Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Brakeman not detecting force_ssl #1584

Closed
coding-red-panda opened this issue Apr 22, 2021 · 4 comments · Fixed by #1585
Closed

Brakeman not detecting force_ssl #1584

coding-red-panda opened this issue Apr 22, 2021 · 4 comments · Fixed by #1585

Comments

@coding-red-panda
Copy link

Background

Brakeman version: 5.0.0
Rails version: 6.1.3.1
Ruby version: 3.0.0

Link to Rails application code: Private Commercial Project

Issue

Brakeman does not detect that the config.force_ssl feature is enabled.

Other Error

Run Brakeman with --debug to see the full stack trace.

Stack trace:

Loading scanner...
Processing application in /home/coding-bunny/RubymineProjects/customink_international
Processing gems...
Parsing Gemfile
[Notice] Detected Rails 6 application
Processing configuration...
Parsing config/environment.rb
Parsing config/application.rb
Parsing config/environments/production.rb
[Notice] Escaping HTML by default
[Notice] Skipping config setting: ssl_options.hsts.subdomains
Parsing files...
Parsing app/channels/application_cable/channel.rb
Parsing app/channels/application_cable/connection.rb
Parsing app/controllers/admin/api_controller.rb
Parsing app/controllers/admin/errors_controller.rb
Parsing app/controllers/admin/orders_controller.rb
Parsing app/controllers/application_controller.rb
Parsing app/controllers/auth_controller.rb
Parsing app/controllers/braintree_controller.rb
Parsing app/controllers/checkout_controller.rb
Parsing app/controllers/concerns/api_error.rb
Parsing app/controllers/orders_controller.rb
Parsing app/controllers/verification_tokens_controller.rb
Parsing app/helpers/colors_helper.rb
Parsing app/jobs/application_job.rb
Parsing app/jobs/base_job.rb
Parsing app/jobs/fulfillment_track_submission_job.rb
Parsing app/jobs/order_confirmation_job.rb
Parsing app/jobs/order_fulfillment_job.rb
Parsing app/mailboxes/application_mailbox.rb
Parsing app/mailers/application_mailer.rb
Parsing app/mailers/order_mailer.rb
Parsing app/models/address.rb
Parsing app/models/application_record.rb
Parsing app/models/concerns/geo_locateable.rb
Parsing app/models/country_codes.rb
Parsing app/models/fulfillment_track.rb
Parsing app/models/order.rb
Parsing app/models/relation_builders/errors.rb
Parsing app/models/relation_builders/orders.rb
Parsing app/services/address_sanitizer.rb
Parsing app/services/address_sanitizer/strategy/abbreviate_common_words.rb
Parsing app/services/address_sanitizer/strategy/countries_to_state.rb
Parsing app/services/address_sanitizer/strategy/normalize_state.rb
Parsing app/services/address_sanitizer/strategy/normalize_zip.rb
Parsing app/services/address_sanitizer/strategy/remove_notprovided_state.rb
Parsing app/services/address_sanitizer/strategy/replace_ordinal_indicators.rb
Parsing app/services/address_sanitizer/strategy/sanitize_ireland_zip.rb
Parsing app/services/address_sanitizer/strategy/states_to_country.rb
Parsing app/services/address_sanitizer/strategy/strip_dashes.rb
Parsing app/services/address_sanitizer/strategy/strip_whitespace.rb
Parsing app/services/address_sanitizer/strategy/transliteration.rb
Parsing app/services/address_validator/encoding_validator.rb
Parsing app/services/address_validator/us_military_base_validator.rb
Parsing app/services/address_verifier.rb
Parsing app/services/braintree_provider.rb
Parsing app/services/concerns/order_creator_hash_builder.rb
Parsing app/services/custom_ink/customer_payload_builder.rb
Parsing app/services/custom_ink/delivery_estimator.rb
Parsing app/services/custom_ink/design_payload_builder.rb
Parsing app/services/custom_ink/payload_builder.rb
Parsing app/services/custom_ink/product_builder.rb
Parsing app/services/custom_ink/profiles_service.rb
Parsing app/services/custom_ink/sku_service.rb
Parsing app/services/design_quote_service.rb
Parsing app/services/fulfillment_track_pipeline.rb
Parsing app/services/order_creator.rb
Parsing app/services/payment/request.rb
Parsing app/services/quote_service.rb
Parsing app/services/shipping/easy_post_api.rb
Parsing config/application.rb
Parsing config/boot.rb
Parsing config/environment.rb
Parsing config/environments/development.rb
Parsing config/environments/production.rb
Parsing config/environments/staging.rb
Parsing config/environments/test.rb
Parsing config/initializers/application_controller_renderer.rb
Parsing config/initializers/assets.rb
Parsing config/initializers/backtrace_silencers.rb
Parsing config/initializers/braintree.rb
Parsing config/initializers/content_security_policy.rb
Parsing config/initializers/cookies_serializer.rb
Parsing config/initializers/design_client.rb
Parsing config/initializers/dry.rb
Parsing config/initializers/easypost.rb
Parsing config/initializers/filter_parameter_logging.rb
Parsing config/initializers/gdpr_rails.rb
Parsing config/initializers/inflections.rb
Parsing config/initializers/mime_types.rb
Parsing config/initializers/mms_client.rb
Parsing config/initializers/quote_client.rb
Parsing config/initializers/rollbar.rb
Parsing config/initializers/sidekiq.rb
Parsing config/initializers/wrap_parameters.rb
Parsing config/puma.rb
Parsing config/routes.rb
Parsing config/spring.rb
Parsing lib/gdpr/order_collection.rb
Parsing lib/internal_user_constraints.rb
Parsing lib/rounder.rb
Parsing node_modules/node-sass/src/libsass/extconf.rb
Parsing /home/coding-bunny/RubymineProjects/customink_international/app/views/active_storage/blobs/_blob.html.erb
Parsing app/views/active_storage/blobs/_blob.html.erb
Parsing /home/coding-bunny/RubymineProjects/customink_international/app/views/application/index.html.erb
Parsing app/views/application/index.html.erb
Parsing /home/coding-bunny/RubymineProjects/customink_international/app/views/layouts/application.html.erb
Parsing app/views/layouts/application.html.erb
Parsing /home/coding-bunny/RubymineProjects/customink_international/app/views/layouts/mailer.html.erb
Parsing app/views/layouts/mailer.html.erb
Parsing /home/coding-bunny/RubymineProjects/customink_international/app/views/mailers/_css.html.erb
Parsing app/views/mailers/_css.html.erb
Parsing /home/coding-bunny/RubymineProjects/customink_international/app/views/mailers/_get_support.html.erb
