Update README.md

[guardrails-test]

No description provided.

[guardrails]

⚠️ We detected 65 security issues in this pull request:

Insecure Use of Language/Framework API (2)

Docs	Details
💡	Title: User Controlled Method Invocation, Severity: Medium railsgoat/app/controllers/dashboard_controller.rb Line 16 in 28edfd0 self.try(params[:graph])
💡	Title: User Controlled Method Invocation, Severity: Medium railsgoat/config/initializers/strong_parameters.rb Line 2 in 28edfd0 ActiveRecord::Base.send(:include, ActiveModel::ForbiddenAttributesProtection)

More info on how to fix Insecure Use of Language/Framework API in Ruby.

---

Insecure Use of Dangerous Function (4)

Docs	Details
💡	Title: Unsafe Constantize, Severity: Medium railsgoat/app/controllers/api/v1/mobile_controller.rb Line 17 in 28edfd0 model = params[:class].classify.constantize
💡	Title: Unsafe Constantize, Severity: Medium railsgoat/app/controllers/api/v1/mobile_controller.rb Line 10 in 28edfd0 model = params[:class].classify.constantize
💡	Title: Unsafe Constantize, Severity: Medium railsgoat/app/controllers/benefit_forms_controller.rb Line 11 in 28edfd0 file = params[:type].constantize.new(path)
💡	Title: Potential OS Command Injection, Severity: High railsgoat/app/models/benefits.rb Line 15 in 28edfd0 silence_streams(STDERR) { system("cp #{full_file_name} #{data_path}/bak#{Time.zone.now.to_i}_#{file.original_filename}") }

More info on how to fix Insecure Use of Dangerous Function in Ruby.

---

Insecure Use of Regular Expressions (1)

Docs	Details
💡	Title: Improper Regex Anchors, Severity: Low railsgoat/app/models/user.rb Line 13 in 28edfd0 validates_format_of :email, with: /.+@.+\..+/i

More info on how to fix Insecure Use of Regular Expressions in Ruby.

---

Insecure File Management (1)

Docs	Details
💡	Title: Insecure File Access, Severity: High railsgoat/app/controllers/benefit_forms_controller.rb Line 12 in 28edfd0 send_file file, disposition: "attachment"

More info on how to fix Insecure File Management in Ruby.

---

Insecure Use of SQL Queries (1)

Docs	Details
💡	Title: Potential SQL Injection, Severity: High railsgoat/app/controllers/users_controller.rb Line 29 in 28edfd0 user = User.where("id = '#{params[:user][:id]}'")[0]

More info on how to fix Insecure Use of SQL Queries in Ruby.

---

Hard-Coded Secrets (2)

Docs	Details
💡	Title: Hard-coded Password (Session Secret), Severity: Medium railsgoat/config/initializers/secret_token.rb Line 9 in 28edfd0 Railsgoat::Application.config.secret_key_base = "2f1d90a26236c3245d96f5606c201a780dc9ca687e5ed82b45e211bb5dc84c1870f61ca9e002dad5dd8a149c9792d8f07f31a9575065cca064bd6af44f8750e4"
💡	Title: Hex High Entropy String, Severity: Medium railsgoat/config/initializers/secret_token.rb Line 8 in 28edfd0 Railsgoat::Application.config.secret_token = "2f1d90a26236c3245d96f5606c201a780dc9ca687e5ed82b45e211bb5dc84c1870f61ca9e002dad5dd8a149c9792d8f07f31a9575065cca064bd6af44f8750e4"

More info on how to fix Hard-Coded Secrets in Ruby and General.

---

Insecure Processing of Data (17)

