So, of the tools introduced there, I tried brakeman and bundler-audit.
Both are dead simple to use.
Add the following to your Gemfile:

```ruby
group :development do
  gem 'brakeman'
  gem 'bundler-audit'
end
```

After that, you can run them with:

```shell
bundle
bundle exec brakeman
bundle exec bundle audit
```
Results
Output streams out like the following. Much of it comes from the fact that the Rails app I tested runs an old version of Rails. The sensible first step is to upgrade Rails and then run the checks again.
brakeman
```text
~ bundle exec brakeman
Loading scanner...
Processing application in /Users/shigerunakajima/lodqa-db
Processing gems...
[Notice] Detected Rails 5 application
Processing configuration...
[Notice] Escaping HTML by default
Parsing files...
Detecting file types...
Processing initializers...
Processing libs...ed
Processing routes...
Processing templates...
Processing data flow in templates...
Processing models...
Processing controllers...
Processing data flow in controllers...
Indexing call sites...
Running checks in parallel...
 - CheckBasicAuth
 - CheckBasicAuthTimingAttack
 - CheckCrossSiteScripting
 - CheckContentTag
 - CheckCookieSerialization
 - CheckCreateWith
 - CheckCSRFTokenForgeryCVE
 - CheckDefaultRoutes
 - CheckDeserialize
 - CheckDetailedExceptions
 - CheckDigestDoS
 - CheckDynamicFinders
 - CheckEscapeFunction
 - CheckEvaluation
 - CheckExecute
 - CheckFileAccess
 - CheckFileDisclosure
 - CheckFilterSkipping
 - CheckForgerySetting
 - CheckHeaderDoS
 - CheckI18nXSS
 - CheckJRubyXML
 - CheckJSONEncoding
 - CheckJSONEntityEscape
 - CheckJSONParsing
 - CheckLinkTo
 - CheckLinkToHref
 - CheckMailTo
 - CheckMassAssignment
 - CheckMimeTypeDoS
 - CheckModelAttrAccessible
 - CheckModelAttributes
 - CheckModelSerialize
 - CheckNestedAttributes
 - CheckNestedAttributesBypass
 - CheckNumberToCurrency
 - CheckPageCachingCVE
 - CheckPermitAttributes
 - CheckQuoteTableName
 - CheckRedirect
 - CheckRegexDoS
 - CheckRender
 - CheckRenderDoS
 - CheckRenderInline
 - CheckResponseSplitting
 - CheckRouteDoS
 - CheckSafeBufferManipulation
 - CheckSanitizeMethods
 - CheckSelectTag
 - CheckSelectVulnerability
 - CheckSend
 - CheckSendFile
 - CheckSessionManipulation
 - CheckSessionSettings
 - CheckSimpleFormat
 - CheckSingleQuotes
 - CheckSkipBeforeFilter
 - CheckSprocketsPathTraversal
 - CheckSQL
 - CheckSQLCVEs
 - CheckSSLVerify
 - CheckStripTags
 - CheckSymbolDoSCVE
 - CheckTemplateInjection
 - CheckTranslateBug
 - CheckUnsafeReflection
 - CheckUnsafeReflectionMethods
 - CheckValidationRegex
 - CheckVerbConfusion
 - CheckWithoutProtection
 - CheckXMLDoS
 - CheckYAMLParsing
Checks finished, collecting results...
Generating report...

== Brakeman Report ==

Application Path: /Users/shigerunakajima/lodqa-db
Rails Version: 5.0.7.2
Brakeman Version: 5.1.1
Scan Date: 2021-10-21 04:40:52 +0900
Duration: 1.512554 seconds
Checks Run: BasicAuth, BasicAuthTimingAttack, CSRFTokenForgeryCVE, ContentTag, CookieSerialization, CreateWith, CrossSiteScripting, DefaultRoutes, Deserialize, DetailedExceptions, DigestDoS, DynamicFinders, EscapeFunction, Evaluation, Execute, FileAccess, FileDisclosure, FilterSkipping, ForgerySetting, HeaderDoS, I18nXSS, JRubyXML, JSONEncoding, JSONEntityEscape, JSONParsing, LinkTo, LinkToHref, MailTo, MassAssignment, MimeTypeDoS, ModelAttrAccessible, ModelAttributes, ModelSerialize, NestedAttributes, NestedAttributesBypass, NumberToCurrency, PageCachingCVE, PermitAttributes, QuoteTableName, Redirect, RegexDoS, Render, RenderDoS, RenderInline, ResponseSplitting, RouteDoS, SQL, SQLCVEs, SSLVerify, SafeBufferManipulation, SanitizeMethods, SelectTag, SelectVulnerability, Send, SendFile, SessionManipulation, SessionSettings, SimpleFormat, SingleQuotes, SkipBeforeFilter, SprocketsPathTraversal, StripTags, SymbolDoSCVE, TemplateInjection, TranslateBug, UnsafeReflection, UnsafeReflectionMethods, ValidationRegex, VerbConfusion, WithoutProtection, XMLDoS, YAMLParsing

== Overview ==

Controllers: 8
Models: 10
Templates: 25
Errors: 0
Security Warnings: 4

== Warning Types ==

Cross-Site Request Forgery: 2
Redirect: 1
Remote Code Execution: 1

== Warnings ==

Confidence: Medium
Category: Cross-Site Request Forgery
Check: CSRFTokenForgeryCVE
Message: Rails 5.0.7.2 has a vulnerability that may allow CSRF token forgery. Upgrade to Rails 5.2.4.3 or patch
File: Gemfile.lock
Line: 123

Confidence: Medium
Category: Cross-Site Request Forgery
Check: ForgerySetting
Message: `protect_from_forgery` should be configured with `with: :exception`
File: app/controllers/application_controller.rb

Confidence: Medium
Category: Remote Code Execution
Check: CookieSerialization
Message: Use of unsafe cookie serialization strategy `:marshal` might lead to remote code execution
Code: Rails.application.config.action_dispatch.cookies_serializer = :marshal
File: config/initializers/cookies_serializer.rb
Line: 5

Confidence: Weak
Category: Redirect
Check: Redirect
Message: Possible unprotected redirect
Code: redirect_to((targets_path + "?grid[f][users.email]=#{User.find_by!(:username => params[:username]).email}"))
File: app/controllers/users_controller.rb
Line: 7
```
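As an added example (my code, not the post's or Brakeman's), here is a small Ruby script that reads Brakeman's JSON report (`bundle exec brakeman -f json`) and splits the warnings into those the Rails upgrade recommended above will clear and those that still need a code change. The embedded report is a constructed sample in Brakeman's JSON shape carrying the four warnings from the text report; the confidence threshold and the `upgrade_driven?` rule are my own.

```ruby
require 'json'

# Constructed sample in the shape of `brakeman -f json` (same four warnings as the
# text report above); it is not the real JSON output of that scan.
SAMPLE_REPORT = <<~JSON
{
  "scan_info": { "rails_version": "5.0.7.2", "brakeman_version": "5.1.1" },
  "warnings": [
    { "warning_type": "Cross-Site Request Forgery", "check_name": "CSRFTokenForgeryCVE",
      "confidence": "Medium", "file": "Gemfile.lock", "line": 123,
      "message": "Rails 5.0.7.2 has a vulnerability that may allow CSRF token forgery. Upgrade to Rails 5.2.4.3 or patch" },
    { "warning_type": "Cross-Site Request Forgery", "check_name": "ForgerySetting",
      "confidence": "Medium", "file": "app/controllers/application_controller.rb", "line": null,
      "message": "`protect_from_forgery` should be configured with `with: :exception`" },
    { "warning_type": "Remote Code Execution", "check_name": "CookieSerialization",
      "confidence": "Medium", "file": "config/initializers/cookies_serializer.rb", "line": 5,
      "message": "Use of unsafe cookie serialization strategy `:marshal` might lead to remote code execution" },
    { "warning_type": "Redirect", "check_name": "Redirect",
      "confidence": "Weak", "file": "app/controllers/users_controller.rb", "line": 7,
      "message": "Possible unprotected redirect" }
  ],
  "errors": []
}
JSON

CONFIDENCE_RANK = { 'High' => 3, 'Medium' => 2, 'Weak' => 1 }.freeze

# My heuristic: a warning whose remedy is a dependency upgrade rather than an app
# code change is reported against Gemfile.lock or comes from one of the *CVE checks.
def upgrade_driven?(warning)
  warning['file'] == 'Gemfile.lock' || warning['check_name'].end_with?('CVE', 'CVEs')
end

# Drop warnings below the confidence floor, then partition the rest into
# "cleared by upgrading Rails" and "needs a code change".
def triage(report_json, min_confidence: 'Weak')
  report = JSON.parse(report_json)
  floor = CONFIDENCE_RANK.fetch(min_confidence)
  kept = report.fetch('warnings').select { |w| CONFIDENCE_RANK.fetch(w['confidence']) >= floor }
  by_upgrade, by_code = kept.partition { |w| upgrade_driven?(w) }
  {
    rails_version: report.dig('scan_info', 'rails_version'),
    upgrade: by_upgrade.map { |w| w['check_name'] },
    code: by_code.map { |w| "#{w['check_name']} #{w['file']}#{w['line'] ? ":#{w['line']}" : ''}" }
  }
end

if __FILE__ == $PROGRAM_NAME
  result = triage(SAMPLE_REPORT, min_confidence: 'Medium')
  puts "Rails #{result[:rails_version]}: #{result[:upgrade].size} warning(s) cleared by upgrade, #{result[:code].size} need code changes"
  result[:code].each { |entry| puts "  #{entry}" }
end
```

The Weak-confidence redirect warning drops out at the Medium floor, which is how you would keep a CI gate focused on the findings worth blocking on while the upgrade is pending.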
bundler audit
```text
~ bundle exec bundler audit
Download ruby-advisory-db ...
Cloning into '/Users/shigerunakajima/.local/share/ruby-advisory-db'...
remote: Enumerating objects: 7123, done.
remote: Counting objects: 100% (2007/2007), done.
remote: Compressing objects: 100% (1079/1079), done.
remote: Total 7123 (delta 731), reused 1348 (delta 565), pack-reused 5116
Receiving objects: 100% (7123/7123), 1.36 MiB | 11.61 MiB/s, done.
Resolving deltas: 100% (3215/3215), done.
ruby-advisory-db:
  advisories:	522 advisories
  last updated:	2021-10-12 11:21:05 -0700
  commit:	3d02c5e6a0f4ad9416db2e1474a14f6047d1e432
Insecure Source URI found: git://github.com/KishiKyousuke/facebox-rails.git

Name: actionpack
Version: 5.0.7.2
CVE: CVE-2021-22885
GHSA: GHSA-hjg4-8q5f-x6fm
Criticality: High
URL: https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI
Title: Possible Information Disclosure / Unintended Method Execution in Action Pack
Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, >= 6.0.3.7, ~> 6.0.3, >= 6.1.3.2

Name: actionpack
Version: 5.0.7.2
CVE: CVE-2020-8166
GHSA: GHSA-jp5v-5gx4-jmj9
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw
Title: Ability to forge per-form CSRF tokens given a global CSRF token
Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

Name: actionpack
Version: 5.0.7.2
CVE: CVE-2020-8164
GHSA: GHSA-8727-m6gj-mc37
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
Title: Possible Strong Parameters Bypass in ActionPack
Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

Name: actionpack
Version: 5.0.7.2
CVE: CVE-2021-22904
GHSA: GHSA-7wjx-3g7j-8584
Criticality: High
URL: https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ
Title: Possible DoS Vulnerability in Action Controller Token Authentication
Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, >= 6.0.3.7, ~> 6.0.3, >= 6.1.3.2

Name: actionview
Version: 5.0.7.2
CVE: CVE-2020-15169
GHSA: GHSA-cfjv-5498-mph5
Criticality: Medium
URL: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc
Title: Potential XSS vulnerability in Action View
Solution: upgrade to >= 5.2.4.4, ~> 5.2.4, >= 6.0.3.3

Name: actionview
Version: 5.0.7.2
CVE: CVE-2020-5267
GHSA: GHSA-65cv-r6x7-79hv
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8
Title: Possible XSS vulnerability in ActionView
Solution: upgrade to >= 5.2.4.2, ~> 5.2.4, >= 6.0.2.2

Name: actionview
Version: 5.0.7.2
CVE: CVE-2020-8167
GHSA: GHSA-xq5j-gw7f-jgj8
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0
Title: CSRF Vulnerability in rails-ujs
Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

Name: activerecord
Version: 5.0.7.2
CVE: CVE-2021-22880
GHSA: GHSA-8hc4-xxm3-5ppp
Criticality: Medium
URL: https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI
Title: Possible DoS Vulnerability in Active Record PostgreSQL adapter
Solution: upgrade to >= 5.2.4.5, ~> 5.2.4, >= 6.0.3.5, ~> 6.0.3, >= 6.1.2.1

Name: activesupport
Version: 5.0.7.2
CVE: CVE-2020-8165
GHSA: GHSA-2p68-f74v-9wc6
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c
Title: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

Name: kaminari
Version: 1.1.1
CVE: CVE-2020-11082
GHSA: GHSA-r5jw-62xg-j433
Criticality: Medium
URL: https://github.com/kaminari/kaminari/security/advisories/GHSA-r5jw-62xg-j433
Title: Cross-Site Scripting in Kaminari via `original_script_name` parameter
Solution: upgrade to >= 1.2.1

Vulnerabilities found!
```
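The `Solution:` lines above each list several patched branches, and "upgrade Rails" only helps if the target version lands inside one branch for every advisory. Here is an added example (my code, not the post's or bundler-audit's) that checks candidate Rails versions against those ranges with Ruby's built-in `Gem::Requirement`. Splitting each joined `Solution:` line into separate branches is my reading of the output (the advisory db keeps them as separate requirements), and the kaminari advisory is left out because it is a different gem.

```ruby
require 'rubygems' # Gem::Version and Gem::Requirement ship with Ruby

# Patched branches per advisory, as I read the "Solution:" lines above (constructed
# grouping). A branch like '~> 6.0.3, >= 6.0.3.7' is one compound requirement.
RAILS_PATCHED = {
  'CVE-2021-22885' => ['~> 5.2.4.6', '~> 5.2.6', '~> 6.0.3, >= 6.0.3.7', '>= 6.1.3.2'],
  'CVE-2020-8166'  => ['~> 5.2.4, >= 5.2.4.3', '>= 6.0.3.1'],
  'CVE-2020-8164'  => ['~> 5.2.4, >= 5.2.4.3', '>= 6.0.3.1'],
  'CVE-2021-22904' => ['~> 5.2.4.6', '~> 5.2.6', '~> 6.0.3, >= 6.0.3.7', '>= 6.1.3.2'],
  'CVE-2020-15169' => ['~> 5.2.4, >= 5.2.4.4', '>= 6.0.3.3'],
  'CVE-2020-5267'  => ['~> 5.2.4, >= 5.2.4.2', '>= 6.0.2.2'],
  'CVE-2020-8167'  => ['~> 5.2.4, >= 5.2.4.3', '>= 6.0.3.1'],
  'CVE-2021-22880' => ['~> 5.2.4, >= 5.2.4.5', '~> 6.0.3, >= 6.0.3.5', '>= 6.1.2.1'],
  'CVE-2020-8165'  => ['~> 5.2.4, >= 5.2.4.3', '>= 6.0.3.1']
}.freeze

# A version is patched for one advisory when it satisfies ANY listed branch;
# each branch may contain several comma-separated constraints that must all hold.
def patched?(version, branches)
  v = Gem::Version.new(version)
  branches.any? { |branch| Gem::Requirement.new(*branch.split(', ')).satisfied_by?(v) }
end

# CVEs that a candidate Rails version would still leave open.
def open_advisories(version, advisories = RAILS_PATCHED)
  advisories.reject { |_cve, branches| patched?(version, branches) }.keys
end

# Lowest candidate version (from the list you are willing to move to) that
# clears every advisory, or nil if none of them does.
def minimal_safe_upgrade(candidates, advisories = RAILS_PATCHED)
  candidates.map { |c| Gem::Version.new(c) }.sort
            .find { |v| open_advisories(v.to_s, advisories).empty? }&.to_s
end

if __FILE__ == $PROGRAM_NAME
  %w[5.2.4.3 5.2.4.6 6.0.3.5 6.0.3.7].each do |v|
    left = open_advisories(v)
    puts "Rails #{v}: #{left.empty? ? 'clears all advisories' : "still open: #{left.join(', ')}"}"
  end
end
```

Note that 5.2.4.3, the version Brakeman's CSRF message suggests, still leaves four of these advisories open; the later 2021 advisories need at least 5.2.4.6 on the 5.2 branch.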