Parsing app/views/mailers/_get_support.html.erb
Parsing /home/coding-bunny/RubymineProjects/customink_international/app/views/mailers/order_confirmation.html.erb
Parsing app/views/mailers/order_confirmation.html.erb
Detecting file types...
Processing initializers...
Processing /home/coding-bunny/RubymineProjects/customink_international/config/initializers/assets.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/config/initializers/braintree.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/config/initializers/cookies_serializer.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/config/initializers/design_client.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/config/initializers/dry.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/config/initializers/easypost.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/config/initializers/filter_parameter_logging.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/config/initializers/gdpr_rails.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/config/initializers/mms_client.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/config/initializers/quote_client.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/config/initializers/rollbar.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/config/initializers/sidekiq.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/config/initializers/wrap_parameters.rb
Processing libs...
Processing /home/coding-bunny/RubymineProjects/customink_international/app/channels/application_cable/channel.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/channels/application_cable/connection.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/helpers/colors_helper.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/jobs/application_job.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/jobs/base_job.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/jobs/fulfillment_track_submission_job.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/jobs/order_confirmation_job.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/jobs/order_fulfillment_job.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/mailboxes/application_mailbox.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/mailers/application_mailer.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/mailers/order_mailer.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/address_sanitizer.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/address_sanitizer/strategy/abbreviate_common_words.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/address_sanitizer/strategy/countries_to_state.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/address_sanitizer/strategy/normalize_state.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/address_sanitizer/strategy/normalize_zip.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/address_sanitizer/strategy/remove_notprovided_state.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/address_sanitizer/strategy/replace_ordinal_indicators.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/address_sanitizer/strategy/sanitize_ireland_zip.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/address_sanitizer/strategy/states_to_country.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/address_sanitizer/strategy/strip_dashes.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/address_sanitizer/strategy/strip_whitespace.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/address_sanitizer/strategy/transliteration.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/address_validator/encoding_validator.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/address_validator/us_military_base_validator.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/address_verifier.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/braintree_provider.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/concerns/order_creator_hash_builder.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/custom_ink/customer_payload_builder.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/custom_ink/delivery_estimator.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/custom_ink/design_payload_builder.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/custom_ink/payload_builder.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/custom_ink/product_builder.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/custom_ink/profiles_service.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/custom_ink/sku_service.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/design_quote_service.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/fulfillment_track_pipeline.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/order_creator.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/payment/request.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/quote_service.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/services/shipping/easy_post_api.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/config/boot.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/config/environment.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/config/environments/development.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/config/environments/staging.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/config/environments/test.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/config/puma.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/config/routes.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/config/spring.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/lib/gdpr/order_collection.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/lib/internal_user_constraints.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/lib/rounder.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/node_modules/node-sass/src/libsass/extconf.rb
Processing routes...          
Parsing config/routes.rb
Processing templates...       
