiteScripting
 - CheckContentTag
Automatic to_json escaping is enabled.
 - CheckCookieSerialization
Checking application/index.["ApplicationController#index"] for XSS
Checking layouts/application.["Admin::ApiController#resolve_user"] for XSS
 - CheckCreateWith
 - CheckCSRFTokenForgeryCVE
 - CheckDefaultRoutes
 - CheckDeserialize
 - CheckDetailedExceptions
Checking for XSS in content_tag
Checking layouts/application.["Admin::ErrorsController#index"] for XSS
Checking mailers/_css.["Template:layouts/mailer"] for XSS
Checking mailers/_get_support.["Template:layouts/mailer"] for XSS
Checking active_storage/blobs/_blob for XSS
Checking application/index for XSS
Checking layouts/application for XSS
Checking layouts/mailer for XSS
Checking mailers/_css for XSS
Checking mailers/_get_support for XSS
Checking mailers/order_confirmation for XSS
Checking each controller for default routes
 - CheckDigestDoS
 - CheckDynamicFinders
 - CheckEscapeFunction
 - CheckEvaluation
 - CheckExecute
Finding eval-like calls
 - CheckFileAccess
Processing eval-like calls
Finding system calls using ``
 - CheckFileDisclosure
Finding other system calls
 - CheckFilterSkipping
Finding possible file access
Processing system calls
 - CheckForgerySetting
Finding calls to load()
Finding calls using FileUtils
Processing found calls
 - CheckHeaderDoS
 - CheckI18nXSS
 - CheckJRubyXML
 - CheckJSONEncoding
 - CheckJSONEntityEscape
 - CheckJSONParsing
 - CheckLinkTo
 - CheckLinkToHref
 - CheckMailTo
 - CheckMassAssignment
 - CheckMimeTypeDoS
 - CheckModelAttrAccessible
 - CheckModelAttributes
 - CheckModelSerialize
 - CheckNestedAttributes
 - CheckNestedAttributesBypass
 - CheckNumberToCurrency
 - CheckPageCachingCVE
 - CheckPermitAttributes
 - CheckQuoteTableName
 - CheckRedirect
 - CheckRegexDoS
Finding calls to redirect_to()
 - CheckRender
 - CheckRenderDoS
 - CheckRenderInline
Finding dynamic regexes
Processing dynamic regexes
Automatic to_json escaping is enabled.
 - CheckResponseSplitting
 - CheckRouteDoS
 - CheckSafeBufferManipulation
 - CheckSanitizeMethods
 - CheckSelectTag
 - CheckSelectVulnerability
 - CheckSend
 - CheckSendFile
Finding instances of #send
 - CheckSessionManipulation
Finding all calls to send_file()
 - CheckSessionSettings
 - CheckSimpleFormat
 - CheckSingleQuotes
 - CheckSkipBeforeFilter
 - CheckSprocketsPathTraversal
 - CheckSQL
 - CheckSQLCVEs
Finding possible SQL calls on models
 - CheckSSLVerify
Finding possible SQL calls with no target
Finding possible SQL calls using constantized()
Finding calls to named_scope or scope
Processing possible SQL calls
 - CheckStripTags
 - CheckSymbolDoSCVE
 - CheckTemplateInjection
Finding calls to strip_tags()
 - CheckTranslateBug
Finding ERB.new calls
 - CheckUnsafeReflection
Processing ERB.new calls
 - CheckUnsafeReflectionMethods
 - CheckValidationRegex
 - CheckVerbConfusion
 - CheckWithoutProtection
 - CheckXMLDoS
 - CheckYAMLParsing
 - CheckDivideByZero
 - CheckForceSSL
 - CheckReverseTabnabbing
 - CheckSecrets
 - CheckSymbolDoS
 - CheckUnscopedFind
 - CheckWeakHash
Finding instances of #find on models with associations
Checks finished, collecting results...
Generating report...

== Brakeman Report ==

Application Path: /home/coding-bunny/RubymineProjects/customink_international
Rails Version: 6.1.3.1
Brakeman Version: 5.0.0
Scan Date: 2021-04-22 15:30:50 +0200
Duration: 1.246224233 seconds
Checks Run: BasicAuth, BasicAuthTimingAttack, CSRFTokenForgeryCVE, ContentTag, CookieSerialization, CreateWith, CrossSiteScripting, DefaultRoutes, Deserialize, DetailedExceptions, DigestDoS, DivideByZero, DynamicFinders, EscapeFunction, Evaluation, Execute, FileAccess, FileDisclosure, FilterSkipping, ForceSSL, ForgerySetting, HeaderDoS, I18nXSS, JRubyXML, JSONEncoding, JSONEntityEscape, JSONParsing, LinkTo, LinkToHref, MailTo, MassAssignment,:...skipping...

