Brakeman

Ruby on Rails Static Analysis Security Tool

Brakeman 5.4.0 Released

Special thanks to Bart de Water and Ryan Cartner for proposing new rules!

Changes since 5.3.1:

  • Add check for weak RSA key sizes and padding modes (#1736)
  • Add check for absolute paths issue with Pathname (#1721)
  • Handle multiple values and splats in case/when (#1730)
  • Ignore more model methods in redirects (#1723)
  • Fix load_rails_defaults overwriting settings in the Rails application (James Gregory-Monk)
  • Use relative paths for CodeClimate report format (Mike Poage)

Check RSA Key Sizes and Padding Modes

Brakeman now warns on:

  • RSA key sizes less than 2048 bits
  • Use of padding modes other than OAEP (including none)

(changes)
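The two properties the new check inspects, applied to live OpenSSL objects rather than to source code. This is an added example and not Brakeman's own code: the 2048-bit threshold and the "OAEP only" rule are taken from the release note above, while the function names (rsa_findings, encrypt_flagged, encrypt_oaep, decrypt_oaep) and the PADDING_NAMES table are assumptions made for the illustration. Ruby's OpenSSL binding defaults public_encrypt to PKCS#1 v1.5, so omitting the padding argument is itself the weak form.

```ruby
require 'openssl'

# Added example, not Brakeman's code. Minimum modulus size from the release note.
MIN_RSA_BITS = 2048

# Names for the padding constants exposed by Ruby's OpenSSL binding (assumed table).
PADDING_NAMES = {
  OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING => 'OAEP',
  OpenSSL::PKey::RSA::PKCS1_PADDING      => 'PKCS#1 v1.5',
  OpenSSL::PKey::RSA::NO_PADDING         => 'none'
}.freeze

# Return a list of findings for a key/padding pair; empty means both are acceptable.
def rsa_findings(key, padding)
  findings = []
  bits = key.n.num_bits
  findings << "RSA key size #{bits} bits is below #{MIN_RSA_BITS}" if bits < MIN_RSA_BITS
  unless padding == OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
    findings << "RSA padding mode is #{PADDING_NAMES.fetch(padding, padding.inspect)}, expected OAEP"
  end
  findings
end

# Before: the shape the check flags. With no second argument, public_encrypt
# uses PKCS1_PADDING (PKCS#1 v1.5).
def encrypt_flagged(key, plaintext)
  key.public_encrypt(plaintext)
end

# After: OAEP padding, to be used with a key of at least MIN_RSA_BITS.
def encrypt_oaep(key, plaintext)
  key.public_encrypt(plaintext, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
end

def decrypt_oaep(key, ciphertext)
  key.private_decrypt(ciphertext, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
end

if $PROGRAM_NAME == __FILE__
  weak_key   = OpenSSL::PKey::RSA.generate(1024)
  strong_key = OpenSSL::PKey::RSA.generate(2048)
  puts rsa_findings(weak_key, OpenSSL::PKey::RSA::PKCS1_PADDING)
  puts rsa_findings(strong_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING).inspect
  puts decrypt_oaep(strong_key, encrypt_oaep(strong_key, 'hello'))
end
```

The 1024-bit key is generated only to show what a finding looks like; the same rsa_findings call on the 2048-bit key with OAEP returns an empty list.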

Unexpected Absolute Paths

When joining paths using Pathname#join, any arguments that start with a forward slash (/) will cause the rest of the path to be relative to that absolute path. This may cause unexpected behavior and deviates from how File.join works.

Pathname.new('a').join('b', '/c', 'd')
 => #<Pathname:/c/d>

(There are more Pathname methods with this issue - to be added in a future release.)

(changes)
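The Pathname#join surprise next to File.join, and a join that keeps every argument under a trusted base directory. This is an added example, not code from Brakeman or from the Pathname documentation; join_under and its containment rule are assumptions for the illustration, and the base directory used in the usage is a constructed path that is never touched on disk (cleanpath resolves '..' lexically).

```ruby
require 'pathname'

# Added example, not Brakeman's code.

# Pathname#join: an absolute argument discards everything joined before it.
def pathname_join(base, *parts)
  Pathname.new(base).join(*parts).to_s
end

# File.join: the same arguments stay relative to the base.
def file_join(base, *parts)
  File.join(base, *parts)
end

# Hardened join (assumed helper): strips leading separators from each
# untrusted part, resolves '..' lexically with cleanpath, and refuses any
# result that would leave the base directory.
def join_under(base, *parts)
  root = Pathname.new(base).expand_path
  relative = parts.map { |part| part.to_s.sub(%r{\A/+}, '') }.reject(&:empty?)
  candidate = root.join(*relative).cleanpath
  inside = candidate == root || candidate.to_s.start_with?(root.to_s + File::SEPARATOR)
  raise ArgumentError, "#{candidate} is outside #{root}" unless inside
  candidate
end

if $PROGRAM_NAME == __FILE__
  puts pathname_join('a', 'b', '/c', 'd')                 # /c/d
  puts file_join('a', 'b', '/c', 'd')                     # a/b/c/d
  puts join_under('/srv/app/uploads', 'b', '/c', 'd')     # /srv/app/uploads/b/c/d
  begin
    join_under('/srv/app/uploads', 'b', '..', '..', 'config.yml')
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Stripping the leading slash is what makes the absolute argument behave like File.join; the containment check is the part that matters when the arguments come from a request, since '..' segments survive the slash stripping.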

Multiple Values in whens

If a when clause contains only ‘safe’ values, Brakeman will treat the case value as safe:

y = [1, 2, 3]

case x
when *y
  maybe_dangerous(x) # `x` must be an integer, so not dangerous
end

(changes)

Ignore More Redirects

More model methods are ignored in redirects:

  • first!
  • last!
  • sole
  • find_by_sole

(changes)

Rails Defaults

James Gregory-Monk fixed how Rails default configuration values are set, so that overrides in the application's configuration are properly handled.

(changes)

Checksums

The SHA256 sums for this release are:

bab990760949e999c5d52b297d8badda376754eb296c91abf829def733ed9d51  brakeman-5.4.0.gem
2b5a0cd5845b8c0e1b83e00122654af48b025ac3e6625c9ecbc5535226068416  brakeman-lib-5.4.0.gem
fcbd60456c5db62767d143696e1edf8e4eaee734f2a039903aeca7bb4e6b3dbf  brakeman-min-5.4.0.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on GitHub for questions and discussion.

Brakeman 5.3.0 Released

This release adds CWE information to reports - the first JSON report change in a long time!

Changes since 5.2.3:

  • Add CWE information to warnings (Stephen Aghaulor)
  • Include explicit engine or lib paths in vendor/ (Joe Rafaniello)
  • Add check for CVE-2022-32209
  • Load rexml as a Brakeman dependency
  • Fix “full call” information propagating unnecessarily

CWE Information

Thanks to Stephen Aghaulor for taking on the arduous task of adding CWE information to every Brakeman warning type!

CWE information is now available in most report formats. In particular, it is a new field for the JSON report.

Example:

    {
      "warning_type": "Cross-Site Scripting",
      "warning_code": 124,
      "fingerprint": "c2cc471a99036432e03d83e893fe748c2b1d5c40a39e776475faf088717af97d",
      "check_name": "SanitizeConfigCve",
      "message": "rails-html-sanitizer 1.4.2 is vulnerable to cross-site scripting when `select` and `style` tags are allowed (CVE-2022-32209)",
      "file": "config/initializers/sanitizers.rb",
      "line": 1,
      "link": "https://groups.google.com/g/rubyonrails-security/c/ce9PhUANQ6s/m/S0fJfnkmBAAJ",
      "code": "Rails::Html::SafeListSanitizer.allowed_tags = [\"select\", \"a\", \"style\"]",
      "render_path": null,
      "location": null,
      "user_input": null,
      "confidence": "High",
      "cwe_id": [
        79
      ]
    }

(changes)
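A consumer for the JSON report that uses the new cwe_id field, as an added example that is not part of Brakeman. The report below is constructed: its first warning is the one shown above, and the second is made up for contrast. The top-level "warnings" array and the High/Medium/Weak confidence values are Brakeman's JSON format; the functions warnings_by_cwe and blocking_warnings, and the CONFIDENCE_RANK table, are assumptions for the illustration.

```ruby
require 'json'

# Constructed sample report (not real scanner output beyond the first warning,
# which is the example from the release note).
SAMPLE_REPORT = <<~JSON
  {
    "warnings": [
      {
        "warning_type": "Cross-Site Scripting",
        "warning_code": 124,
        "fingerprint": "c2cc471a99036432e03d83e893fe748c2b1d5c40a39e776475faf088717af97d",
        "check_name": "SanitizeConfigCve",
        "message": "rails-html-sanitizer 1.4.2 is vulnerable to cross-site scripting when `select` and `style` tags are allowed (CVE-2022-32209)",
        "file": "config/initializers/sanitizers.rb",
        "line": 1,
        "confidence": "High",
        "cwe_id": [79]
      },
      {
        "warning_type": "SQL Injection",
        "warning_code": 0,
        "fingerprint": "constructed-fingerprint-0002",
        "check_name": "SQL",
        "message": "constructed example warning",
        "file": "app/models/user.rb",
        "line": 12,
        "confidence": "Weak",
        "cwe_id": [89]
      }
    ]
  }
JSON

# Assumed ranking of Brakeman's confidence levels.
CONFIDENCE_RANK = { 'High' => 3, 'Medium' => 2, 'Weak' => 1 }.freeze

# Group warning fingerprints by CWE id. cwe_id is an array, so one warning
# can appear under several CWEs.
def warnings_by_cwe(report_json)
  JSON.parse(report_json).fetch('warnings').each_with_object({}) do |warning, groups|
    Array(warning['cwe_id']).each do |cwe|
      (groups[cwe] ||= []) << warning['fingerprint']
    end
  end
end

# Warnings that should block a build: any denied CWE at or above min_confidence.
def blocking_warnings(report_json, denied_cwes, min_confidence: 'Medium')
  threshold = CONFIDENCE_RANK.fetch(min_confidence)
  JSON.parse(report_json).fetch('warnings').select do |warning|
    CONFIDENCE_RANK.fetch(warning['confidence'], 0) >= threshold &&
      (Array(warning['cwe_id']) & denied_cwes).any?
  end
end

if $PROGRAM_NAME == __FILE__
  warnings_by_cwe(SAMPLE_REPORT).each { |cwe, fps| puts "CWE-#{cwe}: #{fps.size} warning(s)" }
  blocking_warnings(SAMPLE_REPORT, [79, 89]).each do |w|
    puts "BLOCK #{w['file']}:#{w['line']} #{w['warning_type']} (#{w['confidence']})"
  end
end
```

Filtering on cwe_id rather than on warning_type lets a CI gate stay stable when Brakeman renames or splits a warning type, since the CWE assignment is the more durable identifier.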

Explicit Paths in Vendor Directory

By default, Brakeman does not scan any code in the vendor/ directory.

But it was also ignoring any paths in vendor/, even if the user explicitly included them via --add-libs-path or --add-engines-path.

Thanks to Joe Rafaniello, this is now changed to respect the explicitly added paths, even if they reside in vendor/.

(changes)

CVE-2022-32209

As a reminder, Brakeman does not keep up with every CVE for Rails or other libraries. Use a dependency analysis tool for that!

A check was added for CVE-2022-32209.

If the vulnerable configuration is detected, the warning will be high confidence.

If only the vulnerable version of rails-html-sanitizer is detected, the warning will be weak confidence.

(changes)

Checksums

The SHA256 sums for this release are:

4fe584ef37c16e1011a0f2db36ebab540fef403ff8e26afed212e2d7ff5a3176  brakeman-5.3.0.gem
1f5caa0bd05fd8ea5b4f5791371dd0911f96d804612c7be986bab3ed0163a8cf  brakeman-lib-5.3.0.gem
4a4ccef090c4eb5857140c15fa69ff65167f3eb550f7a0ca555012642aafe7e9  brakeman-min-5.3.0.gem


Brakeman 5.2.3 Released

Changes since 5.2.2:

  • Fix error with hash shorthand syntax (#1700)
  • Match order of interactive options with help message (Rory O’kane)

Hash Shorthand Syntax

Parsing shorthand hash syntax like this was added with RubyParser 3.19:

thing = 1

blah(thing:)

but Brakeman needed to handle it properly, too.

(changes)

Interactive Options

Rory O’kane updated the ordering of options in the help message for interactive ignore so the help message matches the order of the options in the prompt!

(changes)

Checksums

The SHA256 sums for this release are:

5b6efb6a1e5c2b79063553647638e17239d2d2f4d50561230c8b0acaae4728d4  brakeman-5.2.3.gem
3104abc8ac2b6558d9610ede40f4cac2ebc7ae45569876b8e5907b7422c4e3af  brakeman-lib-5.2.3.gem
10d743c930c03ed1d2bea021ade8fac10f1229d02b8f65bf2214f7f09ec7a0ff  brakeman-min-5.2.3.gem


Brakeman 5.2.2 Released

Changes since 5.2.1:

  • Respect equality in if conditions (#1683)
  • Update message for unsafe reflection (Pedro Baracho)
  • Handle nil when joining values (Dan Buettner)
  • Add additional String methods for SQL injection check (#1669)
  • Update ruby_parser for Ruby 3.1 support (Merek Skubela)

Equality Checks in Conditions

When Brakeman comes across code like:

if x == 1
  # do something with x
end

It will now assume x is 1 inside of the if branch.

(changes)

Unsafe Reflection Messages

Pedro Baracho updated the messages for unsafe reflection to be clearer.

(changes)

Another String Joining Fix

Dan Buettner fixed an exception when a nil gets into a string joining operation.

(changes)

More SQL Injection

When Brakeman checks for SQL injection, there are a number of methods (like to_s or strip) that essentially return the string itself.

This list of methods has been expanded to include chop, lstrip, rstrip, scrub, and tr.

(changes)

Update RubyParser

This version of Brakeman includes RubyParser 3.19 which adds support for Ruby 3.1 syntax. Thanks Merek Skubela!

(changes)

Checksums

The SHA256 sums for this release are:

246c9540f5d90fbde39c95999d319f9706bf79668f66bb35419825c1cbef61ae  brakeman-5.2.2.gem
1b559598d78919c0f6f3a8e8602b86ab35f825810b1d7daf872b7791b452e78b  brakeman-lib-5.2.2.gem
4c34dcc1900bf872254eee2b313b1634ffacc9002fd7d26b8390259318cf6194  brakeman-min-5.2.2.gem


Brakeman 5.2.1 Released

Oops! Minor emergency fix release.

Changes since 5.2.0:

  • Add warning codes for EOL Ruby and Rails check
