Brakeman - Rails Security Scanner

Static analysis security scanner for Ruby on Rails

Brakeman 2.4.3 Released

A new gem version has been released because the 2.4.2 gem was not signed. No other changes were introduced.

Signed Gems

As a reminder, the Brakeman gems are (supposed to be) signed and can be verified with this certificate.

To verify on installation:

gem cert --add <(curl -Ls https://raw.github.com/presidentbeef/brakeman/master/brakeman-public_cert.pem)
gem install brakeman -P MediumSecurity

“HighSecurity” requires all dependencies to be signed as well, which is unlikely.

There is some weirdness around -P MediumSecurity currently. The simplest solution seems to be:

gem install brakeman   # Install Brakeman and all dependencies
gem uninstall brakeman # Remove the Brakeman gem
gem install brakeman -P MediumSecurity  # Install Brakeman gem and check signature

SHAs

The SHA1 sums for this release are

16b4890fa8ee6bad1d429a12bf3f0cb8e76cb2d8  brakeman-2.4.3.gem
be5743d77140e64b75eefc53f8697f767ab370d9  brakeman-min-2.4.3.gem 

Reporting Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter and joining the mailing list.

Brakeman 2.4.2 Released

This release is only internal changes and bug fixes, but some scans may see significant time and memory improvements.

Changes since 2.4.1:

  • Skip identically rendered templates
  • Improve HAML template processing
  • Only track original template output locations
  • Reuse duplicate call location information
  • Fix duplicate warnings about sanitize CVE
  • Remove rescue Exception

Drop Identical Templates

For a long time now Brakeman has skipped processing templates if the template had already been processed with an identical environment. However, there are many times when a template is rendered with different environments but the actual output is the same. Brakeman now drops these templates (they are rendered, then discarded if they are duplicates). This reduces peak memory overhead, sometimes drastically. It can also speed up call indexing and vulnerability checks since fewer templates are searched.

The location and render path of template warnings may change slightly due to this change. Also, the rendered template debug output will no longer include all rendered templates since duplicates will not be tracked.

(changes)

Better HAML Processing

HAML templates will be processed more accurately with this release.

For example, a template like this

#content
  .nav
    = @navigation_menu

used to produce output like

+-------------------------------------------------------------------------------------------------+
| Output                                                                                          |
+-------------------------------------------------------------------------------------------------+
| [Output] "<div id='content'>; <div class='nav'>; #{[Escaped] @navigation_menu}; </div>;</div>;" |
+-------------------------------------------------------------------------------------------------+

but now it will look like this instead

+-----------------------------------+
| Output                            |
+-----------------------------------+
| [Escaped Output] @navigation_menu |
+-----------------------------------+

Besides looking much nicer, this improves warnings and reduces how much code Brakeman has to search. Additionally, these push_text methods can often interpolate multiple values into the output string, which were not being properly detected as output. This is fixed now.

(changes)

Duplicate Template Outputs

Aliased values in templates were being counted multiple times as output. This did not affect warnings generated, but it did create duplicate output values to check and extraneous debug output.

(changes)

Call Location Reuse

For large applications, many calls in the call index actually have the same location (class+method or template). Instead of creating a new location hash for each call, the locations are cached and reused.

(changes)

Sanitize CVE Duplicates

Don’t worry - CVE-2013-1857 is one year old this week. But Brakeman was not properly preventing duplicate warnings for it. Hopefully this was affecting exactly no one.

(changes)

Narrower Exception Handling

All instances of rescue Exception were removed from Brakeman and replaced with bare rescues to catch StandardError and subclasses. Exception has some unfortunate subclasses, such as NoMemoryError and Interrupt which Brakeman should not be rescuing.

This does mean there may be some newly unhandled exceptions. Please report these so they can be rescued properly.

(changes)

SHAs

The SHA1 sums for this release are

02842dc497bf22b5b427cfd02635c005c4fc4fd4  brakeman-2.4.2.gem
4893cedbcb015e96c82f4777b00a49ca8d0ae22f  brakeman-min-2.4.2.gem

Reporting Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter and joining the mailing list.

