Read more about the different warnings Railroader reports:
- Attribute Restriction
- Authentication
- Basic Authentication
- Command Injection
- Cross-Site Request Forgery
- Cross Site Scripting
- Cross Site Scripting (Content Tag)
- Cross Site Scripting (JSON)
- Dangerous Evaluation
- Dangerous Send
- Default Routes
- Denial of Service
- Dynamic Render Paths
- File Access
- Format Validation
- Information Disclosure
- Mail Link
- Mass Assignment
- Remote Code Execution
- Remote Execution in YAML.load
- Session Manipulation
- Session Settings
- SQL Injection
- SSL Verification Bypass
- Unsafe Deserialization
- Unscoped Find
- Unsafe Redirects
Attribute Restriction
This warning comes up if a model does not limit what attributes can be set through mass assignment.
In particular, this check looks for attr_accessible inside model definitions. If it is not found, this warning will be issued.
Railroader also warns on use of attr_protected, especially since it was found to be vulnerable to bypass. Warnings for mass assignment on models using attr_protected will be reported, but at a lower confidence level.
Authentication
“Authentication” is the act of verifying that a user or client is who they say they are.
Right now, the only Railroader warning in the authentication category is regarding hardcoded passwords. Railroader will warn about constants with literal string values that appear to be passwords.
Hardcoded passwords are security issues since they imply a single password and that password is stored in the source code. Typically source code is available to a wide number of people inside an organization, and there have been many instances of source code leaking to the public.
Authentication Whitelist
When skipping before_filters that have security implications, use a “whitelist” approach: name the actions to skip with the only option rather than excluding actions with the except option. This ensures actions are protected by default and unprotected only by exception.
Basic Authentication
In Rails 3.1, a new feature was added to simplify basic authentication.
The example provided in the official Rails Guide looks like this:
class PostsController < ApplicationController
  http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index
  #...
end
This warning will be raised if http_basic_authenticate_with is used and the password is found to be a string (i.e., stored somewhere in the code).
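The three checks described above (Attribute Restriction, hardcoded password constants, and a literal password passed to http_basic_authenticate_with) can be illustrated with a small detector. The following is an added example and not Railroader's own code: Railroader works on the parsed Ruby AST, whereas this version uses regular expressions over source text purely to show what each warning is looking for. All the source snippets it scans are constructed inputs, and the confidence labels and the PASSWORD_LIKE name pattern are this example's own choices.

```ruby
# Constructed model and controller sources to scan (not real application code).
MODEL_NO_RESTRICTION = <<~RUBY
  class User < ActiveRecord::Base
    has_many :posts
  end
RUBY

MODEL_ATTR_PROTECTED = <<~RUBY
  class Account < ActiveRecord::Base
    attr_protected :admin
  end
RUBY

MODEL_ATTR_ACCESSIBLE = <<~RUBY
  class Post < ActiveRecord::Base
    attr_accessible :title, :body
  end
RUBY

SETTINGS_SOURCE = <<~RUBY
  class Settings
    DB_PASSWORD = "hunter2"        # constructed literal; should be flagged
    API_TIMEOUT = "30"             # a string, but not a password-like name
    PASSWORD_MIN_LENGTH = 12       # password-like name, but not a string literal
  end
RUBY

CONTROLLER_LITERAL = <<~RUBY
  class PostsController < ApplicationController
    http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index
  end
RUBY

CONTROLLER_ENV = <<~RUBY
  class PostsController < ApplicationController
    http_basic_authenticate_with :name => "dhh", :password => ENV.fetch("BASIC_AUTH_PASSWORD"), :except => :index
  end
RUBY

# Check 1: Attribute Restriction. A model with no attr_accessible is reported.
# attr_protected still produces a finding, but with a lower confidence label,
# matching the text's note that attr_protected was found to be bypassable.
def check_attribute_restriction(source)
  model = source[/class\s+(\w+)\s*<\s*ActiveRecord::Base/, 1]
  return nil unless model
  return nil if source.match?(/^\s*attr_accessible\b/)
  confidence = source.match?(/^\s*attr_protected\b/) ? :weak : :high
  { model: model, confidence: confidence }
end

# Check 2: hardcoded passwords. Flags constants whose name looks password-like
# (hypothetical pattern chosen for this example) and whose value is a string literal.
PASSWORD_LIKE = /PASS(WORD|WD)?|SECRET/

def check_hardcoded_passwords(source)
  source.scan(/^\s*([A-Z][A-Z0-9_]*)\s*=\s*(["'])(.*?)\2/).map do |name, _quote, value|
    { constant: name, value: value } if name.match?(PASSWORD_LIKE)
  end.compact
end

# Check 3: Basic Authentication. Flags http_basic_authenticate_with when the
# :password argument is a string literal. A value read from the environment or
# any other non-literal expression is not reported.
def check_basic_auth_password(source)
  return nil unless source.include?("http_basic_authenticate_with")
  literal = source[/:password\s*=>\s*(["'])(.*?)\1/, 2]
  literal && { password_literal: literal }
end

if __FILE__ == $0
  p check_attribute_restriction(MODEL_NO_RESTRICTION)   # model without any restriction
  p check_attribute_restriction(MODEL_ATTR_PROTECTED)   # reported, lower confidence
  p check_hardcoded_passwords(SETTINGS_SOURCE)
  p check_basic_auth_password(CONTROLLER_LITERAL)
  p check_basic_auth_password(CONTROLLER_ENV)           # nil: nothing to report
end
```

The CONTROLLER_ENV snippet shows the shape of the fix for the Basic Authentication warning: the password comes from the environment (or a secrets store) rather than a literal in source, so the third check has nothing to match.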
Command Injection
Injection is #1 on the 2010 OWASP Top Ten web security risks. Command injection occurs when shell commands unsafely include user-manipulatable values.
There are many ways to run commands in Ruby:
`ls #{params[:file]}`
system("ls #{params[:dir]}")
exec("md5sum #{params[:input]}")
Railroader will warn on any method like these that uses user input or unsafely interpolates variables.
See the Ruby Security Guide for details.
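To make the warning concrete, here is an added example (not code from Railroader or the Ruby Security Guide) that takes a constructed request value of the kind the text warns about and shows the vulnerable string interpolation beside two mitigations: allowlist validation of the value, and passing the command as an argument array so no shell is involved. Shellwords from the standard library is shown for the case where a shell string cannot be avoided. The function names and the sample value are this example's own.

```ruby
require "shellwords"

# Constructed stand-in for params[:dir]: contains a shell metacharacter.
UNTRUSTED_DIR = "reports; id"

# Vulnerable pattern from the text. Only the command string is built here;
# handed to a shell, "ls reports; id" would run two separate commands.
def vulnerable_command_string(dir)
  "ls #{dir}"
end

# Mitigation 1: validate the value against a strict allowlist before any use.
def safe_dirname?(dir)
  dir.is_a?(String) && dir.match?(/\A[\w.-]+\z/)
end

# Mitigation 2: build argv as an array. Kernel#system / Open3 invoke the
# program directly when given multiple arguments, so the value is delivered
# verbatim as a single argument and metacharacters carry no meaning.
def ls_argv(dir)
  raise ArgumentError, "rejected directory name: #{dir.inspect}" unless safe_dirname?(dir)
  ["ls", "--", dir]
end

# Mitigation 3: if a shell string is unavoidable, escape each argument so the
# shell treats it as literal text.
def escaped_command_string(dir)
  "ls -- #{Shellwords.escape(dir)}"
end

# The hardened call; not run at load time so the example stays side-effect free.
def run_ls(dir)
  system(*ls_argv(dir))
end
```

Note that the array form raises rather than silently stripping characters: rejecting unexpected input is what keeps the validation honest.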
Cross Site Request Forgery
Cross-site request forgery is #5 on the OWASP Top Ten. CSRF allows an attacker to perform actions on a website as if they are an authenticated user.
This warning is raised when no call to protect_from_forgery is found in ApplicationController. This method prevents CSRF.
For Rails 4 applications, it is recommended that you use protect_from_forgery :with => :exception. This code is inserted into newly generated applications. The default is to nil out the session object, which has been a source of many CSRF bypasses due to session memoization.
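The difference between the two strategies can be seen in a miniature model of protect_from_forgery. This is an added example and not Rails' implementation: the session is a plain Hash, the request parameters are a Hash, and the method names are this example's own. It shows why :with => :exception is the safer choice: a forged request is rejected outright instead of continuing with an emptied session.

```ruby
require "securerandom"

class InvalidAuthenticityToken < StandardError; end

# Issue (or reuse) a per-session token; a form would embed it as authenticity_token.
def csrf_token_for(session)
  session[:_csrf_token] ||= SecureRandom.urlsafe_base64(32)
end

# Constant-time comparison so the check does not leak where two tokens differ.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def verified_request?(session, params)
  secure_compare(session[:_csrf_token], params["authenticity_token"])
end

# Returns the session the rest of the request should run with.
#   with: :exception    -> a forged request is rejected (the Rails 4 recommendation)
#   with: :null_session -> the request continues with an empty session; the text
#                          notes this has been bypassed through session memoization
#                          (state already loaded from the real session is reused)
def protect_from_forgery(session, params, with: :null_session)
  return session if verified_request?(session, params)
  case with
  when :exception    then raise InvalidAuthenticityToken, "CSRF token missing or invalid"
  when :null_session then {}
  else raise ArgumentError, "unknown strategy #{with.inspect}"
  end
end

if __FILE__ == $0
  session = { user_id: 42 }
  token = csrf_token_for(session)
  p protect_from_forgery(session, { "authenticity_token" => token }, with: :exception)
  p protect_from_forgery(session, { "authenticity_token" => "forged" }, with: :null_session)
end
```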
Cross Site Scripting
Cross site scripting (or XSS) is #2 on the 2010 OWASP Top Ten web security risks and it pops up nearly everywhere.
XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject Javascript or HTML into the page.
In Rails 2.x, values need to be explicitly escaped (e.g., by using the h method). In Rails 3.x, auto-escaping in views is enabled by default.
Cross Site Scripting (Content Tag)
Cross site scripting (or XSS) is #2 on the 2010 OWASP Top Ten web security risks and it pops up nearly everywhere. XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject Javascript or HTML into the page.
content_tag is a view helper which generates an HTML tag with some content:
>> content_tag :p, "Hi!"
=> "<p>Hi!</p>"
In Rails 2, this content is unescaped (although attribute values are escaped):
Cross Site Scripting (JSON)
Cross site scripting (or XSS) is #2 on the 2010 OWASP Top Ten web security risks and it pops up nearly everywhere.
XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject Javascript or HTML into the page. Calls to Hash#to_json can be used to trigger XSS. Railroader will check to see if there are any calls to Hash#to_json with ActiveSupport#escape_html_entities_in_json set to false (or if you are running Rails < 2.
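The three XSS variants above (explicit escaping with h, content_tag's Rails 2 versus Rails 3 behaviour, and Hash#to_json output placed in a script block) can be shown together with standard-library code. This is an added example and not Rails' own helpers: h is built on ERB::Util.html_escape, the content_tag functions reproduce only the escaping behaviour the text describes, and to_json_for_script applies the same \uXXXX substitution that ActiveSupport's escape_html_entities_in_json performs. The input values are constructed.

```ruby
require "erb"
require "json"

# Constructed user-controlled value.
USER_INPUT = "<script>alert(1)</script>"

# Rails' h is html_escape; ERB::Util from the standard library does the same job.
def h(value)
  ERB::Util.html_escape(value)
end

def attributes_html(attrs)
  attrs.map { |name, value| %( #{name}="#{h(value)}") }.join
end

# Rails 2 behaviour as described above: attribute values escaped, content not.
def content_tag_rails2(name, content, attrs = {})
  "<#{name}#{attributes_html(attrs)}>#{content}</#{name}>"
end

# Rails 3 behaviour: content is escaped by default as well.
def content_tag_rails3(name, content, attrs = {})
  "<#{name}#{attributes_html(attrs)}>#{h(content)}</#{name}>"
end

# JSON inside a <script> block: plain JSON.generate keeps "<" and ">", so a
# value of "</script>" would terminate the script element. Encoding <, > and &
# as \uXXXX keeps the JSON valid while removing their HTML meaning.
def to_json_for_script(hash)
  JSON.generate(hash).gsub(/[<>&]/) { |c| format('\u%04x', c.ord) }
end

def script_tag(hash)
  "<script>var data = #{to_json_for_script(hash)};</script>"
end

if __FILE__ == $0
  puts content_tag_rails2(:p, USER_INPUT)   # script survives intact
  puts content_tag_rails3(:p, USER_INPUT)   # rendered as text
  puts script_tag("name" => "</script>")
end
```

JSON.parse still recovers the original string from the escaped form, so the substitution costs nothing on the consuming side.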