This release includes improvements to Rails 3 route processing, better performance, several bug fixes, and more!
Changes since 1.6.2:
- Add check for CVE-2012-3424
- Link report types to descriptions on website
- Report errors raised while running check
- Improve processing of Rails 3 routes
- Improve file access check
- Avoid warning on non-ActiveModel models
- Fix how `params[:x] ||=` is handled
- Treat user input in `or` expressions as immediate values
- Fix processing of negative array indexes
- Fix “empty char-class” error
- Speed improvements by stripping down SexpProcessor
- Add line breaks to truncated table rows
Check for HTTP Auth Digest DoS
CVE-2012-3424, a potential denial of service vulnerability in how Rails handles HTTP authentication digest parameters, was recently announced. It affects Rails 3.x, and is fixed in 3.0.16, 3.1.7, and 3.2.7.
Brakeman will generate a warning for the Rails versions affected, but will only report a high confidence warning if `authenticate_with_http_digest` methods are called.
Links to Warning Information
HTML reports now link warning types to descriptions on the Brakeman website. JSON reports will also include the link information. Due to this change, it is not possible to compare JSON reports from previous versions using the
Suggestions and pull requests for improving the documentation are welcome!
Report Check Errors
Previously, errors encountered while running checks were not included in reports. This has been fixed.
Better Rails 3 Route Processing
Even the simple information Brakeman uses (which methods are routes) is difficult to extract from Rails 3 routes due to all the different options it offers. This release should decrease the number of “Error while processing routes” messages that come up.
See this pull request for more information about specific fixes.
Improved File Access Check
The check for user input in file access calls has been improved so the confidence of the warnings will vary according to how the user input is used, like most other checks.
Additionally, the check will now respect the
No SQLi Warnings for Non-ActiveModel
Models which do not inherit from `ActiveRecord::Base` will no longer be reported in SQL injection warnings.
Default Assignment to
Normally, when Brakeman processes an assignment like `x ||= y`, it will assign `x` if no previous value is found for
However, in this case:
params[:x] ||= y
The information that the left hand side is a `params` hash is lost.
This has been changed so default assignment to a `params` hash will not replace the entire value, but will handle it as `params[:x] || y`.
User Input in
Previously, unescaped output like
<%= params[:x] || z %>
would have been reported as a weak confidence warning. This has been changed so that any user input in an `or` expression will be considered immediate (versus “indirect”) output and will likely result in high confidence warnings.
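As an added illustration of the two rules above (the `||=` default assignment change and the `or` expression change), here is a small Ruby model over Ripper's S-expressions; it is not Brakeman's own code, and the function names and the High/Weak/none split are assumptions of this sketch. A bare `params` lookup, or an `or` expression containing one, counts as immediate, and `params[:x] ||= y` is recorded as `params[:x] || y` rather than as plain `y`.

```ruby
require "ripper"

# True when any node in this Ripper subtree is the identifier `params`.
def references_params?(node)
  return false unless node.is_a?(Array)
  return true if node[0] == :@ident && node[1] == "params"
  node.any? { |child| references_params?(child) }
end

# Simplified model of the "immediate" rule: a bare params lookup is immediate,
# and so is `a || b` / `a or b` when either side is immediate. Anything that
# only mentions params deeper down (e.g. as a method argument) is indirect.
def immediate?(node)
  return false unless node.is_a?(Array)
  case node[0]
  when :program, :paren then immediate?(node[1].first)
  when :aref then references_params?(node[1])            # params[:x]
  when :binary then [:"||", :or].include?(node[2]) &&
                    (immediate?(node[1]) || immediate?(node[3]))
  else false
  end
end

# Confidence an unescaped `<%= expr %>` would get under this model.
def confidence(expr)
  tree = Ripper.sexp(expr) or raise ArgumentError, "cannot parse #{expr.inspect}"
  return "High" if immediate?(tree)
  return "Weak" if references_params?(tree)
  nil                                                     # no user input at all
end

# Value recorded for the target of `lhs ||= rhs`. With fixed: false the model
# keeps only `rhs` (losing that lhs was a params hash); with fixed: true a
# params target is recorded as `lhs || rhs`, so later output of it is still
# recognised as user input.
def default_assignment_value(stmt_src, fixed: true)
  stmt = Ripper.sexp(stmt_src)[1].first
  unless stmt[0] == :opassign && stmt[2][1] == "||="
    raise ArgumentError, "not a ||= assignment: #{stmt_src.inspect}"
  end
  target, rhs = stmt[1], stmt[3]
  return rhs unless fixed && references_params?(target)
  [:binary, [:aref, *target[1..-1]], :"||", rhs]         # aref_field -> aref
end
```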
Scan times should decrease by 15-25% with this release. This is mostly due to stripping unused bits out of SexpProcessor.
Besides errors raised when processing Rails 3 routes, the `Result must be a Sexp, was Symbol::array` and `empty char-class` errors should be resolved now.
Please report any errors raised when performing scans, as they are usually bugs.
Please report any issues with this release!