Sha256: ce9a1b4e8f2c16150280980f0779abefb1f4e21f95cc80a8ea52c0d43903543b
Contents?: true
Size: 890 Bytes
Versions: 20
Compression:
Stored size: 890 Bytes
Contents
<h1>Brakeman</h1>
<h2>Examples</h2>
<p>Run the <code>brakeman</code> command from the root of your Rails application:</p>
<pre><code>brakeman</code></pre>
<h2>Example code that fails analysis</h2>
<h3>Dangerous Evaluation - User input in an <code>eval</code> call is VERY dangerous</h3>
<p>Anything interpolated into the string handed to <code>eval</code> becomes Ruby source that runs with the full privileges of the application process. A request parameter that closes the quote and appends its own statements gets arbitrary code execution; there is no safe way to sanitise input for <code>eval</code>, so the fix is to not evaluate user-controlled strings at all.</p>
<code>app/controllers/posts_controller.rb</code>
<pre><code>class PostsController < ApplicationController
  # params[:message] comes straight from the request and is spliced into
  # Ruby source, so whoever controls it controls the code that eval runs.
  def show
    message = params[:message] || 'hello world'
    eval("echo '#{message}'")
  end
end
</code></pre>
<h3>Dangerous Send - Using unfiltered user data to select a Class or Method to be dynamically sent is dangerous.</h3>
<p><code>Object#send</code> ignores method visibility, so the <code>private</code> keyword below does not restrict what a client can call: any method on the controller that takes no arguments is reachable by name, including the private <code>Kernel#exit</code>, which would stop the process. Restrict the client-supplied value to a fixed allowlist of method names instead of passing it to <code>send</code>; <code>public_send</code> alone is not sufficient, since every public method remains callable.</p>
<code>app/controllers/home_controller.rb</code>
<pre><code>class HomeController < ApplicationController
  def index
    # The method name is taken verbatim from the request.
    xmen_or_avengers = params[:xmen_or_avengers] || 'xmen'
    puts send(xmen_or_avengers.to_sym)
  end

  private

  # These are private, but send still reaches them (and everything else).
  def xmen
    'Wolverine'
  end

  def avengers
    'Captain America'
  end
end
</code></pre>
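<p>The two patterns above, reduced to plain Ruby so they run without Rails, with a hardened form beside each. This is an added example, not Brakeman's own code or code from any Rails project: <code>PostsController</code>, <code>HomeController</code>, <code>xmen</code>, <code>avengers</code> and the <code>params</code> hash mirror the page's snippets, while the constructed payload, the <code>secret_helper</code> method and the <code>TEAMS</code> allowlist are assumptions made for this illustration.</p>

```ruby
# Added example (not brakeman's or any project's code): the "Dangerous
# Evaluation" and "Dangerous Send" findings from the page, rewritten as plain
# Ruby classes that take a params hash, each beside a hardened version.

class PostsController
  def initialize(params)
    @params = params
  end

  # Vulnerable (as on the page): params[:message] is spliced into Ruby source
  # and executed. With the benign default the call fails on the undefined
  # `echo`; with a crafted message the attacker chooses what runs.
  def show_unsafe
    message = @params[:message] || 'hello world'
    eval("echo '#{message}'")
  end

  # Hardened: the value is only ever data. Interpolation builds a string;
  # nothing is evaluated.
  def show_safe
    message = @params[:message] || 'hello world'
    "echo '#{message}'"
  end
end

# Constructed payload (assumption for this example): closes the quote,
# neutralises the `echo` call with a trailing `if false`, runs attacker
# code, then comments out the rest of the line.
EVAL_PAYLOAD = "' if false; raise 'pwned' #"

class HomeController
  # Allowlist used by the hardened path: the request value is a key here,
  # never a method name, so the callable set is fixed at code-writing time.
  TEAMS = { 'xmen' => :xmen, 'avengers' => :avengers }.freeze

  def initialize(params)
    @params = params
  end

  # Vulnerable (as on the page). Object#send ignores visibility, so the
  # `private` keyword below protects nothing: every zero-argument method on
  # the object is reachable by name, including Kernel#exit, which would stop
  # the process (not exercised here for that reason).
  def index_unsafe
    xmen_or_avengers = @params[:xmen_or_avengers] || 'xmen'
    send(xmen_or_avengers.to_sym)
  end

  # Hardened: unknown keys are rejected before any dynamic dispatch happens.
  # public_send alone would not be enough; it still reaches every public
  # method, e.g. `freeze` or `instance_variables`.
  def index_safe
    key = @params[:xmen_or_avengers] || 'xmen'
    team = TEAMS.fetch(key) { raise ArgumentError, "unknown team: #{key.inspect}" }
    send(team)
  end

  private

  def xmen
    'Wolverine'
  end

  def avengers
    'Captain America'
  end

  # Assumed extra private helper, to show that send reaches it from a request.
  def secret_helper
    'internal-only'
  end
end

if __FILE__ == $PROGRAM_NAME
  puts HomeController.new(xmen_or_avengers: 'avengers').index_safe
  puts HomeController.new(xmen_or_avengers: 'secret_helper').index_unsafe
  begin
    PostsController.new(message: EVAL_PAYLOAD).show_unsafe
  rescue RuntimeError => e
    puts "eval ran attacker-supplied code: #{e.message}"
  end
end
```

<p>Running the file shows the three outcomes that matter: the allowlisted path returns <code>Captain America</code>, the unsafe <code>send</code> path returns the private helper's value for a name the client chose, and the <code>eval</code> path raises the attacker's exception rather than printing anything. The hardened <code>index_safe</code> still uses <code>send</code>, which is acceptable only because the symbol it receives comes from <code>TEAMS</code>, not from the request.</p>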
Version data entries
20 entries across 20 versions & 1 rubygems