Brakeman 2.4.1 Released

This release only adds checks for the latest CVEs, no other changes.

Changes since 2.4.0:

  • Add check for CVE-2014-0080
  • Add check for CVE-2014-0081, replaces CVE-2013-6415
  • Add check for CVE-2014-0082

CVE-2014-0080

CVE-2014-0080 is a SQL injection issue only affects applications using PostgreSQL with Rails 4.x. If Brakeman detects the pg gem and an affected version, it will warn about this CVE.

(changes)

CVE-2014-0081

CVE-2014-0081 is a vulnerability in number_to_currency, number_to_percentage, and number_to_human. Values passed in as options may not be properly escaped. It affects all previous versions of Rails.

Brakeman will warn on unsafe uses of these methods. If no unsafe calls are found, it will generate a generic medium confidence warning.

Warnings for CVE-2014-0081 replace warnings for CVE-2013-6415, which was about just number_to_currency.

(changes)

CVE-2014-0082

CVE-2014-0082 is a potential symbol denial of service problem when handling render :text in Rails 3.x.

Brakeman will only warn about this CVE if it detects use of render :text in affected versions.

(changes)

SHAs

The SHA1 sums for this release are

e9fb5439d5a322b4a9c9611d75d994e7df83d4d2  brakeman-2.4.1.gem
b84ad90a7ec9b6e6bbce8fc69c50d1d8b3214d0f  brakeman-min-2.4.1.gem

Reporting Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter or joining the mailing list.

Brakeman 2.4.0 Released

This is a fairly big release with some significant changes (especially for SQL injection warnings), so please test carefully. Existing warnings and fingerprints may change.

Changes since 2.3.1:

  • Fingerprint attribute warnings individually (Case Taintor)
  • Add check for uses of OpenSSL::SSL::VERIFY_NONE (Aaron Bedra)
  • Detect SQL injection raw SQL queries using connection(#434)
  • Fix false positives when SQL methods are not called on AR models (#423, Aaron Bedra)
  • Reduce false positives for SQL injection in string building
  • More accurate user input marking for SQL injection warnings
  • Detect SQL injection in delete_all/destroy_all
  • Add support for Rails LTS versions (#422)
  • Parse exact versions from Gemfile.lock for all gems (#431)
  • Ignore generators in lib/ directory
  • No longer raise exceptions if a class name cannot be determined
  • Update to RubyParser 3.4.0

Attribute Warning Fingerprints

Case Taintor noted that ignoring one warning about dangerous mass assignable attributes ignored all such warnings for the same model. Then he fixed it, yay!

Please note this means fingerprints for warnings about “dangerous attributes” in attr_accessible will change. If you are currently ignoring some of these warnings, you will need to re-ignore them.

Also, the messages for these warnings have changed and the attribute name will now be in the “code” value in JSON reports.

(changes)

Check for SSL Verification

Aaron Bedra has contributed a new check for instances of verify_mode on HTTPS connections being set to OpenSSL::SSL::VERIFY_NONE. This bypasses any checks OpenSSL has for verifying the SSL certificate is legitimate, allowing easy man-in-the-middle attacks.

This new check has a new warning type (“SSL Verification Bypass”) and warning code (71).

(changes)

SQL Injection in Raw Queries

ActiveRecord::Core#connection or ActiveRecord::Base.connection or ActiveRecord::Base#connection can be used to send queries directly to the database connection without any protection. There are several ways of doing this, most of which are hopefully now covered by Brakeman.

(changes)

Fewer SQL Injection False Positives

Many changes were made in this release to reduce false positives related to SQL injection warnings and to improve the accuracy of reported issues.

