This release includes a number of false positive fixes, more Rails 4 support, a new check for regular expression denial of service, and Markdown output formatting.
Changes since 2.4.3:
- Add GitHub-flavored Markdown output format (Greg Ose)
- Add check for regex denial of service (Ben Toews)
- Fix false positives when
sanitizeis used in SQL (Jeff Yip)
Hash#symbolize_keysDoS check (Jan Rusnacko)
- Add support for Rails 4
- Add support for RailsLTS 188.8.131.52 and 184.108.40.206
- Check for
- Fix SQLi detection in chain calls in scopes (#471)
- Fix false positive when
:hostis specified in redirect (#464)
- Check all arguments in
- Move SQLi CVE checks to
- Handle more non-literals in routes (#461)
Markdown Output Format
Greg Ose added the option to output to GitHub-flavored markdown (
-f markdown or
-o report.md). Additionally, the
--github-repo option can be used to link the files in the report to a specific GitHub repository. See here for details.
Regex Denial of Service
A new check for dangerous interpolation in regular expressions was contributed by Ben Toews. This will generate “Denial of Service” warnings if user input is interpolated into regular expressions.
For example, this will generate a warning:
Avoid Warning on Sanitized SQL
Brakeman should no longer warn about SQL values wrapped in
More Symbol Denial of Service Methods
Hash#symbolize_key were added to the symbol denial of service check by Jan Rusnacko.
Rails 4 Before Actions
Rails 4 added a bunch of aliases for
before_filter and related methods, and Brakeman now recognizes these methods for adding and skipping filters.
Latest RailsLTS Version
Protected Attributes Gem
Brakeman now treats applications using the
protected_attributes gem as if mass assignment is enabled by default and
attr_accessible is necessary to protect models.
SQL Injection in Scopes
There was a bug which caused Brakeman not warn about SQL injection in chained calls inside scope blocks (example here). Additionally, scope calls were not being handled for Rails 4.
Hosts in Redirects
Brakeman should no longer warn about instances of
:host is explicitly specified.
SQL Injection in All Select Arguments
Brakeman was only checking the first argument to
Model.select for SQL injection, but the method can take multiple arguments. This release corrects this to check all of the arguments.
SQL Injection CVEs Moved to Separate Check
All the checks for SQL injection CVEs have been moved from
CheckSQLCVEs. This should only have an effect for users explicitly specifying to run or skip
More Routing Fixes
More instances of non-literals in routes will be ignored instead of raising exceptions. In general, information from
routes.rb is not used except to warn about default routes (unless
--no-assume-routes is used).
The SHA1 sums for this release are
fc8a7991e9351f8d5e26a59acf54422a638f4866 brakeman-2.5.0.gem 48f974aaf40957a325ee778d3d700fd29aa526bf brakeman-min-2.5.0.gem