Getting Started
Next Steps
- Confidence Levels
- Warning Types
- Reducing False Positives
- Ignoring False Positives
- Using Railroader as a Library
- Railroader and Rake
More Information
Hudson/Jenkins Integration
Docs
Confidence Levels
Railroader assigns each warning a confidence level. This rating is intended to indicate how certain Railroader is that the given warning is a real problem.
The following guidelines are used:
High - Either this is a simple warning or user input is very likely being used in unsafe ways.
Medium - This generally indicates an unsafe use of a variable, but the variable may or may not be user input.
Contributing to Railroader
The simplest way to contribute to the improvement of Railroader is to run it against your own applications and then report any issues here.
Suggestions are welcome, too!
See contributing for the basics on contributing.
Testing on Different Platforms
Railroader should work on most platforms without a problem. It is typically tested against MRI 1.8.7 and 1.9.3, so any problems outside those two should definitely be reported.
Contributing Features
New feature implementations should be submitted as a pull request on GitHub.
Frequently Asked Questions
Railroader hangs while processing my app. What do I do?
Sorry about that! Please follow these instructions.
Railroader is reporting parsing errors, but my app runs fine. What's going on?
Railroader relies on ruby_parser for parsing Ruby code. Support for Ruby 1.9 syntax is still in development, so Railroader cannot handle all the new 1.9 syntax changes. Unfortunately, the next version of ruby_parser (3.0) makes some large, incompatible changes which will also require major changes in Railroader.
Ignoring False Positives
False positives (warnings about potential vulnerabilities which are not actual vulnerabilities) are present in any security tool. Before ignoring a false positive, be certain it is actually a false positive and also consider reporting it in case changes can be made to Railroader to prevent the false positive in the future.
The ignore configuration is a JSON file containing a list of warnings. This is essentially the same as the JSON report, except the warnings can also have a note field.
Installing Railroader
gem install
Railroader is best installed via RubyGems:
    gem install railroader
This will provide the railroader executable.
bundler
Railroader can be added to a Gemfile:
    gem "railroader"
It is recommended to always use the latest version of Railroader.
git clone
If you must have the latest and greatest, then you can build the gem yourself:
    git clone git://github.com/david-a-wheeler/railroader.git
    cd railroader
    gem build railroader.gemspec
    gem install railroader-*.gem
Running Railroader
Introduction to Railroader
Railroader is a security scanner for Ruby on Rails applications.
Unlike many web security scanners, Railroader looks at the source code of your application. This means you do not need to set up your whole application stack to use it.
Once Railroader scans the application code, it produces a report of all security issues it has found.
Advantages
No Configuration Necessary
Railroader requires zero setup or configuration once it is installed.
Options
This page may or may not be entirely up-to-date. For the most current (but less detailed) list of options, run railroader --help.
Please note some options below are shown in either the short (-) or the long (--) form, but all options have long forms.
Scanning Options
Some checks are not run by default. To run all checks, use:
    railroader -A
By default, each check runs in a separate thread.
Railroader as a Library
Railroader was initially designed to be used as a command-line application. Recently, there have been some changes to allow it to be used as a library as well. Future releases will likely make it even easier to use.
Simple Example
Here is a simple example:
    require 'railroader'
    tracker = Railroader.run "my/app"
    puts tracker.report
This runs Railroader against the Rails application in my/app and prints out the report. This is essentially equivalent to running Railroader with no options.
Railroader with Rake
Running Railroader via Rake is discouraged because it loads the entire Rails application.
Railroader can generate and install a basic Rake task for a Rails application.
To do so, just run this at the root directory of the Rails application:
    railroader --rake
This will create a task in lib/tasks/railroader.rake that looks like this:
    namespace :railroader do
      desc "Run Railroader"
      task :run, :output_files do |t, args|
        require 'railroader'
        files = args[:output_files]...
Reducing False Positives
By default, Railroader reports as much as possible. Because there is no way for Railroader to know whether certain items are actually safe, it errs on the side of reporting too much rather than possibly missing a real problem. Sometimes, though, these false positives can become overwhelming. Railroader does provide many options for customizing reports. It is also possible to ignore specific warnings.
It is recommended to always run Railroader with the default settings first (and then periodically after that), but it is possible to narrow down the results to make them less annoying.