Processing /home/coding-bunny/RubymineProjects/customink_international/app/views/active_storage/blobs/_blob.html.erb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/views/application/index.html.erb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/views/layouts/application.html.erb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/views/layouts/mailer.html.erb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/views/mailers/_css.html.erb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/views/mailers/_get_support.html.erb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/views/mailers/order_confirmation.html.erb
Processing data flow in templates...
Processing active_storage/blobs/_blob
Processing application/index
Processing layouts/application
Processing layouts/mailer
Rendering mailers/_css (["Template:layouts/mailer"])
Rendering mailers/_get_support (["Template:layouts/mailer"])
Processing mailers/_cssd
Processing mailers/_get_support
Processing mailers/order_confirmation
Processing models...          
Processing /home/coding-bunny/RubymineProjects/customink_international/app/models/address.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/models/application_record.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/models/concerns/geo_locateable.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/models/country_codes.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/models/fulfillment_track.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/models/order.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/models/relation_builders/errors.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/models/relation_builders/orders.rb
Processing controllers...     
Processing /home/coding-bunny/RubymineProjects/customink_international/app/controllers/admin/api_controller.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/controllers/admin/errors_controller.rb
[Notice] Treating inner class as library: Error
[Notice] Treating inner class as library: UnableToRetry
Processing /home/coding-bunny/RubymineProjects/customink_international/app/controllers/admin/orders_controller.rb
[Notice] Treating inner class as library: Error
[Notice] Treating inner class as library: AlreadyClaimedError
Processing /home/coding-bunny/RubymineProjects/customink_international/app/controllers/application_controller.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/controllers/auth_controller.rb
[Notice] Treating inner class as library: NonInternalUserError
Processing /home/coding-bunny/RubymineProjects/customink_international/app/controllers/braintree_controller.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/controllers/checkout_controller.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/controllers/concerns/api_error.rb
[Notice] Adding noncontroller as library: ApiError
Processing /home/coding-bunny/RubymineProjects/customink_international/app/controllers/orders_controller.rb
Processing /home/coding-bunny/RubymineProjects/customink_international/app/controllers/verification_tokens_controller.rb
Processing data flow in controllers...
Processing Admin::ApiController
Processing Admin::ApiController#authenticate_user
Processing Admin::ApiController#resolve_user
Rendering layouts/application (["Admin::ApiController#resolve_user"])
Rendering admin/api/resolve_user (["Admin::ApiController#resolve_user"])
[Notice] No such template: admin/api/resolve_user
Processing Admin::ErrorsController
Processing Admin::ErrorsController#index
Rendering layouts/application (["Admin::ErrorsController#index"])
Rendering admin/errors/index (["Admin::ErrorsController#index"])
[Notice] No such template: admin/errors/index
Processing Admin::ErrorsController#retry_fulfillment
Rendering layouts/application (["Admin::ErrorsController#retry_fulfillment"])
Rendering admin/errors/retry_fulfillment (["Admin::ErrorsController#retry_fulfillment"])
[Notice] No such template: admin/errors/retry_fulfillment
Processing Admin::ErrorsController#fulfillment_track
Rendering layouts/application (["Admin::ErrorsController#fulfillment_track"])
Rendering admin/errors/fulfillment_track (["Admin::ErrorsController#fulfillment_track"])
[Notice] No such template: admin/errors/fulfillment_track
Processing Admin::ErrorsController#errors
Rendering layouts/application (["Admin::ErrorsController#errors"])
Rendering admin/errors/errors (["Admin::ErrorsController#errors"])
[Notice] No such template: admin/errors/errors
Processing Admin::OrdersController
Processing Admin::OrdersController#index
[Notice] Could not find filter set_paper_trail_whodunnit
Rendering layouts/application (["Admin::OrdersController#index"])
Rendering admin/orders/index (["Admin::OrdersController#index"])
[Notice] No such template: admin/orders/index
Processing Admin::OrdersController#show
[Notice] Could not find filter set_paper_trail_whodunnit
Rendering layouts/application (["Admin::OrdersController#show"])
Rendering admin/orders/show (["Admin::OrdersController#show"])
[Notice] No such template: admin/orders/show
Processing Admin::OrdersController#claim
[Notice] Could not find filter set_paper_trail_whodunnit
Processing Admin::OrdersController#save_note
[Notice] Could not find filter set_paper_trail_whodunnit
Rendering layouts/application (["Admin::OrdersController#save_note"])
Rendering admin/orders/save_note (["Admin::OrdersController#save_note"])
[Notice] No such template: admin/orders/save_note
Processing Admin::OrdersController#order
[Notice] Could not find filter set_paper_trail_whodunnit
Rendering layouts/application (["Admin::OrdersController#order"])
Rendering admin/orders/order (["Admin::OrdersController#order"])
[Notice] No such template: admin/orders/order
Processing Admin::OrdersController#orders
[Notice] Could not find filter set_paper_trail_whodunnit
Rendering layouts/application (["Admin::OrdersController#orders"])
Rendering admin/orders/orders (["Admin::OrdersController#orders"])
[Notice] No such template: admin/orders/orders
Processing Admin::OrdersController#order_search_params
[Notice] Could not find filter set_paper_trail_whodunnit
Rendering layouts/application (["Admin::OrdersController#order_search_params"])
Rendering admin/orders/order_search_params (["Admin::OrdersController#order_search_params"])
[Notice] No such template: admin/orders/order_search_params
Processing ApplicationController
Processing ApplicationController#index
Rendering layouts/application (["ApplicationController#index"])
