This is a small release, but it adds several new warning codes for the latest Rails CVEs and a new check for uses of permit!. It is also the first signed gem release of Brakeman; see below for details.
Changes since 2.2.0:
- Add check for CVE-2013-4491 (i18n XSS)
- Add check for CVE-2013-6414 (header DoS)
- Add check for CVE-2013-6415 (number_to_currency XSS)
- Add check for CVE-2013-6416 (simple_format XSS)
- Add check for CVE-2013-6417 (query generation)
- Add check for permit!
- Fix Slim XSS false positives (Noah Davis)
- Whitelist Model#create for redirects (#406)
- Collapse send/try calls
- Fix scoping issues with instance variables and blocks (#406)
- Fix typos in reflection and translate bug messages
i18n XSS
CVE-2013-4491 is a possible XSS in the i18n gem. Brakeman will warn unless the i18n gem is updated to the fixed version or the workaround is applied.
Header DoS
CVE-2013-6414 is a possible denial of service triggered by crafted request headers. Brakeman will warn unless the workaround is applied.
Number to Currency XSS
CVE-2013-6415 is an XSS in the second argument of number_to_currency, the options hash, where user-controlled values (for example in the :unit option) were not escaped. Brakeman will warn on uses of number_to_currency with dangerous unescaped arguments. If no dangerous uses are found, Brakeman will provide a general warning about the CVE.
Simple Format XSS
CVE-2013-6416 is an XSS in simple_format, which does not escape the HTML options passed to it. Brakeman will warn on dangerous uses of simple_format. If no dangerous uses are found, it will report a general warning.
Query Generation Vulnerability
CVE-2013-6417 continues an old problem with SQL query generation from request parameters. The newest issue is caused by Rack middleware freezing the parameters before Rails can clean them up, so the earlier fix does not take effect. Brakeman reports a general warning about this.
Check for Permit!
Brakeman now warns on uses of Parameters#permit!, which marks every parameter as permitted and so bypasses the mass assignment protection that strong parameters provide. If permit! is used without a subsequent mass assignment in the same method, the confidence will be medium.
Slim XSS False Positives
Noah Davis provided a fix for XSS false positives in Slim templates when ActiveSupport is loaded. While Brakeman itself does not depend on ActiveSupport, it may be loaded if Brakeman is run through Bundler or as part of a Rake task.
Whitelist Record Creation in Redirects
Redirects to the record returned by Model#create or Model#create! should no longer warn.
Collapse send/try Calls
The effect of using send(:something) is essentially the same as calling something, so Brakeman now converts calls to send directly into calls to the method being named. In other words, send(:something) is changed to something. This can help find more vulnerabilities as well as prevent some false positives if the method name is actually something safe.
Block Scoping Fixes
Several issues with blocks were fixed in this release. First, no calls with blocks were being processed correctly inside controllers. Second, instance variable assignments inside blocks were treated like local assignments. They are now treated as “method level” assignments (i.e. every method has its own “global” scope). Finally, local assignments inside blocks to existing variables were also being treated as block-local assignments.
Message Typos
Two tiny changes have been made to warning messages. The “translate bug” from ages ago had an extra } in the message, and the message for unsafe reflection no longer capitalizes “Reflection”. But since everyone is using warning fingerprints and not relying on matching messages, you should be okay, right?
Signed Gems
The Brakeman gems are now signed and can be verified with the public certificate published in the repository (brakeman-public_cert.pem).
To verify on installation, add the certificate to your local trust list and then install with signature checking enabled:
gem cert --add <(curl -Ls https://raw.github.com/presidentbeef/brakeman/master/brakeman-public_cert.pem)
gem install brakeman -P MediumSecurity
“MediumSecurity” verifies the signature on any signed gem, including brakeman, but still allows unsigned dependencies. “HighSecurity” requires all dependencies to be signed as well, which is unlikely. Note that the certificate fetched by curl is the trust anchor here, so obtain it over HTTPS from the project repository and not from a mirror.
Additionally, here are the SHA-1 sums for this release (check them with sha1sum):
2ae503781c51a69a1123d37d46b4813ea91f01e8 brakeman-2.3.0.gem
77d39eaf0e2663af526dcbf6e3b5bac16173fed1 brakeman-min-2.3.0.gem
We have a new page on this website listing companies which use Brakeman.
Please contact us (see bottom of page) to have your company listed!
Brakeman stickers are still available!
Wish you were getting one of these? Just send your name and address to firstname.lastname@example.org and you will be next! (Brakeman Scanner (@brakeman), November 21, 2013)