Re: [brakeman] dangerous send

2014-08-15 Thread Justin Collins
On 08/15/2014 01:54 PM, Dante Avery wrote:
> Does brakeman create a warning for dangerous send if it's used to
> dynamically assign attributes based off user input?
>
> For example will the scanner report send("#{name}=", params[:value])

It does not warn about arguments that are user input, since that's no 
different from passing in the values normally.

In other words,

   x.send(:blah=, params[:value])

is the same as

   x.blah = params[:value]

so Brakeman wouldn't warn about that.

However, if the method name is controlled by user input, it will warn. 
In your example I don't know what "name" is, but this would warn:

   x.send("#{params[:name]}=", params[:value])

Hope that helps.

Please keep in mind Brakeman currently only looks at code in 
models/controllers/views.

-Justin
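The distinction Justin draws above, a user-controlled argument versus a user-controlled method name, is easiest to see side by side. The following is an added example, not code from the thread or from Brakeman: a constructed `User` class, the `send`-based assignment in the shape Brakeman warns about, and an allowlisted alternative that lets user input pick only from named attributes. `ALLOWED_ATTRIBUTES`, `DisallowedAttribute` and the sample params are all assumptions made for the illustration.

```ruby
# Added example (not from the Brakeman mailing list thread or from Brakeman
# itself). The User class, ALLOWED_ATTRIBUTES and the params hashes below are
# constructed for this illustration.

class User
  attr_accessor :name, :email, :admin

  def initialize
    @name = nil
    @email = nil
    @admin = false
  end
end

# Shape Brakeman's dangerous send check flags: the method name itself comes
# from user input, so whoever controls params[:name] chooses which setter
# runs. params[:value] being user input is not the problem; the developer
# could have written `user.name = params[:value]` and Brakeman would be silent.
def assign_unsafe(user, params)
  user.send("#{params[:name]}=", params[:value])
  user
end

# Hardened form: user input may only select among a fixed set of attribute
# names, checked before any dynamic call is made. public_send is used so a
# private method could not be reached even if the allowlist were misconfigured.
ALLOWED_ATTRIBUTES = %w[name email].freeze

class DisallowedAttribute < StandardError; end

def assign_allowlisted(user, params)
  attr = params[:name].to_s
  unless ALLOWED_ATTRIBUTES.include?(attr)
    raise DisallowedAttribute, "#{attr.inspect} is not an assignable attribute"
  end
  user.public_send("#{attr}=", params[:value])
  user
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request: the caller asks for an attribute the form never exposed.
  tampered = { name: "admin", value: true }

  puts "unsafe:      admin=#{assign_unsafe(User.new, tampered).admin}"
  begin
    assign_allowlisted(User.new, tampered)
  rescue DisallowedAttribute => e
    puts "allowlisted: rejected (#{e.message})"
  end
end
```

The allowlist is the property a reviewer should look for when Brakeman reports a dangerous send: the warning goes away in spirit, not just in the report, only when the set of reachable methods no longer depends on the request.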


[brakeman] dangerous send

2014-08-15 Thread Dante Avery
Does brakeman create a warning for dangerous send if it's used to dynamically 
assign attributes based off user input?

For example will the scanner report send("#{name}=", params[:value])


Re: [brakeman] Dangerous Send

2014-04-26 Thread Justin
Hi Benedict,

Brakeman checks `send` because it can allow an attacker to call 
arbitrary methods on an object. It checks `send_file` because that 
method can be used to access arbitrary files on the web server.

I don't immediately see how `send_data` could be dangerous.

-Justin

On 2014-04-25 21:59, Kwok, Benedict wrote:
> Hi Brakeman Expert,
> 
> Question about the send_data, is it safe?
> 
> We have checks for send and send_file, should we include send_data as
> well?
> 
> https://github.com/presidentbeef/brakeman/blob/master/lib/brakeman/checks/check_send.rb
> 
> https://github.com/presidentbeef/brakeman/blob/master/lib/brakeman/checks/check_send_file.rb
> 
> Regards,
> 
> Benedict Kwok
> 
> P&I ACES, Code Analysis
> 


[brakeman] Dangerous Send

2014-04-25 Thread Kwok, Benedict
Hi Brakeman Expert,


Question about the send_data, is it safe?

We have checks for send and send_file, should we include send_data as well?
https://github.com/presidentbeef/brakeman/blob/master/lib/brakeman/checks/check_send.rb
https://github.com/presidentbeef/brakeman/blob/master/lib/brakeman/checks/check_send_file.rb

Regards,

Benedict Kwok
P&I ACES, Code Analysis