Docs	Details
💡	Title: Potential XSS, Severity: Medium railsgoat/app/views/layouts/application.html.erb Line 12 in 28edfd0 <style>body { font-size:<%= raw cookies[:font] %> !important;}</style>
💡	Title: Potential XSS (Rails), Severity: Medium railsgoat/app/controllers/password_resets_controller.rb Line 36 in 28edfd0 flash[:error] = "There was an issue sending password reset email to #{params[:email]}".html_safe unless params[:email].nil?
💡	Title: Insecure Deserialization (Marshal), Severity: High railsgoat/app/controllers/password_resets_controller.rb Line 6 in 28edfd0 user = Marshal.load(Base64.decode64(params[:user])) unless params[:user].nil?
💡	Title: Potential XSS (unquoted template variable), Severity: Medium railsgoat/app/views/admin/analytics.html.erb Line 9 in 28edfd0 <table class="table table-striped table-hover table-bordered pull-left <%= "custom" if params[:field] %>" id="data-table">
💡	Title: Potential XSS (link_to), Severity: Medium railsgoat/app/views/messages/show.html.erb Line 26 in 28edfd0 <td><%= link_to "Delete", user_message_path, {:id => "@message.id", :method => 'delete', :class => "btn btn-danger pull-left"}%></td>
💡	Title: Potential XSS (link_to), Severity: Medium railsgoat/app/views/user_mailer/forgot_password.html.erb Line 16 in 28edfd0 <%= link_to "Click here to reset your password", @url %><br>
💡	Title: Potential XSS (html_safe) in ERB template, Severity: Medium railsgoat/app/views/layouts/shared/_header.html.erb Line 31 in 28edfd0 Welcome, <%= current_user.first_name.html_safe %>
💡	Title: Potential XSS (html_safe) in ERB template, Severity: Medium railsgoat/app/views/layouts/shared/_header.html.erb Line 82 in 28edfd0 $("#modal_div").load(<%= credentials_tutorials_path.inspect.html_safe %>);
💡	Title: Potential XSS (html_safe) in ERB template, Severity: Medium railsgoat/app/views/messages/index.html.erb Line 114 in 28edfd0 url: <%= "/users/#{current_user.id}/messages.json".inspect.html_safe %>,
💡	Title: Potential XSS (html_safe) in ERB template, Severity: Medium railsgoat/app/views/paid_time_off/index.html.erb Line 135 in 28edfd0 events: <%= get_pto_schedule_schedule_index_path(:format => "json").inspect.html_safe %>,
💡	Title: Potential XSS (html_safe) in ERB template, Severity: Medium railsgoat/app/views/paid_time_off/index.html.erb Line 160 in 28edfd0 [ <%= "As of today: #{Date.today}".inspect.html_safe %>, <%= @pto.sick_days_earned %>, <%= @pto.sick_days_taken %>, <%= @pto.sick_days_remaining %> ], ]);
💡	Title: Potential XSS (html_safe) in ERB template, Severity: Medium railsgoat/app/views/paid_time_off/index.html.erb Line 194 in 28edfd0 [ <%= "As of today: #{Date.today}".inspect.html_safe %>, <%= @pto.pto_earned %>, <%= @pto.pto_taken %>, <%= @pto.pto_days_remaining %> ], ]);
💡	Title: Potential XSS (html_safe) in ERB template, Severity: Medium railsgoat/app/views/performance/index.html.erb Line 63 in 28edfd0 [ <%= "#{p.date_submitted}".inspect.html_safe %>, <%= p.score %> ],
💡	Title: Potential XSS (html_safe) in ERB template, Severity: Medium railsgoat/app/views/users/account_settings.html.erb Line 87 in 28edfd0 url: <%= "/users/#{current_user.id}.json".inspect.html_safe %>,
💡	Title: Potential XSS (content_tag) in ERB template, Severity: Medium railsgoat/app/views/layouts/shared/_messages.html.erb Line 6 in 28edfd0 <%= content_tag :div, msg, :id => "flash_notice" %>
💡	Title: Potential XSS (content_tag) in ERB template, Severity: Medium railsgoat/app/views/layouts/shared/_messages.html.erb Line 11 in 28edfd0 <%= content_tag :div, msg, :id => "flash_notice" %>
💡	Title: Potential XSS (content_tag) in ERB template, Severity: Medium railsgoat/app/views/layouts/shared/_messages.html.erb Line 16 in 28edfd0 <%= content_tag :div, msg, :id => "flash_notice" %>

More info on how to fix Insecure Processing of Data in Ruby.

---

Vulnerable Libraries (37)

Severity	Details
High	actionpack@5.1.7 upgrade to: ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1
High	actionview@5.1.7 upgrade to: ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1
High	activerecord@5.1.7 upgrade to: ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1
High	activesupport@5.1.7 upgrade to: ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1
High	json@5.1.7 upgrade to: ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1
High	nokogiri@5.1.7 upgrade to: ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1
High	rack@5.1.7 upgrade to: ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1
High	rails-html-sanitizer@5.1.7 upgrade to: ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1
High	tzinfo@5.1.7 upgrade to: ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1
High	rake@5.1.7 upgrade to: ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1
High	websocket-extensions@5.1.7 upgrade to: ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1
Medium	jquery-ui@1.8.23 upgrade to: >1.13.2
Medium	jquery@1.8.3 upgrade to: >3.5.0
Medium	jquery-validation@1.17.0 upgrade to: >1.19.3
High	moment.js@2.19.0 upgrade to: >2.29.4
High	pkg:gem/tzinfo@1.2.5@1.2.5 upgrade to: 0.3.61,1.2.10
Medium	pkg:gem/loofah@2.2.3@2.2.3 - no patch available
Medium	pkg:gem/actionview@5.1.7@5.1.7 upgrade to: 5.2.4.2,6.0.2.2
High	pkg:gem/better_errors@2.5.1@2.5.1 - no patch available
Low	pkg:gem/actioncable@5.1.7@5.1.7 - no patch available
High	pkg:gem/i18n@1.6.0@1.6.0 - no patch available
Medium	pkg:gem/cucumber@3.1.2@3.1.2 - no patch available
Medium	pkg:gem/rails-html-sanitizer@1.0.4@1.0.4 - no patch available
High	pkg:gem/websocket-extensions@0.1.3@0.1.3 upgrade to: 0.1.5
Medium	pkg:gem/puma@3.12.1@3.12.1 upgrade to: 3.12.4,4.3.3
Medium	pkg:gem/thor@0.19.4@0.19.4 - no patch available
Medium	pkg:gem/jquery-rails@4.3.3@4.3.3 - no patch available
High	pkg:gem/addressable@2.6.0@2.6.0 upgrade to: 2.8.0
Critical	pkg:gem/railties@5.1.7@5.1.7 - no patch available
Medium	pkg:gem/eventmachine@1.2.7@1.2.7 - no patch available
High	pkg:gem/json@2.2.0@2.2.0 upgrade to: 2.3.0
Medium	pkg:gem/rake@12.3.2@12.3.2 - no patch available
Critical	pkg:gem/nokogiri@1.10.2@1.10.2 upgrade to: 1.10.4,1.0.7
Medium	pkg:gem/rack@2.0.7@2.0.7 upgrade to: 1.6.12,2.0.8
Medium	pkg:gem/rails@5.1.7@5.1.7 - no patch available
Low	pkg:gem/actionpack@5.1.7@5.1.7 - no patch available
Medium	pkg:gem/activesupport@5.1.7@5.1.7 - no patch available

More info on how to fix Vulnerable Libraries in Ruby and JavaScript.

---

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.