Brakeman 3.3.0 introduces a new packaging method for Brakeman which vendors all dependencies and does not include any gem dependencies in the gemspec. Please test and provide feedback if it does not work as expected.
Changes since 3.2.1:
- Bundle all dependencies in gem
- Return exit code 4 if no Rails application is detected (#869)
- Add optional check for secrets in source code (#201)
- Track constants globally
- Skip if branches with Rails.env.test?
- Skip processing obviously false if branches (more broadly)
- Handle HAML find_and_preserve with a block (#837)
- Allow non-Hash arguments in protect_from_forgery (Jason Yeo)
- Avoid warning about u helper (Chad Dollins)
- Avoid warning about mass assignment and SQL injection with params.slice
- Avoid warning about
- Avoid warning on popen with array (#851)
- [Code Climate engine] When possible, output to /dev/stdout (Gordon Diggs)
- [Code Climate engine] Remove nil entries from include_paths (Gordon Diggs)
- [Code Climate engine] Report end lines for issues (Gordon Diggs)
In its gem form, Brakeman no longer declares any external dependencies. Its dependencies are bundled with the gem itself. This should prevent the conflicts which sometimes occur when Brakeman is declared as a dependency of a Rails application. The disadvantage is you will no longer be able to update Brakeman dependencies (like RubyParser) without updating Brakeman itself.
As this is a new way of distributing Brakeman, please report any issues that may arise.
New Exit Code
A new exit code has been added for the case when Brakeman does not detect a Rails application.
For reference, these are Brakeman’s current exit codes:
0 - Normal exit
3 - Warnings found (with
4 - No Rails application detected
255 - Error
A new optional check has been added to look for hard-coded secrets in the source code. It will warn when constants like PASSWORD are assigned string literals. To run the new check, use -t Secrets or -A to run all checks including optional ones.
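As an added illustration of what this check looks for (this is not Brakeman's own code), the Ruby script below uses the standard-library Ripper parser to flag constants assigned plain string literals. The secret-like name pattern and the sample source are constructed for this example; Brakeman's real heuristics may differ.

```ruby
require "ripper"

# Assumption for this example: constant names that look like secrets.
# Brakeman's own name heuristic is not reproduced here.
SECRET_NAME = /PASSWORD|SECRET|TOKEN|API_KEY/i

# Constructed sample source (not taken from any real application).
SAMPLE_SOURCE = <<~RUBY
  class Settings
    PASSWORD = "hunter2"        # flagged: secret-like name, literal value
    API_KEY = ENV["API_KEY"]    # not flagged: value is not a literal
    TIMEOUT = "30"              # not flagged: name is not secret-like
    Mailer::TOKEN = "abc123"    # flagged: namespaced constant, literal value
    DB_SECRET = "pw-\#{rand}"   # not flagged: interpolated string
  end
RUBY

# Leaf constant name and line for an assignment target, or nil when the
# target is not a constant (local variable, attribute, etc.).
def constant_target(target)
  case target[0]
  when :var_field
    return nil unless target[1][0] == :@const
    [target[1][1], target[1][2][0]]
  when :const_path_field
    [target[2][1], target[2][2][0]]
  end
end

# A string literal whose parts are all plain text, i.e. no #{} interpolation.
def plain_string_literal?(node)
  return false unless node.is_a?(Array) && node[0] == :string_literal
  node[1].drop(1).all? { |part| part[0] == :@tstring_content }
end

# Walk the Ripper S-expression and collect [name, line] for every
# secret-like constant that is assigned a plain string literal.
def find_hardcoded_secrets(source)
  findings = []
  walk = lambda do |node|
    next unless node.is_a?(Array)
    if node[0] == :assign
      name, line = constant_target(node[1])
      findings << [name, line] if name&.match?(SECRET_NAME) && plain_string_literal?(node[2])
    end
    node.each { |child| walk.call(child) }
  end
  walk.call(Ripper.sexp(source))
  findings
end
```

Running find_hardcoded_secrets(SAMPLE_SOURCE) reports PASSWORD on line 2 and TOKEN on line 5; the ENV lookup, the non-secret name and the interpolated string are left alone.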
This release includes initial support for tracking and matching constants across the application. For example, if a model contains a constant Model::KEYS which is used elsewhere, Brakeman should be able to track this value. This helps prevent false positives when safe values have been declared as constants.
Skipping Test Code
Brakeman will now ignore if branches that check Rails.env.test?. Additionally, branch skipping behavior (e.g. if false...) has been expanded to most of Brakeman's processing instead of just in data flow analysis.
Brakeman will now handle uses of find_and_preserve in HAML with a block.
Array#first will be replaced with the first value in the array when known.
Jason Yeo provided a fix for when Brakeman encounters a non-Hash argument to protect_from_forgery.
Chad Dollins fixed XSS false positives when the u alias for url_encode is used.
slice False Positives
Brakeman should no longer warn when using params.slice in mass assignment, SQL injection, links, and open redirects.
Brakeman will no longer warn about uses of popen when the argument is an array, in which case the arguments are escaped.
Code Climate Engine
Gordon Diggs provided several improvements to the Code Climate Engine in this release:
- Remove nil entries from the include_paths
- Force output to stdout when possible
- Report end lines to conform with spec
The SHA256 sums for this release are
Thank you to everyone who reported bugs and contributed improvements in this release.
Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.
Also consider following @brakeman on Twitter and hanging out on Gitter for questions and discussion. Please note the mailing list is no longer in use and has apparently not been delivering mail for some time.