Welcome to Railroader! Railroader is a security static analysis tool for finding vulnerabilities in applications that use Ruby on Rails. It’s easy to install and use. It is open source software (OSS) using the MIT license; we love bug reports and contributions! More documentation is available. You can learn the basics about Railroader, or learn about users of Railroader.
Recent Documentation
Attribute Restriction
This warning is issued when a model does not restrict which attributes can be set through mass assignment (for example, attributes taken straight from request parameters).
In particular, this check looks for a call to attr_accessible inside each model definition. If none is found, the warning is issued.
Railroader also warns on uses of attr_protected, since that mechanism was found to be vulnerable to bypass. Mass assignment warnings for models that use attr_protected are still reported, but at a lower confidence level.
read more
Authentication
“Authentication” is the act of verifying that a user or client is who they say they are.
Right now, the only Railroader warning in the authentication category is regarding hardcoded passwords. Railroader will warn about constants with literal string values that appear to be passwords.
Hardcoded passwords are a security issue: they imply a single shared password that cannot be rotated without a code change, and that password lives in the source code. Source code is typically readable by a large number of people inside an organization, and there have been many instances of source code leaking to the public.
read more
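Added example, not Railroader's own code: a small Ripper-based scan that approximates the two checks described above, the Attribute Restriction check and the hardcoded-password check. It assumes a simple name pattern (PASSWORD_NAME) for spotting password-like constants, treats every class in its input as a model where Railroader would look only under app/models, and runs over a constructed sample; the Finding struct and the confidence labels are illustrative, not Railroader's output format.

```ruby
require "ripper"

# Constant names that probably hold a credential (assumed heuristic, not Railroader's).
PASSWORD_NAME = /pass(word|wd)?|pwd|secret/i

Finding = Struct.new(:check, :confidence, :line, :message)

# Yields every Ripper S-expression node (an Array whose first element is a Symbol),
# depth-first, so checks can match on node[0] without knowing the whole grammar.
def each_node(node, &blk)
  return unless node.is_a?(Array)
  yield node if node.first.is_a?(Symbol)
  node.each { |child| each_node(child, &blk) }
end

# Returns the text of a plain string literal ("hunter2"), or nil for anything
# else, including interpolated strings ("#{x}") and non-string expressions.
def plain_string(node)
  return nil unless node.is_a?(Array) && node[0] == :string_literal
  content = node[1]
  return nil unless content.is_a?(Array) && content[0] == :string_content
  parts = content.drop(1)
  return nil unless parts.all? { |p| p.is_a?(Array) && p[0] == :@tstring_content }
  parts.map { |p| p[1] }.join
end

# Authentication check: CONSTANT = "literal" where the constant name looks like a password.
def hardcoded_passwords(sexp)
  findings = []
  each_node(sexp) do |node|
    next unless node[0] == :assign
    target, value = node[1], node[2]
    next unless target.is_a?(Array) && target[0] == :var_field
    const = target[1]
    next unless const.is_a?(Array) && const[0] == :@const
    name, line = const[1], const[2][0]
    next unless name =~ PASSWORD_NAME && plain_string(value)
    findings << Finding.new(:authentication, :high, line, "hardcoded password in constant #{name}")
  end
  findings
end

# Attribute restriction check: each class must call attr_accessible; attr_protected is
# accepted only at lower confidence because it has been bypassed in the past.
def attribute_restriction(sexp)
  findings = []
  each_node(sexp) do |node|
    next unless node[0] == :class
    const = nil
    each_node(node[1]) { |n| const ||= n if n[0] == :@const }
    name, line = const[1], const[2][0]
    calls = []
    each_node(node[3]) do |n|                 # node[3] is the class body
      next unless %i[command fcall vcall].include?(n[0])
      ident = n[1]
      calls << ident[1] if ident.is_a?(Array) && ident[0] == :@ident
    end
    if calls.include?("attr_accessible")
      next
    elsif calls.include?("attr_protected")
      findings << Finding.new(:attribute_restriction, :medium, line, "#{name} relies on attr_protected")
    else
      findings << Finding.new(:attribute_restriction, :high, line, "#{name} has no attr_accessible")
    end
  end
  findings
end

# Parses +source+ and runs both checks. Ripper.sexp returns nil on a syntax error.
def scan(source)
  sexp = Ripper.sexp(source)
  return [] if sexp.nil?
  hardcoded_passwords(sexp) + attribute_restriction(sexp)
end

# Constructed sample input, not code from any real application.
SAMPLE_MODELS = <<~RUBY
  # three models in one file, for illustration only
  class User < ActiveRecord::Base
    ADMIN_PASSWORD = "hunter2"          # literal password: flagged
    DB_HOST = "db.internal"             # not a password name: ignored
    API_PASSWORD = ENV["API_PASSWORD"]  # not a literal: ignored
    attr_accessible :name, :email       # restricts mass assignment: no warning
  end

  class Post < ActiveRecord::Base
    attr_protected :author_id           # bypassable: flagged at medium confidence
  end

  class Comment < ActiveRecord::Base
    belongs_to :post                    # no restriction at all: flagged at high confidence
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  scan(SAMPLE_MODELS).each do |f|
    puts "#{f.check} [#{f.confidence}] line #{f.line}: #{f.message}"
  end
end
```

Running the file prints one finding per line 3 (ADMIN_PASSWORD), 9 (Post) and 13 (Comment) of the sample; API_PASSWORD is not reported because its value is an expression rather than a literal, which is the same distinction Railroader draws between a hardcoded secret and one read from the environment.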
Authentication Whitelist
When skipping before_filters (before_actions in newer Rails) that have security implications, such as authentication, use a “whitelist” approach with only rather than except. With except, any action added later is unprotected unless someone remembers to list it; with only, actions are protected by default and unprotected only by exception.
read more
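Added example, not code from Railroader or Rails: a throwaway stand-in for the Rails callback chain (assumed, simplified only/except semantics; before_action is the current name of before_filter) used to show why except fails open. Both controllers below intend to make index and show public; when a destroy action is added later, the except version leaves it unauthenticated while the only version keeps it protected.

```ruby
# Minimal stand-in for the Rails callback chain, constructed for this example:
# a before_action applies to every action unless narrowed by only:/except:, and a
# later skip_before_action removes it for whichever actions it matches.
module Filters
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    def filters
      @filters ||= []
    end

    def before_action(name, only: nil, except: nil)
      filters << { name: name, skip: false, only: only, except: except }
    end

    def skip_before_action(name, only: nil, except: nil)
      filters << { name: name, skip: true, only: only, except: except }
    end

    # Walks the chain in order; the last entry that matches +action+ decides
    # whether +name+ runs, so a skip overrides the earlier before_action.
    def filter_runs?(name, action)
      runs = false
      filters.each do |f|
        next unless f[:name] == name
        applies = (f[:only].nil? || f[:only].include?(action)) &&
                  (f[:except].nil? || !f[:except].include?(action))
        runs = !f[:skip] if applies
      end
      runs
    end

    # Actions for which the authentication filter still runs, sorted for stable comparison.
    def protected_actions
      instance_methods(false).select { |a| filter_runs?(:authenticate_user!, a) }.sort
    end
  end
end

# Denylist style: every action NOT listed in except: is public.
class ExceptController
  include Filters
  before_action :authenticate_user!
  skip_before_action :authenticate_user!, except: [:edit, :update]

  def index; end
  def show; end
  def edit; end
  def update; end
  def destroy; end   # added later; silently unauthenticated
end

# Whitelist style: only the actions listed in only: are public.
class OnlyController
  include Filters
  before_action :authenticate_user!
  skip_before_action :authenticate_user!, only: [:index, :show]

  def index; end
  def show; end
  def edit; end
  def update; end
  def destroy; end   # added later; still authenticated
end

if __FILE__ == $PROGRAM_NAME
  puts "except: protected = #{ExceptController.protected_actions.inspect}"
  puts "only:   protected = #{OnlyController.protected_actions.inspect}"
end
```

The two controllers start out equivalent (index and show public, edit and update protected); the difference appears only when destroy is added, which is exactly the maintenance hazard the warning is about.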