== Brakeman Report ==

Application Path: /home/coding-bunny/RubymineProjects/customink_international
Rails Version: 6.1.3.1
Brakeman Version: 5.0.0
Scan Date: 2021-04-22 15:30:50 +0200
Duration: 1.246224233 seconds
Checks Run: BasicAuth, BasicAuthTimingAttack, CSRFTokenForgeryCVE, ContentTag, CookieSerialization, CreateWith, CrossSiteScripting, DefaultRoutes, Deserialize, DetailedExceptions, DigestDoS, DivideByZero, DynamicFinders, EscapeFunction, Evaluation, Execute, FileAccess, FileDisclosure, FilterSkipping, ForceSSL, ForgerySetting, HeaderDoS, I18nXSS, JRubyXML, JSONEncoding, JSONEntityEscape, JSONParsing, LinkTo, LinkToHref, MailTo, MassAssignment, MimeTypeDoS, ModelAttrAccessible, ModelAttributes, ModelSerialize, NestedAttributes, NestedAttributesBypass, NumberToCurrency, PageCachingCVE, PermitAttributes, QuoteTableName, Redirect, RegexDoS, Render, RenderDoS, Render:...skipping...

== Brakeman Report ==

Application Path: /home/coding-bunny/RubymineProjects/customink_international
Rails Version: 6.1.3.1
Brakeman Version: 5.0.0
Scan Date: 2021-04-22 15:30:50 +0200
Duration: 1.246224233 seconds
Checks Run: BasicAuth, BasicAuthTimingAttack, CSRFTokenForgeryCVE, ContentTag, CookieSerialization, CreateWith, CrossSiteScripting, DefaultRoutes, Deserialize, DetailedExceptions, DigestDoS, DivideByZero, DynamicFinders, EscapeFunction, Evaluation, Execute, FileAccess, FileDisclosure, FilterSkipping, ForceSSL, ForgerySetting, HeaderDoS, I18nXSS, JRubyXML, JSONEncoding, JSONEntityEscape, JSONParsing, LinkTo, LinkToHref, MailTo, MassAssignment, MimeTypeDoS, ModelAttrAccessible, ModelAttributes, ModelSerialize, NestedAttributes, NestedAttributesBypass, NumberToCurrency, PageCachingCVE, PermitAttributes, QuoteTableName, Redirect, RegexDoS, Render, RenderDoS, RenderInline, ResponseSplitting, ReverseTabnabbing, RouteDoS, SQL, SQLCVEs, SSLVerify, SafeBufferManipulation, SanitizeMethods, Secrets, SelectTag, SelectVulnerability, Send, SendFile, SessionManipulation, SessionSettings, SimpleFormat, SingleQuotes, SkipBeforeFilter, SprocketsPathTraversal, StripTags, SymbolDoS, SymbolDoSCVE, TemplateInjection, TranslateBug, UnsafeReflection, UnsafeReflectionMethods, UnscopedFind, ValidationRegex, VerbConfusion, WeakHash, WithoutProtection, XMLDoS, YAMLParsing

:...skipping...

== Brakeman Report ==

Application Path: /home/coding-bunny/RubymineProjects/customink_international
Rails Version: 6.1.3.1
Brakeman Version: 5.0.0
Scan Date: 2021-04-22 15:30:50 +0200
Duration: 1.246224233 seconds
Checks Run: BasicAuth, BasicAuthTimingAttack, CSRFTokenForgeryCVE, ContentTag, CookieSerialization, CreateWith, CrossSiteScripting, DefaultRoutes, Deserialize, DetailedExceptions, DigestDoS, DivideByZero, DynamicFinders, EscapeFunction, Evaluation, Execute, FileAccess, FileDisclosure, FilterSkipping, ForceSSL, ForgerySetting, HeaderDoS, I18nXSS, JRubyXML, JSONEncoding, JSONEntityEscape, JSONParsing, LinkTo, LinkToHref, MailTo, MassAssignment, MimeTypeDoS, ModelAttrAccessible, ModelAttributes, ModelSerialize, NestedAttributes, NestedAttributesBypass, NumberToCurrency, PageCachingCVE, PermitAttributes, QuoteTableName, Redirect, RegexDoS, Render, RenderDoS, RenderInline, ResponseSplitting, ReverseTabnabbing, RouteDoS, SQL, SQLCVEs, SSLVerify, SafeBufferManipulation, SanitizeMethods, Secrets, SelectTag, SelectVulnerability, Send, SendFile, SessionManipulation, SessionSettings, SimpleFormat, SingleQuotes, SkipBeforeFilter, SprocketsPathTraversal, StripTags, SymbolDoS, SymbolDoSCVE, TemplateInjection, TranslateBug, UnsafeReflection, UnsafeReflectionMethods, UnscopedFind, ValidationRegex, VerbConfusion, WeakHash, WithoutProtection, XMLDoS, YAMLParsing

== Overview ==

Controllers: 9
Models: 6
Templates: 7
:...skipping...