Rendering application/index (["ApplicationController#index"])
Processing ApplicationController#initialize_environment
Rendering layouts/application (["ApplicationController#initialize_environment"])
Rendering application/initialize_environment (["ApplicationController#initialize_environment"])
[Notice] No such template: application/initialize_environment
Processing ApplicationController#build_environment_hash
Rendering layouts/application (["ApplicationController#build_environment_hash"])
Rendering application/build_environment_hash (["ApplicationController#build_environment_hash"])
[Notice] No such template: application/build_environment_hash
Processing ApplicationController#address_validation_config
Rendering layouts/application (["ApplicationController#address_validation_config"])
Rendering application/address_validation_config (["ApplicationController#address_validation_config"])
[Notice] No such template: application/address_validation_config
Processing AuthControllerd
Processing AuthController#sign_in_with_google
Processing AuthController#sign_out
Rendering layouts/application (["AuthController#sign_out"])
Rendering auth/sign_out (["AuthController#sign_out"])
[Notice] No such template: auth/sign_out
Processing AuthController#user_info
Processing BraintreeController
Processing BraintreeController#token
Processing CheckoutController
Processing CheckoutController#quote
Processing CheckoutController#validate_address
Processing CheckoutController#checkout_items
Rendering layouts/application (["CheckoutController#checkout_items"])
Rendering checkout/checkout_items (["CheckoutController#checkout_items"])
[Notice] No such template: checkout/checkout_items
Processing CheckoutController#address_params
Rendering layouts/application (["CheckoutController#address_params"])
Rendering checkout/address_params (["CheckoutController#address_params"])
[Notice] No such template: checkout/address_params
Processing CheckoutController#address_attributes
Rendering layouts/application (["CheckoutController#address_attributes"])
Rendering checkout/address_attributes (["CheckoutController#address_attributes"])
[Notice] No such template: checkout/address_attributes
Processing OrdersController
Processing OrdersController#create
Processing OrdersController#log_warning
Rendering layouts/application (["OrdersController#log_warning"])
Rendering orders/log_warning (["OrdersController#log_warning"])
[Notice] No such template: orders/log_warning
Processing OrdersController#create_order
Rendering layouts/application (["OrdersController#create_order"])
Rendering orders/create_order (["OrdersController#create_order"])
[Notice] No such template: orders/create_order
Processing VerificationTokensController
Processing VerificationTokensController#loaderio
Rendering verification_tokens/loaderio (["VerificationTokensController#loaderio"])
[Notice] No such template: verification_tokens/loaderio
Indexing call sites...        
Running checks in parallel...
 - CheckBasicAuth
 - CheckBasicAuthTimingAttack
 - CheckCrossSiteScripting
 - CheckContentTag
Automatic to_json escaping is enabled.
 - CheckCookieSerialization
Checking application/index.["ApplicationController#index"] for XSS
Checking layouts/application.["Admin::ApiController#resolve_user"] for XSS
 - CheckCreateWith
 - CheckCSRFTokenForgeryCVE
 - CheckDefaultRoutes
 - CheckDeserialize
 - CheckDetailedExceptions
Checking for XSS in content_tag
Checking layouts/application.["Admin::ErrorsController#index"] for XSS
Checking mailers/_css.["Template:layouts/mailer"] for XSS
Checking mailers/_get_support.["Template:layouts/mailer"] for XSS
Checking active_storage/blobs/_blob for XSS
Checking application/index for XSS
Checking layouts/application for XSS
Checking layouts/mailer for XSS
Checking mailers/_css for XSS
Checking mailers/_get_support for XSS
Checking mailers/order_confirmation for XSS
Checking each controller for default routes
 - CheckDigestDoS
 - CheckDynamicFinders
 - CheckEscapeFunction
 - CheckEvaluation
 - CheckExecute
Finding eval-like calls
 - CheckFileAccess
Processing eval-like calls
Finding system calls using ``
 - CheckFileDisclosure
Finding other system calls
 - CheckFilterSkipping
Finding possible file access
Processing system calls
 - CheckForgerySetting
Finding calls to load()
Finding calls using FileUtils
Processing found calls
 - CheckHeaderDoS
 - CheckI18nXSS
 - CheckJRubyXML
 - CheckJSONEncoding
 - CheckJSONEntityEscape
 - CheckJSONParsing
 - CheckLinkTo
 - CheckLinkToHref
 - CheckMailTo
 - CheckMassAssignment
 - CheckMimeTypeDoS
 - CheckModelAttrAccessible
 - CheckModelAttributes
 - CheckModelSerialize
 - CheckNestedAttributes
 - CheckNestedAttributesBypass
 - CheckNumberToCurrency
 - CheckPageCachingCVE
 - CheckPermitAttributes
 - CheckQuoteTableName
 - CheckRedirect
 - CheckRegexDoS
Finding calls to redirect_to()
 - CheckRender
 - CheckRenderDoS
 - CheckRenderInline
Finding dynamic regexes
Processing dynamic regexes
Automatic to_json escaping is enabled.
 - CheckResponseSplitting
 - CheckRouteDoS
 - CheckSafeBufferManipulation
 - CheckSanitizeMethods
 - CheckSelectTag
 - CheckSelectVulnerability
 - CheckSend
 - CheckSendFile
Finding instances of #send
 - CheckSessionManipulation
Finding all calls to send_file()
 - CheckSessionSettings
 - CheckSimpleFormat
 - CheckSingleQuotes
 - CheckSkipBeforeFilter
 - CheckSprocketsPathTraversal
 - CheckSQL
 - CheckSQLCVEs
Finding possible SQL calls on models
 - CheckSSLVerify
Finding possible SQL calls with no target
Finding possible SQL calls using constantized()
Finding calls to named_scope or scope
Processing possible SQL calls
 - CheckStripTags
 - CheckSymbolDoSCVE
 - CheckTemplateInjection
Finding calls to strip_tags()
 - CheckTranslateBug
Finding ERB.new calls
 - CheckUnsafeReflection
Processing ERB.new calls
 - CheckUnsafeReflectionMethods
 - CheckValidationRegex
 - CheckVerbConfusion
 - CheckWithoutProtection
 - CheckXMLDoS
 - CheckYAMLParsing
 - CheckDivideByZero
 - CheckForceSSL
 - CheckReverseTabnabbing
 - CheckSecrets
 - CheckSymbolDoS
 - CheckUnscopedFind
 - CheckWeakHash
Finding instances of #find on models with associations
Checks finished, collecting results...
Generating report...

