Brakeman

Examples

Run the brakeman command from the root of your Rails application:

brakeman

Example code that fails analysis (each snippet below triggers a Brakeman warning)

Dangerous Evaluation - User input in an eval statement is VERY dangerous: whoever controls the request controls the Ruby code that runs.

app/controllers/posts_controller.rb
class PostsController < ApplicationController
  def show
    message = params[:message] || 'hello world'

    # Deliberately vulnerable: params[:message] is interpolated straight into eval
    eval("echo '#{message}'")
  end
end

Dangerous Send - Using unfiltered user data to select a class or method to be dynamically sent is dangerous: send bypasses visibility, so any method (private ones included) can be reached by name.

app/controllers/home_controller.rb
class HomeController < ApplicationController
  def index
    xmen_or_avengers = params[:xmen_or_avengers] || 'xmen'
    puts send(xmen_or_avengers.to_sym)
  end

  private

  def xmen
    'Wolverine'
  end

  def avengers
    'Captain America'
  end
end
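For contrast, here is an added example (not code from the Brakeman project or from the controllers above) showing how both snippets can be rewritten so that user input never chooses the code that runs; the class name, method names and the assumption that the eval example was meant to build a shell command are all hypothetical.

```ruby
require 'shellwords'

# Added example: hardened counterparts of the two warnings above.
class SafeDispatch
  # Replaces `send(params[:xmen_or_avengers].to_sym)`: the untrusted string is
  # only a lookup key into a fixed hash, so it can never name a method.
  TEAMS = {
    'xmen'     => 'Wolverine',
    'avengers' => 'Captain America'
  }.freeze

  def team_member(team_param)
    TEAMS.fetch(team_param.to_s, TEAMS['xmen'])
  end

  # When a method really must be picked by name, vet the name against an
  # allowlist first and reject anything else instead of falling through.
  ALLOWED_TEAMS = %w[xmen avengers].freeze

  def team_via_send(team_param)
    name = team_param.to_s
    raise ArgumentError, "unknown team: #{name}" unless ALLOWED_TEAMS.include?(name)
    send(name.to_sym) # only reachable with a vetted, fixed name
  end

  # Replaces `eval("echo '#{message}'")`. Assumption: the intent was to build a
  # shell command. Build it as a string with the user part escaped; nothing is
  # evaluated as Ruby, and Shellwords neutralises quotes and metacharacters.
  def echo_command(message)
    "echo #{Shellwords.escape(message.to_s)}"
  end

  private

  def xmen
    'Wolverine'
  end

  def avengers
    'Captain America'
  end
end
```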