There are several changes in this release which may affect consumers of the JSON report as well as anyone relying on the ignore configuration file. Please try out this script to migrate ignore configurations.
Additionally, some dependencies have been updated to versions no longer supporting Ruby 1.8. As a consequence, Brakeman no longer runs “out of the box” on Ruby 1.8, although you may be able to use the
brakeman-min gem. No more attempts will be made to support running on Ruby 1.8 in future releases. Please note that does not mean Ruby 1.8 code cannot be analyzed; that still works fine.
Changes since 3.0.5:
- Update dependencies to Ruby 1.8 incompatible versions
- Update render path information in JSON reports
- Remove renaming of several
- Use railties version if rails gem is missing (Lucas Mazza)
- Warn about unverified SSL mode in
- Expand XSS safe methods
- Avoid warning on path creation methods in
- Add support for
- Fix low confidence XSS warning code
- Avoid duplicate
- Convert YAML config keys to symbols (Karl Glaser)
Ruby 1.8 Incompatibility
Ruby 1.8.7 has been unsupported by the Ruby core team for over a year now (and that was after it had a six month extension). Several libraries Brakeman depends on have stopped supporting Ruby 1.8. Unfortunately, there is no way to specify depending on different gem versions for different Ruby versions. This left Brakeman in a difficult place - use old libraries (and cause conflicts in Gemfiles…), use new libraries (and lose 1.8 support), or don’t declare dependencies (and force users to install dependencies themselves). In the end, it seems most people are okay with dropping Ruby 1.8 support.
That being said, Brakeman 3.1.0 should run fine on Ruby 1.8 if dependencies are set up manually to be compatible.
Render Path Improvements
Previously, render paths were arrays of strings. The strings represented the locations of calls to
render (implicit or explicit), either in the form
Template:<template/path>. While the information was somewhat useful to humans, it was not easily manipulated by computers and it was difficult to link the strings back to application code.
Now, render paths are arrays of hashes. The hash has a
type key with a value of either
template. For controllers, the hash includes
file. For templates, the hash includes
Implicit renders from controller actions point to the line at the end of the method.
Rendered templates in JSON reports used to include the render location as well. For example:
"template": "home/index (HomeController#index)"
Since this information is redundant with the render path, it has been removed.
Starting a long time ago, Brakeman rewrote several s-expression names for no reason other than clarity (for example,
string_interp). However, not all nodes were changed, leading to code that must check for both the original name from RubyParser and Brakeman’s name. This leads to messy code and subtle bugs.
The following node names were removed:
While this seems like a silly internal change, it will unfortunately change any fingerprints containing these node types. A quick script is available to migrate ignore files without having to manually update the fingerprints.
As we hopefully all know now,
html_safe is not safe, it marks a string so it is not escaped when output in a template. Since this is essentially the same as calling
raw on a string, Brakeman will treat them both as unescaped output.
Use railties Version
Thanks to Lucas Mazza, if an application depends on
railties instead of
rails, Brakeman will now use the gem version of
railties as the Rails version.
SSL Verify Mode
As suggested by Gordon McNaughton, Brakeman now warns when SSL certificate verification is turned off in calls to
--safe-methods option (which only applies to XSS warnings) and
--url-safe-methods (which applies to values pass to
link_to) now work on methods that have a target. For example,
--url-safe-methods this_is_safe will ignore
More Safe Methods
Brakeman warns about user input in the href parameter of
link_to because it is possible to pass in a string starting with
gems.locked are alternative names for
Gemfile.lock. Brakeman now supports either pair.
Weak Confidence XSS Warnings
A small bug caused weak confidence XSS warnings to have a warning code of
5 (which is for unescaped JSON) instead of
Duplicate Eval Warnings
There should now be fewer duplicate warnings about dangerous calls to
Karl Glaser added a change so Brakeman configuration files may use string or symbol keys in the YAML file. However, it is recommended to use
brakeman -C to generate configurations automatically, because writing YAML by hand is annoying.
Internally, most of the information Brakeman tracks is kept in hash tables. This is changing, starting with the addition of
Unfortunately, this will probably break any code that relies on Brakeman’s internals (such as custom checks).
Fortunately, in almost all cases it will simplify code and in many cases it just means changing a hash access (like
template[:name]) to a method call (
See the pull request for examples.
Also note this is just the beginning of these internal changes…sorry! Hopefully this leads to improvements and makes it easier to write Brakeman code.
The SHA1 sums for this release are
Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.
Also consider following @brakeman on Twitter and joining the mailing list.