== Brakeman Report ==

Application Path: /home/coding-bunny/RubymineProjects/customink_international
Rails Version: 6.1.3.1
Brakeman Version: 5.0.0
Scan Date: 2021-04-22 15:30:50 +0200
Duration: 1.246224233 seconds
Checks Run: BasicAuth, BasicAuthTimingAttack, CSRFTokenForgeryCVE, ContentTag, CookieSerialization, CreateWith, CrossSiteScripting, DefaultRoutes, Deserialize, DetailedExceptions, DigestDoS, DivideByZero, DynamicFinders, EscapeFunction, Evaluation, Execute, FileAccess, FileDisclosure, FilterSkipping, ForceSSL, ForgerySetting, HeaderDoS, I18nXSS, JRubyXML, JSONEncoding, JSONEntityEscape, JSONParsing, LinkTo, LinkToHref, MailTo, MassAssignment,:...skipping...

== Brakeman Report ==

Application Path: /home/coding-bunny/RubymineProjects/customink_international
Rails Version: 6.1.3.1
Brakeman Version: 5.0.0
Scan Date: 2021-04-22 15:30:50 +0200
Duration: 1.246224233 seconds
Checks Run: BasicAuth, BasicAuthTimingAttack, CSRFTokenForgeryCVE, ContentTag, CookieSerialization, CreateWith, CrossSiteScripting, DefaultRoutes, Deserialize, DetailedExceptions, DigestDoS, DivideByZero, DynamicFinders, EscapeFunction, Evaluation, Execute, FileAccess, FileDisclosure, FilterSkipping, ForceSSL, ForgerySetting, HeaderDoS, I18nXSS, JRubyXML, JSONEncoding, JSONEntityEscape, JSONParsing, LinkTo, LinkToHref, MailTo, MassAssignment, MimeTypeDoS, ModelAttrAccessible, ModelAttributes, ModelSerialize, NestedAttributes, NestedAttributesBypass, NumberToCurrency, PageCachingCVE, PermitAttributes, QuoteTableName, Redirect, RegexDoS, Render, RenderDoS, Render:...skipping...

== Brakeman Report ==

Application Path: /home/coding-bunny/RubymineProjects/customink_international
Rails Version: 6.1.3.1
Brakeman Version: 5.0.0
Scan Date: 2021-04-22 15:30:50 +0200
Duration: 1.246224233 seconds
Checks Run: BasicAuth, BasicAuthTimingAttack, CSRFTokenForgeryCVE, ContentTag, CookieSerialization, CreateWith, CrossSiteScripting, DefaultRoutes, Deserialize, DetailedExceptions, DigestDoS, DivideByZero, DynamicFinders, EscapeFunction, Evaluation, Execute, FileAccess, FileDisclosure, FilterSkipping, ForceSSL, ForgerySetting, HeaderDoS, I18nXSS, JRubyXML, JSONEncoding, JSONEntityEscape, JSONParsing, LinkTo, LinkToHref, MailTo, MassAssignment, MimeTypeDoS, ModelAttrAccessible, ModelAttributes, ModelSerialize, NestedAttributes, NestedAttributesBypass, NumberToCurrency, PageCachingCVE, PermitAttributes, QuoteTableName, Redirect, RegexDoS, Render, RenderDoS, RenderInline, ResponseSplitting, ReverseTabnabbing, RouteDoS, SQL, SQLCVEs, SSLVerify, SafeBufferManipulation, SanitizeMethods, Secrets, SelectTag, SelectVulnerability, Send, SendFile, SessionManipulation, SessionSettings, SimpleFormat, SingleQuotes, SkipBeforeFilter, SprocketsPathTraversal, StripTags, SymbolDoS, SymbolDoSCVE, TemplateInjection, TranslateBug, UnsafeReflection, UnsafeReflectionMethods, UnscopedFind, ValidationRegex, VerbConfusion, WeakHash, WithoutProtection, XMLDoS, YAMLParsing

:...skipping...

