Template Injection

ID

ruby.checktemplateinjection

Severity

low

Resource

Template Injection

Language

Ruby

Description

User input passed into Ruby templates that are then evaluated is VERY dangerous, so this will always raise a warning. Brakeman looks for calls of the form:

  ERB.new(user_input).result
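The following is an added, runnable illustration of the pattern described above; it is not code from Brakeman or from this page. It shows the flagged call (untrusted string used as the template itself) next to the remediated form (fixed template literal, untrusted value passed in as data and HTML-escaped), and finishes with a small line-based heuristic scanner that mimics what the check looks for. The sample input and sample source are constructed; the scanner is a regex approximation for illustration only, since Brakeman itself works on the parsed AST and is not limited to single lines.

```ruby
require "erb"
require "cgi"

# Constructed sample standing in for a request parameter. It deliberately
# contains an ERB expression so the difference between "evaluated" and
# "rendered as data" is visible in the output.
USER_INPUT = "<%= 6 * 7 %>"

# The pattern the check flags: the untrusted string becomes the template,
# so any ERB tags inside it are executed by ERB#result.
def render_untrusted_template(input)
  ERB.new(input).result
end

# Remediated form: the template is a literal in the code base and the
# untrusted value is only ever data, HTML-escaped when written out.
GREETING_TEMPLATE = "Hello, <%= CGI.escapeHTML(name) %>!"

def render_fixed_template(name)
  ERB.new(GREETING_TEMPLATE).result_with_hash(name: name)
end

# Heuristic scanner (illustration only, not Brakeman's implementation):
# match ERB.new(<arg>).result on one line and report every argument that
# is not a plain string literal as a candidate for review. The argument
# group allows one level of nested parentheses, e.g. File.read(path).
TEMPLATE_INJECTION =
  /ERB\.new\(\s*(?<arg>(?:[^()]|\([^()]*\))*)\)\s*\.result/

def flag_template_injection(source)
  source.each_line.with_index(1).filter_map do |line, no|
    next unless (m = TEMPLATE_INJECTION.match(line))
    arg = m[:arg].strip
    # A string literal is a fixed template, not user input; skip it.
    next if arg.start_with?('"', "'")
    { line: no, arg: arg }
  end
end

# Constructed source snippet for the scanner.
SAMPLE_SOURCE = <<~RUBY
  body = ERB.new(params[:template]).result
  page = ERB.new("<h1>Static</h1>").result
  ERB.new(File.read(path)).result(binding)
RUBY

if __FILE__ == $PROGRAM_NAME
  puts render_untrusted_template(USER_INPUT) # the expression runs: 42
  puts render_fixed_template(USER_INPUT)     # the expression stays text
  flag_template_injection(SAMPLE_SOURCE).each do |hit|
    puts "line #{hit[:line]}: template built from #{hit[:arg]}"
  end
end
```

Running the script prints `42` for the flagged form and `Hello, &lt;%= 6 * 7 %&gt;!` for the remediated one, and the scanner reports lines 1 and 3 of the sample while skipping the string-literal template on line 2.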

Rationale

Searches for user input being evaluated as a template (template injection).

Remediation

Follow secure coding practices for Ruby on Rails applications. Review the references below for detailed remediation guidance.

Configuration

This detector does not need any configuration.