== Brakeman Report ==

Application Path: /home/coding-bunny/RubymineProjects/customink_international
Rails Version: 6.1.3.1
Brakeman Version: 5.0.0
Scan Date: 2021-04-22 15:30:50 +0200
Duration: 1.246224233 seconds
Checks Run: BasicAuth, BasicAuthTimingAttack, CSRFTokenForgeryCVE, ContentTag, CookieSerialization, CreateWith, CrossSiteScripting, DefaultRoutes, Deserialize, DetailedExceptions, DigestDoS, DivideByZero, DynamicFinders, EscapeFunction, Evaluation, Execute, FileAccess, FileDisclosure, FilterSkipping, ForceSSL, ForgerySetting, HeaderDoS, I18nXSS, JRubyXML, JSONEncoding, JSONEntityEscape, JSONParsing, LinkTo, LinkToHref, MailTo, MassAssignment, MimeTypeDoS, ModelAttrAccessible, ModelAttributes, ModelSerialize, NestedAttributes, NestedAttributesBypass, NumberToCurrency, PageCachingCVE, PermitAttributes, QuoteTableName, Redirect, RegexDoS, Render, RenderDoS, RenderInline, ResponseSplitting, ReverseTabnabbing, RouteDoS, SQL, SQLCVEs, SSLVerify, SafeBufferManipulation, SanitizeMethods, Secrets, SelectTag, SelectVulnerability, Send, SendFile, SessionManipulation, SessionSettings, SimpleFormat, SingleQuotes, SkipBeforeFilter, SprocketsPathTraversal, StripTags, SymbolDoS, SymbolDoSCVE, TemplateInjection, TranslateBug, UnsafeReflection, UnsafeReflectionMethods, UnscopedFind, ValidationRegex, VerbConfusion, WeakHash, WithoutProtection, XMLDoS, YAMLParsing

== Overview ==

Controllers: 9
Models: 6
Templates: 7
Errors: 0
Security Warnings: 1

== Warning Types ==

Missing Encryption: 1

== Controller Overview ==

Controller: Admin::ApiController
Parent: ApplicationController
Routes: [None]

Controller: Admin::ErrorsController
Parent: ::Admin::ApiController
Routes: [None]

Controller: Admin::OrdersController
Parent: ::Admin::ApiController
Routes: [None]

Controller: ApplicationController
Parent: ::ActionController::Base
Routes: index

Controller: AuthController
Parent: ::ApplicationController
Routes: [None]

Controller: BraintreeController
Parent: ::ApplicationController
Routes: [None]

Controller: CheckoutController
Parent: ::ApplicationController
Routes: [None]

Controller: OrdersController
Parent: ::ApplicationController
Routes: [None]

Controller: VerificationTokensController
Parent: ::ApplicationController
Routes: loaderio

== Template Output ==

active_storage/blobs/_blob

[Escaped Output] blob.filename.extension
[Escaped Output] image_tag(blob.representation(:resize_to_limit => (local_assigns[:in_gallery] ? ([800, 600]) : ([1024, 768]))))
[Escaped Output] caption
[Escaped Output] blob.filename
[Escaped Output] number_to_human_size(blob.byte_size)

layouts/application

[Escaped Output] csrf_meta_tags
[Escaped Output] csp_meta_tag
[Escaped Output] stylesheet_pack_tag("application", :media => "all")
[Escaped Output] @app_config.to_json.html_safe
[Escaped Output] ENV.fetch("GOOGLE_TAG_MANAGER_ID")
[Escaped Output] ENV.fetch("GOOGLE_TAG_MANAGER_ID")
[Escaped Output] javascript_pack_tag("application")
[Escaped Output] yield

layouts/application.["Admin::ApiController#resolve_user"]