== Brakeman Report ==

Application Path: /home/coding-bunny/RubymineProjects/customink_international
Rails Version: 6.1.3.1
Brakeman Version: 5.0.0
Scan Date: 2021-04-22 15:30:50 +0200
Duration: 1.246224233 seconds
Checks Run: BasicAuth, BasicAuthTimingAttack, CSRFTokenForgeryCVE, ContentTag, CookieSerialization, CreateWith, CrossSiteScripting, DefaultRoutes, Deserialize, DetailedExceptions, DigestDoS, DivideByZero, DynamicFinders, EscapeFunction, Evaluation, Execute, FileAccess, FileDisclosure, FilterSkipping, ForceSSL, ForgerySetting, HeaderDoS, I18nXSS, JRubyXML, JSONEncoding, JSONEntityEscape, JSONParsing, LinkTo, LinkToHref, MailTo, MassAssignment, MimeTypeDoS, ModelAttrAccessible, ModelAttributes, ModelSerialize, NestedAttributes, NestedAttributesBypass, NumberToCurrency, PageCachingCVE, PermitAttributes, QuoteTableName, Redirect, RegexDoS, Render, RenderDoS, RenderInline, ResponseSplitting, ReverseTabnabbing, RouteDoS, SQL, SQLCVEs, SSLVerify, SafeBufferManipulation, SanitizeMethods, Secrets, SelectTag, SelectVulnerability, Send, SendFile, SessionManipulation, SessionSettings, SimpleFormat, SingleQuotes, SkipBeforeFilter, SprocketsPathTraversal, StripTags, SymbolDoS, SymbolDoSCVE, TemplateInjection, TranslateBug, UnsafeReflection, UnsafeReflectionMethods, UnscopedFind, ValidationRegex, VerbConfusion, WeakHash, WithoutProtection, XMLDoS, YAMLParsing

== Overview ==

Controllers: 9
Models: 6
Templates: 7
:...skipping...

== Brakeman Report ==

Application Path: /home/coding-bunny/RubymineProjects/customink_international
Rails Version: 6.1.3.1
Brakeman Version: 5.0.0
Scan Date: 2021-04-22 15:30:50 +0200
Duration: 1.246224233 seconds
Checks Run: BasicAuth, BasicAuthTimingAttack, CSRFTokenForgeryCVE, ContentTag, CookieSerialization, CreateWith, CrossSiteScripting, DefaultRoutes, Deserialize, DetailedExceptions, DigestDoS, DivideByZero, DynamicFinders, EscapeFunction, Evaluation, Execute, FileAccess, FileDisclosure, FilterSkipping, ForceSSL, ForgerySetting, HeaderDoS, I18nXSS, JRubyXML, JSONEncoding, JSONEntityEscape, JSONParsing, LinkTo, LinkToHref, MailTo, MassAssignment, MimeTypeDoS, ModelAttrAccessible, ModelAttributes, ModelSerialize, NestedAttributes, NestedAttributesBypass, NumberToCurrency, PageCachingCVE, PermitAttributes, QuoteTableName, Redirect, RegexDoS, Render, RenderDoS, RenderInline, ResponseSplitting, ReverseTabnabbing, RouteDoS, SQL, SQLCVEs, SSLVerify, SafeBufferManipulation, SanitizeMethods, Secrets, SelectTag, SelectVulnerability, Send, SendFile, SessionManipulation, SessionSettings, SimpleFormat, SingleQuotes, SkipBeforeFilter, SprocketsPathTraversal, StripTags, SymbolDoS, SymbolDoSCVE, TemplateInjection, TranslateBug, UnsafeReflection, UnsafeReflectionMethods, UnscopedFind, ValidationRegex, VerbConfusion, WeakHash, WithoutProtection, XMLDoS, YAMLParsing

== Overview ==

Controllers: 9
Models: 6
Templates: 7
Errors: 0
Security Warnings: 1

== Warning Types ==

Missing Encryption: 1

== Controller Overview ==

Controller: Admin::ApiController
Parent: ApplicationController
Routes: [None]

Controller: Admin::ErrorsController
Parent: ::Admin::ApiController
Routes: [None]

Controller: Admin::OrdersController
Parent: ::Admin::ApiController
Routes: [None]

Controller: ApplicationController
Parent: ::ActionController::Base
Routes: index

Controller: AuthController
Parent: ::ApplicationController
Routes: [None]

Controller: BraintreeController
Parent: ::ApplicationController
Routes: [None]

Controller: CheckoutController
Parent: ::ApplicationController
Routes: [None]

Controller: OrdersController
Parent: ::ApplicationController
Routes: [None]

Controller: VerificationTokensController
Parent: ::ApplicationController
Routes: loaderio

== Template Output ==

active_storage/blobs/_blob



[Escaped Output] blob.filename.extension
[Escaped Output] image_tag(blob.representation(:resize_to_limit => (local_assigns[:in_gallery] ? ([800, 600]) : ([1024, 768]))))
[Escaped Output] caption
[Escaped Output] blob.filename
[Escaped Output] number_to_human_size(blob.byte_size)

layouts/application

[Escaped Output] csrf_meta_tags
[Escaped Output] csp_meta_tag
[Escaped Output] stylesheet_pack_tag("application", :media => "all")
[Escaped Output] @app_config.to_json.html_safe
[Escaped Output] ENV.fetch("GOOGLE_TAG_MANAGER_ID")
[Escaped Output] ENV.fetch("GOOGLE_TAG_MANAGER_ID")
[Escaped Output] javascript_pack_tag("application")
[Escaped Output] yield

layouts/application.["Admin::ApiController#resolve_user"]

