Brakeman

Ruby on Rails Static Analysis Security Tool

Information Disclosure

Also known as information leakage or information exposure, this vulnerability refers to system or internal information (such as debugging output, stack traces, error messages, etc.) which is displayed to an end user.

For example, Rails provides detailed exception reports by default in the development environment, but it is turned off by default in production:

# Full error reports are disabled
config.consider_all_requests_local = false

Brakeman warns if this setting is true in production, or if a controller defines a show_detailed_exceptions? method that does not return false (such an override re-enables the detailed error page regardless of the production setting).
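To make the two conditions concrete, here is an added example (not Brakeman's own code, which works on the parsed Ruby AST): a simplified, regex-based check over constructed source strings, with the insecure production config, the Rails default, and a controller override side by side.

```ruby
# Added example, not Brakeman's implementation: a text-based version of the
# two conditions the warning describes. It only recognises the literal forms
# used in the constructed samples below.

# Constructed sample: production config with full error reports left on.
WEAK_PRODUCTION_CONFIG = <<~RUBY
  Rails.application.configure do
    # Full error reports are enabled (insecure in production)
    config.consider_all_requests_local = true
  end
RUBY

# Constructed sample: the Rails default, which hides stack traces from users.
SAFE_PRODUCTION_CONFIG = <<~RUBY
  Rails.application.configure do
    config.consider_all_requests_local = false
  end
RUBY

# Constructed sample: a controller that re-enables detailed exceptions
# for every request, overriding the production setting.
LEAKY_CONTROLLER = <<~RUBY
  class AdminController < ApplicationController
    def show_detailed_exceptions?
      true
    end
  end
RUBY

# Returns a list of finding strings; empty when nothing is flagged.
def information_disclosure_findings(production_config:, controller_sources: [])
  findings = []

  if production_config =~ /^\s*config\.consider_all_requests_local\s*=\s*true\b/
    findings << "config.consider_all_requests_local is true in production"
  end

  controller_sources.each do |src|
    # Take the override's body up to the method's `end` and flag it unless
    # that body is exactly `false` (anything else, e.g. `true` or
    # `current_user.admin?`, can expose stack traces to end users).
    body = src[/def\s+show_detailed_exceptions\?\s*\n(.*?)\n\s*end\b/m, 1]
    next if body.nil?
    findings << "show_detailed_exceptions? override does not return false" unless body.strip == "false"
  end

  findings
end
```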