[Escaped Output] csrf_meta_tags
[Escaped Output] csp_meta_tag
[Escaped Output] stylesheet_pack_tag("application", :media => "all")
[Escaped Output] ::Rails.cache.fetch("application_controller/initialize_environment/config", :expires_in => 1.day) do; build_environment_hash; end.to_json.html_safe
[Escaped Output] ENV.fetch("GOOGLE_TAG_MANAGER_ID")
[Escaped Output] ENV.fetch("GOOGLE_TAG_MANAGER_ID")
[Escaped Output] javascript_pack_tag("application")
[Escaped Output] yield

layouts/application.["Admin::ErrorsController#index"]

[Escaped Output] csrf_meta_tags
[Escaped Output] csp_meta_tag
[Escaped Output] stylesheet_pack_tag("application", :media => "all")
[Escaped Output] @app_config.to_json.html_safe
[Escaped Output] ENV.fetch("GOOGLE_TAG_MANAGER_ID")
[Escaped Output] ENV.fetch("GOOGLE_TAG_MANAGER_ID")
[Escaped Output] javascript_pack_tag("application")
[Escaped Output] yield

layouts/mailer

[Escaped Output] render(partial => "mailers/css", {})
[Escaped Output] @data[:preheader]

[Escaped Output] image_url("emails/logo.png")
[Escaped Output] image_url("emails/icon-phone.png")
[Escaped Output] yield
[Escaped Output] render(partial => "mailers/get_support", {})
[Escaped Output] Date.current.year

mailers/_get_support

[Escaped Output] image_url("emails/icon-phone.png")
[Escaped Output] image_url("emails/icon-chat.png")
[Escaped Output] image_url("emails/icon-email.png")

mailers/_get_support.["Template:layouts/mailer"]

[Escaped Output] image_url("emails/icon-phone.png")
[Escaped Output] image_url("emails/icon-chat.png")
[Escaped Output] image_url("emails/icon-email.png")

mailers/order_confirmation

[Escaped Output] image_url("emails/icon-ok.png")
[Escaped Output] @order.customink_id
[Escaped Output] view[:url]
[Escaped Output] product[:product_name]
[Escaped Output] product[:color_name]
[Escaped Output] product[:quantity]
[Escaped Output] product[:quantity_by_size].reject do; qty.zero?; end.map do; "#{size}: #{qty}"; end.join(", ")
[Escaped Output] number_to_currency(@order[:subtotal_price])
[Escaped Output] number_to_currency(@order[:shipping_price])
[Escaped Output] number_to_currency(@order[:total_price])
[Escaped Output] @order.shipping_address.full_name
[Escaped Output] @order.shipping_address.organization
[Escaped Output] @order.shipping_address.shipping1
[Escaped Output] @order.shipping_address.shipping2
[Escaped Output] @order.shipping_address.city
[Escaped Output] @order.shipping_address.state
[Escaped Output] @order.shipping_address.zip
[Escaped Output] @order.shipping_address.country
[Escaped Output] @order.shipping_address.phone_number
[Escaped Output] @order.billing_address.full_name
[Escaped Output] @order.billing_address.shipping1
[Escaped Output] @order.billing_address.shipping2
[Escaped Output] @order.billing_address.city
[Escaped Output] @order.billing_address.state
[Escaped Output] @order.billing_address.zip
[Escaped Output] @order.billing_address.country

== Warnings ==

Confidence: High
Category: Missing Encryption
Check: ForceSSL
Message: The application does not force use of HTTPS: `config.force_ssl` is not enabled
File: config/environments/production.rb
Line: 1

Additional Info

Just running bundle exec brakeman does not perform the check for SSL. Only when using the -A flag. The setting is clearly enabled in my config/production.rb

presidentbeef commented 3 years ago

Hi @coding-bunny - thank you for the details, but what really matters is what production.rb looks like 😄 in order to determine why brakeman isn't picking it up.

coding-bunny commented 3 years ago

Here's the production.rb:


# frozen_string_literal: true

::Rails.application.configure do
  # Prepare the ingress controller used to receive mail
  # config.action_mailbox.ingress = :relay

  # Settings specified here will take precedence over those in config/application.rb.

  # Code is not reloaded between requests.
  config.cache_classes = true

  # Eager load code on boot. This eager loads most of Rails and
  # your application in memory, allowing both threaded web servers
  # and those relying on copy on write to perform better.
  # Rake tasks automatically ignore this option for performance.
  config.eager_load = true

  # Full error reports are disabled and caching is turned on.
  config.consider_all_requests_local       = false
  config.action_controller.perform_caching = true

  # Ensures that a master key has been made available in either ENV["RAILS_MASTER_KEY"]
  # or in config/master.key. This key is used to decrypt credentials (and other encrypted files).
  # config.require_master_key = true