[Escaped Output] csrf_meta_tags
[Escaped Output] csp_meta_tag
[Escaped Output] stylesheet_pack_tag("application", :media => "all")
[Escaped Output] ::Rails.cache.fetch("application_controller/initialize_environment/config", :expires_in => 1.day) do; build_environment_hash; end.to_json.html_safe
[Escaped Output] ENV.fetch("GOOGLE_TAG_MANAGER_ID")
[Escaped Output] ENV.fetch("GOOGLE_TAG_MANAGER_ID")
[Escaped Output] javascript_pack_tag("application")
[Escaped Output] yield

layouts/application.["Admin::ErrorsController#index"]

[Escaped Output] csrf_meta_tags
[Escaped Output] csp_meta_tag
[Escaped Output] stylesheet_pack_tag("application", :media => "all")
[Escaped Output] @app_config.to_json.html_safe
[Escaped Output] ENV.fetch("GOOGLE_TAG_MANAGER_ID")
[Escaped Output] ENV.fetch("GOOGLE_TAG_MANAGER_ID")
[Escaped Output] javascript_pack_tag("application")
[Escaped Output] yield

layouts/mailer

[Escaped Output] render(partial => "mailers/css", {})
[Escaped Output] @data[:preheader]

[Escaped Output] image_url("emails/logo.png")
[Escaped Output] image_url("emails/icon-phone.png")
[Escaped Output] yield
[Escaped Output] render(partial => "mailers/get_support", {})
[Escaped Output] Date.current.year

mailers/_get_support

[Escaped Output] image_url("emails/icon-phone.png")
[Escaped Output] image_url("emails/icon-chat.png")
[Escaped Output] image_url("emails/icon-email.png")

mailers/_get_support.["Template:layouts/mailer"]

[Escaped Output] image_url("emails/icon-phone.png")
[Escaped Output] image_url("emails/icon-chat.png")
[Escaped Output] image_url("emails/icon-email.png")

mailers/order_confirmation

[Escaped Output] image_url("emails/icon-ok.png")
[Escaped Output] @order.customink_id
[Escaped Output] view[:url]
[Escaped Output] product[:product_name]
[Escaped Output] product[:color_name]
[Escaped Output] product[:quantity]
[Escaped Output] product[:quantity_by_size].reject do; qty.zero?; end.map do; "#{size}: #{qty}"; end.join(", ")
[Escaped Output] number_to_currency(@order[:subtotal_price])
[Escaped Output] number_to_currency(@order[:shipping_price])
[Escaped Output] number_to_currency(@order[:total_price])
[Escaped Output] @order.shipping_address.full_name
[Escaped Output] @order.shipping_address.organization
[Escaped Output] @order.shipping_address.shipping1
[Escaped Output] @order.shipping_address.shipping2
[Escaped Output] @order.shipping_address.city
[Escaped Output] @order.shipping_address.state
[Escaped Output] @order.shipping_address.zip
[Escaped Output] @order.shipping_address.country
[Escaped Output] @order.shipping_address.phone_number
[Escaped Output] @order.billing_address.full_name
[Escaped Output] @order.billing_address.shipping1
[Escaped Output] @order.billing_address.shipping2
[Escaped Output] @order.billing_address.city
[Escaped Output] @order.billing_address.state
[Escaped Output] @order.billing_address.zip
[Escaped Output] @order.billing_address.country

== Warnings ==

Confidence: High
Category: Missing Encryption
Check: ForceSSL
Message: The application does not force use of HTTPS: `config.force_ssl` is not enabled
File: config/environments/production.rb
Line: 1

Additional Info

Just running bundle exec brakeman does not perform the check for SSL.
Only when using the -A flag.
The setting is clearly enabled in my config/production.rb
@presidentbeef
Copy link
Owner

Hi @coding-bunny - thank you for the details, but what really matters is what production.rb looks like 😄 in order to determine why brakeman isn't picking it up.

@coding-red-panda
Copy link
Author

Here's the production.rb:

# frozen_string_literal: true

::Rails.application.configure do
  # Prepare the ingress controller used to receive mail
  # config.action_mailbox.ingress = :relay

  # Settings specified here will take precedence over those in config/application.rb.

  # Code is not reloaded between requests.
  config.cache_classes = true

  # Eager load code on boot. This eager loads most of Rails and
  # your application in memory, allowing both threaded web servers
  # and those relying on copy on write to perform better.
  # Rake tasks automatically ignore this option for performance.
  config.eager_load = true

  # Full error reports are disabled and caching is turned on.
  config.consider_all_requests_local       = false
  config.action_controller.perform_caching = true

  # Ensures that a master key has been made available in either ENV["RAILS_MASTER_KEY"]
  # or in config/master.key. This key is used to decrypt credentials (and other encrypted files).
  # config.require_master_key = true