First, Aaron Bedra fixed Brakeman to not warn about query-like methods that were innocently called on non-ActiveRecord objects. (changes)

For example, this:

find_by_sql("SELECT * FROM stuff WHERE thing = " + self.class.sanitize_sql(thing))

would have generated a warning which indicated "SELECT * FROM stuff WHERE thing = " + self.class.sanitize_sql(thing) was a dangerous value. Now it will not warn at all.

As another example, code like this

options = {}

if params[:sort_order] == 'ascending'
  sort_order = 'ASC'
else
  sort_order = 'DESC'
end

options[:order] = 'updated_at ' + sort_order
Test.all(options)

would create a warning about ("updated_at " + ("ASC" or "DESC")). Now Brakeman will recognize that these are all just strings and not warn.

Many warnings will also just be more accurate:

query = "SELECT sum(stuff) " +
      "FROM (SELECT other_stuff FROM #{table} WHERE id = #{id}) " +
      "AS item, bgs " +
      "WHERE ST_Contains(item.geometry, bgs.the_point);"

Test.find_by_sql(query)

This used to warn on the entire query! Now it will just warn about table.

#to_s calls are ignored now and their targets considered instead.

Additionally, Brakeman should no longer warn about method calls ending in _id, since those generally refer to foreign keys. Note, however, that local variables ending in _id will still produce warnings.

In general, fingerprints should not change for existing warnings, since the user_input value is not included in the fingerprint.

(changes)

SQL Injection in Deletions

Brakeman will now look for SQL injection in delete_all and destroy_all which allow raw SQL strings.

(changes)

Support for Rails LTS

RailsLTS provides security patch backporting to Rails 2.3.18. They now include an internal version number in Gemfile.lock, which allows Brakeman to avoid warning about fixed vulnerabilities in applications using RailsLTS.

(changes)

Gemfile Parsing

Previously, Brakeman only checked Gemfile.lock for specific gems. Now it “parses” the entire file and can track all gem versions. (bundler-audit is recommended for checking gems for vulnerable versions.) This helps when Brakeman is checking for gem usage but the gem is an indirect dependency.

Also, a minor issue was fixed for those Gemfiles that do weird things and call gem with non-string arguments.

(changes)

Generators are Ignored

Any path in lib/ containing generators will now be ignored. This is mainly because there are .rb files in there that are actually templates, but Brakeman tries to parse them and fails because they aren’t really Ruby.

(changes)

Exceptions for Class Names

Previously, Brakeman actually raised and caught exceptions if a class name could not be determined from a Sexp. Now it just returns nil. This should remove some errors and possibly make some scans faster.

(changes)

RubyParser Update

The RubyParser dependency has been updated to 3.4.0. This release is much faster, along with lots of other good changes.

However, please note that line numbers for warnings involving heredocs may change. They will be slightly closer, but not exactly accurate.

(changes)

SHAs

The SHA1 sums for this release are

c9d840b6fca08f61b3abbd1fa109cf66be19fccc brakeman-2.4.0.gem 5bad89c43f7ab78bd40dfd6f71aac3d034ccaa0a brakeman-min-2.4.0.gem

Reporting Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter or joining the mailing list.

Brakeman 2.3.1 Released

Two minor bugs were fixed in this release. Please see the 2.3.0 release post if you are upgrading from an earlier version.

(changes)

Changes since 2.3.0:

  • Fix check for CVE-2013-4491 (i18n XSS) to detect workaround
  • Fix link for CVE-2013-6415 (number_to_currency)

i18n XSS Workaround

Brakeman 2.3.0 included a check for the official i18n XSS workaround, but it was commented out during testing and unfortunately left that way.

CVE-2013-6415 Link

The link provided for CVE-2013-6415 in Brakeman 2.3.0 was copy-pasted from an older check. This has been fixed.

SHAs

The SHA sums for this release are

469b209a4c72f5a1133d696575caeee1675837e7  brakeman-2.3.1.gem
827e1cdefba543f59ed5070aaa3f587d8c7d9513  brakeman-min-2.3.1.gem

Reporting Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider joining the mailing list or following @brakeman on Twitter.