  # Disable serving static files from the `/public` folder by default since
  # Apache or NGINX already handles this.
  config.public_file_server.enabled = ::ENV['RAILS_SERVE_STATIC_FILES'].present?

  if ::ENV['RAILS_SERVE_STATIC_FILES'].present?
    config.public_file_server.headers = { 'Cache-Control' => "public, max-age=#{1.year.to_i}" }
  end

  # Compress CSS using a preprocessor.
  # config.assets.css_compressor = :sass

  # Do not fallback to assets pipeline if a precompiled asset is missed.
  config.assets.compile = false

  # Enable serving of images, stylesheets, and JavaScripts from an asset server.
  # config.action_controller.asset_host = 'http://assets.example.com'

  # Specifies the header that your server uses for sending files.
  # config.action_dispatch.x_sendfile_header = 'X-Sendfile' # for Apache
  # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for NGINX

  # Store uploaded files on the local file system (see config/storage.yml for options).
  config.active_storage.service = :local

  # Mount Action Cable outside main process or domain.
  # config.action_cable.mount_path = nil
  # config.action_cable.url = 'wss://example.com/cable'
  # config.action_cable.allowed_request_origins = [ 'http://example.com', /http:\/\/example.*/ ]

  # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
  config.force_ssl = true

  # Use the lowest log level to ensure availability of diagnostic information
  # when problems arise.
  config.log_level = :debug

  # Prepend all log lines with the following tags.
  config.log_tags = [:request_id]

  # Use a different cache store in production.
  # config.cache_store = :mem_cache_store

  # Use a real queuing backend for Active Job (and separate queues per environment).
  # config.active_job.queue_adapter     = :resque
  # config.active_job.queue_name_prefix = "custom_ink_international_production"

  config.action_mailer.perform_caching = false
  config.action_mailer.asset_host = 'https://checkout.customink.com'
  config.action_mailer.default_url_options = { host: 'https://checkout.customink.com' }

  config.action_mailer.delivery_method = :smtp
  config.action_mailer.smtp_settings = {
    user_name: 'apikey',
    password: ::ENV.fetch('SENDGRID_API_KEY', ''),
    address: 'smtp.sendgrid.net',
    domain: 'checkout.customink.com',
    port: '587',
    authentication: :plain
  }

  # Ignore bad email addresses and do not raise email delivery errors.
  # Set this to true and configure the email server for immediate delivery to raise delivery errors.
  # config.action_mailer.raise_delivery_errors = false

  # Enable locale fallbacks for I18n (makes lookups for any locale fall back to
  # the I18n.default_locale when a translation cannot be found).
  config.i18n.fallbacks = true

  # Send deprecation notices to registered listeners.
  config.active_support.deprecation = :notify

  # Use default logging formatter so that PID and timestamp are not suppressed.
  config.log_formatter = ::Logger::Formatter.new

  # Use a different logger for distributed setups.
  # require 'syslog/logger'
  # config.logger = ActiveSupport::TaggedLogging.new(Syslog::Logger.new 'app-name')

  if ::ENV['RAILS_LOG_TO_STDOUT'].present?
    logger           = ::ActiveSupport::Logger.new($stdout)
    logger.formatter = config.log_formatter
    config.logger    = ::ActiveSupport::TaggedLogging.new(logger)
  end

  # Do not dump schema after migrations.
  config.active_record.dump_schema_after_migration = false

  # Inserts middleware to perform automatic connection switching.
  # The `database_selector` hash is used to pass options to the DatabaseSelector
  # middleware. The `delay` is used to determine how long to wait after a write
  # to send a subsequent read to the primary.
  #
  # The `database_resolver` class is used by the middleware to determine which
  # database is appropriate to use based on the time delay.
  #
  # The `database_resolver_context` class is used by the middleware to set
  # timestamps for the last write to the primary. The resolver uses the context
  # class timestamps to determine how long to wait before reading from the
  # replica.
  #
  # By default Rails will store a last write timestamp in the session. The
  # DatabaseSelector middleware is designed as such you can define your own
  # strategy for connection switching and pass that into the middleware through
  # these configuration options.
  # config.active_record.database_selector = { delay: 2.seconds }
  # config.active_record.database_resolver = ActiveRecord::Middleware::DatabaseSelector::Resolver
  # config.active_record.database_resolver_context = ActiveRecord::Middleware::DatabaseSelector::Resolver::Session
end
coding-bunny commented 3 years ago

Also it only seems to be happening for this specific file, because it works just fine in another project I have.... So I'm wondering if it's getting confused somewhere by a specific line or something.

presidentbeef commented 3 years ago

Thank you for providing that!

The issue was the use of ::Rails instead of Rails.