  # Disable serving static files from the `/public` folder by default since
  # Apache or NGINX already handles this.
  config.public_file_server.enabled = ::ENV['RAILS_SERVE_STATIC_FILES'].present?

  if ::ENV['RAILS_SERVE_STATIC_FILES'].present?
    config.public_file_server.headers = { 'Cache-Control' => "public, max-age=#{1.year.to_i}" }
  end

  # Compress CSS using a preprocessor.
  # config.assets.css_compressor = :sass

  # Do not fallback to assets pipeline if a precompiled asset is missed.
  config.assets.compile = false

  # Enable serving of images, stylesheets, and JavaScripts from an asset server.
  # config.action_controller.asset_host = 'http://assets.example.com'

  # Specifies the header that your server uses for sending files.
  # config.action_dispatch.x_sendfile_header = 'X-Sendfile' # for Apache
  # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for NGINX

  # Store uploaded files on the local file system (see config/storage.yml for options).
  config.active_storage.service = :local

  # Mount Action Cable outside main process or domain.
  # config.action_cable.mount_path = nil
  # config.action_cable.url = 'wss://example.com/cable'
  # config.action_cable.allowed_request_origins = [ 'http://example.com', /http:\/\/example.*/ ]

  # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
  config.force_ssl = true

  # Use the lowest log level to ensure availability of diagnostic information
  # when problems arise.
  config.log_level = :debug

  # Prepend all log lines with the following tags.
  config.log_tags = [:request_id]

  # Use a different cache store in production.
  # config.cache_store = :mem_cache_store

  # Use a real queuing backend for Active Job (and separate queues per environment).
  # config.active_job.queue_adapter     = :resque
  # config.active_job.queue_name_prefix = "custom_ink_international_production"

  config.action_mailer.perform_caching = false
  config.action_mailer.asset_host = 'https://checkout.customink.com'
  config.action_mailer.default_url_options = { host: 'https://checkout.customink.com' }

  config.action_mailer.delivery_method = :smtp
  config.action_mailer.smtp_settings = {
    user_name: 'apikey',
    password: ::ENV.fetch('SENDGRID_API_KEY', ''),
    address: 'smtp.sendgrid.net',
    domain: 'checkout.customink.com',
    port: '587',
    authentication: :plain
  }

  # Ignore bad email addresses and do not raise email delivery errors.
  # Set this to true and configure the email server for immediate delivery to raise delivery errors.
  # config.action_mailer.raise_delivery_errors = false

  # Enable locale fallbacks for I18n (makes lookups for any locale fall back to
  # the I18n.default_locale when a translation cannot be found).
  config.i18n.fallbacks = true

  # Send deprecation notices to registered listeners.
  config.active_support.deprecation = :notify

  # Use default logging formatter so that PID and timestamp are not suppressed.
  config.log_formatter = ::Logger::Formatter.new

  # Use a different logger for distributed setups.
  # require 'syslog/logger'
  # config.logger = ActiveSupport::TaggedLogging.new(Syslog::Logger.new 'app-name')

  if ::ENV['RAILS_LOG_TO_STDOUT'].present?
    logger           = ::ActiveSupport::Logger.new($stdout)
    logger.formatter = config.log_formatter
    config.logger    = ::ActiveSupport::TaggedLogging.new(logger)
  end

  # Do not dump schema after migrations.
  config.active_record.dump_schema_after_migration = false

  # Inserts middleware to perform automatic connection switching.
  # The `database_selector` hash is used to pass options to the DatabaseSelector
  # middleware. The `delay` is used to determine how long to wait after a write
  # to send a subsequent read to the primary.
  #
  # The `database_resolver` class is used by the middleware to determine which
  # database is appropriate to use based on the time delay.
  #
  # The `database_resolver_context` class is used by the middleware to set
  # timestamps for the last write to the primary. The resolver uses the context
  # class timestamps to determine how long to wait before reading from the
  # replica.
  #
  # By default Rails will store a last write timestamp in the session. The
  # DatabaseSelector middleware is designed as such you can define your own
  # strategy for connection switching and pass that into the middleware through
  # these configuration options.
  # config.active_record.database_selector = { delay: 2.seconds }
  # config.active_record.database_resolver = ActiveRecord::Middleware::DatabaseSelector::Resolver
  # config.active_record.database_resolver_context = ActiveRecord::Middleware::DatabaseSelector::Resolver::Session
end

@coding-red-panda
Copy link
Author

Also it only seems to be happening for this specific file, because it works just fine in another project I have....
So I'm wondering if it's getting confused somewhere by a specific line or something.

presidentbeef added a commit that referenced this issue Apr 26, 2021
@presidentbeef
Detect ::Rails.application.configure too
04fd02b 
Fixes #1584
@presidentbeef presidentbeef mentioned this issue Apr 26, 2021
Merged
@presidentbeef
Copy link
Owner

Thank you for providing that!

The issue was the use of ::Rails instead of Rails.

Repository owner locked and limited conversation to collaborators Jan 30, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Detect ::Rails.application.configure too presidentbeef/brakeman
2 participants
@presidentbeef @coding-red-panda