Brakeman - Rails Security Scanner

Static analysis security scanner for Ruby on Rails

Brakeman 3.1.5 Released

This release adds warnings for the latest Rails CVEs.

Changes since 3.1.4:

  • Warn about RCE with render params (CVE-2016-0752)
  • Add check for strip_tags XSS (CVE-2015-7579)
  • Add check for sanitize XSS (CVE-2015-7578/80)
  • Add check for basic auth timing attack (CVE-2015-7576)
  • Add check for reject_if proc bypass (CVE-2015-7577)
  • Add check for denial of service via routes (CVE-2015-7581)
  • Add check for mime-type denial of service (CVE-2016-0751)
  • Check for implicit integer comparison in dynamic finders
  • Support directories better with --only-files and --skip-files (Patrick Toomey)
  • Fix CodeClimate construction of --only-files (Will Fleming)
  • Avoid warning about permit in SQL (#669)
  • Avoid warning on user input in comparisons
  • Handle guards using detect (#376)
  • Handle module names with self methods (#785)
  • Add session manipulation documentation (#791)
  • Add initial Rails 5 support

Render Remote Code Execution

First up, CVE-2016-0752 allows an attacker to render files outside of the application path as well as execute arbitrary code. Passing in params values directly is especially dangerous. Brakeman has warned about passing user input to render since it was first released as “dynamic render path” warnings. For calls to render that directly pass in params, it has been changed to a remote code execution warning in affected versions.
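To make the "dynamic render path" problem concrete, here is an added example (not Rails or Brakeman code) that stands in for what a controller doing render params[:page] effectively asks the template resolver to do. The view directory and the page names are assumed for illustration; the test only checks where the resolved paths land.

```ruby
# Added example: a stand-in for what happens when a controller does
# `render params[:page]`. Not Rails or Brakeman code; VIEWS_ROOT and the
# page names below are assumed for illustration.
VIEWS_ROOT = File.expand_path("app/views/pages", Dir.pwd)

# Vulnerable: the user controls the path, so "../../../../etc/passwd" walks
# straight out of the view directory (the file-read side of CVE-2016-0752).
def unsafe_template_path(name)
  File.expand_path(name, VIEWS_ROOT)
end

# Hardened (preferred): an allowlist. Only enumerated names reach render, and
# non-String input (a hash built from nested query parameters) is rejected too.
ALLOWED_PAGES = %w[about contact terms].freeze

def allowlisted_template(name)
  ALLOWED_PAGES.include?(name) ? name : nil
end

# Hardened (fallback): containment check for when an allowlist is impractical.
# Normalize first, then require the result to stay below VIEWS_ROOT.
def contained_template_path(name)
  return nil unless name.is_a?(String) && !name.include?("\0")
  full = File.expand_path(name, VIEWS_ROOT)
  full.start_with?(VIEWS_ROOT + File::SEPARATOR) ? full : nil
end
```

The allowlist is what Brakeman wants to see: once the argument to render can only be one of a fixed set of literals, there is no path for user input to reach the file system or an inline template at all.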

(changes)

Sanitization XSS

CVE-2015-7579, CVE-2015-7578, and CVE-2015-7580 are vulnerabilities in rails-html-sanitizer affecting the strip_tags and sanitize methods. Brakeman will mark uses of strip_tags and sanitize whose output is passed to raw or html_safe as high confidence warnings. Since these methods might also be used inside supporting gems, Brakeman will additionally generate a generic warning for the CVEs in apps using vulnerable versions of rails-html-sanitizer.

(changes plus these)

Basic Auth Timing Attack

The implementation of http_basic_authenticate_with did not use constant-time comparison when checking passwords, allowing timing attacks as described in CVE-2015-7576. Brakeman will warn about affected applications using http_basic_authenticate_with.
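The fix for this class of bug is a comparison whose running time does not depend on where the first mismatching byte is. The following is an added example, not Rails' own implementation (Rails uses ActiveSupport::SecurityUtils.secure_compare); the credential table and the basic_auth_ok? helper are assumed stand-ins for what http_basic_authenticate_with checks.

```ruby
require "digest"

# Added example, not Rails or Brakeman code. CREDENTIALS and basic_auth_ok?
# are assumed stand-ins for the check http_basic_authenticate_with performs.

# String#== returns at the first differing byte, so the time it takes reveals
# how many leading bytes of the guess were right.
def naive_equal?(a, b)
  a == b
end

# Constant-time comparison of two equal-length byte strings: every byte is
# visited and the result is accumulated with OR, so no early return exists.
def fixed_length_secure_compare(a, b)
  raise ArgumentError, "inputs must have the same length" unless a.bytesize == b.bytesize
  result = 0
  a.bytes.zip(b.bytes) { |x, y| result |= x ^ y }
  result.zero?
end

# For arbitrary-length inputs, hash both sides first so the length check
# cannot leak the secret's length either.
def secure_compare(a, b)
  fixed_length_secure_compare(Digest::SHA256.digest(a), Digest::SHA256.digest(b))
end

CREDENTIALS = { "admin" => "hunter2-correct-horse" }.freeze  # assumed

def basic_auth_ok?(name, password)
  expected = CREDENTIALS[name]
  # Always run the comparison, even for an unknown user, so "no such user"
  # is not distinguishable by timing from "wrong password".
  secure_compare(password, expected || "") && !expected.nil?
end
```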

(changes)

Bypass Record Deletion Filtering

CVE-2015-7577 is a bug where the reject_if option to accepts_nested_attributes_for will not be called if allow_destroy is set to false. Brakeman will warn on applications which meet all of these criteria and do not include the workaround in an initializer.

(changes)

Wildcard Route Denial of Service

Brakeman will warn about CVE-2015-7581 when it detects routes containing ':controller' wildcards on affected versions of Rails. These routes can be abused to cause a denial of service.

(changes)

Mime-type Denial of Service

Sending many different mime-types via Accept headers can cause a denial of service. Brakeman will warn about CVE-2016-0751 in affected versions of Rails unless the workaround is present.

(changes)

MySQL Implicit Integer Conversion

As described here, MySQL will convert string values to match integer input - often leading to 0=0 comparisons in queries which will always return true. Brakeman will warn when an application uses MySQL and find_by_* dynamic finders on potentially sensitive fields like password.
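The coercion is easy to misjudge, so here is an added example (not Brakeman code) that models MySQL's string-to-number rule in Ruby and runs it over a constructed token table. The model is simplified: MySQL takes the longest leading numeric prefix of the string (after leading whitespace) and coerces anything else to 0; collation and a few more exotic numeric forms are ignored here.

```ruby
# Added example, not Brakeman code: a Ruby model of how MySQL compares a
# string column against a numeric literal. Simplified on purpose.

# MySQL converts the string to a number by taking its longest leading numeric
# prefix (leading whitespace allowed); a string with no such prefix becomes 0.
def mysql_numeric_prefix(str)
  m = str.match(/\A\s*([+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?)/)
  m ? m[1].to_f : 0.0
end

# `column = literal` as MySQL evaluates it: numeric literal -> numeric compare
# of the coerced column value; string literal -> plain string compare.
def mysql_equal?(column_value, literal)
  case literal
  when Integer, Float then mysql_numeric_prefix(column_value) == literal
  when String         then column_value == literal
  else raise ArgumentError, "unsupported literal #{literal.inspect}"
  end
end

# Constructed table standing in for e.g. password_reset_tokens.
TOKENS = [
  { id: 1, token: "3f9c1e2a" },   # leading digit: coerces to 3
  { id: 2, token: "deadbeef" },   # no numeric prefix: coerces to 0
  { id: 3, token: "xyz987" },     # no numeric prefix: coerces to 0
  { id: 4, token: "42" },         # coerces to 42
].freeze

# What `Model.find_by_token(value)` selects when `value` reaches MySQL as-is.
def rows_matching(literal)
  TOKENS.select { |row| mysql_equal?(row[:token], literal) }.map { |row| row[:id] }
end

# The fix at the application boundary: force the parameter to a String, so a
# JSON body such as {"token": 0} can never turn into a numeric comparison.
def safe_rows_matching(param)
  rows_matching(param.to_s)
end
```

The integer usually arrives through a JSON request body, where 0 is a number rather than the string "0"; find_by_* then emits a numeric comparison and every row whose token has no leading digits matches. Converting to a string first (or validating the format of the token) makes the query behave the way the code reads.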

(changes)

Better Directory Support When Skipping Files

Patrick Toomey provided a patch to better explicitly match directories with --only-files and --skip-files. See the updated options for details.

Please note use of --only-files is strongly discouraged. Brakeman is designed to scan entire applications.

(changes)

CodeClimate File Restriction

The include_paths configuration for the CodeClimate engine has been updated by Will Fleming to handle spaces and other special characters.

(changes)

Permit permit in SQL

Surprisingly, it is safe and effective to use params.permit in SQL queries, as it will always return a hash of values which will be interpreted as parameterized values. Brakeman will no longer warn about uses of permit in SQL queries.

(changes)

User Input in Comparisons

Brakeman will no longer warn about user input in comparisons, such as 'x' == params[:x].

(changes)

Detect detect Guard Statements

Fixing a bug filed almost 2.5 years ago, Brakeman will now recognize Array#detect/Array#find being used to whitelist values.

For example:

if safe_name = [:A, :B, :C].detect { |v| v == params[:v] }
  safe_name.constantize
end

(changes)

Self Methods with Modules

Definitions of self methods inside nested modules was broken and is now fixed.

(changes)

Session Manipulation Documentation

Documentation for session manipulation warnings has now been added to the Brakeman site and for the CodeClimate engine.

(changes)

Rails 5 Support

Initial support for Rails 5 has been added to Brakeman, including a -5 option to force Rails 5 mode. However, no special analysis or warnings specific to Rails 5 have been implemented yet.

(changes)

CVE-2016-0753?

This release does not include a warning for CVE-2016-0753. The vulnerability appears to require using permit! which Brakeman already warns about, or else passing in hashes that are not query parameters which Brakeman would not be able to detect as dangerous or benign.

SHAs

The SHA256 sums for this release are

fa9528859d4baa8cd4fbe67f634cd3741ee85d553bf59c4b2315a5ccb2976835  brakeman-3.1.5.gem
3248084efe71fcbb0c65b36e71ff0c06e65ac6bce1817a6f9d38ae0657a95bde  brakeman-min-3.1.5.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed improvements in this release.

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter or hanging out on Gitter. Please note the mailing list is no longer in use and has apparently not been delivering mail for some time.

Brakeman 3.1.4 Released

Brakeman Pi!

Changes since 3.1.3:

  • Emit Brakeman’s native fingerprints for Code Climate engine (Noah Davis)
  • Ignore secrets.yml if in .gitignore (#777)
  • Work around safe_yaml error (#778)
  • Increase test coverage for option parsing (Zander Mackie)
  • Clean up Ruby warnings (Andy Waite)

Code Climate Fingerprints

The output format for Code Climate has been updated to include warning fingerprints as generated by Brakeman.

Ignored secrets.yml

If secrets.yml is ignored via .gitignore, Brakeman will ignore it, too.

(changes)

Safe YAML Error

For some people, in some cases, date is not loaded prior to loading safe_yaml. This release ensures date is loaded before using SafeYAML and only loads safe_yaml on demand.

(changes)

Test Coverage and Warning Cleanup

Thanks to Zander Mackie for improving test coverage (up to 91.24%) by writing tests for the command line options and thanks to Andy Waite for cleaning up various Ruby warnings.

(test changes, warning fixes)

SHAs

The SHA256 sums for this release are

d53103d40a7ddf6ee2737770ecd0353b945a757d0fab6c50cde1eefba31f6197  brakeman-3.1.4.gem
a67d7c96090bc3b8193cf3b5db7af62ce719b9277d1b818ec6e9f96a52ad0caa  brakeman-min-3.1.4.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed improvements in this release.

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter, joining the mailing list, or hanging out on Gitter.

Brakeman 3.1.3 Released

This is a small bug fix release, except for one major new feature: Brakeman is now available as an engine on the new Code Climate platform!

Changes since 3.1.2:

  • Add Code Climate output format (Ashley Baldwin-Hunter / Devon Blandin / John Pignata / Michael Bernstein)
  • Restore minimum Highline version (Kevin Glowacz)
  • Depend on safe_yaml 1.0 or later (#753)
  • Check for session secret in secrets.yml (#760)
  • Avoid warning on without_protection: true with hash literal (#769)
  • Respect exit_on_warn in config file (#771)
  • Avoid outputting false for user_input in JSON
  • Iteratively replace variables
  • CallIndex improvements
  • Improved tests for the Brakeman module (Bethany Rentz)
  • Make sure a before_filter with block is a call (#763)

Code Climate Platform

Thanks to the folks at Code Climate, this release adds the ability to run Brakeman as an analysis engine on Code Climate’s platform. You can now run Brakeman as part of Code Climate’s hosted analysis, or on your command line with their open source CLI. Brakeman can be integrated with results from your other favorite static analysis tools, giving you a unified view of issues in your code.

(main changes)

Dependencies

Brakeman 3.1.0 relaxed the Highline dependency (to support Highline 1.7.x and up) and Brakeman 3.1.2 added a dependency on safe_yaml without specifying a minimum version. Both of these changes resulted in some issues if combined with an application that depends on older versions of these libraries.

Highline and safe_yaml now have minimum versions specified.

(changes here and here)

More Secrets

Production session secrets stored in config/secrets.yml will now raise a warning.

(changes)

Mass Assignment False Positive

Previously, Brakeman would warn on any mass assignment using without_protection: true. This blog post noted Brakeman would even warn if the values for mass assignment were a hash literal. This has been fixed.

(changes)

Hardcore Mode in Config

Brakeman now supports turning on “hardcore mode” (setting :exit_on_warn: true) in a config file. This causes Brakeman to return a non-zero exit code if any warnings are found.

(changes)

JSON Output

A refactoring caused some values of user_input in JSON reports to be false instead of nil. This has been corrected.

(changes)

More Variable Replacement

A long time ago, Brakeman used to do two passes for data flow analysis, just in case one substitution could be replaced with yet another value. The second pass was removed when it turned out not to be that helpful in reality. However, there are some cases where it is helpful. Now Brakeman will attempt substitutions if there are more matches, but with a hard limit of 5 replacements to avoid infinite loops. This will reduce false positives in some situations.
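The shape of that change, as an added toy example rather than Brakeman's own data-flow code: one substitution pass over an expression, repeated while something still changes, with a hard cap so mutually recursive definitions cannot loop forever. Expressions are nested Ruby arrays here instead of Brakeman's s-expressions, and the environment is a plain Hash from variable name to expression.

```ruby
# Added example, not Brakeman code: iterative variable substitution with a
# hard limit. Expressions are nested arrays of symbols and literals;
# env maps a variable name (Symbol) to the expression assigned to it.
MAX_REPLACEMENTS = 5

# One pass: replace every variable that has a known value, but do not descend
# into the replacement itself. Returns [new_expr, changed?].
def substitute_once(expr, env)
  case expr
  when Symbol
    env.key?(expr) ? [env[expr], true] : [expr, false]
  when Array
    changed = false
    out = expr.map do |e|
      replaced, c = substitute_once(e, env)
      changed ||= c
      replaced
    end
    [out, changed]
  else
    [expr, false]
  end
end

# Keep substituting while a pass still changes something, but never more than
# `limit` times: a cycle such as a = b; b = a would otherwise never terminate.
def substitute(expr, env, limit: MAX_REPLACEMENTS)
  limit.times do
    expr, changed = substitute_once(expr, env)
    return expr unless changed
  end
  expr # gave up after `limit` passes; whatever is left is reported as-is
end
```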

(changes)

CallIndex Improvements

Fixed a small bug where params was not a valid target when searching chained methods, as well as making it possible to search for chains beginning with a method call. Additionally, all the tests for CallIndex were broken and not testing anything.

(changes)

Improved Test Coverage

Thanks to Bethany Rentz, test coverage was nudged up over 90%. Plenty of low-hanging fruit remains, see this issue for suggestions of how to contribute!

(changes)

Brakeman Pro

Another small announcement: the first public release of Brakeman Pro (the commercial version of Brakeman) is now available for purchase. If you are looking to financially support development of Brakeman, would like paid support, need a commercial license, or just want a slick GUI, consider checking out Brakeman Pro.

For some clarification regarding the future of Brakeman and Brakeman Pro, please see this email from earlier in the year.

SHAs

The SHA256 sums for this release are

57b0edcc289eb74359d2042a38ea519f96f606c89dc879e5fb53971d3d656707  brakeman-3.1.3.gem
85473af3a55c440959ea91f94fe14177ac58aa35b44fbb007c93cd742803eae6  brakeman-min-3.1.3.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed improvements in this release.

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter, joining the mailing list, or hanging out on Gitter.

Brakeman 3.1.2 Released

This release is mostly bug fixes and false positive reduction. However, please note fingerprints for inline render warnings will change.

Changes since 3.1.1:

  • Sortable tables in HTML report (David Lanner)
  • Add line numbers to class-level warnings
  • Warn on SQL query keys, not values in hashes (#738)
  • Set user input value for inline renders
  • Avoid warning on inline renders with safe content types
  • Treat current_user like a model (#744)
  • Avoid warning about model find/find_by* in hrefs
  • Handle private def ...
  • Handle empty interpolation in HAML filters (#732)
  • Catch divide-by-zero in alias processing (#729)
  • Ignore filters that are not method names
  • Search for config file relative to application root
  • Use SafeYAML to load configuration files
  • Allow inspection of recursive Sexps
  • Reduce string allocations in Warning#initialize

Sortable Tables

David Lanner added the ability to sort tables in the HTML report by clicking on the column headers.

(changes)

Line Numbers for Class Warnings

When warning about an entire class (like a model missing attr_accessible), the warning line number will point to the beginning of the class.

(changes)

SQL Query Hashes

A long-standing bug in Brakeman caused it to warn about values in query hashes (e.g., User.where(:x => params[:x])) when it was intended to warn about user input in the keys.

(changes)

Inline Renders

Brakeman will now report the render call as the code value and the user input as user_input. Please note the code will look a little different from what Brakeman reports, as render calls are turned into a slightly different AST node internally. This will definitely change fingerprints for these warnings.

(changes)

current_user

In a couple places, Brakeman will treat current_user like a model instance, which it almost always is. This will probably be expanded in future releases.

(changes)

Inline Privates

Calls to private using the return value of def will now work properly:

private def secret_stuff
# ...
end

(changes)

Empty HAML Interpolation

Empty HAML interpolation inside of filters will no longer cause crashes and will be handled properly.

(changes)

Divide-by-Zero

Brakeman sometimes divides by zero when it performs simple arithmetic during constant folding. The exception is now caught and listed in the report's errors (which is how it used to be handled, too) instead of aborting the scan; someday it should be a warning instead.

(changes)

Config File Changes

When looking for the config/brakeman.yml configuration file, Brakeman will now look relative to the application path instead of the working directory.

Additionally, the SafeYAML gem is used to prevent code execution for those running Brakeman against untrusted code.
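Why that matters: a brakeman.yml in a repository you are scanning is attacker-controlled input, and a full YAML loader will happily instantiate arbitrary Ruby objects from a tagged document. The following added example (not Brakeman's code, which used the SafeYAML gem) shows the same protection with Psych's YAML.safe_load. Brakeman configuration files use symbol keys such as :exit_on_warn: true, so Symbol must be explicitly permitted; both documents below are constructed.

```ruby
require "yaml"

# Added example, not Brakeman code: loading a brakeman.yml-style file with
# Psych's safe loader (Ruby 2.6+ keyword API) instead of the SafeYAML gem.
# Symbol is permitted because Brakeman's config uses symbol keys.
def load_brakeman_config(yaml_text)
  YAML.safe_load(yaml_text, permitted_classes: [Symbol], aliases: false) || {}
end

# Constructed benign config.
CONFIG_YAML = <<~YAML
  ---
  :exit_on_warn: true
  :skip_checks:
  - CheckWeakHash
YAML

# Constructed hostile config, as it might be committed to a repository you are
# scanning: the tag asks the loader to build an arbitrary Ruby object.
HOSTILE_YAML = <<~YAML
  ---
  :exit_on_warn: !ruby/object:Object
    evil: 1
YAML

# With safe_load the tagged object is refused outright.
def hostile_config_rejected?
  load_brakeman_config(HOSTILE_YAML)
  false
rescue Psych::DisallowedClass
  true
end
```

The important property is that the allowlist is closed: only the scalar types, Array, Hash and the classes you name can come out of the loader, and anything else raises Psych::DisallowedClass before any object is constructed.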

(changes here and here)

SHAs

The SHA256 sums for this release are

c01f07ccc2490d0421e5974499c57f519aa371bfab5d25ba3b224e7ae9e2c415  brakeman-3.1.2.gem
d820c872cbe7bc8452c9bd8bd46d990ff1c0d53ee621c09f1997270fc978f783  brakeman-min-3.1.2.gem

Reporting Issues

Thank you to everyone who reported bugs fixed in this release.

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter, joining the mailing list, or hanging out on Gitter.

Brakeman 3.1.1 Released

This release includes two new checks and a number of bug fixes.

Changes since 3.1.0:

  • Add check for user input in session keys
  • Add optional check for use of MD5 and SHA1
  • Fix absolute paths for Windows (Cody Frederick)
  • Allow searching call index methods by regex (Alex Ianus)
  • Consider j/escape_javascript safe inside Haml JavaScript blocks (#708)
  • Better Haml processing of find_and_preserve calls
  • Fix chained assignment
  • Treat a.try(&:b) like a.b()
  • Add more Arel methods to be ignored in SQL (#711)
  • Avoid warning when linking to decorated models (#683)
  • Support newer terminal-table releases (#709)

Session Manipulation Check

As suggested by Joernchen, Brakeman will now look for user input in session keys which can lead to session manipulation.

(changes)

Optional Check for Weak Hashes

An optional check to look for use of MD5 and SHA1 has been added to this release. Run with -t WeakHash to use just this optional check or -A to run all checks.

(changes)

Windows Paths

Cody Frederick fixed an issue with determining absolute paths on Windows.

(changes)

Search for Methods by Regex

Alex Ianus re-introduced the ability to search the CallIndex with regular expressions for methods:

tracker.find_call(method: /_something$/)

(changes)

Haml Processing

Haml users may have noticed warnings with find_and_preserve(Haml::Filters::Javascript.render_with_options(...)) in them. This has been fixed so find_and_preserve is treated as though it just passes through its arguments. Calls to render_with_options will be treated as unescaped output.

Along with this change, j and escape_javascript will be considered safe inside :javascript filters in Haml.

(changes)

Chained Assignment

Chained assignments like a = b = c = 1 will now be handled correctly. This fixes a very old issue from 2012.

(changes)

Trying More

While Brakeman already treated a.try(:b) like a.b(), there is a surprising amount of code which does a.try(&:b). This is totally unnecessary, but Brakeman now handles it as well.

(changes)

More Arel Whitelisting

A number of Arel methods have been whitelisted to avoid warning about them inside SQL query building.

(changes)

Decorated Models in Links

If the Draper gem is used, Brakeman will ignore calls to decorate in link_to.

(changes)

terminal-table

Newer terminal-table releases are supported now and the dependency has been relaxed.

(changes)

SHAs

The SHA1 sums for this release are

cfd1840116c20b0b8932720fdaac09dd4e47091a  brakeman-3.1.1.gem
603389da732d307a014af445a1f312415b65a682  brakeman-min-3.1.1.gem

Reporting Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter, joining the mailing list, or hanging out on Gitter.

Brakeman 3.1.0 Released

There are several changes in this release which may affect consumers of the JSON report as well as anyone relying on the ignore configuration file. Please try out this script to migrate ignore configurations.

Additionally, some dependencies have been updated to versions no longer supporting Ruby 1.8. As a consequence, Brakeman no longer runs “out of the box” on Ruby 1.8, although you may be able to use the brakeman-min gem. No more attempts will be made to support running on Ruby 1.8 in future releases. Please note that does not mean Ruby 1.8 code cannot be analyzed; that still works fine.

Changes since 3.0.5:

  • Update dependencies to Ruby 1.8 incompatible versions
  • Update render path information in JSON reports
  • Remove renaming of several Sexp nodes
  • Treat html_safe like raw
  • Use railties version if rails gem is missing (Lucas Mazza)
  • Warn about unverified SSL mode in Net::HTTP.start
  • Expand XSS safe methods
  • Avoid warning on path creation methods in link_to
  • Add support for gems.rb/gems.locked (#705)
  • Fix low confidence XSS warning code
  • Avoid duplicate eval warnings
  • Convert YAML config keys to symbols (Karl Glaser)

Ruby 1.8 Incompatibility

Ruby 1.8.7 has been unsupported by the Ruby core team for over a year now (and that was after it had a six month extension). Several libraries Brakeman depends on have stopped supporting Ruby 1.8. Unfortunately, there is no way to specify depending on different gem versions for different Ruby versions. This left Brakeman in a difficult place - use old libraries (and cause conflicts in Gemfiles…), use new libraries (and lose 1.8 support), or don’t declare dependencies (and force users to install dependencies themselves). In the end, it seems most people are okay with dropping Ruby 1.8 support.

That being said, Brakeman 3.1.0 should run fine on Ruby 1.8 if dependencies are set up manually to be compatible.

(changes)

Render Path Improvements

Previously, render paths were arrays of strings. The strings represented the locations of calls to render (implicit or explicit), either in the form <Controller>#<method> or Template:<template/path>. While the information was somewhat useful to humans, it was not easily manipulated by computers and it was difficult to link the strings back to application code.

Now, render paths are arrays of hashes. The hash has a type key with a value of either controller or template. For controllers, the hash includes class, method, line, and file. For templates, the hash includes name, line, and file.

Example:

[
  {
    "type": "controller",
    "class": "ProductsController",
    "method": "create",
    "line": 50,
    "file": "app/controllers/products_controller.rb"
  },
  {
    "type": "template",
    "name": "products/new",
    "line": 2,
    "file": "app/views/products/new.html.erb"
  }
]

Implicit renders from controller actions point to the line at the end of the method.

Rendered templates in JSON reports used to include the render location as well. For example:

"location": {
  "type": "template",
  "template": "home/index (HomeController#index)"
}

Since this information is redundant with the render path, it has been removed.
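One reason to prefer the structured render path is that a CI step can turn it into a file:line chain without parsing strings. The following added example (not part of Brakeman) reads a constructed report in this format, filters by confidence, and prints each warning together with its render chain. The warning fields used (warning_type, confidence, fingerprint, file, line, render_path) follow Brakeman's JSON warning format; the report itself is made up.

```ruby
require "json"

# Added example, not part of Brakeman: consume the 3.1.0 JSON render_path
# format. The report below is constructed by hand.
REPORT_JSON = <<~JSON
  {
    "warnings": [
      {
        "warning_type": "Cross Site Scripting",
        "fingerprint": "0123abcd",
        "confidence": "High",
        "file": "app/views/products/new.html.erb",
        "line": 2,
        "render_path": [
          { "type": "controller", "class": "ProductsController", "method": "create",
            "line": 50, "file": "app/controllers/products_controller.rb" },
          { "type": "template", "name": "products/new", "line": 2,
            "file": "app/views/products/new.html.erb" }
        ]
      },
      {
        "warning_type": "Mass Assignment",
        "fingerprint": "ffff0000",
        "confidence": "Weak",
        "file": "app/models/user.rb",
        "line": 3,
        "render_path": null
      }
    ]
  }
JSON

# "ProductsController#create (file:line) -> products/new (file:line)"
def render_chain(warning)
  (warning["render_path"] || []).map do |step|
    label = step["type"] == "controller" ? "#{step["class"]}##{step["method"]}" : step["name"]
    "#{label} (#{step["file"]}:#{step["line"]})"
  end.join(" -> ")
end

CONFIDENCE_RANK = { "High" => 0, "Medium" => 1, "Weak" => 2 }.freeze

def warnings_at_least(report_json, min_confidence)
  JSON.parse(report_json)["warnings"].select do |w|
    CONFIDENCE_RANK.fetch(w["confidence"]) <= CONFIDENCE_RANK.fetch(min_confidence)
  end
end

# One line per warning at or above the given confidence.
def summarize(report_json, min_confidence: "Medium")
  warnings_at_least(report_json, min_confidence).map do |w|
    chain = render_chain(w)
    line = "#{w["confidence"]} #{w["warning_type"]} #{w["file"]}:#{w["line"]}"
    chain.empty? ? line : "#{line} via #{chain}"
  end
end

puts summarize(REPORT_JSON) if $PROGRAM_NAME == __FILE__
```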

(changes)

S-Expression Names

Starting a long time ago, Brakeman rewrote several s-expression names for no reason other than clarity (for example, dstr becomes string_interp). However, not all nodes were changed, leading to code that must check for both the original name from RubyParser and Brakeman’s name. This leads to messy code and subtle bugs.

The following node names were removed: string_interp, string_eval, methdef, selfdef, call_with_block.

While this seems like a silly internal change, it will unfortunately change any fingerprints containing these node types. A quick script is available to migrate ignore files without having to manually update the fingerprints.

(changes)

html_safe

As we hopefully all know by now, html_safe does not make a string safe; it marks the string so it is not escaped when output in a template. Since this is essentially the same as calling raw on a string, Brakeman will treat them both as unescaped output.

(changes)

Use railties Version

Thanks to Lucas Mazza, if an application depends on railties instead of rails, Brakeman will now use the gem version of railties as the Rails version.

(changes)

SSL Verify Mode

As suggested by Gordon McNaughton, Brakeman now warns when SSL certificate verification is turned off in calls to Net::HTTP.start.

(changes)

Safe Methods

The --safe-methods option (which only applies to XSS warnings) and --url-safe-methods (which applies to values passed to link_to) now work on methods that have a target. For example, --url-safe-methods this_is_safe will ignore link_to util.this_is_safe(params[:x]).

(changes)

More Safe Methods

Brakeman warns about user input in the href parameter of link_to because it is possible to pass in a string starting with javascript:, which will execute the XSS payload when the victim clicks on it. However, it will no longer warn about methods that look like path helpers or URL generation methods. It will still warn about URL methods on models, since those may be direct user input.
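What a safe href looks like is worth spelling out, because a naive start_with?("javascript:") check is easy to bypass. The following added example (not Rails or Brakeman code; link_to emits whatever string it is given) applies a scheme allowlist after normalising the value the way a browser's URL parser does: leading and trailing control characters and spaces are stripped and embedded tabs and newlines are removed before the scheme is read.

```ruby
# Added example, not Rails or Brakeman code: a scheme allowlist for
# user-supplied hrefs, with browser-style normalisation first.
SAFE_SCHEMES = %w[http https mailto].freeze

def safe_href?(href)
  return false unless href.is_a?(String)
  # Mirror the browser's URL parser: strip leading/trailing C0 controls and
  # space, drop embedded tabs and newlines. Without this, " javascript:..."
  # and "java\nscript:..." pass a naive prefix check yet still execute.
  cleaned = href.gsub(/\A[\x00-\x20]+|[\x00-\x20]+\z/, "").delete("\t\n\r")
  return false if cleaned.start_with?("//")        # protocol-relative: other host
  return true if cleaned.start_with?("/", "?", "#") # same-site relative forms
  scheme = cleaned[/\A([a-z][a-z0-9+.\-]*):/i, 1]
  return true if scheme.nil?                       # relative path, e.g. "docs/index"
  SAFE_SCHEMES.include?(scheme.downcase)
end

# Drop-in for the value handed to link_to: unsafe input collapses to a fallback.
def safe_link_href(href, fallback: "#")
  safe_href?(href) ? href : fallback
end
```

Protocol-relative URLs are rejected here deliberately: they are not script injection, but they do send the user to an attacker-chosen host, which is the same reason Brakeman keeps warning about URL methods on models.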

(changes)

gems.rb/gems.locked

gems.rb/gems.locked are alternative names for Gemfile/Gemfile.lock. Brakeman now supports either pair.

(changes)

Weak Confidence XSS Warnings

A small bug caused weak confidence XSS warnings to have a warning code of 5 (which is for unescaped JSON) instead of 2.

(changes)

Duplicate Eval Warnings

There should now be fewer duplicate warnings about dangerous calls to eval.

(changes)

Configuration Keys

Karl Glaser added a change so Brakeman configuration files may use string or symbol keys in the YAML file. However, it is recommended to use brakeman -C to generate configurations automatically, because writing YAML by hand is annoying.

(changes)

Internal Changes

Internally, most of the information Brakeman tracks is kept in hash tables. This is changing, starting with the addition of Controller, Model, Template, and Config classes.

Unfortunately, this will probably break any code that relies on Brakeman’s internals (such as custom checks).

Fortunately, in almost all cases it will simplify code and in many cases it just means changing a hash access (like template[:name]) to a method call (template.name).

See the pull request for examples.

Also note this is just the beginning of these internal changes…sorry! Hopefully this leads to improvements and makes it easier to write Brakeman code.

SHAs

The SHA1 sums for this release are

236af597e5cbcc0e647c02c4087ceb5965510435  brakeman-3.1.0.gem
fe06faf67e781c4c4dc5ee362918ef2dfd8e1ce2  brakeman-min-3.1.0.gem

Reporting Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter and joining the mailing list.

Brakeman 3.0.5 Released

And this is why you don’t rush out releases.

Changes since 3.0.4:

  • Fix check for CVE-2015-3227 (#667)

Fix CVE-2015-3227 Check

The check now knows that Rails 3.2.22 is the fixed version for anything before Rails 4.0, the warning message is correct when the exact Rails version cannot be determined, and the link URL points to the CVE announcement.

(changes)

SHAs

The SHA1 sums for this release are

b78e11b745128ed7f9acd5d0c4f5e0e3a81f4d07  brakeman-min-3.0.5.gem
c62cc782595d4995aa385b6bd96c2485ac932077  brakeman-3.0.5.gem

Reporting Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter and joining the mailing list.

Brakeman 3.0.4 Released

This is a small release prompted by Tuesday’s CVE announcements. New checks for the CVEs directly in Rails have been added, and can also test for the suggested workarounds. Please consider using bundler-audit for detecting known vulnerable versions of gems, as Brakeman has only limited coverage.

Note this release also upgrades the RubyParser dependency. The latest RubyParser has several bug fixes and initial support for new Ruby 2.2 syntax.

Changes since 3.0.3:

  • Add check for CVE-2015-3226 (XSS via JSON keys)
  • Add check for CVE-2015-3227 (XML DoS)
  • Treat <%== as unescaped output (#661)
  • Update ruby_parser dependency to 3.7.0

Cross Site Scripting in JSON

CVE-2015-3226 is an issue with converting hashes to JSON. The keys do not properly escape HTML entities, leading to potential cross site scripting vulnerabilities. Brakeman will warn unless the workaround is included in an initializer (essentially verbatim). The warning is high confidence if there is evidence of explicitly converting values to JSON, otherwise medium.

(changes)

XML Denial of Service

CVE-2015-3227 is a potential denial of service when parsing deeply nested XML requests. Brakeman will warn about this unless there is an initializer changing the XML parser as described in the CVE. Currently it looks for either LibXML or Nokogiri.

(changes)

Double Equals is Unescaped Output

Brakeman will now treat <%== x %> in ERB templates as unescaped output.

(changes)

SHAs

The SHA1 sums for this release are

bf6ae72a0b516ecf65b9165d07e86259ef9fa5d3  brakeman-3.0.4.gem
c1c2ea5402d8a89fe4a645947ec324d0603d3976  brakeman-min-3.0.4.gem

Reporting Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter and joining the mailing list.

Brakeman 3.0.3 Released

This is mostly a bug fix release, but does introduce a new warning code for when protect_from_forgery is not set to raise exceptions in Rails 4.

Changes since 3.0.2:

  • Warn about protect_from_forgery without exceptions (Neil Matatall)
  • Add Rake task to exit with error code on warnings (masarakki)
  • Ignore quoted_table_name in SQL (Gabriel Sobhrinho)
  • Ignore more Arel methods in SQL (#604)
  • Warn about RCE and file access with open
  • Handle Array#include? guard conditionals (#604)
  • Handle lambdas as filters
  • Do not ignore targets of to_s in SQL (#638)

New CSRF Warning

Neil Matatall has added a warning for Rails 4 applications that do not pass the with: :exception option to protect_from_forgery. The default behavior of clearing out the session (but still processing the request) has led to vulnerabilities in some applications. GitHub recently awarded a bug bounty for a vulnerability caused by this behavior.

(changes)

Additional Rake Task

Masarakki added a Rake task that will exit with an error code if any warnings are found (like brakeman -z). The task can be run with rake brakeman:check.

However, please note the use of Rake tasks to run Brakeman is discouraged, since it loads the entire Rails application which is unnecessary and may cause conflicts with Brakeman dependencies.

(changes)

Reduce SQL Injection False Positives

A patch from Gabriel Sobhrinho removes warnings about quoted_table_name in SQL queries.

(changes)

An additional change was made to ignore more Arel methods nested inside of other queries. This should reduce many of the false positives seen with combining Arel and ActiveRecord queries.

(changes)

Remote Code Execution in open()

As noted in Egor Homakov’s blog post, open can actually be used to spawn new processes by starting the argument with a pipe |. Brakeman will now warn about remote code execution via open.
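To see the difference in practice, here is an added example (not Brakeman's code) that feeds the same string to Kernel#open and to File.open: the first spawns a process, the second treats it as a file name. The read_user_file helper is the shape to use when a file name comes from the user: File.open, never Kernel#open, plus a containment check below a fixed root so "../" cannot escape either. The file and directory in the test are created on the fly.

```ruby
require "tmpdir"

# Added example, not Brakeman code: Kernel#open versus File.open on the same
# user-supplied string.

# Kernel#open: a leading "|" means "run this command and give me its stdout".
def read_with_kernel_open(name)
  open(name) { |io| io.read }
end

# File.open: the same string is only ever a path, so "|echo ..." does not exist.
def read_with_file_open(name)
  File.open(name) { |f| f.read }
end

# Safe pattern for user-controlled names: File.open, and refuse anything that
# resolves outside `root` after normalisation.
def read_user_file(name, root)
  root = File.expand_path(root)
  path = File.expand_path(name, root)
  unless path.start_with?(root + File::SEPARATOR)
    raise ArgumentError, "#{name.inspect} resolves outside #{root}"
  end
  File.open(path) { |f| f.read }
end
```

If you need to open URLs as well as files, use URI.open (or Net::HTTP) explicitly rather than relying on the open-uri extension of Kernel#open, so that the pipe form is never reachable from user input.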

(changes)

Simple Guard Conditions

Brakeman should now recognize guard conditions that look exactly like this:

if [1, 2, "a", "b"].include? x
  do_something_dangerous_with x
end

This may resolve some false positives. If you have code similar to this, please consider opening an issue and perhaps it can be handled similarly.

(changes)

Lambda Filters

Filters that use lambdas instead of blocks should now be handled correctly.

(changes)

Handle to_s in SQL

Values with to_s called on them were being ignored when checking for SQL injection. This has been fixed.

(changes)

SHAs

The SHA1 sums for this release are

170c3dd6925373b7da2e27fd1decf2957b35dc43  brakeman-3.0.3.gem
f126e305404a61e99f9ddb848996d87325d1485a  brakeman-min-3.0.3.gem

Reporting Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter and joining the mailing list.

Brakeman 3.0.2 Released

This is entirely a bugfix release, no new features. However, the fixes may cause line numbers and warning fingerprints to change.

Changes since 3.0.1:

  • Fix HTML reports with GitHub repos (#624)
  • Handle processing of explicitly shadowed block arguments (#612)
  • Fix CSV output when there are no warnings (#615)
  • Update ruby_parser to ~> 3.6.2
  • Treat primary_key, table_name_prefix, table_name_suffix as safe in SQL
  • Fix using --compare and --add-checks-path together
  • Alias process methods called in class scope on models
  • Avoid warning about mass assignment with string literals
  • Only report original regex DoS locations
  • Report correct file for simple_format usage CVE warning
  • Ignore case value in XSS checks

HTML Reports with GitHub Repo

HTML reports were sometimes causing an error when linking to a GitHub repo.

(changes)

Shadowed Block Arguments

There was an error handling explicitly shadowed block arguments like this:

some_array.each do |item; x, y|
  # Stuff
end

(changes)

CSV Output

Empty tables caused the CSV report to fail.

(changes)

RubyParser Update

Brakeman has been very behind on RubyParser versions due to a line number issue which is nearly always present in HAML templates. As a workaround, Brakeman now strips newline literals from HAML templates. This does cause some line numbers to be off, but newline literals in HAML output are typically just the result of HAML formatting, and removing them allows Brakeman to use the latest RubyParser.

Brakeman now requires RubyParser 3.6.2 as a minimum.

(HAML changes, dependency change)

More SQL-safe Methods

Brakeman will no longer warn about primary_key, table_name_prefix, and table_name_suffix in SQL.

(changes)

Compare with External Checks

Fix an issue when using --compare and --add-checks-path together.

(changes)

Process Class-Scope Method Calls

Previously, Brakeman would process method calls at the class scope (e.g., belongs_to) in models and then throw away the call. This meant the call never received data flow analysis. This was particularly noticeable when those calls involved blocks. This has been fixed and has improved results, especially where constants are used.

(changes)

Mass Assignment with Literals

Brakeman no longer warns about mass assignment if the arguments are a string or symbol literal. In those cases the receiver probably isn’t an ActiveRecord model anyway.

(changes)

Reduce Regex DoS Duplicates

Duplicate regular expression denial of service warnings were being reported due to data flow analysis.

(changes)

File for simple_format CVE

Warnings regarding the old simple_format CVE will now point to the file where simple_format was called, not the Gemfile.

(changes)

Ignore Case Value

Do not report about XSS regarding the value used in case expressions.

(changes)

SHAs

The SHA1 sums for this release are

87413b544b5eae0cac9f037e2b62b1fe3f0fee5e  brakeman-3.0.2.gem
cfcf3080a992ca173c64dd98fe239e8bd9bb0eaa  brakeman-min-3.0.2.gem

Reporting Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter and joining the mailing list.