Brakeman 2.3.0 Released

This is a small release, but adds several new warning codes for the latest Rails CVEs and a new check for uses of permit!. Also, this is the first signed gem release of Brakeman; see below for details.

Changes since 2.2.0:

  • Add check for CVE-2013-4491 (i18n XSS)
  • Add check for CVE-2013-6414 (header DoS)
  • Add check for CVE-2013-6415 (number_to_currency)
  • Add check for CVE-2013-6416 (simple_format XSS)
  • Add check for CVE-2013-6417 (query generation)
  • Add check for Parameters#permit! (#281)
  • Fix Slim XSS false positives (Noah Davis)
  • Whitelist Model#create for redirects (#406)
  • Collapse send/try calls
  • Fix scoping issues with instance variables and blocks (#406)
  • Fix typos in reflection and translate bug messages

I18n XSS

CVE-2013-4491 is a possible XSS in the i18n gem. Brakeman will warn unless the i18n gem is updated to the proper version or the workaround is used.

Header DoS

CVE-2013-6414 is a possible denial of service from special headers. Brakeman will warn unless the workaround is used.

Currency XSS

CVE-2013-6415 is an XSS in the second argument of number_to_currency. Brakeman will warn on uses of number_to_currency with dangerous unescaped arguments. If no dangerous uses are found, Brakeman will provide a general warning about the CVE.

Simple Format XSS

CVE-2013-6416 is an XSS in simple_format, which does not escape its output. Brakeman will warn on dangerous uses of simple_format. If no uses are found, it will report a general warning.

Query Generation Vulnerability

CVE-2013-6417 is the continuation of an old problem with SQL queries. The newest issue is caused by Rack middleware freezing the parameters before they can be cleaned up. Brakeman reports a general warning about this.

Check for Permit!

Brakeman now warns on uses of Parameters#permit!, which bypasses mass assignment protections. If a permit! is used without a subsequent mass assignment in the same method, the confidence will be medium.

(changes)

Slim XSS False Positives

(Noah Davis) provided a fix for XSS false positives in Slim templates when ActiveSupport is loaded. While Brakeman itself does not depend on ActiveSupport, it might be loaded if Brakeman is run with Bundler or as part of a Rake task.

(changes)

Whitelist Record Creation in Redirects

Redirects to Model#create and Model#create! should no longer warn.

(changes)

Collapse try/send

The effect of using try(:something) or send(:something) are essentially the same as calling something, so Brakeman now converts calls to try/send directly to the method being called.

For example:

User.find(1).try(:name)

is changed to

User.find(1).name

This can help find more vulnerabilities as well as prevent some false positives if the method name is actually something safe like id.

(changes)

Block Scoping

Several issues with blocks were fixed in this release. First, no calls with blocks were being processed correctly inside controllers. Secondly, instance variable assignments inside blocks were treated like local assignments. They are now treated as “method level” assignments (i.e. every method has its own “global” scope). Finally, local assignments inside blocks to existing variables were also being treated as block-local assignments.

(changes)

Warning Typos

Two tiny changes have been made to warning messages. The “translate bug” from ages ago had an extra } in the message, and the message for unsafe reflection no longer capitalizes “Reflection”. But since everyone is using warning fingerprints and not relying on matching messages, you should be okay, right?

(changes)

Signed Gems

The Brakeman gems are now signed and can be verified with this certificate.

To verify on installation:

gem cert --add <(curl -Ls https://raw.github.com/presidentbeef/brakeman/master/brakeman-public_cert.pem)
gem install brakeman -P MediumSecurity

“HighSecurity” requires all dependencies to be signed as well, which is unlikely.

Additionally, here are the SHA sums for this release:

2ae503781c51a69a1123d37d46b4813ea91f01e8  brakeman-2.3.0.gem
77d39eaf0e2663af526dcbf6e3b5bac16173fed1  brakeman-min-2.3.0.gem

Brakeman Users

We have a new page on this website listing companies which use Brakeman.

