Brakeman

Ruby on Rails Static Analysis Security Tool

Brakeman 5.2.0 Released

Changes since 5.1.2:

  • Initial Rails 7 support (#1653)
  • Add new checks for unsupported Ruby and Rails version
  • Fix issue with calls to foo.root in routes (#1640)
  • Ignore I18n.locale in SQL queries (#1597)
  • Do not treat sanitize_sql_like as safe
  • Bundled version of ruby_parser updated to 3.18.1
  • Require Ruby 2.5.0+ (#1649)

Initial Rails 7 Support

Nothing special here, but the -7 option is available and Brakeman won’t think a Rails 7 app is a Rails 2 app.

(changes)

New Checks for Unmaintained Software

Brakeman will now warn about use of Ruby or Rails versions which are no longer maintained.

Unlike other warnings, these new checks have a time component and will change as the end-of-life dates approach:

  • 60 days until EOL: Low warning
  • 30 days until EOL: Medium warning
  • EOL+: High warning

(changes)

Bug Fix in Routes

Calls to something.root will no longer cause Brakeman to freak out.

(changes)

SQL Injection Updates

I18n.locale is ignored in SQL queries.

(changes)

sanitize_sql_like is no longer treated as “safe”. It only escapes LIKE-specific characters such as % but does not prevent SQL injection.
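To make the point concrete, here is an added example (not Brakeman's or Rails' own code) that re-implements the escaping logic of ActiveRecord's sanitize_sql_like in plain Ruby (assumed to match Rails: prefix the escape character, % and _ with the escape character) and contrasts the interpolated pattern Brakeman now warns about with a bind-parameter version:

```ruby
# Pure-Ruby stand-in for ActiveRecord's sanitize_sql_like (assumption: same
# logic as Rails, which only escapes the escape character itself, % and _).
def sanitize_sql_like(string, escape_character = "\\")
  pattern = Regexp.union(escape_character, "%", "_")
  string.gsub(pattern) { |x| [escape_character, x].join }
end

# The pattern Brakeman 5.2.0 flags: the LIKE escaping leaves quote characters
# untouched, so interpolating the result into a string literal is still
# string-based SQL construction from user input.
def unsafe_like_sql(q)
  "SELECT * FROM users WHERE name LIKE '%#{sanitize_sql_like(q)}%'"
end

# Hardened form: keep sanitize_sql_like so % and _ in the search term match
# literally, but hand the pattern to the driver as a bind value.
def safe_like_sql(q)
  ["SELECT * FROM users WHERE name LIKE ?", "%#{sanitize_sql_like(q)}%"]
end

# Cheap review heuristic: a generated SQL string with an odd number of single
# quotes means user text has broken a string literal.
def literal_balanced?(sql)
  sql.count("'").even?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: a perfectly ordinary surname containing a quote.
  name = "O'Brien"
  puts unsafe_like_sql(name)             # quote lands inside the SQL text
  puts literal_balanced?(unsafe_like_sql(name)) # false
  p safe_like_sql(name)                  # SQL and bind value kept separate
end
```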

(changes)

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.

Brakeman 5.1.2 Released

Here’s a small bugfix release with a big parser update!

Huge thanks as always to Ryan Davis for maintaining ruby_parser.

Changes since 5.1.1:

  • Updated ruby_parser (Ryan Davis)
  • Fix issue where the previous output is still visible (Jason Frey)
  • Handle cases where enums are not symbols (#1627)
  • Support newer Haml with ::Haml::AttributeBuilder.build
  • Fix sorting with nil line numbers

Updated RubyParser

Once again, Ryan Davis comes through with a great update of ruby_parser including support for newer Ruby 2.7 and 3.0 syntaxes as well as many other fixes and improvements.

(changes)

Output Cleanup

Jason Frey cleaned up the “Processing libs...” updates so it doesn’t look like “Processing libs...ssed” anymore.

(changes)

Enums Without Symbols

Calls to enum where the first argument is not a symbol will be ignored for now.

(changes)

Newer Haml

In Haml 5.2.2 the ::Haml::AttributeBuilder.build method started popping up and Brakeman was treating it as suspicious.

For now, ignoring it because it seems pretty safe.

(changes)

Sorting with Missing Line Numbers

In some apparently rare cases, if two warnings have the same confidence and warning type, are in the same file, and both have nil line numbers, sorting could (but does not always) raise an error.

(changes)

Checksums

The SHA256 sums for this release are:

d95b1cee8d751db8300c9390d8c90cf3e54f725c4d448f7ccfbdb9a723b6377a  brakeman-5.1.2.gem
8e6a25a4da113269e70a0e536325e8a18b02745f23dea25ecf640c675961961c  brakeman-lib-5.1.2.gem
7b272fa7efc2f25208614bd801993e2b161b4edbf8c423c93b6b13aaee09ae84  brakeman-min-5.1.2.gem

Brakeman 5.1.0 Released

This is a huge release! (So many changes, I had to look up how to nest lists in Markdown…)

Thank you to the many contributors!

There are several new features, take a look below.

Changes since 5.0.4:

  • Report Formats
  • Performance
    • Read and parse files in parallel
  • Ruby Interpretation
    • Initial support for ActiveRecord enums (#1492)
    • Interprocedural dataflow from very simple class methods
    • Support Array#fetch and Hash#fetch (#1571)
    • Support Array#push
    • Support Array#*
    • Better Array#join support
    • Support Hash#values and Hash#values_at
    • Support Hash#include?
  • SQL Injection
    • Update SQL injection check for Rails 6.0/6.1
    • Add --sql-safe-methods option (Esty Scheiner)
    • Ignore dates in SQL
    • Ignore sanitize_sql_like in SQL (#1571)
    • Ignore method calls on numbers in SQL (#1571)
  • Other Fixes
    • Ignore renderables in dynamic render path check (Brad Parker)
    • Fix false positive in command injection with Open3.capture (Richard Fitzgerald)
    • Fix infinite loop on mixin self-includes (Andrew Szczepanski)
    • Check for user-controlled evaluation even if it’s a call target (#1590)
  • Refactoring
    • Refactor cookie?/param? methods (Keenan Brock)
    • Better method definition tracking and lookup

Report Formats

Klaus Badelt added support for GitHub Actions annotation format with -f github.

(changes)

Eli Block added support for reporting ignored warnings in SARIF using the “suppressed” property and fixed a SARIF bug.

(changes)

Elia Schito clarified some text in the --interactive menu for ignoring warnings.

(changes)

Parallel File Parsing

Brakeman now uses the parallel gem to read and parse files in parallel.

By default, parallel will split the reading/parsing into a number of separate processes based on number of CPUs.

In testing, this has dramatically improved speed for large code bases - around 35% reduction in overall scan time.

However, if you run into weird behavior (e.g. scanning just hangs during file parsing), this feature can be disabled using --no-threads.

(changes)

Ruby Interpretation

Simple Class Methods

Brakeman will now track and return very simple literal values (e.g. strings, hashes of literals, arrays of literals) from very simple class methods (e.g. single line).

For example:

class User
  def self.path_prefix
    '/user'
  end
end

User.path_prefix # => '/user'

This should help prevent some false positives.

Enums

Since ActiveRecord enums essentially generate class (and instance) methods that return fixed literal values, the class method return value tracking described above is also used to support enum.

For example:

class User < ActiveRecord::Base
  enum status: [:pending, :active, :locked]
end

User.statuses[:pending] # => 0

(changes)

Hash and Array Methods

In some ways, Brakeman is a very poor Ruby interpreter. To “understand” the code it analyzes, Brakeman essentially evaluates some methods. This release adds and improves support for evaluating a number of Hash and Array methods.

  • Support Array#fetch and Hash#fetch (changes)
  • Support Array#push (changes)
  • Support Array#* and improve Array#join (changes)
  • Support Hash#values and Hash#values_at (changes)
  • Support Hash#include? (changes)

SQL Injection

Updates for Rails 6.0/6.1

Some new Rails 6.0 methods were previously added for SQL injection (destroy_by/delete_by), but this release is more thorough.

Newly vulnerable methods:

  • reselect
  • rewhere

No longer vulnerable:

  • delete_all
  • destroy_all
  • pluck (in Rails 6.1)

Not really vulnerable:

  • order (in Rails 6.1)
  • reorder (in Rails 6.1)

(Also, https://rails-sqli.org/ has been updated with Rails 6 information!)

(changes)

Safe Methods

Esty Scheiner added the --sql-safe-methods option to ignore some methods when checking for SQL injection.

(changes)

False Positives

Brakeman no longer warns about SQL injection for:

  • Dates and methods called on dates (changes)
  • Method calls on number literals (changes)
  • sanitize_sql_like (changes)

Misc Fixes

Brad Parker updated the dynamic render path check to ignore “renderables”.

(changes)

Richard Fitzgerald fixed a command injection false positive when using Open3.capture.

(changes)

Andrew Szczepanski fixed an infinite loop when a mixin appears to include itself.

(changes)

Brakeman will now warn about user-controlled evaluation even if the evaluation is a call target itself.

For example:

eval(params[:debug]).do_something_else

(changes)

Refactoring

Keenan Brock cleaned up the cookie?/param? utility methods.

(changes)

In support of enum and simple class methods, Brakeman now has a cleaner way of tracking and looking up method definitions.

(changes)

New and Updated Options

--sql-safe-methods can be used to specify methods that should be ignored in the context of SQL injection.

--format github/-f github will output the annotation format used by GitHub Actions.

--no-threads/-n will disable use of threads (actually forked processes) for reading and parsing files. (Previously, this option only disabled use of threads when running checks.)

Checksums

The SHA256 sums for this release are:

2cc7a174bc9ebb90161f218ea35905de8d749210f69a0bfda9fba71429dc5047  brakeman-5.1.0.gem
b8182c9fd7d6d116b2b531c5d8fe0bf9c8da14118b755ed00be8de8c4684ad10  brakeman-lib-5.1.0.gem
e38ff386530bc5585e2efd183ba73c08abb740c3b26072662025a3d9395b707a  brakeman-min-5.1.0.gem

Brakeman 5.0.4 Released

This is a tiny bugfix release!

What happened to 5.0.2 and 5.0.3??

They were messed up. Sorry. Don’t use them.

Changes since 5.0.1:

  • Fix Loofah version check (#1603)

Checksums

The SHA256 sums for this release are:

4d1af5c3e65a0c2319396a796bd9a587a13317faff92bd09b74c44ba70aef8b3  brakeman-5.0.4.gem
6b529ae8f1e16aed711759c3b52fc01c60befeb896042de02aaa5aabf5c24cb5  brakeman-lib-5.0.4.gem
5a402076af48fc526211212d70a751c80c27cae535077c1c7a63dadc314efe97  brakeman-min-5.0.4.gem

Brakeman 5.0.1 Released

Has it really been three months since Brakeman 5.0? Yikes!

Here’s a small update with some bugfixes before we move on to 5.1.

Changes since 5.0.0:

  • Support loading slim/smart (#1570)
  • Set more line numbers on Sexps (#1579)
  • Detect ::Rails.application.configure too (#1584)
  • Always ignore slice/only calls for mass assignment
  • Don’t fail if $HOME/$USER are not defined
  • Convert splat array arguments to arguments
  • Bundle unreleased RubyParser changes

Support Smart Text in Slim Templates

In order to support “Smart Text” in Slim templates, Brakeman will load slim/smart if slim/smart is mentioned in the Gemfile.

(changes)

More Line Numbers

Setting a nil value for the line number of a Sexp raises an exception.

This is usually from creating a Sexp without a line number in the first place.

More instances of this have been fixed in this release.

(changes)

Always Ignore slice/only for Mass Assignment

If slice or only are called for arguments to mass assignment (e.g. User.new(some_hash.slice(:name, :email))), Brakeman will not warn about mass assignment.

These have been ignored for a while, but a logic error caused Brakeman to sometimes still warn about them.

(changes)

Convert Splats to Arguments

In really obvious cases like

some_call(*[a, b, c])

Brakeman will convert the arguments to

some_call(a, b, c)

(changes)

Checksums

The SHA256 sums for this release are:

4c1b7c7747ecfca11a822a4bab5ad05f13515e195d7d34590d3add215573b431  brakeman-5.0.1.gem
79129c2977936113fc87a9a2e9490b734f088286d0b33ed9ca61cb6587dc18c7  brakeman-lib-5.0.1.gem
549034d7aeb2a5ca8fe299c41b91938d502a89e70a1afa68643ca3c9e5ccaf96  brakeman-min-5.0.1.gem