secret_token.rb
Severity: Critical
Discovered over 5 years ago
Source: static code analysis
Category: Session Setting
Confidence level: High

Problem

The session secret (secret_token) is hard-coded in an initializer that is committed to version control. secret_token is the key that signs session cookies, so anyone with read access to the repository or its history can forge sessions for any user.

Location

config/initializers/secret_token.rb:7


Category description: Session cookies should be HttpOnly and signed with a key of at least 30 characters; the secret_token must not be committed to version control.

Solution: fix the issue in config/initializers/secret_token.rb (load the token from the environment or an untracked secrets file, and rotate the value that was committed, since it remains in the repository history) or mark it as a false positive.
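Added example (not the scanner's code and not from the scanned application): the flagged pattern beside its hardened form, a generator for a replacement token, and a small check in the spirit of the static-analysis rule. The initializer snippets, the application name Example::Application and the placeholder token value are constructed for illustration.

```ruby
require "securerandom"

# What the finding flags: a string literal assigned to secret_token inside
# an initializer that lives in git. (Constructed placeholder, not a real key;
# Example::Application is a hypothetical app name.)
INSECURE_INITIALIZER = <<~RUBY
  Example::Application.config.secret_token = '0123456789abcdef0123456789abcdef'
RUBY

# Hardened form: the token is read from the environment at boot, so the
# repository never contains it. ENV.fetch fails loudly if it is missing
# rather than silently running with a nil secret.
SECURE_INITIALIZER = <<~RUBY
  Example::Application.config.secret_token = ENV.fetch("SECRET_TOKEN")
RUBY

# Generate a replacement after rotating: 64 random bytes, hex-encoded, is
# 128 characters, comfortably above the 30-character minimum the rule cites.
def generate_secret_token
  SecureRandom.hex(64)
end

# Detection logic: true if any non-comment line assigns a quoted literal to
# secret_token (an ENV or secrets lookup does not match).
def secret_token_hardcoded?(source)
  source.each_line.any? do |line|
    next false if line.strip.start_with?("#")
    !(line =~ /secret_token\s*=\s*['"]/).nil?
  end
end
```

Rotating is the part people skip: swapping the literal for ENV.fetch without changing the value leaves the old key recoverable from git history, and every cookie signed with it stays forgeable.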

Gemfile
Severity: Severe
Discovered over 5 years ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Medium

Problem

The Rails version pinned in the Gemfile has a Strong Parameters bypass in ActiveRecord's create_with (CVE-2014-3514): attributes passed through create_with were applied to the new record without the permitted? check, so an unpermitted params hash could mass-assign any column. Upgrade to Rails 4.1.5 (4.0.9 on the 4.0 series) or apply the published patch.

Location

Gemfile


Category description: Unprotected model attributes let an attacker set them directly from request parameters, e.g. flip an admin flag to true.

Solution: fix the issue in the Gemfile (raise the rails gem version and run bundle update rails) or mark it as a false positive.