Brakeman - Rails Security Scanner

Static analysis security scanner for Ruby on Rails

Brakeman 0.8.0 Released

Change list for Brakeman 0.8.0:

  • Add check for mass assignment using without_protection
  • Add check for password in http_basic_authenticate_with
  • Warn on user input in hash argument with mass assignment
  • auto_link is now considered safe for Rails >= 3.0.6
  • Output detected Rails version in report
  • Keep track of methods called in class definition
  • Add ruby_parser hack for Ruby 1.9 hash syntax
  • Add a few Rails 3.1 tests

As always, please report any issues.

New Checks

This release adds two checks specific to Rails 3.1.

The first looks for mass assignment which deliberately bypasses attribute protection. For example:

User.new(params[:user], :without_protection => true)

If user input is used for initializing the record, the warning will be set to high confidence. Otherwise, it will show up as medium confidence.

The second new check looks for controllers using the new http_basic_authenticate_with method and including the password directly in the source.

The example from the Rails guide looks like this:

class PostsController < ApplicationController
  http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index
  #...
end

This would raise a warning, mostly because it is a bad idea to have passwords in plain text right in your source code.
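To make the two new checks concrete, here is an added example that is not Brakeman's code: a toy line-based scanner over constructed Rails source that flags the same two patterns, bypassed attribute protection (high confidence when user input such as params is involved, medium otherwise) and a literal password handed to http_basic_authenticate_with. Brakeman itself works on ruby_parser S-expressions; the regular expressions, the Finding struct and the sample controllers below are assumptions made for this illustration, and a hardened version of the same controller is scanned to show what a clean result looks like.

```ruby
# Added example, not Brakeman's own code: a toy scanner for the two
# Brakeman 0.8.0 checks described above, using only the standard library.

Finding = Struct.new(:check, :confidence, :line, :message)

# Check 1: mass assignment that deliberately bypasses attribute protection.
# Matches both ":without_protection => true" and "without_protection: true".
WITHOUT_PROTECTION = /\.(?:new|create|update_attributes)\b.*\bwithout_protection\s*(?:=>|:)\s*true/
# Crude stand-in for Brakeman's user-input tracking (assumption for this example).
USER_INPUT = /\b(?:params|cookies|request\.env)\b/

# Check 2: http_basic_authenticate_with with a string literal as the password.
BASIC_AUTH_LITERAL = /http_basic_authenticate_with\b.*(?::password\s*=>|password:)\s*(["']).+?\1/

def scan(source)
  findings = []
  source.each_line.with_index(1) do |text, lineno|
    if text =~ WITHOUT_PROTECTION
      # High confidence when the attributes come straight from user input.
      conf = text =~ USER_INPUT ? :high : :medium
      findings << Finding.new(:mass_assignment, conf, lineno,
                              "attribute protection bypassed with :without_protection => true")
    end
    if text =~ BASIC_AUTH_LITERAL
      findings << Finding.new(:basic_auth, :high, lineno,
                              "plaintext password passed to http_basic_authenticate_with")
    end
  end
  findings
end

# Constructed sample controller exhibiting both patterns.
CONSTRUCTED_SOURCE = <<~'RUBY'
  class UsersController < ApplicationController
    http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index

    def create
      @user = User.new(params[:user], :without_protection => true)
    end

    def seed
      User.create({ :name => "admin" }, :without_protection => true)
    end
  end
RUBY

# Constructed hardened version: password from the environment, no bypass.
HARDENED_SOURCE = <<~'RUBY'
  class UsersController < ApplicationController
    # password comes from configuration, not from the source file
    http_basic_authenticate_with :name => "dhh", :password => ENV["ADMIN_PASSWORD"], :except => :index

    def create
      # no :without_protection, so attr_accessible / attr_protected still apply
      @user = User.new(params[:user])
    end
  end
RUBY

if __FILE__ == $0
  scan(CONSTRUCTED_SOURCE).each do |f|
    puts "line #{f.line}: [#{f.check}] #{f.confidence} confidence: #{f.message}"
  end
  puts "hardened source: #{scan(HARDENED_SOURCE).size} findings"
end
```

The scanner reports the bypass in create as high confidence because params appears in the call, and the one in seed as medium because the attributes are a literal hash; the hardened controller produces no findings at all.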

Changes to Existing Warnings

Mass assignment has been changed to raise a warning if there is any user input when calling Model.new.

auto_link was previously set to be a “known dangerous” method because it did not escape its output. That was fixed in Rails 3.0.6, so it will be considered safe for versions 3.0.6 and up. But then auto_link was removed in Rails 3.1, so for 3.1 and up it will be treated as a regular method.
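The auto_link rule above has two version boundaries, and getting them right depends on comparing versions properly. The following is an added example, not Brakeman's implementation: a small function that maps a Rails version string to the treatment described in this section, using Gem::Version so that 3.0.10 sorts after 3.0.6 (a plain string comparison gets that backwards). The function and status names are assumptions for this illustration.

```ruby
# Added example, not Brakeman's code: version gating for the auto_link rule.
require "rubygems"

AUTO_LINK_FIXED   = Gem::Version.new("3.0.6")  # escaping fix shipped in this release
AUTO_LINK_REMOVED = Gem::Version.new("3.1")    # helper no longer part of Rails

# Returns how a scanner should treat auto_link for the given Rails version.
def auto_link_status(rails_version)
  v = Gem::Version.new(rails_version)
  if v >= AUTO_LINK_REMOVED
    :regular_method    # not in Rails any more: no special handling
  elsif v >= AUTO_LINK_FIXED
    :safe              # output is escaped
  else
    :known_dangerous   # output is not escaped: treat as XSS
  end
end

# Demonstrates why string comparison is the wrong tool for version checks:
# true when String#>= and Gem::Version#>= disagree for the two inputs.
def string_compare_is_wrong?(a, b)
  (a >= b) != (Gem::Version.new(a) >= Gem::Version.new(b))
end

if __FILE__ == $0
  %w[2.3.14 3.0.5 3.0.6 3.0.10 3.1.0].each do |ver|
    puts "#{ver}: #{auto_link_status(ver)}"
  end
  puts "string compare mishandles 3.0.10 vs 3.0.6: #{string_compare_is_wrong?('3.0.10', '3.0.6')}"
end
```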

Changes to Output

Warnings reports will now include the detected Rails version as part of the information reported.

Support for Ruby 1.9 Hash Syntax

RubyParser, used by Brakeman for all its Ruby parsing needs, does not support the new Ruby 1.9 syntax. After coming across an application which uses the 1.9 hash syntax extremely liberally, a temporary hack has been added that should allow Brakeman to parse it correctly.

This does mean that Brakeman is overriding RubyParser’s code to add in this functionality. That is why it is a temporary hack.

New Tests

Work has begun on a test application using Rails 3.1. There do not seem to be any huge changes in 3.1 that would prevent Brakeman from working, though.

Next Version

The main area of focus for the next (major) release will be Rails 3.x routing. Brakeman is currently quite limited in what kinds of routes it understands.
