This is mostly a bug fix release, but does introduce a new warning code for when
protect_from_forgery is not set to raise exceptions in Rails 4.
- Warn about `protect_from_forgery` without exceptions (Neil Matatall)
- Add Rake task to exit with error code on warnings (masarakki)
- Ignore `quoted_table_name` in SQL (Gabriel Sobhrinho)
- Ignore more Arel methods in SQL (#604)
- Warn about RCE and file access with `open()`
- Handle `Array#include?` guard conditionals (#604)
- Handle lambdas as filters
- Do not ignore targets of `to_s` in SQL (#638)
New CSRF Warning
Neil Matatall has added a warning for Rails 4 applications that do not pass the `with: :exception` option to `protect_from_forgery`. The default behavior of clearing out the session (but still processing the request) has led to vulnerabilities in some applications. GitHub recently awarded a bug bounty for a vulnerability caused by this behavior.
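As an added illustration (this is not Brakeman's code; Brakeman works on a parsed AST rather than on lines of text), here is a minimal line-based check for the configuration this warning targets. It scans constructed controller source for `protect_from_forgery` calls and reports any whose `with:` strategy is not `:exception`, so the weak setting and the corrected one can be seen side by side.

```ruby
# Added example, not Brakeman's own check: flag protect_from_forgery calls
# that do not raise on a failed CSRF check. Regex-based for illustration only.

CSRF_CALL = /\bprotect_from_forgery\b(.*)$/

# Returns an array of [line_number, message] for every protect_from_forgery
# call whose strategy is not :exception.
def csrf_warnings(source)
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    next if line.strip.start_with?("#")       # skip commented-out calls
    m = CSRF_CALL.match(line)
    next unless m
    strategy = m[1][/with:\s*:(\w+)/, 1]      # "exception", "null_session", ...
    next if strategy == "exception"
    what = strategy ? ":#{strategy}" : "the Rails 4 default (:null_session)"
    findings << [lineno, "protect_from_forgery uses #{what}; a failed CSRF " \
                         "check resets the session but still runs the action"]
  end
  findings
end

# Constructed sample controllers; not taken from any real application.
SAMPLE_CONTROLLERS = <<~RUBY
  class ApplicationController < ActionController::Base
    protect_from_forgery
  end

  class ApiController < ActionController::Base
    protect_from_forgery with: :null_session
  end

  class AdminController < ActionController::Base
    # protect_from_forgery with: :reset_session
    protect_from_forgery with: :exception
  end
RUBY

if __FILE__ == $0
  csrf_warnings(SAMPLE_CONTROLLERS).each { |n, msg| puts "line #{n}: #{msg}" }
end
```

Only `AdminController` passes: the bare call on line 2 and the explicit `:null_session` on line 6 are both reported, which is the same distinction the new Brakeman warning draws.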
Additional Rake Task
Masarakki added a Rake task that will exit with an error code if any warnings are found (like `brakeman -z`). The task can be run with
However, please note that running Brakeman from a Rake task is discouraged, since it loads the entire Rails application, which is unnecessary and may cause conflicts with Brakeman's dependencies.
Reduce SQL Injection False Positives
A patch from Gabriel Sobhrinho removes warnings about `quoted_table_name` in SQL queries.
An additional change was made to ignore more Arel methods nested inside of other queries. This should reduce many of the false positives seen when combining Arel and ActiveRecord queries.
Remote Code Execution in open()
As noted in Egor Homakov's blog post, `open` can actually be used to spawn new processes by starting the argument with a pipe (`|`). Brakeman will now warn about remote code execution via
Simple Guard Conditions
Brakeman should now recognize guard conditions that look exactly like this:

```ruby
if [1, 2, "a", "b"].include? x
  do_something_dangerous_with x
end
```
This may resolve some false positives. If you have code similar to this, please consider opening an issue and perhaps it can be handled similarly.
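The two points above, the `open` pipe behavior and the `Array#include?` guard, in one piece of working code. This is an added example, not code from the Brakeman project: `read_report`, `REPORT_DIR` and the allowlist are constructed for the illustration. The guard has exactly the shape Brakeman now recognizes, and the file is opened with `File.open` rather than `Kernel#open`, so a leading `|` is just a character in a filename that does not exist.

```ruby
# Added example (not Brakeman code): allowlist guard plus File.open instead
# of Kernel#open. Directory, filenames and contents are all constructed.
require "tmpdir"

REPORT_DIR = Dir.mktmpdir("reports")           # constructed sandbox directory
ALLOWED_REPORTS = ["daily.txt", "weekly.txt"]  # constructed allowlist

# Returns the report contents, or nil when the name is not on the allowlist.
# The `if ALLOWED.include? name` guard is the pattern Brakeman now recognizes.
def read_report(name)
  if ALLOWED_REPORTS.include? name
    File.open(File.join(REPORT_DIR, name), "r") { |f| f.read }
  end
end

# Shows that File.open does not interpret a leading "|": the call fails with
# Errno::ENOENT instead of spawning anything. Returns the exception class
# name, or "opened" if a file with that literal name happened to exist.
def file_open_pipe_behaviour(arg)
  File.open(arg, "r") { |f| f.read }
  "opened"
rescue Errno::ENOENT => e
  e.class.name
end

# Constructed report data so the example runs offline.
File.write(File.join(REPORT_DIR, "daily.txt"), "all systems nominal\n")

if __FILE__ == $0
  p read_report("daily.txt")              # contents of the allowed report
  p read_report("|report")                # nil, rejected by the guard
  p read_report("../etc/passwd")          # nil, rejected by the guard
  p file_open_pipe_behaviour("|report")   # "Errno::ENOENT" (constructed name)
end
```

The allowlist makes the guard something a static tool can verify, and `File.open` removes the `|` behaviour entirely rather than trying to filter it out of user input.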
Filters that use lambdas instead of blocks should now be handled correctly.
Handle to_s in SQL
The targets of `to_s` calls (the values that had `to_s` called on them) were being ignored when checking for SQL injection. This has been fixed.
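To show why looking through `to_s` matters, here is an added example (not Brakeman's own check, and much simpler than it): a scanner that finds string interpolations inside common query methods, strips a trailing `.to_s` from the interpolated expression, and flags the receiver when it is request data. The method list, the `USER_INPUT` pattern and the sample queries are constructed for the illustration.

```ruby
# Added example, not Brakeman code: treat `x.to_s` interpolated into SQL the
# same as `x`, because to_s does nothing to neutralise SQL metacharacters.

USER_INPUT  = /\A(params|request|cookies|session)\b/
SQL_METHODS = /\.(where|order|group|having|find_by_sql|select|joins)\(/

# Returns [line_number, receiver] pairs for interpolated user input,
# with a trailing `.to_s` removed before deciding whether to flag it.
def sql_interpolation_findings(source)
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    next unless line =~ SQL_METHODS
    line.scan(/#\{([^}]*)\}/) do |(expr)|
      receiver = expr.strip.sub(/\.to_s\z/, "")
      findings << [lineno, receiver] if receiver =~ USER_INPUT
    end
  end
  findings
end

# Constructed sample queries (single-quoted heredoc, so #{} stays literal).
SAMPLE_QUERIES = <<~'RUBY'
  User.where("name = '#{params[:name].to_s}'")
  User.where("name = ?", params[:name])
  User.order("#{sort_column.to_s} ASC")
  User.where("email = '#{request.headers['X-Email'].to_s}'")
RUBY

if __FILE__ == $0
  sql_interpolation_findings(SAMPLE_QUERIES).each do |n, recv|
    puts "line #{n}: user input #{recv} interpolated into SQL"
  end
end
```

Line 1 and line 4 are reported even though both go through `to_s`; line 2 uses a bind parameter and line 3 interpolates a local that the scanner cannot attribute to the request, so neither is flagged.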
The SHA1 sums for this release are:

```
170c3dd6925373b7da2e27fd1decf2957b35dc43 brakeman-3.0.3.gem
f126e305404a61e99f9ddb848996d87325d1485a brakeman-min-3.0.3.gem
```