Sensitive Information Leak (severity: High)

Reckless mishandling of sensitive information can have dire consequences, including widespread data leaks, compromised privacy, and financial losses. Implement robust security measures to mitigate this.

Detector ID
ruby/sensitive-information-leak@v1.0
Category
Common Weakness Enumeration (CWE)
Tags
-

Noncompliant example

def sensitive_information_leak_noncompliant
  # Noncompliant: User-controlled data is passed in find.
  # Any caller can choose the id, and the whole record is then rendered as JSON.
  @user = User.find(params[:id])

  respond_to do |format|
    format.html
    format.json { render :json => @user }
  end
end

Compliant example

def sensitive_information_leak_compliant
  # Compliant: Argument in find is not user-controlled.
  # The id comes from the server-side session, so only the caller's own record is looked up.
  @user = User.find(session[:id])

  respond_to do |format|
    format.html
    format.json { render :json => @user }
  end
end
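As an added example, not code from this detector page or from Rails: a plain-Ruby stand-in for the two controller actions above, with a constructed in-memory user table (hypothetical `USERS`) in place of ActiveRecord. It shows what the noncompliant lookup actually hands to a client, the compliant session-scoped lookup with an explicit attribute allow-list, and a third variant for the case where a client-supplied id is genuinely needed and must be authorised against the session before rendering.

```ruby
require 'json'

# Constructed in-memory "User" table standing in for ActiveRecord (hypothetical data).
USERS = {
  1 => { id: 1, email: 'alice@example.test', role: 'admin',
         password_digest: '$2a$12$constructed-digest-alice', api_token: 'tok-alice' },
  2 => { id: 2, email: 'bob@example.test', role: 'member',
         password_digest: '$2a$12$constructed-digest-bob', api_token: 'tok-bob' }
}.freeze

# The only attributes that may ever be serialised to a client.
PUBLIC_ATTRIBUTES = %i[id email role].freeze

# Mirrors the noncompliant action: the record id comes from the request and
# the whole record, secrets included, is rendered.
def show_user_noncompliant(params, _session)
  user = USERS[params[:id].to_i]
  return { status: 404 } unless user
  { status: 200, body: user.to_json }
end

# Mirrors the compliant action: only the authenticated user's own record is
# looked up (session[:id] is server-set), and only allow-listed fields leave.
def show_user_compliant(_params, session)
  user = USERS[session[:id]]
  return { status: 401 } unless user
  { status: 200, body: user.slice(*PUBLIC_ATTRIBUTES).to_json }
end

# When a client-supplied id is legitimately required (e.g. an admin view),
# authorise the lookup against the session before anything is rendered.
def show_user_authorized(params, session)
  requester = USERS[session[:id]]
  return { status: 401 } unless requester
  target = USERS[params[:id].to_i]
  return { status: 404 } unless target
  allowed = requester[:role] == 'admin' || target[:id] == requester[:id]
  return { status: 403 } unless allowed
  { status: 200, body: target.slice(*PUBLIC_ATTRIBUTES).to_json }
end
```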