Please contact us (see bottom of page) to have your company listed!

Stickers

Brakeman stickers are still available!

Reporting Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider joining the mailing list or following @brakeman on Twitter.

Brakeman 2.2.0 Released

This is a small release, with some bug and false positive fixes alongside initial support for Rails engines and a new check for detailed exceptions.

Changes since 2.2.0:

  • Support scanning Rails engines (Geoffrey Hichborn)
  • Ignore redirects to models using friendly_id (AJ Ostrow)
  • Add check for detailed exceptions in production (#391)
  • Use Rails version from Gemfile if it is available (#398)
  • Only add routes with actual names (#395)
  • Reduce command injection false positives

Rails Engines

Geoffrey Hichborn added support for checking Rails engines paths when searching for controllers, models, and views. Please let us know if there are any issues or files missed with this change.

(changes)

Redirects with Friendly ID

Thanks to AJ Ostrow, Brakeman should no longer warn on redirects to models using friendly_id.

(changes)

Detailed Exceptions

Nathaniel Talbott suggested checking that detailed exceptions (treating requests as local) are not enabled in production.

Brakeman now generates a warning in a new category called ”Information Disclosure” if config.consider_all_requests_local is set to true in production or a controller overrides show_detailed_exceptions? to return something other than false.

Please see the changes regarding the new category and two new warning codes associated with these warnings.

Better Version Detection

Brakeman now uses the Rails version found in Gemfile or Gemfile.lock to determine when to enable Rails 3/4 mode, which seems obvious in retrospect. This required swapping when the Gemfile and the configuration files are processed.

(changes)

Rails 3 Routes

A small fix prevents Brakeman from raising an error when a route is a redirect or any value other than a string or symbol.

(changes)

Command Injection False Positives

There should be fewer false positives for command injection when interpolated values are literals. The check also now ignores commonly used values RAILS_ROOT, Rails.env, and Rails.root.

Additionally, reported “dangerous” values (user_input in JSON reports) for command injection are more specific. For example:

system "rm -rf #{some_var}"

used to report the entire string "rm -rf #{some_var}" as dangerous, even though it’s really warning about the interpolation of some_var. Now Brakeman will report the first potentially dangerous interpolated value. Note that this does not change fingerprints for existing warnings.

(changes)

Reporting Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider joining the mailing list or following @brakeman on Twitter.

Verification

The SHA-1 for the Brakeman 2.2.0 gem is:

f3a2b369bda79c677a913cdb2350cbda8bce8a90  brakeman-2.2.0.gem

Brakeman 2.1.2 Released - Important Security Update

Important: Contrary to the “Brakeman Philosophy,” there is one situation in which Brakeman attempts to load files from an application. This is a security risk since the code in the files would be executed (typical require behavior). Note that this is only a real problem if running Brakeman against code outside one’s control. Since most users are scanning their own code, this should not be a concern for the majority of Brakeman users.

Changes since 2.1.1:

  • Do not attempt to load custom Haml filters
  • Do not warn about to_json XSS in Rails 4
  • Remove fuzzy matching on dangerous attr_accessible values
  • Add –table-width option to set width of text reports (ssendev)

Custom Haml Filters

Brakeman no longer attempts to load custom Haml filters. This was a hack (from nearly three years ago) to help compile some Haml templates. It was recently noted that this introduces a security risk when scanning untrusted code.

For now, custom Haml filters will cause a Brakeman error and the Haml templates using them will not be scanned.

(changes)

JSON Output in Rails 4

As of Rails 4, the output of to_json is now safe by default. Brakeman should no longer warn about cross-site scripting with to_json in Rails 4 applications.

(changes)

Less Fuzzy Mass Assignment

Brakeman no longer uses fuzzy matching for potentially dangerous model attributes allowed for mass assignment, such as any value containing admin.

(changes)

Text Report Width Option

The width of text reports can now be controlled with the --table-width option. For example, this can be useful when capturing text output to a file.

