Hello, I performed a security audit with the brakeman gem and reviewed all warnings found. None of these look like an exploitable security issue to me, so I am sending it here for further analysis.
The first two warnings really smell, though, therefore I created a refactor ticket; we should get rid of this style in the future: http://projects.theforeman.org/issues/21267

Full report follows:

== Brakeman Report ==

Application Path: /home/lzap/work/foreman
Rails Version: 4.2.9
Brakeman Version: 4.0.1
Scan Date: 2017-10-10 13:29:23 +0200
Duration: 24.950139702 seconds
Checks Run: BasicAuth, BasicAuthTimingAttack, ContentTag, CreateWith, CrossSiteScripting, DefaultRoutes, Deserialize, DetailedExceptions, DigestDoS, DynamicFinders, EscapeFunction, Evaluation, Execute, FileAccess, FileDisclosure, FilterSkipping, ForgerySetting, HeaderDoS, I18nXSS, JRubyXML, JSONEncoding, JSONParsing, LinkTo, LinkToHref, MailTo, MassAssignment, MimeTypeDoS, ModelAttrAccessible, ModelAttributes, ModelSerialize, NestedAttributes, NestedAttributesBypass, NumberToCurrency, QuoteTableName, Redirect, RegexDoS, Render, RenderDoS, RenderInline, ResponseSplitting, RouteDoS, SQL, SQLCVEs, SSLVerify, SafeBufferManipulation, SanitizeMethods, SelectTag, SelectVulnerability, Send, SendFile, SessionManipulation, SessionSettings, SimpleFormat, SingleQuotes, SkipBeforeFilter, StripTags, SymbolDoSCVE, TranslateBug, UnsafeReflection, ValidationRegex, WithoutProtection, XMLDoS, YAMLParsing

== Overview ==

Controllers: 145
Models: 132
Templates: 492
Errors: 0
Security Warnings: 39

== Warning Types ==

Cross-Site Request Forgery: 2
Cross-Site Scripting: 2
Dangerous Send: 2
Dynamic Render Path: 3
File Access: 2
Mass Assignment: 1
Redirect: 1
Remote Code Execution: 4
SQL Injection: 21
SSL Verification Bypass: 1

== Warnings ==

Confidence: High
Category: Dangerous Send
Check: Send
Message: User controlled method execution
Code: host.power.send(params[:power][:action].to_sym)
File: app/controllers/hosts_controller.rb
Line: 475

Confidence: High
Category: Dangerous Send
Check: Send
Message: User controlled method execution
Code: (resource_base.friendly.find(params[:id]) or resource_base.find_by_mac(params[:host][:mac].to_s)).power.send(params[:power_action].to_sym)
File: app/controllers/hosts_controller.rb
Line: 266

Confidence: High
Category: Remote Code Execution
Check: UnsafeReflection
Message: Unsafe reflection method constantize called with parameter value
Code: params[:host].delete(:type).constantize
File: app/controllers/hosts_controller.rb
Line: 709

Confidence: High
Category: Remote Code Execution
Check: UnsafeReflection
Message: Unsafe reflection method constantize called with parameter value
Code: params[:host].delete(:type).constantize
File: app/controllers/hosts_controller.rb
Line: 710

Confidence: High
Category: Remote Code Execution
Check: UnsafeReflection
Message: Unsafe reflection method constantize called with parameter value
Code: params[:type].constantize
File: app/controllers/api/v2/hosts_controller.rb
Line: 378

Confidence: High
Category: Remote Code Execution
Check: UnsafeReflection
Message: Unsafe reflection method constantize called with parameter value
Code: params[:type].constantize
File: app/controllers/api/v2/hosts_controller.rb
Line: 380

Confidence: High
Category: SSL Verification Bypass
Check: SSLVerify
Message: SSL certificate verification was bypassed
Code: Net::HTTP.new(URI.parse(url).host, URI.parse(url).port).verify_mode = OpenSSL::SSL::VERIFY_NONE
File: app/models/compute_resources/foreman/model/ovirt.rb
Line: 382

Confidence: Medium
Category: Cross-Site Request Forgery
Check: ForgerySetting
Message: protect_from_forgery should be configured with 'with: :exception'
File: app/controllers/api/base_controller.rb

Confidence: Medium
Category: Cross-Site Request Forgery
Check: ForgerySetting
Message: protect_from_forgery should be configured with 'with: :exception'
File: app/controllers/application_controller.rb

Confidence: Medium
Category: File Access
Check: FileAccess
Message: Model attribute used in file name
Code: File.read(Setting[:ssl_priv_key])
File: lib/proxy_api/resource.rb
Line: 111

Confidence: Medium
Category: File Access
Check: FileAccess
Message: Model attribute used in file name
Code: File.read(Setting[:ssl_certificate])
File: lib/proxy_api/resource.rb
Line: 110

Confidence: Medium
Category: Mass Assignment
Check: MassAssignment
Message: Parameters should be whitelisted for mass assignment
Code: params[:vm].permit!
File: app/controllers/compute_resources_vms_controller.rb
Line: 39

Confidence: Medium
Category: SQL Injection
Check: SQL
Message: Possible SQL injection
Code: Host::Managed.reorder("").unscoped.authorized.group("#{resource_name}_id")
File: app/helpers/application_helper.rb
Line: 508

Confidence: Medium
Category: SQL Injection
Check: SQL
Message: Possible SQL injection
Code: User.current.widgets.where("id = #{id}")
File: app/controllers/dashboard_controller.rb
Line: 59

Confidence: Medium
Category: SQL Injection
Check: SQL
Message: Possible SQL injection
Code: with_config_status.where("(host_status.status > 0) and (\n #{HostStatus::ConfigurationStatus.is("failed")} or\n #{HostStatus::ConfigurationStatus.is("failed_restarts")}\n )")
File: app/models/host/managed.rb
Line: 101

Confidence: Medium
Category: SQL Injection
Check: SQL
Message: Possible SQL injection
Code: with_config_status.where("(host_status.status > 0) AND (#{HostStatus::ConfigurationStatus.is("pending")})")
File: app/models/host/managed.rb
Line: 128

Confidence: Medium
Category: SQL Injection
Check: SQL
Message: Possible SQL injection
Code: with_config_status.where("\n #{HostStatus::ConfigurationStatus.is_not("failed")} and\n #{HostStatus::ConfigurationStatus.is_not("failed_restarts")}\n ")
File: app/models/host/managed.rb
Line: 108

Confidence: Medium
Category: SQL Injection
Check: SQL
Message: Possible SQL injection
Code: with_config_status.where("\n #{HostStatus::ConfigurationStatus.is_not("applied")} and\n #{HostStatus::ConfigurationStatus.is_not("restarted")}\n ")
File: app/models/host/managed.rb
Line: 122

Confidence: Medium
Category: SQL Injection
Check: SQL
Message: Possible SQL injection
Code: group("#{Host.table_name}.#{association}_id")
File: app/models/host/managed.rb
Line: 434

Confidence: Medium
Category: SQL Injection
Check: SQL
Message: Possible SQL injection
Code: with_config_status.where("(host_status.status > 0) and (\n #{HostStatus::ConfigurationStatus.is("applied")} or\n #{HostStatus::ConfigurationStatus.is("restarted")}\n )")
File: app/models/host/managed.rb
Line: 115

Confidence: Medium
Category: SQL Injection
Check: SQL
Message: Possible SQL injection
Code: Log.where("report_id IN (#{reports.pluck(:id).join(",")})")
File: app/models/host/managed.rb
Line: 886

Confidence: Medium
Category: SQL Injection
Check: SQL
Message: Possible SQL injection
Code: where(("reports.created_at < '#{(Time.now.utc - (conditions[:timerange] or 1.week)).to_formatted_s(:db)}'" + " and reports.status = #{conditions[:status]}"))
File: app/models/report.rb
Line: 75

Confidence: Medium
Category: SQL Injection
Check: SQL
Message: Possible SQL injection
Code: where(("reports.created_at < '#{(Time.now.utc - (conditions[:timerange] or 1.week)).to_formatted_s(:db)}'" + " and reports.status = #{conditions[:status]}"))
File: app/models/report.rb
Line: 78

Confidence: Medium
Category: SQL Injection
Check: SQL
Message: Possible SQL injection
Code: where("(#{report_status_column} >> #{HostStatus::ConfigurationStatus.bit_mask(arg[0].to_s)}) > #{(arg[(1 << 6)] or 0)}")
File: app/models/config_report.rb
Line: 19

Confidence: Medium
Category: SQL Injection
Check: SQL
Message: Possible SQL injection
Code: eager_load(:host_statuses).where("host_status.type = '#{status_type}'")
File: app/models/host/managed.rb
Line: 85

Confidence: Medium
Category: SQL Injection
Check: SQL
Message: Possible SQL injection
Code: where(:puppetclass_lookup_key_id => puppetclass_lookup_key_id).where("id != #{this_environment_class_id}")
File: app/models/environment_class.rb
Line: 21

Confidence: Medium
Category: SQL Injection
Check: SQL
Message: Possible SQL injection
Code: with_config_status.where("(host_status.status >> #{HostStatus::ConfigurationStatus.bit_mask(arg[0].to_s)}) > #{(arg[1] or 0)}")
File: app/models/host/managed.rb
Line: 96

Confidence: Medium
Category: SQL Injection
Check: SQL
Message: Possible SQL injection
Code: Host::Managed.joins(association.tableize.to_sym).group("#{association.tableize.to_sym}.id")
File: app/models/host/managed.rb
Line: 451

Confidence: Medium
Category: SQL Injection
Check: SQL
Message: Possible SQL injection
Code: Host::Managed.reorder("").authorized(:view_hosts, Host).eager_load(proxy_connections_tables).joins("LEFT JOIN smart_proxies ON smart_proxies.id IN (#{proxy_connections_columns.join(",")})")
File: app/models/concerns/hostext/search.rb
Line: 191

Confidence: Weak
Category: Cross-Site Scripting
Check: CrossSiteScripting
Message: Unescaped parameter value
Code: auto_complete_search(:search, params[:search].squeeze(" "), :placeholder => (_("Filter") + " ..."))
File: app/views/common/_searchbar.html.erb
Line: 6

Confidence: Weak
Category: Cross-Site Scripting
Check: CrossSiteScripting
Message: Unescaped model attribute
Code: (_("Last update: %s") % date_time_relative(TrendCounter.order(:created_at).last.created_at))
File: app/views/trends/index.html.erb
Line: 38

Confidence: Weak
Category: Dynamic Render Path
Check: Render
Message: Render path contains parameter value
Code: render(action => case (resource_base.friendly.find(params[:id]) or resource_base.find_by_mac(params[:host][:mac].to_s)).compute_resource.console((resource_base.friendly.find(params[:id]) or resource_base.find_by_mac(params[:host][:mac].to_s)).uuid)[:type] when "spice" then "hosts/console/spice" when "vnc" then "hosts/console/vnc" else "hosts/console/log" end, {})
File: app/controllers/hosts_controller.rb
Line: 346

Confidence: Weak
Category: Dynamic Render Path
Check: Render
Message: Render path contains parameter value
Code: render(action => "compute_resources_vms/show/#{(resource_base.friendly.find(params[:id]) or resource_base.find_by_mac(params[:host][:mac].to_s)).compute_resource.provider.downcase}", {})
File: app/views/compute_resources_vms/_details.html.erb
Line: 1

Confidence: Weak
Category: Dynamic Render Path
Check: Render
Message: Render path contains parameter value
Code: render(action => case ComputeResource.authorized(current_permission).find(params[:compute_resource_id]).console(ComputeResource.authorized(current_permission).find(params[:compute_resource_id]).find_vm_by_uuid(params[:id]).identity)[:type] when "spice" then "hosts/console/spice" when "vnc" then "hosts/console/vnc" else "hosts/console/log" end, {})
File: app/controllers/compute_resources_vms_controller.rb
Line: 88

Confidence: Weak
Category: Redirect
Check: Redirect
Message: Possible unprotected redirect
Code: redirect_to(send("#{Bookmark.new(bookmark_params).controller}_path"), :notice => _("Bookmark was successfully created"))
File: app/controllers/bookmarks_controller.rb
Line: 26

Confidence: Weak
Category: SQL Injection
Check: SQL
Message: Possible SQL injection
Code: Host.authorized(:view_hosts, Host).joins(:primary_interface).where(:nics => ({ :primary => true })).where("nics.#{name}" => attributes)
File: app/models/compute_resource.rb
Line: 391

Confidence: Weak
Category: SQL Injection
Check: SQL
Message: Possible SQL injection
Code: ancestors.where("#{attr} is not NULL")
File: app/models/concerns/nested_ancestry_common.rb
Line: 77

Confidence: Weak
Category: SQL Injection
Check: SQL
Message: Possible SQL injection
Code: @taxonomy.class.completer_scope(nil).where("id NOT IN (#{@taxonomy.subtree_ids.join(",")})")
File: app/views/taxonomies/_form.html.erb
Line: 56

Confidence: Weak
Category: SQL Injection
Check: SQL
Message: Possible SQL injection
Code: scope.where("#{self.table_name}.id IN (#{taxable_ids.join(",")})")
File: app/models/concerns/taxonomix.rb
Line: 142

--
Later,
Lukas @lzap Zapletal

--
You received this message because you are subscribed to the Google Groups "foreman-dev" group.
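Added example, not Foreman's code and not part of the message above: the two Dangerous Send and the four UnsafeReflection warnings in the report share one shape, a method name or constant name taken straight from params and handed to send or constantize. The Power class and the Host hierarchy below are constructed stand-ins, and Object.const_get stands in for ActiveSupport's String#constantize, which resolves names the same way. The unsafe variants reproduce the flagged pattern so its reach is visible; the hardened variants map the parameter onto a fixed allowlist first, which is the refactor the ticket asks for.

```ruby
# Added example, not Foreman code. Constructed stand-ins for the objects the
# flagged controller lines reach through: a power-control object and a small
# class hierarchy selected by a `type` request parameter.

class Power
  ACTIONS = %w[start stop reset].freeze

  attr_reader :state

  def initialize
    @state = "off"
  end

  def start
    @state = "on"
  end

  def stop
    @state = "off"
  end

  def reset
    @state = "on"
  end

  private

  # Never meant to be reachable from a request parameter.
  def wipe_disks
    @state = "wiped"
  end
end

# Pattern as Brakeman reports it: the method name is the raw parameter.
# Kernel#send ignores visibility, so the parameter can name a private method,
# or anything inherited from Object, and it will be called.
def power_action_unsafe(power, param)
  power.send(param.to_sym)
  power.state
end

# Hardened form: the parameter selects from a fixed list of method names and
# public_send keeps visibility checks. to_sym is only applied to the
# allowlisted string, so no attacker-chosen symbol is ever interned.
def power_action_safe(power, param)
  action = Power::ACTIONS.find { |a| a == param.to_s }
  raise ArgumentError, "unknown power action: #{param.inspect}" unless action
  power.public_send(action.to_sym)
  power.state
end

# Constructed stand-in for a type hierarchy picked by a request parameter.
class Host; end
class Host::Managed < Host; end
class Host::Discovered < Host; end

# Pattern as Brakeman reports it (Object.const_get stands in for
# ActiveSupport's String#constantize): any loaded constant resolves, not just
# the host types the caller had in mind.
def host_class_unsafe(type_param)
  Object.const_get(type_param.to_s)
end

# Hardened form: resolve only through an explicit allowlist of class names.
HOST_TYPES = {
  "Host::Managed"    => Host::Managed,
  "Host::Discovered" => Host::Discovered
}.freeze

def host_class_safe(type_param)
  HOST_TYPES.fetch(type_param.to_s) do |name|
    raise ArgumentError, "unknown host type: #{name.inspect}"
  end
end

if __FILE__ == $PROGRAM_NAME
  puts power_action_unsafe(Power.new, "wipe_disks")   # private method still runs
  puts host_class_unsafe("Kernel")                    # unrelated constant resolves
  puts power_action_safe(Power.new, "start")
  puts host_class_safe("Host::Managed")
end
```

Whether the unsafe variants are exploitable in a given application depends on what methods and constants are reachable and what they do, which is the judgement the report author already made; the allowlisted forms make that judgement unnecessary and make Brakeman stop flagging the lines for a reason rather than via an ignore file.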