Read more about the different warnings Railroader reports:
- Attribute Restriction
- Authentication
- Basic Authentication
- Command Injection
- Cross-Site Request Forgery
- Cross Site Scripting
- Cross Site Scripting (Content Tag)
- Cross Site Scripting (JSON)
- Dangerous Evaluation
- Dangerous Send
- Default Routes
- Denial of Service
- Dynamic Render Paths
- File Access
- Format Validation
- Information Disclosure
- Mail Link
- Mass Assignment
- Remote Code Execution
- Remote Execution in YAML.load
- Session Manipulation
- Session Settings
- SQL Injection
- SSL Verification Bypass
- Unsafe Deserialization
- Unscoped Find
- Unsafe Redirects
Cross Site Scripting: link to
In the 2.x versions of Rails, link_to would not escape the link body (its first argument, which becomes the anchor text).
For example, this will pop up an alert box:

  link_to "<script>alert(1)</script>", "http://google.com"

Railroader warns on cases where the first parameter contains user input.
Cross Site Scripting: link to HREF
Even though Rails HTML-escapes the URL passed to link_to, escaping does not neutralize a value whose scheme is "javascript:" or "data:"; none of those characters are HTML-significant, so the link still executes script when clicked.
Railroader will warn if user input is used as the HREF value in link_to, or if it is interpolated at the beginning of the string used as the HREF, where it controls the scheme.
The --url-safe-methods option can be used to name methods which make URLs safe; Railroader treats the return values of those methods as safe HREF values.
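The two link_to cases above, as an added example rather than Railroader's or Rails' code: legacy_link_to and escaping_link_to are stand-ins that mimic the Rails 2.x and Rails 3+ escaping behaviour described, and safe_url is a hypothetical URL-safe method of the kind --url-safe-methods would name. The ALLOWED_SCHEMES list and the handling of relative and protocol-relative paths are assumptions made for this example.

```ruby
require "erb"
require "uri"

# Stand-in for Rails 2.x link_to: the href is escaped but the link body is not,
# so a body of "<script>alert(1)</script>" is emitted as live markup.
def legacy_link_to(body, href)
  %(<a href="#{ERB::Util.html_escape(href)}">#{body}</a>)
end

# Stand-in for Rails 3+ link_to: body and href are both HTML-escaped. Escaping
# touches & < > " ' only, so "javascript:alert(1)" survives byte-for-byte.
def escaping_link_to(body, href)
  %(<a href="#{ERB::Util.html_escape(href)}">#{ERB::Util.html_escape(body)}</a>)
end

# Assumed policy for this example: only these schemes may appear in an href.
ALLOWED_SCHEMES = %w[http https mailto].freeze

# Hypothetical URL-safe method. Returns the value unchanged only if it is an
# absolute URL with an allow-listed scheme or a same-site path; anything else
# (javascript:, data:, mixed case, unparsable input, protocol-relative //host)
# is replaced with "#". Relative paths without a leading "/" are rejected too.
def safe_url(value)
  str = value.to_s.strip                      # browsers ignore surrounding whitespace
  uri = URI.parse(str)
  if uri.scheme.nil?
    return str if str.start_with?("/") && !str.start_with?("//")
    return "#"
  end
  ALLOWED_SCHEMES.include?(uri.scheme.downcase) ? str : "#"
rescue URI::InvalidURIError
  "#"
end

# The hardened combination: scheme check first, HTML escaping second.
def safe_link_to(body, href)
  escaping_link_to(body, safe_url(href))
end
```

The point to take from the block is that the scheme check, not the escaping, is what removes the risk: escaping_link_to returns the javascript: href untouched because the escaper has nothing to escape in it.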
Dangerous Evaluation
User input in an eval statement is VERY dangerous, so this will always raise a warning. Railroader looks for calls to eval, instance_eval, class_eval, and module_eval.
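As an added example of the kind of check the paragraph describes (this is not Railroader's code), the following builds a small taint-style detector on Ruby's own RubyVM::AbstractSyntaxTree. It flags calls to the four eval-family methods whose argument derives from params, either directly, through string interpolation, or through a local variable assigned from params. The sample controller source and its line numbers are constructed for the example.

```ruby
require "set"

EVAL_METHODS = %i[eval instance_eval class_eval module_eval].freeze

# Constructed sample controller. The single-quoted heredoc keeps the
# interpolation literal, so this text is parsed below, never executed.
SAMPLE_SOURCE = <<~'RUBY'
  class ReportsController < ApplicationController
    def run
      code = params[:code]
      @result = Report.new.instance_eval(code)        # tainted local: warn
    end

    def preview
      eval("Report.#{params[:kind]}")                 # interpolated params: warn
    end

    def static
      Report.class_eval("def summary; 'ok'; end")     # constant string: no warning
    end
  end
RUBY

Node = RubyVM::AbstractSyntaxTree::Node

# True if any node in the subtree reads `params` or a local already marked tainted.
def tainted?(node, tainted_locals)
  return false unless node.is_a?(Node)
  return true if %i[VCALL FCALL].include?(node.type) && node.children.first == :params
  return true if node.type == :LVAR && tainted_locals.include?(node.children.first)
  node.children.any? { |child| tainted?(child, tainted_locals) }
end

# Depth-first walk in source order, so an assignment is seen before later uses.
def walk(node, tainted_locals, warnings)
  return unless node.is_a?(Node)
  tainted_locals = Set.new if node.type == :DEFN        # fresh local scope per method
  case node.type
  when :LASGN                                           # name = value
    name, value = node.children
    tainted_locals << name if tainted?(value, tainted_locals)
  when :FCALL, :CALL                                    # eval(x) / receiver.instance_eval(x)
    method_name, args = node.type == :FCALL ? node.children : node.children[1, 2]
    if EVAL_METHODS.include?(method_name) && tainted?(args, tainted_locals)
      warnings << { line: node.first_lineno, method: method_name }
    end
  end
  node.children.each { |child| walk(child, tainted_locals, warnings) }
end

# Returns one {line:, method:} entry per flagged call, in source order.
def find_dangerous_evals(source)
  warnings = []
  walk(RubyVM::AbstractSyntaxTree.parse(source), Set.new, warnings)
  warnings
end

if __FILE__ == $PROGRAM_NAME
  find_dangerous_evals(SAMPLE_SOURCE).each do |w|
    puts "line #{w[:line]}: user input reaches #{w[:method]}"
  end
end
```

The detector is deliberately conservative in one direction only: any subtree that touches params is tainted, which is why the class_eval with a constant string is not reported while the local `code` is. It does not model method parameters, instance variables, or calls that return user data, which a real scanner must.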
Dangerous Send
Using unfiltered user data to select a Class or Method to be dynamically sent is dangerous: send ignores method visibility, so private methods are reachable as well, and constantize on user input resolves any loaded class.
It is much safer to whitelist the desired target or method.
Unsafe use of method:

  method = params[:method]
  @result = User.send(method.to_sym)

Safe:

  method = params[:method] == 1 ? :method_a : :method_b
  @result = User.send(method, *args)

Unsafe use of target:

  table = params[:table]
  model = table.classify.constantize
  @result = model.send(:method)

Safe:

  target = params[:target] == 1 ?
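The unsafe-versus-safe contrast above, worked through as an added example that is not Railroader's or Rails' code. User and Post are constructed stand-ins for models so the block runs without Rails, Object.const_get plays the role of classify.constantize, and the request hash uses string keys as a stand-in for params. ALLOWED_TARGETS is the assumed whitelist.

```ruby
# Constructed stand-in models. reset_secret is private to show that `send`
# reaches it anyway; delete_all stands for any destructive public method.
class User
  def self.recent;       [:alice, :bob]; end
  def self.count;        2; end
  def self.delete_all;   :all_users_deleted; end
  def self.reset_secret; :secret_rotated; end
  private_class_method :reset_secret
end

class Post
  def self.recent; [:hello_world]; end
end

# Assumed whitelist: which methods each reachable target may expose. Keys and
# values stay strings because request parameters arrive as strings; nothing
# from the request is converted with to_sym or constantize before this lookup.
ALLOWED_TARGETS = {
  "User" => %w[recent count],
  "Post" => %w[recent],
}.freeze

# Unsafe, shaped like the snippets above: the request picks both the class and
# the method. const_get resolves any loaded constant, and send ignores visibility.
def unsafe_dispatch(params)
  model = Object.const_get(params["table"])   # same role as table.classify.constantize
  model.send(params["method"].to_sym)
end

# Safe: both values are looked up in the whitelist first, and only a value that
# came from the whitelist is resolved. public_send is used so that, even if the
# whitelist were misconfigured, private methods stay out of reach.
def safe_dispatch(params)
  methods = ALLOWED_TARGETS.fetch(params["table"]) { raise ArgumentError, "unknown target" }
  raise ArgumentError, "method not permitted" unless methods.include?(params["method"])
  Object.const_get(params["table"]).public_send(params["method"])
end
```

Switching send to public_send on its own is not a fix: it stops the private reset_secret call but still lets the request invoke delete_all or any other public method, which is why the whitelist lookup comes first.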
Default Routes
The general default routes warning means there is a call to

  # Rails 2.x
  map.connect ":controller/:action/:id"

or

  # Rails 3.x
  match ':controller(/:action(/:id(.:format)))'

in config/routes.rb. This allows any public method on any controller to be called as an action.
If this warning is reported for a particular controller, it means there is a route to that controller containing :action.
Default routes can be dangerous if methods are made public which are not intended to be used as URLs or actions.