(changes)

Reporting Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider joining the mailing list or following @brakeman on Twitter.

Brakeman 2.1.1 Released

This is a small bug fix release. The only expected changes in warnings are for dangerous attributes in attr_accessible and cross site scripting involving model attributes. Some warning fingerprints may change as a result of this update.

Changes since 2.1.0:

  • More accurate results for model attribute warnings (#385)
  • Do not warn on attr_accessible using roles (#372)
  • New warning code for dangerous attributes in attr_accessible
  • Fix infinite loop when run as rake task (Matthew Shanley)
  • Use exit code zero with -z if all warnings ignored (#381)
  • Respect ignored warnings in rescans (#382)
  • Respect ignored warnings in tabs format reports
  • Ignore dynamic controller names in routes

More Accurate Model Matching

Model attributes which are reported as user input should now be reported more accurately. For example, instead of reporting Model.find(1) as user input, the entire attribute will be reported. For example: Model.find(1).name

As a side effect, several methods which were already intended to be ignored (such as count) will actually be ignored for XSS warnings.

(changes)

attr_accessible Check Updates

The check for potentially dangerous attributes whitelisted in attr_accessible has been updated to ignore attributes protected by roles. Additionally, it now has its own warning code to separate it from regular mass assignment warnings.

(warning code change, role change)

Rake Task Fix

The last release included a method named load_dependency which handles calling require for optional dependencies. Unfortunately, Rails overrides require to call its own method called load_dependency. Rails is loaded when any rake command is used, so when Brakeman is run with Rake it causes an infinite loop between load_dependency and require.

Thanks to Matthew Shanley for reporting the issue and providing a fix.

(changes)

Exit Code Fixed When Warnings Ignored

Brakeman will now return 0 when using -z and all reported warnings are ignored.

(changes)

Ignore Warnings in Rescans

Ignored warnings should now be ignored during rescans (for use with guard-brakeman).

(changes)

Remove Ignored Warnings in Tabs Report

Ignoring warnings should now work for those using the Jenkins plugin.

(changes)

Ignore Dynamic Controller Name in Routes

Instead of completely aborting route processing, dynamic controller names are just ignored.

(changes)

Report Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider joining the mailing list or following @brakeman on Twitter.

Brakeman 2.1.0 Released

Brakeman recently passed 250,000 downloads on RubyGems.org! Thanks to everyone who has contributed!

With this release, the most requested and most controversional feature has been added: it is now possible to ignore warnings based on a configuration file.

Also, the brakeman-min gem has been updated to provide a minimal-dependency version of Brakeman.

Changes since 2.0.0:

  • Add support for ignoring warnings
  • Add brakeman-min gem
  • Add check for dangerous model attributes defined in attr_accessible (Paul Deardorff)
  • Add check for authenticate_or_request_with_http_basic (#301)
  • Add --branch-limit option, limit to 5 by default
  • Add more methods to check for command injection (#206)
  • Allow use of Slim 2.x (Ian Zabel)
  • Load gem dependencies on-demand
  • Output JSON diff to file if -o option is used
  • Refactor of SQL injection check code (Bart ten Brinke)
  • Return error exit code when application path is not found
  • Fix detection of duplicate XSS warnings
  • Fix output format detection to be more strict again
  • Fix Gemfile.lock parsing for non-native line endings (#359)
  • Allow empty Brakeman configuration file (#343)
  • Update to ruby_parser 3.2.2

Ignoring Warnings

It should be stressed that warnings should only be ignored when it is absolutely certain they are false positives and the false positive cannot be fixed on Brakeman’s side. If there is uncertainty, please open an issue so we have the opportunity to improve Brakeman.

The ignore configuration is a JSON file containing a list of warnings and some metadata. Right now the metadata is not actually used, but it might be useful in the future. The only warning information which is actually used is the fingerprint.

By default Brakeman will look for a brakeman.ignore file in the config directory of the application. This can be changed with the -i option.

