Brakeman - Rails Security Scanner

Static analysis security scanner for Ruby on Rails

Brakeman 2.6.1 Released

This is a tiny release in response to today’s CVEs.

Changes since 2.6.0:

  • Add check for CVE-2014-3482 and CVE-2014-3483
  • Add support for keyword arguments in blocks (#511)
  • Remove unused warning codes (Bill Fischer)

Check for PostgreSQL Injection CVEs

CVE-2014-3482 and CVE-2014-3483 are SQL injection issues when using the PostgreSQL backend with bitstring and range data types. Brakeman will warn about affected versions of Rails which include the “pg” gem in the Gemfile.

(changes)

Support Keyword Arguments to Blocks

Brakeman now handles keyword arguments to blocks as local variables in the block scope instead of throwing an error.

(changes)

Removal of Warning Codes

Warning codes for CVE_2013_6415 and CVE_2013_6415_call have been removed, as they are unused. This should not affect anyone.

(changes)

SHAs

The SHA1 sums for this release are

5b7b5572efe769cfa38178e94952be05670e6fd4  brakeman-2.6.1.gem
fecdb07a5e1a83af02843fbd554472f980e04f91  brakeman-min-2.6.1.gem

Reporting Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter and joining the mailing list.

Brakeman 2.6.0 Released

This release introduces significant changes to how and when files are parsed, which may introduce changes in existing warnings and errors.

Changes since 2.5.0:

  • Improve default route detection in Rails 3/4 (Jeff Jarmoc)
  • Handle controllers and models split across files (Patrick Toomey)
  • Fix handling of protected_attributes gem in Rails 4 (Geoffrey Hichborn)
  • Add check for CVE-2014-0130
  • Add find_by/find_by! to SQLi check for Rails 4
  • Do not branch values for +=
  • Parse most files upfront instead of on demand
  • Fix CheckRender with nested render calls (#484)
  • Fix detection of :host setting in redirects (#506)
  • Ignore more model methods in redirects
  • Update to use RubyParser 3.5.0 (Patrick Toomey)

Improved Default Route Detection

In addition to Jeff Jarmoc’s awesome research on CVE-2014-0130, he contributed much-needed improvements to detecting use of :action and *action in routes for Rails 3/4. This may result in more default routes warnings.

(changes)

Multiple Files for Controllers and Models

Patrick Toomey contributed improvements which allow Brakeman to process controllers and models which may be defined in multiple files. The changes also improve how Brakeman handles controllers and models inside modules. This may alter some warnings and how some files are processed. Also, controllers and models may be associated with multiple files instead of just one.

(changes here and here)

Protected Attributes Gem

Thanks to Geoffrey Hichborn, Brakeman will now treat Rails 4 apps which use the protected_attributes gem like a Rails 3 app in regards to mass assignment.

(changes)

Check for CVE-2014-0130

Besides warning about more types of default routes in this release, Brakeman will also warn about CVE-2014-0130 explicitly. If the application uses default routes, the warning will be high confidence, otherwise medium. Note Brakeman will categorize this issue as “Remote Code Execution”, since Jeff Jarmoc demonstrated rendering arbitrary files can lead to interpreting those files as ERB.

(changes)

SQL Injection in Find By

Rails 4 added the find_by/find_by! methods which just call where(*args).take and are therefore vulnerable to the same issues as where. This release will check these methods for SQL injection now.

(changes)

No Branching for +=

Code which used += heavily in combination with many branches led to very poor performance. The resulting information from the branches was rarely useful. However, since += is building up a value (as opposed to replacing it), simply ignoring branches does not lose any of the values involved. Thus, the same vulnerabilities should still be detected even when losing flow sensitivity for += assignments. For details, see the changes.

This change has improved processing on some files from over 30 minutes to under 1 second. If some files were processing slowly or had to be ignored previously, consider trying again with this release.

(changes)

Parsing Files Upfront

This release changes when files are parsed. Previously, files were read and parsed as they were processed. Now most files are read and parsed near the beginning of the scan instead. This has allowed for some internal cleanup and easier future changes. However, some bugs were fixed regarding sorting files which may cause warnings to change.

(changes)

Nested Renders

CheckRender had a bug when processing a render call which contained another call to render. This has been fixed.

(changes)

Redirects with Chained Calls

The last release added support for checking if a redirect_to argument was setting the :host option. However, it did not work with chained calls like the one reported here. Now it should.

(changes)

Redirects to Models

More Rails 4 methods have been added and support for chained methods has been improved to prevent false positives when redirecting to a model instance.

(changes)

RubyParser Upgrade

The RubyParser dependency has been upgraded to 3.5.0 for Ruby 2.1 support. There are some issues with newlines and line number accuracy in newer versions (it is better for some code and worse for others) which have prevented further upgrades at the moment.

(changes)

SHAs

The SHA1 sums for this release are

0aae141108d92040f3553557a31ad117ac1c2ea6  brakeman-2.6.0.gem
70c2353f31d4d04ba8d95c871062db31d5c6e981  brakeman-min-2.6.0.gem

Reporting Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter and joining the mailing list.

Brakeman 2.5.0 Released

This release includes a number of false positive fixes, more Rails 4 support, a new check for regular expression denial of service, and Markdown output formatting.

Changes since 2.4.3:

  • Add GitHub-flavored Markdown output format (Greg Ose)
  • Add check for regex denial of service (Ben Toews)
  • Fix false positives when sanitize is used in SQL (Jeff Yip)
  • Add String#intern and Hash#symbolize_keys DoS check (Jan Rusnacko)
  • Add support for Rails 4 before_actions and friends
  • Add support for RailsLTS 2.3.18.7 and 2.3.18.8
  • Check for protected_attributes gem (#475)
  • Fix SQLi detection in chain calls in scopes (#471)
  • Fix false positive when :host is specified in redirect (#464)
  • Check all arguments in Model.select for SQLi
  • Move SQLi CVE checks to CheckSQLCVEs
  • Handle more non-literals in routes (#461)

Markdown Output Format

Greg Ose added the option to output to GitHub-flavored markdown (-f markdown or -o report.md). Additionally, the --github-repo option can be used to link the files in the report to a specific GitHub repository. See here for details.

(changes)

Regex Denial of Service

A new check for dangerous interpolation in regular expressions was contributed by Ben Toews. This will generate “Denial of Service” warnings if user input is interpolated into regular expressions.

For example, this will generate a warning:

/#{params[:name]}/

(changes)
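To make the warning concrete, here is an added example (not Brakeman’s code and not from the original post) contrasting raw interpolation with Regexp.escape. RECORDS and the search functions are constructed for the illustration; the Regexp.timeout setter only exists on Ruby 3.2 and later, so it is guarded.

```ruby
# Constructed sample data: names a search endpoint might match against.
RECORDS = %w[alice bob carol alice.smith].freeze

# Vulnerable form, the pattern Brakeman 2.5.0 warns about: the user-supplied
# text is parsed as regular-expression syntax, so the caller chooses the pattern.
def search_unsafe(user_input)
  RECORDS.grep(/#{user_input}/)
end

# Hardened form: Regexp.escape turns metacharacters into literals, so the
# input can only ever match itself.
def search_safe(user_input)
  RECORDS.grep(/#{Regexp.escape(user_input)}/)
end

# Defence in depth on Ruby 3.2+: a global match timeout bounds the damage even
# when an unescaped pattern slips through. Older Rubies lack the setter.
def enable_regexp_timeout(seconds)
  return false unless Regexp.respond_to?(:timeout=)
  Regexp.timeout = seconds
  true
end

if __FILE__ == $PROGRAM_NAME
  p search_unsafe('.')   # "." is a wildcard here, so every record matches
  p search_safe('.')     # only the record containing a literal "."
end
```

With a dot as input, the unescaped search returns all four records while the escaped search returns only alice.smith; an unbalanced parenthesis raises RegexpError in the unsafe version and simply matches nothing in the safe one.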

Avoid Warning on Sanitized SQL

Brakeman should no longer warn about SQL values wrapped in sanitize.

(changes)

More Symbol Denial of Service Methods

String#intern and Hash#symbolize_keys were added to the symbol denial of service check by Jan Rusnacko.

(changes)

Rails 4 Before Actions

Rails 4 added a bunch of aliases for before_filter and related methods, and Brakeman now recognizes these methods for adding and skipping filters.

(changes)

Latest RailsLTS Version

This release adds support for the latest RailsLTS 2.3.18.x versions and will not warn on CVE-2012-1099 and CVE-2014-0081 for applications using the appropriate RailsLTS versions.

(changes)

Protected Attributes Gem

Brakeman now treats applications using the protected_attributes gem as if mass assignment is enabled by default and attr_accessible is necessary to protect models.

(changes)

SQL Injection in Scopes

There was a bug which caused Brakeman not to warn about SQL injection in chained calls inside scope blocks (example here). Additionally, scope calls were not being handled for Rails 4.

(changes)

Hosts in Redirects

Brakeman should no longer warn about instances of redirect_to when :host is explicitly specified.

(changes)

SQL Injection in All Select Arguments

Brakeman was only checking the first argument to Model.select for SQL injection, but the method can take multiple arguments. This release corrects this to check all of the arguments.

(changes)

SQL Injection CVEs Moved to Separate Check

All the checks for SQL injection CVEs have been moved from CheckSQL to CheckSQLCVEs. This should only have an effect for users explicitly specifying to run or skip CheckSQL.

(changes)

More Routing Fixes

More instances of non-literals in routes will be ignored instead of raising exceptions. In general, information from routes.rb is not used except to warn about default routes (unless --no-assume-routes is used).

(changes)

SHAs

The SHA1 sums for this release are

fc8a7991e9351f8d5e26a59acf54422a638f4866  brakeman-2.5.0.gem
48f974aaf40957a325ee778d3d700fd29aa526bf  brakeman-min-2.5.0.gem

Reporting Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter and joining the mailing list.

Brakeman 2.4.3 Released

A new gem version has been released because the 2.4.2 gem was not signed. No other changes were introduced.

Signed Gems

As a reminder, the Brakeman gems are (supposed to be) signed and can be verified with this certificate.

To verify on installation:

gem cert --add <(curl -Ls https://raw.github.com/presidentbeef/brakeman/master/brakeman-public_cert.pem)
gem install brakeman -P MediumSecurity

“HighSecurity” requires all dependencies to be signed as well, which is unlikely.

There is some weirdness around -P MediumSecurity currently. The simplest solution seems to be:

gem install brakeman   # Install Brakeman and all dependencies
gem uninstall brakeman # Remove the Brakeman gem
gem install brakeman -P MediumSecurity  # Install Brakeman gem and check signature

SHAs

The SHA1 sums for this release are

16b4890fa8ee6bad1d429a12bf3f0cb8e76cb2d8  brakeman-2.4.3.gem
be5743d77140e64b75eefc53f8697f767ab370d9  brakeman-min-2.4.3.gem

Reporting Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter and joining the mailing list.

Brakeman 2.4.2 Released

This release is only internal changes and bug fixes, but some scans may see significant time and memory improvements.

Changes since 2.4.1:

  • Skip identically rendered templates
  • Improve HAML template processing
  • Only track original template output locations
  • Reuse duplicate call location information
  • Fix duplicate warnings about sanitize CVE
  • Remove rescue Exception

Drop Identical Templates

For a long time now Brakeman has skipped processing templates if the template had already been processed with an identical environment. However, there are many times when a template is rendered with different environments but the actual output is the same. Brakeman now drops these templates (they are rendered, then discarded if they are duplicates). This reduces peak memory overhead, sometimes drastically. It can also speed up call indexing and vulnerability checks since fewer templates are searched.

The location and render path of template warnings may change slightly due to this change. Also, the rendered template debug output will no longer include all rendered templates since duplicates will not be tracked.

(changes)

Better HAML Processing

HAML templates will be processed more accurately with this release.

For example, a template like this

#content
  .nav
    = @navigation_menu

used to produce output like

+-------------------------------------------------------------------------------------------------+
| Output                                                                                          |
+-------------------------------------------------------------------------------------------------+
| [Output] "<div id='content'>; <div class='nav'>; #{[Escaped] @navigation_menu}; </div>;</div>;" |
+-------------------------------------------------------------------------------------------------+

but now it will look like this instead

+-----------------------------------+
| Output                            |
+-----------------------------------+
| [Escaped Output] @navigation_menu |
+-----------------------------------+

Besides looking much nicer, this improves warnings and reduces how much code Brakeman has to search. Additionally, these push_text methods can often interpolate multiple values into the output string, which were not being properly detected as output. This is fixed now.

(changes)

Duplicate Template Outputs

Aliased values in templates were being counted multiple times as output. This did not affect warnings generated, but it did create duplicate output values to check and extraneous debug output.

(changes)

Call Location Reuse

For large applications, many calls in the call index actually have the same location (class+method or template). Instead of creating a new location hash for each call, the locations are cached and reused.

(changes)

Sanitize CVE Duplicates

Don’t worry - CVE-2013-1857 is one year old this week. But Brakeman was not properly preventing duplicate warnings for it. Hopefully this was affecting exactly no one.

(changes)

Narrower Exception Handling

All instances of rescue Exception were removed from Brakeman and replaced with bare rescues to catch StandardError and subclasses. Exception has some unfortunate subclasses, such as NoMemoryError and Interrupt which Brakeman should not be rescuing.

This does mean there may be some newly unhandled exceptions. Please report these so they can be rescued properly.

(changes)
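The difference between the two rescue forms, as an added example (not Brakeman’s code): Interrupt sits outside the StandardError hierarchy, so a bare rescue lets it propagate while rescue Exception swallows it. ScanError is a constructed stand-in for an ordinary processing failure.

```ruby
# Constructed: an ordinary failure a scanner might hit while processing a file.
class ScanError < StandardError; end

# The form Brakeman now uses: a bare rescue catches StandardError and its
# subclasses only.
def process_with_bare_rescue
  yield
  :ok
rescue => e
  [:rescued, e.class]
end

# The form Brakeman removed: Exception is the root of the hierarchy, so this
# also swallows Interrupt (Ctrl-C), NoMemoryError, SystemExit and friends.
def process_with_rescue_exception
  yield
  :ok
rescue Exception => e
  [:rescued, e.class]
end

# Which classes are StandardErrors? Interrupt and NoMemoryError are not,
# which is exactly why a bare rescue leaves them alone.
def standard_error?(klass)
  klass < StandardError ? true : false
end

if __FILE__ == $PROGRAM_NAME
  p process_with_bare_rescue { raise ScanError, 'bad template' }
  p process_with_rescue_exception { raise Interrupt }
  begin
    process_with_bare_rescue { raise Interrupt }
  rescue Interrupt
    puts 'Interrupt propagated past the bare rescue'
  end
end
```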

SHAs

The SHA1 sums for this release are

02842dc497bf22b5b427cfd02635c005c4fc4fd4  brakeman-2.4.2.gem
4893cedbcb015e96c82f4777b00a49ca8d0ae22f  brakeman-min-2.4.2.gem

Reporting Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter and joining the mailing list.

Brakeman 2.4.1 Released

This release only adds checks for the latest CVEs, no other changes.

Changes since 2.4.0:

  • Add check for CVE-2014-0080
  • Add check for CVE-2014-0081, replaces CVE-2013-6415
  • Add check for CVE-2014-0082

CVE-2014-0080

CVE-2014-0080 is a SQL injection issue which only affects applications using PostgreSQL with Rails 4.x. If Brakeman detects the pg gem and an affected version, it will warn about this CVE.

(changes)

CVE-2014-0081

CVE-2014-0081 is a vulnerability in number_to_currency, number_to_percentage, and number_to_human. Values passed in as options may not be properly escaped. It affects all previous versions of Rails.

Brakeman will warn on unsafe uses of these methods. If no unsafe calls are found, it will generate a generic medium confidence warning.

Warnings for CVE-2014-0081 replace warnings for CVE-2013-6415, which was about just number_to_currency.

(changes)

CVE-2014-0082

CVE-2014-0082 is a potential symbol denial of service problem when handling render :text in Rails 3.x.

Brakeman will only warn about this CVE if it detects use of render :text in affected versions.

(changes)

SHAs

The SHA1 sums for this release are

e9fb5439d5a322b4a9c9611d75d994e7df83d4d2  brakeman-2.4.1.gem
b84ad90a7ec9b6e6bbce8fc69c50d1d8b3214d0f  brakeman-min-2.4.1.gem

Reporting Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter or joining the mailing list.

Brakeman 2.4.0 Released

This is a fairly big release with some significant changes (especially for SQL injection warnings), so please test carefully. Existing warnings and fingerprints may change.

Changes since 2.3.1:

  • Fingerprint attribute warnings individually (Case Taintor)
  • Add check for uses of OpenSSL::SSL::VERIFY_NONE (Aaron Bedra)
  • Detect SQL injection in raw SQL queries using connection (#434)
  • Fix false positives when SQL methods are not called on AR models (#423, Aaron Bedra)
  • Reduce false positives for SQL injection in string building
  • More accurate user input marking for SQL injection warnings
  • Detect SQL injection in delete_all/destroy_all
  • Add support for Rails LTS versions (#422)
  • Parse exact versions from Gemfile.lock for all gems (#431)
  • Ignore generators in lib/ directory
  • No longer raise exceptions if a class name cannot be determined
  • Update to RubyParser 3.4.0

Attribute Warning Fingerprints

Case Taintor noted that ignoring one warning about dangerous mass assignable attributes ignored all such warnings for the same model. Then he fixed it, yay!

Please note this means fingerprints for warnings about “dangerous attributes” in attr_accessible will change. If you are currently ignoring some of these warnings, you will need to re-ignore them.

Also, the messages for these warnings have changed and the attribute name will now be in the “code” value in JSON reports.

(changes)

Check for SSL Verification

Aaron Bedra has contributed a new check for instances of verify_mode on HTTPS connections being set to OpenSSL::SSL::VERIFY_NONE. This bypasses any checks OpenSSL has for verifying the SSL certificate is legitimate, allowing easy man-in-the-middle attacks.

This new check has a new warning type (“SSL Verification Bypass”) and warning code (71).

(changes)

SQL Injection in Raw Queries

ActiveRecord::Core#connection or ActiveRecord::Base.connection or ActiveRecord::Base#connection can be used to send queries directly to the database connection without any protection. There are several ways of doing this, most of which are hopefully now covered by Brakeman.

(changes)

Fewer SQL Injection False Positives

Many changes were made in this release to reduce false positives related to SQL injection warnings and to improve the accuracy of reported issues.

First, Aaron Bedra fixed Brakeman to not warn about query-like methods that were innocently called on non-ActiveRecord objects. (changes)

For example, this:

find_by_sql("SELECT * FROM stuff WHERE thing = " + self.class.sanitize_sql(thing))

would have generated a warning which indicated "SELECT * FROM stuff WHERE thing = " + self.class.sanitize_sql(thing) was a dangerous value. Now it will not warn at all.

As another example, code like this

options = {}

if params[:sort_order] == 'ascending'
  sort_order = 'ASC'
else
  sort_order = 'DESC'
end

options[:order] = 'updated_at ' + sort_order
Test.all(options)

would create a warning about ("updated_at " + ("ASC" or "DESC")). Now Brakeman will recognize that these are all just strings and not warn.

Many warnings will also just be more accurate:

query = "SELECT sum(stuff) " +
      "FROM (SELECT other_stuff FROM #{table} WHERE id = #{id}) " +
      "AS item, bgs " +
      "WHERE ST_Contains(item.geometry, bgs.the_point);"

Test.find_by_sql(query)

This used to warn on the entire query! Now it will just warn about table.

#to_s calls are ignored now and their targets considered instead.

Additionally, Brakeman should no longer warn about method calls ending in _id, since those generally refer to foreign keys. Note, however, that local variables ending in _id will still produce warnings.

In general, fingerprints should not change for existing warnings, since the user_input value is not included in the fingerprint.

(changes)
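A toy model of the string-building analysis described above, and of the “no branching for +=” change from the 2.6.0 post, as an added example; none of this is Brakeman’s code. Values are built from four constructed node types, first_user_input plays the role of the user_input value in a report, and chained_plus_assign shows why branch-sensitive handling of += blows up while the branch-insensitive form still finds every tainted piece.

```ruby
# Constructed value model: a string expression as a scanner might track it.
Lit    = Struct.new(:text)     # literal known at scan time
Input  = Struct.new(:name)     # derived from user input, e.g. params[:table]
Concat = Struct.new(:parts)    # "a" + b or "#{a}#{b}"
Either = Struct.new(:options)  # could be any one of several branch results

def lit(text); Lit.new(text); end
def input(name); Input.new(name); end
def either(*options); Either.new(options); end

# Concatenation; nested Concats are flattened into one parts list.
def concat(*parts)
  Concat.new(parts.flat_map { |p| p.is_a?(Concat) ? p.parts : [p] })
end

# Depth-first search for the first piece derived from user input. This is the
# value a report would name as dangerous: the tainted piece, not the whole query.
def first_user_input(value)
  case value
  when Input then value
  when Lit then nil
  when Concat, Either
    children = value.is_a?(Concat) ? value.parts : value.options
    children.each do |child|
      hit = first_user_input(child)
      return hit if hit
    end
    nil
  end
end

def all_literal?(value)
  first_user_input(value).nil?
end

# How many distinct runtime strings the tracked value stands for.
def alternatives(value)
  case value
  when Lit, Input then 1
  when Concat then value.parts.map { |p| alternatives(p) }.reduce(1, :*)
  when Either then value.options.map { |o| alternatives(o) }.sum
  end
end

# The sort-order code from the post: both branches are literals, so no warning.
def sort_order_example
  sort_order = either(lit('ASC'), lit('DESC'))
  concat(lit('updated_at '), sort_order)
end

# The geometry query from the post: only `table`, the first tainted piece, is reported.
def geometry_query_example
  concat(lit('SELECT sum(stuff) '),
         lit('FROM (SELECT other_stuff FROM '), input(:table),
         lit(' WHERE id = '), input(:id), lit(') '),
         lit('AS item, bgs WHERE ST_Contains(item.geometry, bgs.the_point);'))
end

# n if/else blocks, each branch doing `query += ...`, with the else-branch tainted.
# Branch-sensitive tracking yields 2**n alternatives; the 2.6.0 behaviour just
# appends every += to the single tracked value, which is not a real runtime
# string but still contains each tainted piece.
def chained_plus_assign(n, branch_sensitive)
  query = lit('SELECT * FROM items WHERE 1 = 1')
  n.times do |i|
    then_part = lit(" AND col#{i} = 1")
    else_part = concat(lit(" AND col#{i} = "), input(:"param#{i}"))
    query = if branch_sensitive
              either(concat(query, then_part), concat(query, else_part))
            else
              concat(query, then_part, else_part)
            end
  end
  query
end
```

Ten chained branches give 1024 alternatives under branch-sensitive tracking and a single value under the += rule, yet first_user_input finds param0 in both, which is the point made in the 2.6.0 post: losing flow sensitivity for += loses no values.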

SQL Injection in Deletions

Brakeman will now look for SQL injection in delete_all and destroy_all which allow raw SQL strings.

(changes)

Support for Rails LTS

RailsLTS provides security patch backporting to Rails 2.3.18. They now include an internal version number in Gemfile.lock, which allows Brakeman to avoid warning about fixed vulnerabilities in applications using RailsLTS.

(changes)

Gemfile Parsing

Previously, Brakeman only checked Gemfile.lock for specific gems. Now it “parses” the entire file and can track all gem versions. (bundler-audit is recommended for checking gems for vulnerable versions.) This helps when Brakeman is checking for gem usage but the gem is an indirect dependency.

Also, a minor issue was fixed for those Gemfiles that do weird things and call gem with non-string arguments.

(changes)
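An added example of the lockfile parsing this section describes, and of the “does the app use the pg gem?” question behind the PostgreSQL CVE checks in this and later releases. It is not Brakeman’s parser; SAMPLE_LOCK is a constructed Gemfile.lock excerpt in which pg is only an indirect dependency of a made-up geo_store gem, so a check that only reads DEPENDENCIES would miss it. The fixed version passed to version_below? is a labelled placeholder, not the fixed version of any particular advisory.

```ruby
# Constructed Gemfile.lock excerpt. `pg` is pulled in only through the
# made-up `geo_store` gem, so it never appears under DEPENDENCIES.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (4.0.4)
        activesupport (= 4.0.4)
      activesupport (4.0.4)
      geo_store (1.2.0)
        pg (~> 0.17)
      pg (0.17.1)
      rails (4.0.4)
        actionpack (= 4.0.4)
        activesupport (= 4.0.4)

  PLATFORMS
    ruby

  DEPENDENCIES
    geo_store
    rails (= 4.0.4)
LOCK

# Exact versions of every resolved gem, direct or indirect: the `specs:` entries
# indented by exactly four spaces, formatted `name (version)`. Six-space lines
# are the dependency constraints of the gem above them and are skipped.
def locked_versions(lock_text)
  versions = {}
  in_specs = false
  lock_text.each_line do |line|
    if line =~ /\A\s*specs:\s*\z/
      in_specs = true
      next
    end
    in_specs = false if line =~ /\A\S/  # a new top-level section begins
    next unless in_specs
    versions[$1] = Gem::Version.new($2) if line =~ /\A {4}(\S+) \(([^)]+)\)\s*\z/
  end
  versions
end

# Gems the application asked for itself (the DEPENDENCIES section).
def direct_dependencies(lock_text)
  deps = []
  in_deps = false
  lock_text.each_line do |line|
    if line.start_with?('DEPENDENCIES')
      in_deps = true
      next
    end
    in_deps = false if line =~ /\A\S/
    deps << $1 if in_deps && line =~ /\A\s+(\S+)/
  end
  deps
end

# Does the lockfile resolve `name` at all, directly or transitively?
def uses_gem?(lock_text, name)
  locked_versions(lock_text).key?(name)
end

# Version comparison in the style of a CVE check. `fixed_version` is supplied
# by the caller; the value used in the test below is a placeholder.
def version_below?(lock_text, name, fixed_version)
  version = locked_versions(lock_text)[name]
  !version.nil? && version < Gem::Version.new(fixed_version)
end

if __FILE__ == $PROGRAM_NAME
  p direct_dependencies(SAMPLE_LOCK)
  p locked_versions(SAMPLE_LOCK).transform_values(&:to_s)
  p uses_gem?(SAMPLE_LOCK, 'pg')
end
```

Gem::Version handles the comparison so that 4.0.10 sorts after 4.0.9, which a string comparison would get wrong.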

Generators are Ignored

Any path in lib/ containing generators will now be ignored. This is mainly because there are .rb files in there that are actually templates, but Brakeman tries to parse them and fails because they aren’t really Ruby.

(changes)

Exceptions for Class Names

Previously, Brakeman actually raised and caught exceptions if a class name could not be determined from a Sexp. Now it just returns nil. This should remove some errors and possibly make some scans faster.

(changes)

RubyParser Update

The RubyParser dependency has been updated to 3.4.0. This release is much faster, along with lots of other good changes.

However, please note that line numbers for warnings involving heredocs may change. They will be slightly closer, but not exactly accurate.

(changes)

SHAs

The SHA1 sums for this release are

c9d840b6fca08f61b3abbd1fa109cf66be19fccc  brakeman-2.4.0.gem
5bad89c43f7ab78bd40dfd6f71aac3d034ccaa0a  brakeman-min-2.4.0.gem

Reporting Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter or joining the mailing list.

Brakeman 2.3.1 Released

Two minor bugs were fixed in this release. Please see the 2.3.0 release post if you are upgrading from an earlier version.

(changes)

Changes since 2.3.0:

  • Fix check for CVE-2013-4491 (i18n XSS) to detect workaround
  • Fix link for CVE-2013-6415 (number_to_currency)

i18n XSS Workaround

Brakeman 2.3.0 included a check for the official i18n XSS workaround, but it was commented out during testing and unfortunately left that way.

CVE-2013-6415 Link

The link provided for CVE-2013-6415 in Brakeman 2.3.0 was copy-pasted from an older check. This has been fixed.

SHAs

The SHA sums for this release are

469b209a4c72f5a1133d696575caeee1675837e7  brakeman-2.3.1.gem
827e1cdefba543f59ed5070aaa3f587d8c7d9513  brakeman-min-2.3.1.gem

Reporting Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider joining the mailing list or following @brakeman on Twitter.

Brakeman 2.3.0 Released

This is a small release, but adds several new warning codes for the latest Rails CVEs and a new check for uses of permit!. Also, this is the first signed gem release of Brakeman; see below for details.

Changes since 2.2.0:

  • Add check for CVE-2013-4491 (i18n XSS)
  • Add check for CVE-2013-6414 (header DoS)
  • Add check for CVE-2013-6415 (number_to_currency)
  • Add check for CVE-2013-6416 (simple_format XSS)
  • Add check for CVE-2013-6417 (query generation)
  • Add check for Parameters#permit! (#281)
  • Fix Slim XSS false positives (Noah Davis)
  • Whitelist Model#create for redirects (#406)
  • Collapse send/try calls
  • Fix scoping issues with instance variables and blocks (#406)
  • Fix typos in reflection and translate bug messages

I18n XSS

CVE-2013-4491 is a possible XSS in the i18n gem. Brakeman will warn unless the i18n gem is updated to the proper version or the workaround is used.

Header DoS

CVE-2013-6414 is a possible denial of service from special headers. Brakeman will warn unless the workaround is used.

Currency XSS

CVE-2013-6415 is an XSS in the second argument of number_to_currency. Brakeman will warn on uses of number_to_currency with dangerous unescaped arguments. If no dangerous uses are found, Brakeman will provide a general warning about the CVE.

Simple Format XSS

CVE-2013-6416 is an XSS in simple_format, which does not escape its output. Brakeman will warn on dangerous uses of simple_format. If no uses are found, it will report a general warning.

Query Generation Vulnerability

CVE-2013-6417 is the continuation of an old problem with SQL queries. The newest issue is caused by Rack middleware freezing the parameters before they can be cleaned up. Brakeman reports a general warning about this.

Check for Permit!

Brakeman now warns on uses of Parameters#permit!, which bypasses mass assignment protections. If a permit! is used without a subsequent mass assignment in the same method, the confidence will be medium.

(changes)

Slim XSS False Positives

Noah Davis provided a fix for XSS false positives in Slim templates when ActiveSupport is loaded. While Brakeman itself does not depend on ActiveSupport, it might be loaded if Brakeman is run with Bundler or as part of a Rake task.

(changes)

Whitelist Record Creation in Redirects

Redirects to Model#create and Model#create! should no longer warn.

(changes)

Collapse try/send

The effect of using try(:something) or send(:something) is essentially the same as calling something, so Brakeman now converts calls to try/send directly to the method being called.

For example:

User.find(1).try(:name)

is changed to

User.find(1).name

This can help find more vulnerabilities as well as prevent some false positives if the method name is actually something safe like id.

(changes)

Block Scoping

Several issues with blocks were fixed in this release. First, no calls with blocks were being processed correctly inside controllers. Secondly, instance variable assignments inside blocks were treated like local assignments. They are now treated as “method level” assignments (i.e. every method has its own “global” scope). Finally, local assignments inside blocks to existing variables were also being treated as block-local assignments.

(changes)

Warning Typos

Two tiny changes have been made to warning messages. The “translate bug” from ages ago had an extra } in the message, and the message for unsafe reflection no longer capitalizes “Reflection”. But since everyone is using warning fingerprints and not relying on matching messages, you should be okay, right?

(changes)

Signed Gems

The Brakeman gems are now signed and can be verified with this certificate.

To verify on installation:

gem cert --add <(curl -Ls https://raw.github.com/presidentbeef/brakeman/master/brakeman-public_cert.pem)
gem install brakeman -P MediumSecurity

“HighSecurity” requires all dependencies to be signed as well, which is unlikely.

Additionally, here are the SHA sums for this release:

2ae503781c51a69a1123d37d46b4813ea91f01e8  brakeman-2.3.0.gem
77d39eaf0e2663af526dcbf6e3b5bac16173fed1  brakeman-min-2.3.0.gem

Brakeman Users

We have a new page on this website listing companies which use Brakeman.

Please contact us (see bottom of page) to have your company listed!

Stickers

Brakeman stickers are still available!

Reporting Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider joining the mailing list or following @brakeman on Twitter.

Brakeman 2.2.0 Released

This is a small release, with some bug and false positive fixes alongside initial support for Rails engines and a new check for detailed exceptions.

Changes since 2.2.0:

  • Support scanning Rails engines (Geoffrey Hichborn)
  • Ignore redirects to models using friendly_id (AJ Ostrow)
  • Add check for detailed exceptions in production (#391)
  • Use Rails version from Gemfile if it is available (#398)
  • Only add routes with actual names (#395)
  • Reduce command injection false positives

Rails Engines

Geoffrey Hichborn added support for checking Rails engines paths when searching for controllers, models, and views. Please let us know if there are any issues or files missed with this change.

(changes)

Redirects with Friendly ID

Thanks to AJ Ostrow, Brakeman should no longer warn on redirects to models using friendly_id.

(changes)

Detailed Exceptions

Nathaniel Talbott suggested checking that detailed exceptions (treating requests as local) are not enabled in production.

Brakeman now generates a warning in a new category called “Information Disclosure” if config.consider_all_requests_local is set to true in production or a controller overrides show_detailed_exceptions? to return something other than false.

Please see the changes regarding the new category and two new warning codes associated with these warnings.
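An added example of the shape of a configuration check like this one, and of the OpenSSL::SSL::VERIFY_NONE check from the 2.4.0 post; it is not Brakeman’s code. Brakeman works on the Sexp produced by RubyParser, whereas this example uses the stdlib Ripper tokenizer, which is enough to show the idea: find lines where a named setting is assigned, or passed as a keyword argument, with a known-bad value. SAMPLE_SOURCE is constructed and shows the weak and hardened forms side by side.

```ruby
require 'ripper'

# Line numbers where `setting` is assigned, or passed as a keyword argument,
# with `bad_value` appearing on the right-hand side of the same line.
# Token-based, so `verify_mode == VERIFY_NONE` (a comparison) is not reported.
def find_insecure_settings(source, setting, bad_value)
  tokens = Ripper.lex(source)  # [[line, col], type, token, state] per token
  hits = []
  tokens.each_with_index do |(pos, type, tok, _state), i|
    line = pos[0]
    following = tokens.drop(i + 1)
    assigned =
      case type
      when :on_ident  # `x.verify_mode = ...`: next non-space token must be `=`
        next_tok = following.find { |t| t[1] != :on_sp }
        tok == setting && next_tok && next_tok[1] == :on_op && next_tok[2] == '='
      when :on_label  # `verify_mode: ...` inside a call's keyword arguments
        tok == "#{setting}:"
      else
        false
      end
    next unless assigned
    rest_of_line = following.take_while { |t| t[0][0] == line && t[1] != :on_comment }
    hits << line if rest_of_line.any? { |t| t[2] == bad_value }
  end
  hits.uniq
end

# Constructed sample: the weak and hardened forms side by side.
SAMPLE_SOURCE = <<~RUBY
  http = Net::HTTP.new(host, 443)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE  # weak: no certificate checking
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER  # hardened
  insecure = (http.verify_mode == OpenSSL::SSL::VERIFY_NONE)
  Net::HTTP.start(host, 443, use_ssl: true, verify_mode: OpenSSL::SSL::VERIFY_NONE)
  config.consider_all_requests_local = true   # weak: detailed errors in production
  config.consider_all_requests_local = false  # hardened
RUBY

# The 2.4.0 "SSL Verification Bypass" check, in miniature.
def ssl_verification_bypass_lines(source = SAMPLE_SOURCE)
  find_insecure_settings(source, 'verify_mode', 'VERIFY_NONE')
end

# The 2.2.0 "Information Disclosure" check for production config, in miniature.
def information_disclosure_lines(source = SAMPLE_SOURCE)
  find_insecure_settings(source, 'consider_all_requests_local', 'true')
end

if __FILE__ == $PROGRAM_NAME
  p ssl_verification_bypass_lines
  p information_disclosure_lines
end
```

Against the sample, the SSL check reports lines 3 and 6 (the assignment and the keyword argument) but not line 4 (VERIFY_PEER) or line 5 (a comparison), and the production-config check reports line 7 only. A real check would also need the controller override of show_detailed_exceptions? mentioned above, which a line-local token scan cannot see.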

Better Version Detection

Brakeman now uses the Rails version found in Gemfile or Gemfile.lock to determine when to enable Rails 3/4 mode, which seems obvious in retrospect. This required swapping when the Gemfile and the configuration files are processed.

(changes)

Rails 3 Routes

A small fix prevents Brakeman from raising an error when a route is a redirect or any value other than a string or symbol.

(changes)

Command Injection False Positives

There should be fewer false positives for command injection when interpolated values are literals. The check also now ignores commonly used values RAILS_ROOT, Rails.env, and Rails.root.

Additionally, reported “dangerous” values (user_input in JSON reports) for command injection are more specific. For example:

system "rm -rf #{some_var}"

used to report the entire string "rm -rf #{some_var}" as dangerous, even though it’s really warning about the interpolation of some_var. Now Brakeman will report the first potentially dangerous interpolated value. Note that this does not change fingerprints for existing warnings.

(changes)

Reporting Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider joining the mailing list or following @brakeman on Twitter.

Verification

The SHA-1 for the Brakeman 2.2.0 gem is:

f3a2b369bda79c677a913cdb2350cbda8bce8a90  brakeman-2.2.0.gem