Brakeman - Rails Security Scanner

Static analysis security scanner for Ruby on Rails

Brakeman 3.3.4/3.3.5 Released

This is a quick release to add warnings for CVE-2016-6316 and CVE-2016-6317. There was a bug in 3.3.4 that affected debug output which has been fixed in 3.3.5.

Changes since 3.3.3:

  • Add generic warning for CVE-2016-6316
  • Warn about dangerous use of content_tag with CVE-2016-6316
  • Add warning for CVE-2016-6317
  • Use Minitest

Changes since 3.3.4:

  • Fix bug in reports when using --debug

CVE-2016-6316

Typically Rails will escape attribute values passed to tag helpers like content_tag. If the attribute has already been marked as “safe” with .html_safe or (more likely) a different escaping helper like sanitize, the tag helper will not escape the value again (that is the purpose of .html_safe). However, not all sanitizers/escape methods escape double quotes, which are dangerous inside of tag attributes. In particular, double quotes allow an attacker to close the current attribute and insert new attributes (like onmouseover) that can execute JavaScript.

Brakeman will issue a generic warning about CVE-2016-6316 for affected versions and may generate warnings for potentially dangerous calls to content_tag.

(changes)
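The attribute-escaping gap described above, as an added example that is not Brakeman's or Rails' code: SafeString and lenient_sanitize are constructed stand-ins for a "safe"-marked string and a sanitizer that leaves double quotes alone, tag_option_before shows the vulnerable behaviour, and tag_option_after shows one mitigation, always encoding double quotes even in values already marked safe.

```ruby
require "erb"

# Constructed stand-in for ActiveSupport::SafeBuffer: a String that
# remembers it was marked safe (what .html_safe produces in Rails).
class SafeString < String; end

# Constructed stand-in for a sanitizer that strips tags, marks the result
# safe, and (like the sanitizers the advisory text describes) leaves
# double quotes untouched.
def lenient_sanitize(value)
  SafeString.new(value.gsub(/<[^>]*>/, ""))
end

# Attribute serialization the way the vulnerable helper behaves: a value
# already marked safe is inserted verbatim, anything else is HTML-escaped.
def tag_option_before(key, value)
  value = ERB::Util.html_escape(value) unless value.is_a?(SafeString)
  %(#{key}="#{value}")
end

# Hardened serialization: a safe value still skips full escaping, but the
# double quote is always encoded, because inside a double-quoted attribute
# it is the one character that can end the attribute.
def tag_option_after(key, value)
  value = if value.is_a?(SafeString)
            value.gsub('"', "&quot;")
          else
            ERB::Util.html_escape(value)
          end
  %(#{key}="#{value}")
end

# Demonstration check only (not a general HTML parser): the serialized
# attribute should contain exactly the opening and closing quote.
def attribute_intact?(serialized)
  serialized.count('"') == 2
end

# Constructed input: markup to strip plus a double quote that survives it.
INPUT = %(<b>Bob</b> "Builder")

def demo
  sanitized = lenient_sanitize(INPUT) # => SafeString: Bob "Builder"
  {
    before:  tag_option_before("title", sanitized), # quote ends the attribute early
    after:   tag_option_after("title", sanitized),  # quote encoded as &quot;
    escaped: tag_option_before("title", INPUT)      # unsafe value: fully escaped
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v}  intact=#{attribute_intact?(v)}" }
end
```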

CVE-2016-6317

The JSON bug is back. Specially-crafted queries can cause parameters to be interpreted as empty hashes, which may cause unexpected behavior in SQL queries.

Brakeman will generate a generic warning for affected versions (4.2 series).

(changes)

Minitest

Unrelated, Brakeman now uses Minitest instead of test-unit.

(changes)

SHAs

The SHA256 sums for this release are

7231e00bdb4353ee7e91e5f1e60e34cf29b5563e6f7e1e5478223e72568c493a  brakeman-3.3.5.gem
c07e282c2e1733f8d7db4a4ffefe22e7e38a62ddfd750f0866c0b49070cb61c9  brakeman-lib-3.3.5.gem
a7f8e6fa8eb4254b7ad17080180289794a02641b1f2ec362de57cfdb2f1535be  brakeman-min-3.3.5.gem

Reporting Issues

Thank you to everyone who reported bugs.

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter and hanging out on Gitter for questions and discussion.

Brakeman 3.3.3 Released

This release is mostly bug fixes and internal improvements, although it may find more warnings due to indexing of view helpers.

  • Index calls in view helpers
  • Process inline template renders (#672)
  • Show path when no Rails app found (Neil Matatall)
  • Avoid warning about hashes in link_to hrefs (#897)
  • Improve return value guesses
  • Ignore boolean methods in render paths
  • Reduce open redirect duplicates
  • Fix SymbolDoS error with unknown Rails version

View Helpers

Calls in view helpers are now indexed, which means Brakeman will search them for potential vulnerabilities.

(changes)

Inline Templates

Brakeman will now process inline templates in controllers, if they are using ERB (the default):

render :inline => "<%= params[:x].html_safe %>"

(changes)

Rails App Path

Thanks to Neil Matatall, Brakeman will now display the path it tried to search for a Rails application if it cannot find it:

Please supply the path to a Rails application (looking in /some/path/).

(changes)

Hashes as URLs

Brakeman will no longer warn about obvious hash arguments in the HREF for link_to calls, and it now handles url_for better.

(changes)

Return Values

In some cases, Brakeman attempts to determine the possible return value(s) of a method call. This release includes a number of improvements to those guesses which may make some warnings easier to understand and fix some false positives.

(changes)

Render Path Booleans

The check for dynamic render paths will no longer warn about methods ending in ?.

(changes)

Redirect Duplicates

This release refactored much of the warning duplicate tracking, and as such there should be fewer duplicate warnings about open redirects.

(changes)

SHAs

The SHA256 sums for this release are

490bf7b47d4edbb29fd3f87c5dafa50aec2888d495b64275a635df324a8476e9  brakeman-3.3.3.gem
793f1c69cca2681bdd0c98f11307ace4f1a43ed594dd45cbe5b67f0383e76e2f  brakeman-lib-3.3.3.gem
dcc3a75b12f84cac582d383a375d3b85d033e25ba42af051bedcdc8b5377c2c5  brakeman-min-3.3.3.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed improvements in this release.

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter and hanging out on Gitter for questions and discussion.

Brakeman 3.3.2 Released

This is a bug fix release.

Changes since 3.3.2:

  • Fix performance regression in global constant tracking

Brakeman 3.3.0 introduced a new feature to track constant values across the application. This helped reduce false positives, for example when checking a value against a constant array of values. However, the lookup of constant values was very slow for moderate to large numbers of constants. In some test cases it added up to a minute of scan time. This has been resolved along with some changes to how dynamic constant names are handled.

Additionally, the --faster option will turn off global constant tracking entirely.

(changes)

SHAs

The SHA256 sums for this release are

58bb2179de2bd479d32dc2d2018e40caf478916e283ea88089fe0bcb30a55e6c  brakeman-3.3.2.gem
4f72ff02a163d78244554c4a26ea35e88d76dd6b60c3d21573db8518abcba6fc  brakeman-min-3.3.2.gem
c0beeabe95aa693a5273bd48922028f48a190940b18c795813bd0f96068452b4  brakeman-lib-3.3.2.gem

Reporting Issues

Thank you to the reporters of the performance issue in the 3.3.0 release.

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter and hanging out on Gitter for questions and discussion.

For commercial support, please consider Brakeman Pro.

Brakeman 3.3.1 Released

Changes since 3.3.1:

  • Improved line number accuracy in ERB templates (Patrick Toomey)
  • Allow multiple line regex in validates_format_of (Dmitrij Fedorenko)
  • Avoid overwriting instance/class methods with same name (Tim Wade)
  • Add --force-scan option (Neil Matatall)
  • Only consider if branches in templates
  • Support more safe &. operations
  • Avoid warning about SQL injection with quoted_primary_key (#884)
  • Delay loading vendored gems and modifying load path
  • Added brakeman-lib gem

ERB Template Line Numbers

Patrick Toomey contributed a series of patches to bring Brakeman’s handling of ERB/Erubis templates in line with the Rails implementation. This has the effect of correcting some line numbers and fixed processing of case statements in templates.

(changes)

Multiline Regex Validation

Dmitrij Fedorenko added a change to support multiline extended regular expressions for model validations.

(changes)

Class Methods

Tim Wade fixed an issue where class methods and instance methods with the same name on the same class would overwrite each other. This may cause a few warning fingerprints to change, since all method names are now stored as symbols (some were strings before).

(changes)

Force Scan

Neil Matatall added the --force-scan option to force Brakeman to scan an application even if it doesn’t look like a Rails app.

(changes)

Branches in Templates

When looking at template output, Brakeman will no longer treat the conditional as output, just the branches. This helps find more potential instances of cross-site scripting.

For example:

<%= params[:x].html_safe unless this_is_a_bad_idea? %>

Now Brakeman will just consider the params[:x].html_safe value which is clearly dangerous.

(changes)

More Safe Calls

Brakeman can now handle more instances of the “safe call” or “lonely” operator such as a&.b ||= 1 and x&.y += z 1.

(changes)

Quoted Primary Key

Brakeman will no longer warn about use of quoted_primary_key in SQL strings.

(changes)

Delayed Load Path Modification

Brakeman 3.3.0 started vendoring all its dependencies to avoid conflicts with application dependencies. However, if Brakeman is included in a Gemfile without require: false, it will still modify the load path and potentially cause conflicts.

This version delays loading any dependencies until Brakeman actually runs. This is almost like having require: false automatically.

Please keep in mind it is really not recommended to include Brakeman in Gemfiles unless it is actually being used as a library. Otherwise it’s like mixing your browser’s dependencies with your application’s. It doesn’t make sense.

(changes)

brakeman-lib

For those who don’t want Brakeman to bundle and vendor its own dependencies, the brakeman-lib gem is identical to the brakeman gem but without the bundling. Consider using it if the bundling and modified load paths are causing issues.

(changes)

RailsConf Security Talks

Justin Collins gave a lightning talk about Brakeman and a regular talk about real-world examples of vulnerabilities Rails won’t save you from.

Mike Milner spoke about the security breaches of 2015.

Jessica Rudder talked through examples of SQL injection in ActiveRecord.

SHAs

The SHA256 sums for this release are

5c22721c8b486fa9d283cabf65c7e77b2f7428056d4d907b7f74a91dd112616a  brakeman-3.3.1.gem
7aa57ed8b42c0cadef09214f5544424659ab3972912137fad37da1a052d8a792  brakeman-lib-3.3.1.gem
95e68202493d8c504ad72276c8bfa46abb1c78c309bc2b80b433a6220f3722eb  brakeman-min-3.3.1.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed improvements in this release.

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter and hanging out on Gitter for questions and discussion. Please note the mailing list is no longer in use and has apparently not been delivering mail for some time.

Brakeman 3.3.0 Released

Brakeman 3.3.0 introduces a new packaging method for Brakeman which vendors all dependencies and does not include any gem dependencies in the gemspec. Please test and provide feedback if it does not work as expected.

Changes since 3.2.1:

  • Bundle all dependencies in gem
  • Return exit code 4 if no Rails application is detected (#869)
  • Add optional check for secrets in source code (#201)
  • Track constants globally
  • Skip if branches with Rails.env.test? (#862)
  • Skip processing obviously false if branches (more broadly)
  • Handle HAML find_and_preserve with a block (#837)
  • Process Array#first
  • Allow non-Hash arguments in protect_from_forgery (Jason Yeo)
  • Avoid warning about u helper (Chad Dollins)
  • Avoid warning about mass assignment and SQL injection with params.slice (#866)
  • Avoid warning about slice in redirect_to and link_to (#832)
  • Avoid warning on popen with array (#851)
  • [Code Climate engine] When possible, output to /dev/stdout (Gordon Diggs)
  • [Code Climate engine] Remove nil entries from include_paths (Gordon Diggs)
  • [Code Climate engine] Report end lines for issues (Gordon Diggs)

Dependency Bundling

In its gem form, Brakeman no longer declares any external dependencies. Its dependencies are bundled with the gem itself. This should prevent the conflicts which sometimes occur when Brakeman is declared as a dependency of a Rails application. The disadvantage is you will no longer be able to update Brakeman dependencies (like RubyParser) without updating Brakeman itself.

As this is a new way of distributing Brakeman, please report any issues that may arise.

(changes)

New Exit Code

A new exit code has been added for the case when Brakeman does not detect a Rails application.

For reference, these are Brakeman’s current exit codes:

  • 0 - Normal exit
  • 3 - Warnings found (with -z)
  • 4 - No Rails application detected
  • 255 - Error

(changes)

Secrets Check

A new optional check has been added to look for hard-coded secrets in the source code. It will warn when constants like PASSWORD are assigned string literals. To run the new check, use -t Secrets or -A to run all checks including optional ones.

(changes)
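An added example of the kind of pattern the Secrets check looks for, written here with Ruby's stdlib Ripper rather than Brakeman's own RubyParser-based implementation: constants with secret-looking names assigned plain string literals. The name pattern and the sample source are constructed for the example.

```ruby
require "ripper"

# Constructed pattern for secret-looking constant names (Brakeman's own
# list is not reproduced here).
SECRET_NAME = /PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY/i

# Constructed sample source to scan.
SAMPLE = <<~'RUBY'
  class Config
    PASSWORD = "hunter2"
    TIMEOUT = 30
    API_KEY = ENV["API_KEY"]
    SECRET_TOKEN = 'abc123'
    SECRET_KEY = "prefix-#{suffix}"
    LABEL = "not a secret"
  end
RUBY

# True only for a plain string literal with no interpolation.
def plain_string_literal?(node)
  node.is_a?(Array) && node[0] == :string_literal &&
    node[1].is_a?(Array) && node[1][0] == :string_content &&
    node[1][1..].all? { |part| part.is_a?(Array) && part[0] == :@tstring_content }
end

# Walk the Ripper S-expression depth-first, collecting `CONST = "literal"`
# assignments whose name matches SECRET_NAME. Only bare constant targets
# are handled; `Mod::CONST = ...` (const_path_field) is left out for brevity.
def walk(node, findings)
  return unless node.is_a?(Array)
  if node[0] == :assign
    target, value = node[1], node[2]
    if target.is_a?(Array) && target[0] == :var_field &&
       target[1].is_a?(Array) && target[1][0] == :@const
      name, (line, _col) = target[1][1], target[1][2]
      if name.match?(SECRET_NAME) && plain_string_literal?(value)
        findings << { name: name, line: line }
      end
    end
  end
  node.each { |child| walk(child, findings) }
end

# Returns findings in source order, e.g. [{ name: "PASSWORD", line: 2 }, ...].
def find_hardcoded_secrets(source)
  findings = []
  walk(Ripper.sexp(source), findings) # Ripper.sexp returns nil on a syntax error
  findings
end

if __FILE__ == $PROGRAM_NAME
  find_hardcoded_secrets(SAMPLE).each do |f|
    puts "line #{f[:line]}: #{f[:name]} is assigned a string literal"
  end
end
```

SECRET_KEY in the sample is skipped because its value is interpolated rather than a plain literal, and API_KEY because it comes from ENV.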

Constant Values

This release includes initial support for tracking and matching constants across the application. For example, if a model contains a constant Model::KEYS which is used elsewhere, Brakeman should be able to track this value. This helps prevent false positives when safe values have been declared as constants.

(changes)

Skipping Test Code

Brakeman will now ignore if branches that check Rails.env.test?. Additionally, branch skipping behavior (e.g. if false...) has been expanded to most of Brakeman’s processing instead of just in data flow analysis.

(changes)

HAML find_and_preserve

Brakeman will now handle uses of find_and_preserve in HAML with a block.

(changes)

Array#first

Calls to Array#first will be replaced with the first value in the array when known.

(changes)

Forgery Option

Jason Yeo provided a fix for when Brakeman encounters a non-Hash argument to protect_from_forgery.

(changes)

u Helper

Chad Dollins fixed XSS false positives when the u alias for url_encode is used.

(changes)

Fewer slice False Positives

Brakeman should no longer warn when using params.slice in mass assignment, SQL injection, links, and open redirects.

(changes and other changes)

Safe popen

Brakeman will no longer warn about uses of popen when the argument is an array, in which case the arguments are escaped.

(changes)

Code Climate Engine

Gordon Diggs provided several improvements to the Code Climate Engine in this release:

  • Remove nil entries from the include_paths option
  • Force output to stdout when possible
  • Report end lines to conform with spec

SHAs

The SHA256 sums for this release are

c01ec64d35218887fc5ea2ae8babc88e9e0e7cc3c161b020725d2b17c4189858  brakeman-3.3.0.gem
f1adce1a696799342dc9f50b51975024060360dc9018358c5d8e34c1c4681bd1  brakeman-min-3.3.0.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed improvements in this release.

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter and hanging out on Gitter for questions and discussion. Please note the mailing list is no longer in use and has apparently not been delivering mail for some time.

Brakeman 3.2.1 Released

Changes since 3.2.0:

  • Remove multi_json dependency from bin/brakeman

As pointed out by Benjamin Fleischer, there was a lingering use of multi_json in bin/brakeman. This only caused a problem when using the --compare option.

(changes)

SHAs

The SHA256 sums for this release are

4a7e7a6e9ad9fed22f727fb8d471de145f55d97465b4dfb4935e3e8379667425  brakeman-min-3.2.1.gem
901202b04b1cae0a781b5a6bae2db3eecd35e9f0a044fbfaa31cac63ab636449  brakeman-3.2.1.gem

Reporting Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter and hanging out on Gitter for questions and discussion. Please note the mailing list is no longer in use and has apparently not been delivering mail for some time.

Brakeman 3.2.0 Released

This release sheds a couple dependencies and adds support for new Ruby 2.3 syntax.

Changes since 3.1.5:

  • Support calls using &. operator (#796)
  • Handle CoffeeScript in HAML (#813)
  • Avoid render warnings about params[:action]/params[:controller] (#812)
  • Only update ignore config file on changes (#824)
  • Sort ignore config file
  • Index calls in class bodies but outside methods (#814)
  • Skip Symbol DoS check on Rails 5
  • Fix finding calls with targets: nil
  • Remove fastercsv dependency
  • Remove multi-json dependency

Ruby 2.3 Lonely Operator

With the update of RubyParser to 3.8.1 (and Ruby2Ruby to 2.3), Brakeman now supports the new &. operator and should treat it like a regular method call.

(changes)

CoffeeScript in HAML

This release handles CoffeeScript embedded in HAML better and should reduce some false positives.

(changes)

Render Warnings on Safe Parameters

Brakeman will no longer warn on render params[:action] or render params[:controller], as those values are not able to be controlled by an attacker.

(changes)

‘Ignore’ Configuration Changes

The “ignore config” files generated by Brakeman are now sorted and will only update on changes, instead of always writing a new file.

(changes)

Index Calls Outside Methods

Calls that are outside methods (but inside class bodies) can now be found in Brakeman checks.

(changes)

Skip Symbol DoS with Rails 5

Rails 5 requires Ruby >= 2.2.2, which now garbage collects symbols. If the SymbolDoS check is run on a Rails 5 application (it’s already optional), it will no longer warn.

(changes)

Dependency Removal

Since Ruby 1.8 is no longer supported, this release removes the legacy fastercsv and multi-json dependencies.

(fastercsv, multi-json)

SHAs

The SHA256 sums for this release are

d1d1468fcca0ec5dd99c53af2018b781a8efe06483190aef9d13b1abcbb7e2a0  brakeman-min-3.2.0.gem
07023148564668cc39911eec0354ca03774be1f8a03d66162f53a5dde44bb502  brakeman-3.2.0.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed improvements in this release.

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter and hanging out on Gitter for questions and discussion. Please note the mailing list is no longer in use and has apparently not been delivering mail for some time.

Brakeman 3.1.5 Released

This release adds warnings for the latest Rails CVEs.

Changes since 3.1.4:

  • Warn about RCE with render params (CVE-2016-0752)
  • Add check for strip_tags XSS (CVE-2015-7579)
  • Add check for sanitize XSS (CVE-2015-7578/80)
  • Add check for basic auth timing attack (CVE-2015-7576)
  • Add check for reject_if proc bypass (CVE-2015-7577)
  • Add check for denial of service via routes (CVE-2015-7581)
  • Add check for mime-type denial of service (CVE-2016-0751)
  • Check for implicit integer comparison in dynamic finders
  • Support directories better with --only-files and --skip-files (Patrick Toomey)
  • Fix CodeClimate construction of --only-files (Will Fleming)
  • Avoid warning about permit in SQL (#669)
  • Avoid warning on user input in comparisons
  • Handle guards using detect (#376)
  • Handle module names with self methods (#785)
  • Add session manipulation documentation (#791)
  • Add initial Rails 5 support

Render Remote Code Execution

First up, CVE-2016-0752 allows an attacker to render files outside of the application path as well as execute arbitrary code. Passing in params values directly is especially dangerous. Brakeman has warned about passing user input to render since it was first released as “dynamic render path” warnings. For calls to render that directly pass in params, it has been changed to a remote code execution warning in affected versions.

(changes)

Sanitization XSS

CVE-2015-7579, CVE-2015-7578, and CVE-2015-7580 are vulnerabilities in rails-html-sanitizer affecting the strip_tags and sanitize methods. Brakeman will mark uses of strip_tags and sanitize with raw or html_safe as high confidence warnings. Since these methods might be used in support gems, Brakeman will also generate a generic warning for the CVEs in apps using vulnerable versions of rails-html-sanitizer.

(changes plus these)

Basic Auth Timing Attack

The implementation of http_basic_authenticate_with did not use constant-time comparison when checking passwords, allowing timing attacks as described in CVE-2015-7576. Brakeman will warn about affected applications using http_basic_authenticate_with.

(changes)

Bypass Record Deletion Filtering

CVE-2015-7577 is a bug where the reject_if option to accepts_nested_attributes_for will not be called if allow_destroy is set to false. Brakeman will warn on applications which meet all of these criteria and do not include the workaround in an initializer.

(changes)

Wildcard Route Denial of Service

Brakeman will warn about CVE-2015-7581 when it detects routes containing ':controller' wildcards on affected versions of Rails. These routes can be abused to cause a denial of service.

(changes)

Mime-type Denial of Service

Sending many different mime-types via Accept headers can cause a denial of service. Brakeman will warn about CVE-2016-0751 in affected versions of Rails unless the workaround is present.

(changes)

MySQL Implicit Integer Conversion

As described here, MySQL will convert string values to match integer input - often leading to 0=0 comparisons in queries which will always return true. Brakeman will warn when an application uses MySQL and find_by_* dynamic finders on potentially sensitive fields like password.

(changes)

Better Directory Support When Skipping Files

Patrick Toomey provided a patch to explicitly match directories with --only-files and --skip-files. See the updated options for details.

Please note use of --only-files is strongly discouraged. Brakeman is designed to scan entire applications.

(changes)

CodeClimate File Restriction

The include_paths configuration for the CodeClimate engine has been updated by Will Fleming to handle spaces and other special characters.

(changes)

Permit permit in SQL

Surprisingly, it is safe and effective to use params.permit in SQL queries, as it will always return a hash of values which will be interpreted as parameterized values. Brakeman will no longer warn about uses of permit in SQL queries.

(changes)

User Input in Comparisons

Brakeman will no longer warn about user input in comparisons, such as 'x' == params[:x].

(changes)

Detect detect Guard Statements

Fixing a bug filed almost 2.5 years ago, Brakeman will now recognize Array#detect/Array#find being used to whitelist values.

For example:

if safe_name = [:A, :B, :C].detect { |v| v == params[:v] }
  safe_name.constantize
end

(changes)

Self Methods with Modules

Handling of self method definitions inside nested modules was broken and is now fixed.

(changes)

Session Manipulation Documentation

Documentation for session manipulation warnings has now been added to the Brakeman site and for the CodeClimate engine.

(changes)

Rails 5 Support

Initial support for Rails 5 has been added to Brakeman, including a -5 option to force Rails 5 mode. However, no special analysis or warnings specific to Rails 5 have been implemented yet.

(changes)

CVE-2016-0753?

This release does not include a warning for CVE-2016-0753. The vulnerability appears to require using permit! which Brakeman already warns about, or else passing in hashes that are not query parameters which Brakeman would not be able to detect as dangerous or benign.

SHAs

The SHA256 sums for this release are

fa9528859d4baa8cd4fbe67f634cd3741ee85d553bf59c4b2315a5ccb2976835  brakeman-3.1.5.gem
3248084efe71fcbb0c65b36e71ff0c06e65ac6bce1817a6f9d38ae0657a95bde  brakeman-min-3.1.5.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed improvements in this release.

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter or hanging out on Gitter. Please note the mailing list is no longer in use and has apparently not been delivering mail for some time.

Brakeman 3.1.4 Released

Brakeman Pi!

Changes since 3.1.3:

  • Emit Brakeman’s native fingerprints for Code Climate engine (Noah Davis)
  • Ignore secrets.yml if in .gitignore (#777)
  • Work around safe_yaml error (#778)
  • Increase test coverage for option parsing (Zander Mackie)
  • Clean up Ruby warnings (Andy Waite)

Code Climate Fingerprints

The output format for Code Climate has been updated to include warning fingerprints as generated by Brakeman.

Ignored secrets.yml

If secrets.yml is ignored via .gitignore, Brakeman will ignore it, too.

(changes)

Safe YAML Error

For some people, in some cases, date is not loaded prior to loading safe_yaml. This release ensures date is loaded before using SafeYAML and only loads safe_yaml on demand.

(changes)

Test Coverage and Warning Cleanup

Thanks to Zander Mackie for improving test coverage (up to 91.24%) by writing tests for the command line options and thanks to Andy Waite for cleaning up various Ruby warnings.

(test changes, warning fixes)

SHAs

The SHA256 sums for this release are

d53103d40a7ddf6ee2737770ecd0353b945a757d0fab6c50cde1eefba31f6197  brakeman-3.1.4.gem
a67d7c96090bc3b8193cf3b5db7af62ce719b9277d1b818ec6e9f96a52ad0caa  brakeman-min-3.1.4.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed improvements in this release.

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter, joining the mailing list, or hanging out on Gitter.

Brakeman 3.1.3 Released

This is a small bug fix release, except for one major new feature: Brakeman is now available as an engine on the new Code Climate platform!

Changes since 3.1.2:

  • Add Code Climate output format (Ashley Baldwin-Hunter / Devon Blandin / John Pignata / Michael Bernstein)
  • Restore minimum Highline version (Kevin Glowacz)
  • Depend on safe_yaml 1.0 or later (#753)
  • Check for session secret in secrets.yml (#760)
  • Avoid warning on without_protection: true with hash literal (#769)
  • Respect exit_on_warn in config file (#771)
  • Avoid outputting false for user_input in JSON
  • Iteratively replace variables
  • CallIndex improvements
  • Improved tests for the Brakeman module (Bethany Rentz)
  • Make sure a before_filter with block is a call (#763)

Code Climate Platform

Thanks to the folks at Code Climate, this release adds the ability to run Brakeman as an analysis engine on Code Climate’s platform. You can now run Brakeman as part of Code Climate’s hosted analysis, or on your command line with their open source CLI. Brakeman can be integrated with results from your other favorite static analysis tools, giving you a unified view of issues in your code.

(main changes)

Dependencies

Brakeman 3.1.0 relaxed the Highline dependency (to support Highline 1.7.x and up) and Brakeman 3.1.2 added a dependency on safe_yaml without specifying a minimum version. Both of these changes resulted in some issues if combined with an application that depends on older versions of these libraries.

Highline and safe_yaml now have minimum versions specified.

(changes here and here)

More Secrets

Production session secrets stored in config/secrets.yml will now raise a warning.

(changes)

Mass Assignment False Positive

Previously, Brakeman would warn on any mass assignment using without_protection: true. This blog post noted Brakeman would even warn if the values for mass assignment were a hash literal. This has been fixed.

(changes)

Hardcore Mode in Config

Brakeman now supports turning on “hardcore mode” (setting :exit_on_warn: true) in a config file. This causes Brakeman to return a non-zero exit code if any warnings are found.

(changes)

JSON Output

A refactoring caused some values of user_input in JSON reports to be false instead of nil. This has been corrected.

(changes)

More Variable Replacement

A long time ago, Brakeman used to do two passes for data flow analysis, just in case one substitution could be replaced with yet another value. The second pass was removed when it turned out not to be that helpful in reality. However, there are some cases where it is helpful. Now Brakeman will attempt substitutions if there are more matches, but with a hard limit of 5 replacements to avoid infinite loops. This will reduce false positives in some situations.

(changes)

CallIndex Improvements

Fixed a small bug where params was not a valid target when searching chained methods, as well as making it possible to search for chains beginning with a method call. Additionally, all the tests for CallIndex were broken and not testing anything.

(changes)

Improved Test Coverage

Thanks to Bethany Rentz, test coverage was nudged up over 90%. Plenty of low-hanging fruit remains, see this issue for suggestions of how to contribute!

(changes)

Brakeman Pro

Another small announcement: the first public release of Brakeman Pro (the commercial version of Brakeman) is now available for purchase. If you are looking to financially support development of Brakeman, would like paid support, need a commercial license, or just want a slick GUI, consider checking out Brakeman Pro.

For some clarification regarding the future of Brakeman and Brakeman Pro, please see this email from earlier in the year.

SHAs

The SHA256 sums for this release are

57b0edcc289eb74359d2042a38ea519f96f606c89dc879e5fb53971d3d656707  brakeman-3.1.3.gem
85473af3a55c440959ea91f94fe14177ac58aa35b44fbb007c93cd742803eae6  brakeman-min-3.1.3.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed improvements in this release.

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter, joining the mailing list, or hanging out on Gitter.