Read more about the different warnings Railroader reports:
- Attribute Restriction
- Authentication
- Basic Authentication
- Command Injection
- Cross-Site Request Forgery
- Cross Site Scripting
- Cross Site Scripting (Content Tag)
- Cross Site Scripting (JSON)
- Dangerous Evaluation
- Dangerous Send
- Default Routes
- Denial of Service
- Dynamic Render Paths
- File Access
- Format Validation
- Information Disclosure
- Mail Link
- Mass Assignment
- Remote Code Execution
- Remote Execution in YAML.load
- Session Manipulation
- Session Settings
- SQL Injection
- SSL Verification Bypass
- Unsafe Deserialization
- Unscoped Find
- Unsafe Redirects
Denial of Service
Denial of Service (DoS) is any attack which causes a service to become unavailable for legitimate clients.
For issues that Railroader detects, this typically arises in the form of memory leaks. In particular, since Symbols are not garbage collected, creation of large numbers of Symbols could lead to a server running out of memory.
Railroader checks for instances of user input which is converted to a Symbol. When this is not restricted, an attacker could create an unlimited number of Symbols.
Dynamic Render Path
When a call to render uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted. The issue may be worse if those templates execute code or modify the database.
This warning is shown whenever the path to be rendered is not a static string or symbol.
These warnings are often false positives, however, because it can be difficult to manipulate Rails’ assumptions about paths to perform malicious behavior.
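The Symbol-based denial of service above and the dynamic render path warning in this section share one root cause: untrusted input is allowed to choose an internal identifier (a Symbol, a template name). The following is an added example, not Railroader's or Rails' own code, showing the allowlist pattern that resolves both. The parameter names `sort` and `view`, and the constants `SORT_KEYS` and `REPORT_TEMPLATES`, are assumptions made up for the illustration.

```ruby
# Added example (not Railroader's or Rails' code): resolve untrusted input
# against a fixed allowlist and return the developer-chosen entry, never the
# client-supplied value itself.
def pick_allowed(input, allowed, default)
  allowed.find { |entry| entry.to_s == input.to_s } || default
end

# Assumed allowlists for this example.
SORT_KEYS        = [:name, :created_at, :updated_at].freeze
REPORT_TEMPLATES = %w[summary detail export].freeze

# Symbol DoS: `params["sort"].to_sym` would intern any string the client sends.
# Here the returned Symbol always comes from SORT_KEYS, which already exist, so
# the request can never create a new Symbol.
def sort_key_for(params)
  pick_allowed(params["sort"], SORT_KEYS, :created_at)
end

# Dynamic render path: `render params["view"]` would let the client pick the
# template. Here the template name always comes from REPORT_TEMPLATES, so the
# argument handed to render is effectively a static string.
def template_for(params)
  "reports/#{pick_allowed(params["view"], REPORT_TEMPLATES, "summary")}"
end
```

Because `pick_allowed` returns the allowlist entry rather than the input, the value that reaches `to_sym` or `render` is one the developer wrote, which is exactly the property Railroader checks for (a static string or symbol).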
File Access
Using user input when accessing files (local or remote) will raise a warning in Railroader.
For example

    File.open("/tmp/#{cookie[:file]}")

will produce a warning like

    Cookie value used in file name near line 4: File.open("/tmp/#{cookie[:file]}")

This type of vulnerability can be used to access arbitrary files on a server (including /etc/passwd).
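One way to keep user-supplied file names confined to a single directory, as an added example that is not Railroader's own code: expand the name relative to a fixed base directory and reject the result unless it still lies inside that directory. The base directory `/tmp/uploads` and the `cookie[:file]` layout are assumptions for the illustration.

```ruby
# Added example (not Railroader's code): confine a user-supplied file name to
# a fixed base directory before touching the filesystem.
UPLOAD_DIR = "/tmp/uploads".freeze # assumed location for this example

# Returns the absolute path if it stays inside base_dir, otherwise nil.
# The check is purely string-based, so it runs without disk access; symlinks
# inside base_dir would additionally need File.realpath at open time.
def safe_path(base_dir, user_name)
  name = user_name.to_s
  # Empty names, embedded NULs (which expand_path rejects with an exception)
  # and "~user" forms (which expand_path turns into home directories) are refused.
  return nil if name.empty? || name.include?("\0") || name.start_with?("~")

  base = File.expand_path(base_dir)
  # expand_path normalises "..", so an escape shows up as a path outside base;
  # an absolute user_name ignores base entirely and is caught the same way.
  candidate = File.expand_path(name, base)
  return nil unless candidate.start_with?(base + File::SEPARATOR)

  candidate
end

# The pattern Railroader flags: the cookie value is interpolated as-is.
def unsafe_open_path(cookie)
  "/tmp/#{cookie[:file]}"
end

# Hardened version: only read a file that safe_path accepted.
def read_user_file(cookie, base_dir = UPLOAD_DIR)
  path = safe_path(base_dir, cookie[:file])
  return nil unless path && File.file?(path)
  File.read(path)
end
```

`safe_path` also rejects the bare base directory itself (it requires a trailing separator after `base`), so a name such as `.` cannot be used to read the directory entry.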
Format Validation
Calls to validates_format_of ..., :with => // which do not use \A and \z as anchors will cause this warning. Using ^ and $ is not sufficient, as they will only match up to a new line. This allows an attacker to put whatever malicious input they would like before or after a new line character.
See the Ruby Security Guide for details.
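The following added example, which is not Railroader's own code, shows the difference between the two anchor styles in plain Ruby: `^` and `$` match at any line boundary, so a value containing a newline passes a line-anchored pattern even though only its first line matches. The `valid_username?` helper and the sample input are constructed for the illustration; it mimics the match that `validates_format_of` performs without requiring Rails.

```ruby
# Added example (not Railroader's code): why ^ and $ are not enough in Ruby.
LINE_ANCHORED   = /^[a-z0-9_]+$/     # the pattern the warning flags
STRING_ANCHORED = /\A[a-z0-9_]+\z/   # the pattern the docs recommend
# \Z (upper case) is a common near miss: it still allows one trailing newline.
ALMOST_ANCHORED = /\A[a-z0-9_]+\Z/

# Mimics validates_format_of: the value is valid if the pattern matches.
def valid_username?(value, pattern)
  !!(value =~ pattern)
end

# Constructed input: a line that satisfies the pattern, then anything at all.
SMUGGLED = "alice\n<b>not a username</b>".freeze

# Returns which of the three patterns accept a given value, for comparison.
def acceptance(value)
  {
    line:   valid_username?(value, LINE_ANCHORED),
    almost: valid_username?(value, ALMOST_ANCHORED),
    string: valid_username?(value, STRING_ANCHORED)
  }
end
```

With `SMUGGLED`, the line-anchored pattern reports a valid username because `^` and `$` match around the first line alone; `\A` and `\z` force the whole string to match. `\Z` sits in between: it rejects `SMUGGLED` but still accepts `"alice\n"`.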
Information Disclosure
Also known as information leakage or information exposure, this vulnerability refers to system or internal information (such as debugging output, stack traces, error messages, etc.) which is displayed to an end user.
For example, Rails provides detailed exception reports by default in the development environment, but it is turned off by default in production:
    # Full error reports are disabled
    config.consider_all_requests_local = false

Railroader warns if this setting is true in production or there is a show_detailed_exceptions?
Mail Link (CVE-2011-0446)
Certain versions of Rails were vulnerable to a cross-site scripting vulnerability in mail_to.
Versions of Rails after 2.3.10 or 3.0.3 are not affected. Updating or removing the mail_to links is advised.
For more details see CVE-2011-0446.
Mass Assignment
Mass assignment is a feature of Rails which allows an application to create a record from the values of a hash.
Example:
    User.new(params[:user])

Unfortunately, if there is a user field called admin which controls administrator access, now any user can make themselves an administrator with a query like

    ?user[admin]=true

Rails With Strong Parameters

In Rails 4 and newer, protection for mass assignment is on by default. Query parameters must be explicitly whitelisted via permit in order to be used in mass assignment:
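To show what whitelisting via permit achieves, here is an added example that is not Rails' ActionController::Parameters and not Railroader's code: a small stand-in `permit` that keeps only allowlisted keys, recursing into nested hashes the way `permit(:name, address: [:city])` does, so that an extra `admin` key from the query string is dropped before the hash reaches `User.new`. The parameter hash `RAW_PARAMS` is constructed for the illustration.

```ruby
# Added example (not Rails' own permit): keep only allowlisted keys.
# Allowlist entries are a symbol/string for a scalar key, or a one-entry hash
# { key => [nested allowlist] } for a nested hash, mirroring permit's syntax.
def permit(params, allowlist)
  return {} unless params.is_a?(Hash)

  allowlist.each_with_object({}) do |entry, permitted|
    if entry.is_a?(Hash)
      entry.each do |key, nested|
        value = params[key.to_s]
        permitted[key.to_s] = permit(value, nested) if value.is_a?(Hash)
      end
    else
      key = entry.to_s
      # A scalar entry never lets a whole sub-hash through.
      permitted[key] = params[key] if params.key?(key) && !params[key].is_a?(Hash)
    end
  end
end

# Constructed request, equivalent to
# ?user[name]=Alice&user[admin]=true&user[address][city]=Berlin&user[address][zone]=restricted
RAW_PARAMS = {
  "user" => {
    "name"    => "Alice",
    "admin"   => "true",
    "address" => { "city" => "Berlin", "zone" => "restricted" }
  }
}.freeze

# Vulnerable shape: User.new(params[:user]) would receive this hash unchanged.
def unsafe_user_params(params)
  params["user"]
end

# Strong-parameters shape: only name and address.city survive.
def user_params(params)
  permit(params["user"], [:name, { address: [:city] }])
end
```

Calling `user_params(RAW_PARAMS)` yields `{"name" => "Alice", "address" => {"city" => "Berlin"}}`: `admin` and `address.zone` never reach the model, whereas `unsafe_user_params` passes `admin => "true"` straight through.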
Nested Attributes (CVE-2010-3933)
Rails 2.3.9 and 3.0.0 are vulnerable to an attack on nested attributes wherein a malicious user could alter data in any record in the system.
It is recommended to upgrade to at least 2.3.10 or 3.0.1.
For more details see CVE-2010-3933.