Brakeman - Rails Security Scanner

Static analysis security scanner for Ruby on Rails

Brakeman 1.2.1 Released

This is essentially just a bugfix release, but due to the fixes for link_to warnings, there is a good possibility the number of reported warnings will decrease when upgrading to this version.

Changes since 1.2.0:

  • Remove link_to warning for Rails 3.x or when using rails_xss
  • Don’t warn if first argument to link_to is escaped
  • Detect usage of attr_accessible with no arguments
  • Fix error when rendering a partial from a view but not through a controller
  • Fix some issues with rails_xss, CheckCrossSiteScripting, and CheckTranslateBug
  • Simplify Brakeman Rake task
  • Avoid modifying $VERBOSE
  • Add Brakeman::RescanReport#to_s
  • Add Brakeman::Warning#to_s

link_to Changes

Prior to Rails 3.0, there was a bug in link_to that caused the body of the link tag to be output without escaping. While this was fixed in Rails 3.0, Brakeman has still been warning on it. This was also fixed in the rails_xss, so Brakeman should no longer warn on link_to for Rails 2.x when using the rails_xss plugin.

Brakeman was also warning on link_to even if the body argument was manually escaped. This should be resolved now.

One other related issue was a silly bug causing Brakeman to sometimes ignore --escape-html or the rails_xss plugin, leading to some confusing output. This is fixed.

Thanks to Neil Matatall for reporting the link_to issue and Andreas for reporting the rails_xss problems.

attr_accessible with No Arguments

Brakeman was not detecting the case where attr_accessible is called with zero arguments, causing spurious mass assignment warnings.

Thanks to Justin Wiley for reporting this.

Brakeman Rake Task

The Brakeman Rake task (installed via --rake) is even simpler now.

$VERBOSE

Brakeman was using $VERBOSE and Kernel.warn for controlling debug output. This has changed and $VERBOSE will no longer be modified when using Brakeman.

Rails 3.2 Support

So far, there have not been any issues with Brakeman and Rails 3.2. Please report any that come up!

JRuby Performance

Prior to Brakeman 1.2, JRuby was very slow when running Brakeman. This has changed, and now JRuby is probably the fastest option for scanning large applications. Give it a try, especially if you are using Ruby 1.8.7!

Mailing List

There is now a Brakeman mailing list on librelist.

To subscribe, send any email to brakeman@librelist.com. You will be asked to confirm your subscription.

Archives are available for browsing on The Mail Archive.

Comments