Brakeman - Rails Security Scanner

Static analysis security scanner for Ruby on Rails

Brakeman 3.1.0 Released

There are several changes in this release which may affect consumers of the JSON report as well as anyone relying on the ignore configuration file. Please try out this script to migrate ignore configurations.

Additionally, some dependencies have been updated to versions no longer supporting Ruby 1.8. As a consequence, Brakeman no longer runs “out of the box” on Ruby 1.8, although you may be able to use the brakeman-min gem. No more attempts will be made to support running on Ruby 1.8 in future releases. Please note that does not mean Ruby 1.8 code cannot be analyzed; that still works fine.

Changes since 3.0.5:

  • Update dependencies to Ruby 1.8 incompatible versions
  • Update render path information in JSON reports
  • Remove renaming of several Sexp nodes
  • Treat html_safe like raw
  • Use railties version if rails gem is missing (Lucas Mazza)
  • Warn about unverified SSL mode in Net::HTTP.start
  • Expand XSS safe methods
  • Avoid warning on path creation methods in link_to
  • Add support for gems.rb/gems.locked (#705)
  • Fix low confidence XSS warning code
  • Avoid duplicate eval warnings
  • Convert YAML config keys to symbols (Karl Glaser)

Ruby 1.8 Incompatibility

Ruby 1.8.7 has been unsupported by the Ruby core team for over a year now (and that was after it had a six month extension). Several libraries Brakeman depends on have stopped supporting Ruby 1.8. Unfortunately, there is no way to declare different gem version dependencies for different Ruby versions. This left Brakeman in a difficult place - use old libraries (and cause conflicts in Gemfiles…), use new libraries (and lose 1.8 support), or don’t declare dependencies (and force users to install dependencies themselves). In the end, it seems most people are okay with dropping Ruby 1.8 support.

That being said, Brakeman 3.1.0 should run fine on Ruby 1.8 if dependencies are set up manually to be compatible.

(changes)

Render Path Improvements

Previously, render paths were arrays of strings. The strings represented the locations of calls to render (implicit or explicit), either in the form <Controller>#<method> or Template:<template/path>. While the information was somewhat useful to humans, it was not easily manipulated by computers and it was difficult to link the strings back to application code.

Now, render paths are arrays of hashes. The hash has a type key with a value of either controller or template. For controllers, the hash includes class, method, line, and file. For templates, the hash includes name, line, and file.

Example:

[
  {
    "type": "controller",
    "class": "ProductsController",
    "method": "create",
    "line": 50,
    "file": "app/controllers/products_controller.rb"
  },
  {
    "type": "template",
    "name": "products/new",
    "line": 2,
    "file": "app/views/products/new.html.erb"
  }
]

Implicit renders from controller actions point to the line at the end of the method.

Rendered templates in JSON reports used to include the render location as well. For example:

"location": {
  "type": "template",
  "template": "home/index (HomeController#index)"
}

Since this information is redundant with the render path, it has been removed.

(changes)
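As an added illustration (not a script from the Brakeman project), here is a small report consumer that turns the new array-of-hashes render_path into file:line chains a tool can link back to source, while still passing through the older string form so reports from both sides of the 3.1.0 change can be read. The report fragment and its fingerprints are constructed for this example.

```ruby
require "json"

# Constructed fragment of a Brakeman JSON report. The first warning uses the
# 3.1.0 array-of-hashes render_path; the second keeps the pre-3.1.0 string form.
REPORT_JSON = <<~JSON
  {
    "warnings": [
      {
        "warning_type": "Cross Site Scripting",
        "warning_code": 2,
        "fingerprint": "fp-constructed-1",
        "message": "Unescaped model attribute",
        "file": "app/views/products/new.html.erb",
        "line": 2,
        "confidence": "Weak",
        "render_path": [
          {"type": "controller", "class": "ProductsController", "method": "create",
           "line": 50, "file": "app/controllers/products_controller.rb"},
          {"type": "template", "name": "products/new",
           "line": 2, "file": "app/views/products/new.html.erb"}
        ]
      },
      {
        "warning_type": "Cross Site Scripting",
        "warning_code": 2,
        "fingerprint": "fp-constructed-2",
        "message": "Unescaped parameter value",
        "file": "app/views/home/index.html.erb",
        "line": 7,
        "confidence": "High",
        "render_path": ["HomeController#index", "Template:home/index"]
      }
    ]
  }
JSON

# Describe one render-path step as "file:line (label)". Legacy string steps
# carry no file or line, so they are passed through unchanged.
def describe_step(step)
  return step.to_s unless step.is_a?(Hash)
  label = case step["type"]
          when "controller" then "#{step["class"]}##{step["method"]}"
          when "template"   then step["name"]
          else step["type"].to_s
          end
  "#{step["file"]}:#{step["line"]} (#{label})"
end

# True when the render path still uses the pre-3.1.0 string format.
def legacy_render_path?(render_path)
  render_path.any? { |step| step.is_a?(String) }
end

def render_chain(render_path)
  Array(render_path).map { |step| describe_step(step) }.join(" -> ")
end

# Map each warning's fingerprint to its render chain, the final sink location
# and whether the chain came from a legacy-format report.
def render_chains(report_json)
  report = JSON.parse(report_json)
  report.fetch("warnings").each_with_object({}) do |w, out|
    path = Array(w["render_path"])
    out[w["fingerprint"]] = {
      chain: render_chain(path),
      legacy: legacy_render_path?(path),
      sink: "#{w["file"]}:#{w["line"]}"
    }
  end
end

if $PROGRAM_NAME == __FILE__
  render_chains(REPORT_JSON).each do |fingerprint, info|
    tag = info[:legacy] ? " [legacy render_path]" : ""
    puts "#{fingerprint}: #{info[:chain]}#{tag}"
  end
end
```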

S-Expression Names

Starting a long time ago, Brakeman rewrote several s-expression names for no reason other than clarity (for example, dstr becomes string_interp). However, not all nodes were changed, leading to code that must check for both the original name from RubyParser and Brakeman’s name. This leads to messy code and subtle bugs.

The following node names were removed: string_interp, string_eval, methdef, selfdef, call_with_block.

While this seems like a silly internal change, it will unfortunately change any fingerprints containing these node types. A quick script is available to migrate ignore files without having to manually update the fingerprints.

(changes)

html_safe

As we hopefully all know now, html_safe is not safe: it marks a string so it is not escaped when output in a template. Since this is essentially the same as calling raw on a string, Brakeman will treat them both as unescaped output.

(changes)

Use railties Version

Thanks to Lucas Mazza, if an application depends on railties instead of rails, Brakeman will now use the gem version of railties as the Rails version.

(changes)

SSL Verify Mode

As suggested by Gordon McNaughton, Brakeman now warns when SSL certificate verification is turned off in calls to Net::HTTP.start.

(changes)
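To show what this warning is looking for, here is an added example (not Brakeman's own check, which works on RubyParser S-expressions rather than Ripper) that flags verify_mode being set to OpenSSL::SSL::VERIFY_NONE, whether as a Net::HTTP.start option or as an attribute assignment. The scanned source is constructed: the first call keeps the default peer verification, the second disables it, and the assignment forms show the corrected and the weak setting side by side.

```ruby
require "ripper"

# Constructed Ruby source of the kind Brakeman scans. Lines 5 and 12 disable
# certificate verification; everything else keeps the default VERIFY_PEER.
SAMPLE_SOURCE = <<~RUBY
  Net::HTTP.start(host, 443, use_ssl: true) do |http|
    http.get("/")
  end
  Net::HTTP.start(host, 443, use_ssl: true,
                  verify_mode: OpenSSL::SSL::VERIFY_NONE) do |http|
    http.get("/")
  end
  http = Net::HTTP.new(host, 443)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  insecure = Net::HTTP.new(host, 443)
  insecure.verify_mode = OpenSSL::SSL::VERIFY_NONE
RUBY

# Yield every array node of a Ripper S-expression, depth first.
def each_node(node, &blk)
  return unless node.is_a?(Array)
  yield node
  node.each { |child| each_node(child, &blk) }
end

# Collect scanner tokens ([type, text, line]) beneath a node. Ripper token
# nodes look like [:@label, "verify_mode:", [line, col]].
def tokens_under(node)
  toks = []
  each_node(node) do |n|
    next unless n[0].is_a?(Symbol) && n[0].to_s.start_with?("@")
    next unless n[1].is_a?(String) && n[2].is_a?(Array)
    toks << [n[0], n[1], n[2][0]]
  end
  toks
end

# Return the sorted line numbers where verify_mode is set to VERIFY_NONE,
# either as a hash option (assoc_new) or as an assignment (assign).
def insecure_verify_mode_lines(src)
  sexp = Ripper.sexp(src)
  return [] unless sexp # unparseable source: nothing to report
  hits = []
  each_node(sexp) do |n|
    next unless [:assoc_new, :assign].include?(n[0])
    toks = tokens_under(n)
    key = toks.find do |type, text, _line|
      (type == :@label && text == "verify_mode:") || (type == :@ident && text == "verify_mode")
    end
    none = toks.find { |type, text, _line| type == :@const && text == "VERIFY_NONE" }
    hits << key[2] if key && none
  end
  hits.uniq.sort
end

if $PROGRAM_NAME == __FILE__
  insecure_verify_mode_lines(SAMPLE_SOURCE).each do |line|
    puts "line #{line}: SSL certificate verification disabled (VERIFY_NONE)"
  end
end
```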

Safe Methods

The --safe-methods option (which only applies to XSS warnings) and --url-safe-methods (which applies to values passed to link_to) now work on methods that have a target. For example, --url-safe-methods this_is_safe will ignore link_to util.this_is_safe(params[:x]).

(changes)

More Safe Methods

Brakeman warns about user input in the href parameter of link_to because it is possible to pass in a string starting with javascript:, which will execute the XSS payload when the victim clicks on it. However, it will no longer warn about methods that look like path helpers or URL generation methods. It will still warn about URL methods on models, since those may be direct user input.

(changes)

gems.rb/gems.locked

gems.rb/gems.locked are alternative names for Gemfile/Gemfile.lock. Brakeman now supports either pair.

(changes)

Weak Confidence XSS Warnings

A small bug caused weak confidence XSS warnings to have a warning code of 5 (which is for unescaped JSON) instead of 2.

(changes)

Duplicate Eval Warnings

There should now be fewer duplicate warnings about dangerous calls to eval.

(changes)

Configuration Keys

Karl Glaser added a change so Brakeman configuration files may use string or symbol keys in the YAML file. However, it is recommended to use brakeman -C to generate configurations automatically, because writing YAML by hand is annoying.

(changes)

Internal Changes

Internally, most of the information Brakeman tracks is kept in hash tables. This is changing, starting with the addition of Controller, Model, Template, and Config classes.

Unfortunately, this will probably break any code that relies on Brakeman’s internals (such as custom checks).

Fortunately, in almost all cases it will simplify code and in many cases it just means changing a hash access (like template[:name]) to a method call (template.name).

See the pull request for examples.

Also note this is just the beginning of these internal changes…sorry! Hopefully this leads to improvements and makes it easier to write Brakeman code.

SHAs

The SHA1 sums for this release are

236af597e5cbcc0e647c02c4087ceb5965510435  brakeman-3.1.0.gem
fe06faf67e781c4c4dc5ee362918ef2dfd8e1ce2  brakeman-min-3.1.0.gem

Reporting Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter and joining the mailing list.

Brakeman 3.0.5 Released

And this is why you don’t rush out releases.

Changes since 3.0.4:

  • Fix check for CVE-2015-3227 (#667)

Fix CVE-2015-3227 Check

Includes information that Rails 3.2.22 is the fix version for anything before Rails 4.0. Fixes warning message when exact Rails version cannot be determined. Fixes link URL to point to the CVE announcement.

(changes)

SHAs

The SHA1 sums for this release are

b78e11b745128ed7f9acd5d0c4f5e0e3a81f4d07  brakeman-min-3.0.5.gem
c62cc782595d4995aa385b6bd96c2485ac932077  brakeman-3.0.5.gem

Reporting Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter and joining the mailing list.

Brakeman 3.0.4 Released

This is a small release prompted by Tuesday’s CVE announcements. New checks for the CVEs directly in Rails have been added, and can also test for the suggested workarounds. Please consider using bundler-audit for detecting known vulnerable versions of gems, as Brakeman has only limited coverage.

Note this release also upgrades the RubyParser dependency. The latest RubyParser has several bug fixes and initial support for new Ruby 2.2 syntax.

Changes since 3.0.3:

  • Add check for CVE-2015-3226 (XSS via JSON keys)
  • Add check for CVE-2015-3227 (XML DoS)
  • Treat <%== as unescaped output (#661)
  • Update ruby_parser dependency to 3.7.0

Cross Site Scripting in JSON

CVE-2015-3226 is an issue with converting hashes to JSON. The keys do not properly escape HTML entities, leading to potential cross site scripting vulnerabilities. Brakeman will warn unless the workaround is included in an initializer (essentially verbatim). The warning is high confidence if there is evidence of explicitly converting values to JSON, otherwise medium.

(changes)

XML Denial of Service

CVE-2015-3227 is a potential denial of service when parsing deeply nested XML requests. Brakeman will warn about this unless there is an initializer changing the XML parser as described in the CVE. Currently it looks for either LibXML or Nokogiri.

(changes)

Double Equals is Unescaped Output

Brakeman will now treat <%== x %> in ERB templates as unescaped output.

(changes)

SHAs

The SHA1 sums for this release are

bf6ae72a0b516ecf65b9165d07e86259ef9fa5d3  brakeman-3.0.4.gem
c1c2ea5402d8a89fe4a645947ec324d0603d3976  brakeman-min-3.0.4.gem

Reporting Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter and joining the mailing list.

Brakeman 3.0.3 Released

This is mostly a bug fix release, but does introduce a new warning code for when protect_from_forgery is not set to raise exceptions in Rails 4.

Changes since 3.0.2:

  • Warn about protect_from_forgery without exceptions (Neil Matatall)
  • Add Rake task to exit with error code on warnings (masarakki)
  • Ignore quoted_table_name in SQL (Gabriel Sobhrinho)
  • Ignore more Arel methods in SQL (#604)
  • Warn about RCE and file access with open
  • Handle Array#include? guard conditionals (#604)
  • Handle lambdas as filters
  • Do not ignore targets of to_s in SQL (#638)

New CSRF Warning

Neil Matatall has added a warning for Rails 4 applications that do not pass the with: :exception option to protect_from_forgery. The default behavior of clearing out the session (but still processing the request) has led to vulnerabilities in some applications. GitHub recently awarded a bug bounty for a vulnerability caused by this behavior.

(changes)

Additional Rake Task

Masarakki added a Rake task that will exit with an error code if any warnings are found (like brakeman -z). The task can be run with rake brakeman:check.

However, please note the use of Rake tasks to run Brakeman is discouraged, since it loads the entire Rails application which is unnecessary and may cause conflicts with Brakeman dependencies.

(changes)

Reduce SQL Injection False Positives

A patch from Gabriel Sobhrinho removes warnings about quoted_table_name in SQL queries.

(changes)

An additional change was made to ignore more Arel methods nested inside of other queries. This should reduce many of the false positives seen with combining Arel and ActiveRecord queries.

(changes)

Remote Code Execution in open()

As noted in Egor Homakov’s blog post, open can actually be used to spawn new processes by starting the argument with a pipe |. Brakeman will now warn about remote code execution via open.

(changes)
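The following is an added example (not code from the Brakeman project) showing the pattern this warning targets next to a hardened replacement: File.open never interprets a leading "|" as a pipe, and resolving the requested name inside an allowed directory keeps it from reaching files elsewhere. The directory and log file used in the demo are constructed at runtime.

```ruby
require "tmpdir"

# Vulnerable form, the pattern Brakeman now flags: Kernel#open on a value the
# user controls. Kernel#open spawns a subprocess when its argument starts with
# "|", so this is a remote code execution sink. Kept only for contrast; it is
# never called below.
def read_unsafe(user_value)
  open(user_value) { |f| f.read }
end

# Hardened form: File.open treats "|" as an ordinary filename character, and
# the requested name is resolved against an allowed base directory first.
def read_safe(base_dir, user_value)
  base = File.expand_path(base_dir)
  path = File.expand_path(user_value, base)
  unless path.start_with?(base + File::SEPARATOR)
    raise ArgumentError, "refusing path outside #{base}: #{user_value.inspect}"
  end
  File.open(path, "r") { |f| f.read }
end

# Exercise the hardened reader against a constructed directory and return what
# happened for a normal name, a pipe-prefixed name and a traversal attempt.
def demo
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, "app.log"), "constructed log line\n")
    ok = read_safe(dir, "app.log")
    piped = begin
      read_safe(dir, "|date") # no file literally named "|date" exists, nothing runs
      :opened
    rescue Errno::ENOENT
      :not_found
    end
    escaped = begin
      read_safe(dir, "../outside")
      :opened
    rescue ArgumentError
      :rejected
    end
    [ok, piped, escaped]
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```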

Simple Guard Conditions

Brakeman should now recognize guard conditions that look exactly like this:

if [1, 2, "a", "b"].include? x
  do_something_dangerous_with x
end

This may resolve some false positives. If you have code similar to this, please consider opening an issue and perhaps it can be handled similarly.

(changes)

Lambda Filters

Filters that use lambdas instead of blocks should now be handled correctly.

(changes)

Handle to_s in SQL

Values with to_s called on them were being ignored when checking for SQL injection. This has been fixed.

(changes)

SHAs

The SHA1 sums for this release are

170c3dd6925373b7da2e27fd1decf2957b35dc43  brakeman-3.0.3.gem
f126e305404a61e99f9ddb848996d87325d1485a  brakeman-min-3.0.3.gem

Reporting Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter and joining the mailing list.

Brakeman 3.0.2 Released

This is entirely a bugfix release, no new features. However, the fixes may cause line numbers and warning fingerprints to change.

Changes since 3.0.1:

  • Fix HTML reports with GitHub repos (#624)
  • Handle processing of explicitly shadowed block arguments (#612)
  • Fix CSV output when there are no warnings (#615)
  • Update ruby_parser to ~> 3.6.2
  • Treat primary_key, table_name_prefix, table_name_suffix as safe in SQL
  • Fix using --compare and --add-checks-path together
  • Alias process methods called in class scope on models
  • Avoid warning about mass assignment with string literals
  • Only report original regex DoS locations
  • Report correct file for simple_format usage CVE warning
  • Ignore case value in XSS checks

HTML Reports with GitHub Repo

HTML reports were sometimes causing an error when linking to a GitHub repo.

(changes)

Shadowed Block Arguments

There was an error handling explicitly shadowed block arguments like this:

some_array.each do |item; x, y|
  # Stuff
end

(changes)

CSV Output

Empty tables caused the CSV report to fail.

(changes)

RubyParser Update

Brakeman has been very behind on RubyParser versions due to a line number issue which is nearly always present in HAML templates. As a workaround, Brakeman now strips newline literals from HAML templates. This does cause some line numbers to be off, but newline literals are typically caused by HAML formatting. Removing them allows Brakeman to use the latest RubyParser.

Brakeman now requires RubyParser 3.6.2 as a minimum.

(HAML changes, dependency change)

More SQL-safe Methods

Brakeman will no longer warn about primary_key, table_name_prefix, and table_name_suffix in SQL.

(changes)

Compare with External Checks

Fix an issue when using --compare and --add-checks-path together.

(changes)

Process Class-Scope Method Calls

Previously, Brakeman would process method calls at the class scope (e.g., belongs_to) in models and then throw away the call. This meant the call never received data flow analysis. This was particularly noticeable when those calls involved blocks. This has been fixed and has improved results, especially where constants are used.

(changes)

Mass Assignment with Literals

Brakeman no longer warns about mass assignment if the arguments are a string or symbol. In those cases the receiver probably isn’t an ActiveRecord subclass anyway.

(changes)

Reduce Regex DoS Duplicates

Duplicate regular expression denial of service warnings were being reported due to data flow analysis.

(changes)

File for simple_format CVE

Warnings regarding the old simple_format CVE will now point to the file where simple_format was called, not the Gemfile.

(changes)

Ignore Case Value

Do not report about XSS regarding the value used in case expressions.

(changes)

SHAs

The SHA1 sums for this release are

87413b544b5eae0cac9f037e2b62b1fe3f0fee5e  brakeman-3.0.2.gem
cfcf3080a992ca173c64dd98fe239e8bd9bb0eaa  brakeman-min-3.0.2.gem

Reporting Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter and joining the mailing list.

Brakeman 3.0.1 Released

This is a small release, but may change some fingerprints of warnings in libraries. Also, the Slim dependency has been removed due to conflicts. See below for details.

  • Remove Slim dependency (Casey West)
  • Properly process libraries (Patrick Toomey)
  • Add --add-libs-path for additional libraries (Patrick Toomey)
  • Allow for controllers/models/templates in directories under app/ (Neal Harris)
  • Avoid protect_from_forgery warning unless ApplicationController inherits from ActionController::Base (#573)
  • Properly format command interpolation (again)

Slim Gem Dependency Removed

Since Rails 4.2 requires Slim 3.0.1 and Slim 3.0 dropped support for Ruby 1.8.7, there is no way to satisfy dependencies for Slim, Rails 4.2, and retain support for Ruby 1.8.7 when Brakeman is added as a dependency in a Gemfile.

The only acceptable solution is to not include Slim as a dependency at all and let users sort it out for themselves. Sorry for the unfortunate situation, but there is no way to add Brakeman to a Gemfile and avoid Bundler attempting to resolve Brakeman’s dependencies against the application’s dependencies, despite there being no relation.

Thanks to Casey West for working through solutions for this issue.

(changes)

Library Processing

Libraries were added to the call index (which meant they were scanned during checks) in the 3.0.0 release, but they were still not being processed like most other code. This led to some checks not finding issues they should have. Patrick Toomey pointed this out and contributed a fix.

This change may affect existing warning fingerprints for warnings in libraries. Apologies for the inconvenience.

(changes)

Allow Additional Library Paths

Patrick Toomey also added a new option --add-libs-path to treat more paths as if they were in lib/.

(changes)

Scan Application Subdirectories

Neal Harris contributed a change to support applications with multiple applications under app/, such as app/cool_team/controllers/.

(changes)

Avoid CSRF Warning for APIs

Brakeman will no longer warn about missing protect_from_forgery if ApplicationController does not inherit from ActionController::Base.

(changes)

Command Interpolation Format Fix

Previous release had an incomplete fix for this. There should be no impact to warning fingerprints.

(changes)

Reporting Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter and joining the mailing list.

Brakeman 3.0.0 Released

This is a major version release of Brakeman which introduces some backwards-incompatible changes. Very likely this release will cause many changes in reports, including fingerprints on existing warnings.

Changes since 2.6.3:

  • --exit-on-warn --compare only returns error code on new warnings (Jeff Yip)
  • Sort warnings by fingerprint in JSON report (Jeff Yip)
  • CVEs report correct line and file name (Gemfile/Gemfile.lock) (Rob Fletcher)
  • Change --separate-models to be the default
  • Local variables are no longer formatted as (local var)
  • Actually skip skipped before filters
  • Remove “fake filters” from warning fingerprints
  • Index calls in lib/ files
  • Handle symmetric multiple assignment
  • Do not branch for self attribute assignment x = x.y (#552)
  • Move Symbol DoS to optional checks
  • Add check for cross site scripting via inline renders
  • Add check for CVE-2014-7829
  • Fix parsing of <%== in ERB
  • Fix output format of command interpolation
  • Fix CVE for CVE-2011-2932

Exit Code When Comparing

When using --exit-on-warn --compare, Brakeman will only return a non-zero exit code when there are new warnings. Previous behavior was to return non-zero exit code if there were any differences between reports (including fixed warnings).

(changes)

Sort Warnings in JSON Report

Warnings are now sorted by their fingerprint in the JSON report to provide more stable output.

(changes)

Report Line Numbers for CVEs

Previously, CVE warnings typically pointed to Gemfile with no line number information. Now CVEs should point to Gemfile or Gemfile.lock as appropriate and include the line number for the vulnerable gem dependency.

(changes and more changes)

Mass Assignment Warnings Default to per Model

The --separate-models option is now on by default. This means warnings about missing attr_accessible will be reported for each model instead of rolling them into a single warning.

(changes)

Local Variable Format

Local variables are no longer formatted as (local var) in warning output.

(changes)

Skip Skipped Filters

Before filters which are skipped are now actually skipped during data flow analysis.

(changes)

Fake Filter Change

Before filters defined as blocks (instead of methods) are internally represented as methods with random names prepended by fake_filter. Since the method names were not stable, any warnings inside the filters would have inconsistent fingerprints. Now warnings inside of before filters will always be reported with before_filter as the method name.

(changes)

Index Calls in Libraries

Classes defined in lib/ files will now be included in the method call index and searched for vulnerabilities. As these files were already being processed, this has not added any significant overhead in testing.

(changes)

Handle Multiple Assignment

Simple symmetric multiple assignments (also called “parallel assignment”) like x, y = 1, 2 are now handled like normal assignments.

(changes)

Avoid Branching on Self Assignment

Brakeman no longer creates new union values for self assignment of attributes.

(changes)

Symbol DoS is an Optional Check

In this release the check for denial of service via symbol creation has been changed to an optional check. Memory exhaustion by creating lots of new symbols is an unlikely attack and easily mitigated by having at least two web servers. Additionally

(changes)

Warn on Inline XSS

Unescaped user input in render :text or render :inline should now generate warnings.

(changes)

CVE-2014-7829

Brakeman will warn about CVE-2014-7829 (file existence disclosure) for applications using affected versions of Rails and setting config.serve_static_assets = true.

(changes)

ERB Parsing Fix

Parsing <%== in ERB templates no longer causes errors.

(changes)

Command Interpolation Format Fix

Brakeman was formatting

`#{x}`

as

`x`

This has been fixed.

(changes)

CVE-2011-2932

The ancient CVE-2011-2932 was being mis-reported as CVE-2011-2931. Hopefully this affects no one.

(changes)

Certificate Update

The certificate used to sign the Brakeman gem expired in December. A new certificate is available here.

This command can be used to add the new certificate:

gem cert --add <(curl -Ls https://raw.github.com/presidentbeef/brakeman/master/brakeman-public_cert.pem)

SHAs

The SHA1 sums for this release are

4180238f8de503e7ad0f2ca952ea38ccc1c6530b  brakeman-3.0.0.gem
b5cefd6f14edb57f12d1fe9fcc0fb24e05a05aaf  brakeman-min-3.0.0.gem

Reporting Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter and joining the mailing list.

Brakeman 2.6.3 Released

This is mostly a bug fix release, but does include new support for optional checks along with an optional check for unscoped calls to find.

Changes since 2.6.2:

  • Add framework for optional checks
  • Add optional check for unscoped find queries (Ben Toews)
  • Fix stack overflow for cycles in class ancestors (Jeff Rafter)
  • Fix stack overflow in ProcessHelper#class_name (#553)
  • Whitelist exists arel method from SQL injection check
  • Avoid warning about Symbol DoS on safe parameters as method targets

Optional Checks

Brakeman now supports loading checks that are not run by default. These “nondefault” checks may have high false positive rates or introduce significant slowdowns. Optional checks should be treated as experimental and may experience more breaking changes than default checks.

To run all checks, use -A. To list only the optional checks, try --optional-checks. Optional checks are also listed in --checks. As usual, checks may be specified using -t or --test. At this time there is no way to easily run the default checks plus some optional checks.

On the code side, optional checks are the same except Brakeman::Checks.add self becomes Brakeman::Checks.add_optional self.

(changes)

Unscoped Queries

The first optional check to be added to Brakeman comes from Ben Toews. This check looks for calls to find (or similar methods) directly on models that have a belongs_to relationship.

As this is an optional check, use -A to include it in a scan or -t UnscopedFind to run it by itself.

(changes)

Fix Loops in Class Ancestors

Jeff Rafter added a fix for stack overflows (infinite loops) when a class has (or appears to have) a cycle in its superclasses.

(changes)

Fix Stack Overflow

This release fixes an issue with another infinite loop when looking up the class name in a self-referential variable name, which comes up in some situations. Fixing this bug also fixed some XSS false positives for safe model attribute methods (like id) but unfortunately also revealed some dynamic render false positives.

(changes)

Whitelist Arel Method

Brakeman does not warn on most uses of Arel, but was warning about SQL injection from the exists method.

(changes)

Less Symbol DoS

Brakeman should no longer warn about Symbol DoS when symbolizing params[:controller] and params[:action] even when there are intermediate method calls, like params[:action].to_s.to_sym.

(changes)

SHAs

The SHA1 sums for this release are

ceb689e3a6efd7e28483828de3441ec1fad501c1  brakeman-2.6.3.gem
334a7820c05bfeb31e0e9d8123f45daef64eb102  brakeman-min-2.6.3.gem

Reporting Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter and joining the mailing list.

Brakeman Is Four Years Old!

Brakeman was first publicly released four years ago today!

In those four years, Brakeman has gradually become a widely-used static analysis security tool for Ruby on Rails, leaving other web frameworks jealous.

Brakeman is used in all kinds of organizations, from hobby projects to open source applications to start-ups to large corporations. If your organization uses Brakeman, please consider being listed!

Brakeman also helps power several SaaS offerings!

Did you know Brakeman even won a Ruby award?

Because Brakeman is so old, it still supports Rails 2.3 (2009!) and Ruby 1.8.7 (2008!) while usually adding support for new releases fairly quickly, making it useful for nearly any Rails application. If it doesn’t work for you - please file an issue!

Many thanks to the many people who have contributed to Brakeman. All contributions - patches, bug reports, documentation updates, promoting Brakeman, or even just asking questions - are sincerely appreciated. Lots of gratitude to the open source projects underlying Brakeman and their maintainers, especially Ryan Davis. And a big thank you to the companies who have funded Brakeman’s development!

  • 4 years
  • 39 contributors
  • 69 releases
  • 181 closed issues
  • 2,043 commits
  • 700,000+ gem downloads

Here’s to four more years?

By the way - stickers have returned! Send your name and address (yes, international is fine) to stickers@brakeman.org.

Brakeman 2.6.2 Released

This release is mostly bug fixes and updates, but does include two new options.

Changes since 2.6.1:

  • Add check for CVE-2014-3514
  • Add --add-checks-path option for external checks (Clint Gibler)
  • Add -4 option to force Rails 4 mode
  • Fix SQL injection detection in deep nested string building
  • Check entire call for send (#523)
  • Check for .gitignore of secrets in subdirectories (#519)
  • Avoid warning about symbolizing safe parameters (#536)
  • Fix block statement endings in Erubis (#518)
  • Update ruby2ruby dependency to 2.1.1
  • Expand app path in one place instead of all over (Jeff Rafter)
  • Fix undefined variable in controller processing error (Jason Barnabe)

Mass Assignment Bypass (CVE-2014-3514)

CVE-2014-3514 describes an issue where create_with does not implement strong parameters, allowing mass assignment in Rails 4.x. For vulnerable versions, Brakeman warns about instances of create_with or a generic warning if no uses are found.

(changes)

External Check Option

Clint Gibler has added the --add-checks-path option to provide a path to search for additional checks. This is useful if you wish to write your own custom rules for Brakeman to run.

(changes)

Option to Force Rails 4

If the Rails version for an application cannot be determined automatically for some reason, the -4 option will force Brakeman to treat it like a Rails 4 application.

Included with this change are some fixes when a Rails 4 app is detected but the exact version number cannot be determined. This may change the output for some scans.

(changes)

SQL Injection in Nested Strings

This release fixes some SQL injection detection when there is lots of string building mixing concatenation and interpolation. These changes may also affect which value Brakeman warns about within the string.

(changes)

Better Send Call Detection

Previously, Brakeman ignored calls to send when they were nested inside a chain of calls. This has been fixed.

(changes)

Ignored Secrets

Brakeman now checks subdirectories for .gitignore files when determining if the secrets configuration is being ignored.

(changes)

Symbolizing Safe Parameters

Since params[:controller] and params[:action] are quite difficult (possibly impossible) to DoS, Brakeman will not warn about symbolizing them.

(changes)

Erubis Fixes

Some ERB templates were not parsing correctly due to how Brakeman was handling the end of blocks. This should be resolved now.

(changes)

Ruby2Ruby Dependency Updated

Brakeman now depends on the latest version of Ruby2Ruby due to the fix here.

(changes)

Expand App Path Once

Jeff Rafter refactored a bunch of code which was converting the application path to an absolute path and instead moved it to one (okay, maybe two) spots. This should not affect any reports.

(changes)

Error in Controller Processing

Jason Barnabe fixed an error…in the error handling when processing controllers.

(changes)

SHAs

The SHA1 sums for this release are

f225541559d2fbe5374d481b6105b66053f9710a  brakeman-2.6.2.gem
67882d467b6a8fc6e504b6dcb9605f79a0c6a22c  brakeman-min-2.6.2.gem

Reporting Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter and joining the mailing list.