Since creating and managing the file by hand would be a pain, the -I provides interactive management of the ignore configuration.

brakeman -I

JSON reports now include an array of ignored_warnings, HTML reports have a table of ignored warnings which is hidden by default, and the basic text output will include the number of warnings ignored, if any.

Again, please use this power responsibly.

(changes)

brakeman-min Gem Updated

You may have noticed the ancient (0.5.2) version of brakeman-min hanging around and hopefully you ignored it.

In order to work “out of the box”, Brakeman includes dependencies on HAML, Slim, and Erubis, and depends on several gems for different report types. The brakeman-min gem strips out all optional dependencies, which reduces the gems required from 13 to just 4. This allows you to just install the gems you actually need.

Since the minimal version also removes terminal-table and HighLine, the default output for brakeman-min is JSON. Install those two gems to get the familiar text table report.

The version for brakeman-min will match the regular gem and there are no changes in functionality between the gems.

(changes)

Mass Assignment to Dangerous Attributes

Paul Deardorff has added a new check which warns on model attributes included in attr_accessible which perhaps should not have been.

More Basic Auth Warnings

Brakeman will now warn on use of password strings used directly in authenticate_or_request_with_http_basic.

(changes)

Branch Limiting

When dealing with conditional branches, Brakeman generates basically “union” values of possible values for a given variable. (See one of the many other issues dealing with this for more info, like #297).

In some situations (lots of assignments to the same variable inside different branches), however, these values can grow to be unreasonably large. In most useful cases, the values aren’t that large.

This change introduces a limit on these union values. The default is 5, which means a given variable should only have five alternative values. If a sixth alternative is encountered (i.e. assignment inside another branch), the old values get kicked out, the new value is saved and the process starts over. This seems like a decent compromise between being flow insensitive (like --no-branching) and the current state of affairs (track everything, causing massive slowdowns and memory usage).

To turn off the limiting, use --branch-limit -1.

--branch-limit 0 is almost like --no-branching except slower because it’s still trying to track stuff.

In testing, a value of 5 did not show any difference in detected vulnerabilities, although it is entirely possible (though empirical evidence points towards unlikely) that some vulnerabilities would be hidden because of this.

(Description copied from the pull request.)

More Command Injection Methods

Several more Ruby methods for launching processes have been added to the command injection check, including a bunch from Open3.

(changes)

Support for Slim 2.x

No real changes here, but the gem has been updated to allow Slim 2.x.

(changes)

Gems Loaded On-Demand

Gem dependencies which Brakeman does not need for its core functionality are now loaded as-needed instead of everything being loaded at start time. Besides maybe wasting less time and memory, this enabled the brakeman-min gem discussed above.

(changes)

Output JSON Compare to File

The -o option can now be used with --compare to output the JSON diff to a file.

If multiple -o options are given, the first one will be used for the JSON diff, and the other -o files will be used to output a regular report.

(changes)

Error Exit Code When Application Not Found

The last version of Brakeman had a bug where the program would exit with return code 0 when no Rails application was found. It will now return 1 like it did before.

(changes)

Fewer Cross Site Scripting Duplicates

Some cross site scripting warnings were being reported with both high and low confidence. This has been fixed.

(changes)

Stricter Report Format Detection

For a while, Brakeman would match -o file names like blah.jsonness and assume you wanted JSON output. This is fixed.

(changes)

Parse Gemfile.lock with Non-Native Line Endings

Thanks to Paul Deardorff for updating Gemfile.lock parsing for files created on a different operating system.

(changes

Allow Empty Brakeman Config File

Sure, why not?

(changes)

RubyParser Update

Brakeman now uses the latest ruby_parser, which has support for Ruby 2.0 syntax and a lot of bug fixes. You may also notice some line numbers in warnings will be more accurate.

Report Issues

This was a big release, so please report any issues! Take a look at this guide to reporting Brakeman problems.

Also consider joining the mailing list or following @brakeman on Twitter.