Brakeman

Ruby on Rails Static Analysis Security Tool

Brakeman 5.2.3 Released

Changes since 5.2.2:

  • Fix error with hash shorthand syntax (#1700)
  • Match order of interactive options with help message (Rory O’kane)

Hash Shorthand Syntax

Parsing shorthand hash syntax like this was added with RubyParser 3.19:

thing = 1

blah(thing:)

but Brakeman needed to handle it properly, too.


Interactive Options

Rory O’kane updated the ordering of options in the help message for interactive ignore so the help message matches the order of the options in the prompt!


Checksums

The SHA256 sums for this release are:

5b6efb6a1e5c2b79063553647638e17239d2d2f4d50561230c8b0acaae4728d4  brakeman-5.2.3.gem
3104abc8ac2b6558d9610ede40f4cac2ebc7ae45569876b8e5907b7422c4e3af  brakeman-lib-5.2.3.gem
10d743c930c03ed1d2bea021ade8fac10f1229d02b8f65bf2214f7f09ec7a0ff  brakeman-min-5.2.3.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.

Brakeman 5.2.2 Released

Changes since 5.2.1:

  • Respect equality in if conditions (#1683)
  • Update message for unsafe reflection (Pedro Baracho)
  • Handle nil when joining values (Dan Buettner)
  • Add additional String methods for SQL injection check (#1669)
  • Update ruby_parser for Ruby 3.1 support (Merek Skubela)

Equality Checks in Conditions

When Brakeman comes across code like:

if x == 1
  # do something with x
end

It will now assume x is 1 inside of the if branch.


Unsafe Reflection Messages

Pedro Baracho updated the messages for unsafe reflection to be clearer.


Another String Joining Fix

Dan Buettner fixed an exception when a nil gets into a string joining operation.


More SQL Injection

When Brakeman checks for SQL injection, there are a number of methods (like to_s or strip) that essentially return the string itself.

This list of methods has been expanded to include chop, lstrip, rstrip, scrub, and tr.

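To make both of these 5.2.2 behaviours concrete, the equality refinement described above and the pass-through string methods listed here, the following is a toy taint tracker written for this page. It is not Brakeman's code: the S-expression node shapes, the `[:param]` marker for user input and the `:where` sink are constructed for the example, and Brakeman's real sexps, sink list and dataflow are considerably more involved.

```ruby
# Added example, not Brakeman's code: a toy taint tracker over a small
# constructed S-expression form of Ruby. It shows that string methods
# returning the receiver keep its taint, and that `x == <literal>` in an if
# condition lets the then-branch treat x as that literal.
#
# Node forms (constructed for this example, not Brakeman's internal sexps):
#   [:param]  [:lit, v]  [:lvar, :n]  [:lasgn, :n, expr]  [:call, recv, :m, [args]]
#   [:dstr, part, ...]  [:if, cond, then_body, else_body]  [:block, stmt, ...]
#   [:where, arg]  -> SQL sink (stand-in for Model.where)

# Methods that essentially return the string itself, so taint passes through
# (the 5.2.2 additions plus the to_s/strip examples from the post).
PASS_THROUGH = %i[to_s strip chop lstrip rstrip scrub tr].freeze

# Conversions that yield a number, which cannot carry a SQL payload.
NUMERIC = %i[to_i to_f].freeze

class TaintChecker
  attr_reader :warnings

  def initialize
    @warnings = []
  end

  # Walks a statement; `env` maps local variable names to the expression
  # currently known to be stored in them. Returns the updated env.
  def run(node, env = {})
    case node[0]
    when :block
      node[1..-1].each { |stmt| env = run(stmt, env) }
      env
    when :lasgn
      env.merge(node[1] => node[2])
    when :if
      cond, then_body, else_body = node[1], node[2], node[3]
      then_env = env
      # Equality refinement: inside `if x == 1`, x is known to be 1.
      if cond[0] == :call && cond[2] == :== && cond[1][0] == :lvar &&
         cond[3].length == 1 && cond[3][0][0] == :lit
        then_env = env.merge(cond[1][1] => cond[3][0])
      end
      run(then_body, then_env) if then_body
      run(else_body, env) if else_body   # no refinement in the else-branch
      env
    when :where
      @warnings << "SQL injection: #{node[1].inspect}" if tainted?(node[1], env)
      env
    else
      env
    end
  end

  # True when the expression may contain user-controlled string data.
  def tainted?(expr, env)
    case expr[0]
    when :param then true
    when :lit   then false
    when :lvar
      stored = env[expr[1]]
      stored ? tainted?(stored, env) : true  # unknown variable: assume tainted
    when :dstr
      expr[1..-1].any? { |part| tainted?(part, env) }
    when :call
      recv, meth, args = expr[1], expr[2], expr[3] || []
      if NUMERIC.include?(meth)
        false
      elsif PASS_THROUGH.include?(meth)
        tainted?(recv, env)                  # .strip etc. do not sanitize
      else
        ([recv] + args).any? { |e| tainted?(e, env) }  # conservative default
      end
    else
      false
    end
  end
end

# Runs the checker over a program and returns the warnings it produced.
def check(program)
  checker = TaintChecker.new
  checker.run(program)
  checker.warnings
end

# Constructed sample programs.
# name = params[:name].strip; where("name = '#{name}'")  -> still flagged
STRIP_PROGRAM = [:block,
  [:lasgn, :name, [:call, [:param], :strip, []]],
  [:where, [:dstr, [:lit, "name = '"], [:lvar, :name], [:lit, "'"]]]]

# where("id = #{params[:id].to_i}")  -> not flagged
TO_I_PROGRAM = [:block,
  [:where, [:dstr, [:lit, "id = "], [:call, [:param], :to_i, []]]]]

# x = params[:x]; if x == 1 then where("id = #{x}") else where("id = #{x}") end
# -> only the else-branch is flagged
EQUALITY_PROGRAM = [:block,
  [:lasgn, :x, [:param]],
  [:if, [:call, [:lvar, :x], :==, [[:lit, 1]]],
    [:where, [:dstr, [:lit, "id = "], [:lvar, :x]]],
    [:where, [:dstr, [:lit, "id = "], [:lvar, :x]]]]]

if __FILE__ == $PROGRAM_NAME
  { strip: STRIP_PROGRAM, to_i: TO_I_PROGRAM, equality: EQUALITY_PROGRAM }.each do |name, prog|
    puts "#{name}: #{check(prog).length} warning(s)"
  end
end
```

Running the script prints one warning for the `.strip` program, none for the `.to_i` program, and one for the equality program: the then-branch is silent because `x` is known to be the literal `1` there, while the else-branch still reads `params`.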

Update RubyParser

This version of Brakeman includes RubyParser 3.19 which adds support for Ruby 3.1 syntax. Thanks Merek Skubela!


Checksums

The SHA256 sums for this release are:

246c9540f5d90fbde39c95999d319f9706bf79668f66bb35419825c1cbef61ae  brakeman-5.2.2.gem
1b559598d78919c0f6f3a8e8602b86ab35f825810b1d7daf872b7791b452e78b  brakeman-lib-5.2.2.gem
4c34dcc1900bf872254eee2b313b1634ffacc9002fd7d26b8390259318cf6194  brakeman-min-5.2.2.gem

Brakeman 5.2.1 Released

Oops! Minor emergency fix release.

Changes since 5.2.0:

  • Add warning codes for EOL Ruby and Rails check

Brakeman 5.2.0 Released

Changes since 5.1.2:

  • Initial Rails 7 support (#1653)
  • Add new checks for unsupported Ruby and Rails version
  • Fix issue with calls to foo.root in routes (#1640)
  • Ignore I18n.locale in SQL queries (#1597)
  • Do not treat sanitize_sql_like as safe
  • Bundled version of ruby_parser updated to 3.18.1
  • Require Ruby 2.5.0+ (#1649)

Initial Rails 7 Support

Nothing special here, but the -7 option is available and Brakeman won’t think a Rails 7 app is a Rails 2 app.


New Checks for Unmaintained Software

Brakeman will now warn about use of Ruby or Rails versions which are no longer maintained.

Unlike other warnings, these new checks have a time component and will change as the end-of-life dates approach:

  • 60 days until EOL: Low warning
  • 30 days until EOL: Medium warning
  • EOL+: High warning


Bug Fix in Routes

Calls to something.root will no longer cause Brakeman to freak out.


SQL Injection Updates

I18n.locale is ignored in SQL queries.


sanitize_sql_like is no longer treated as “safe”. It only escapes LIKE-specific characters such as % but does not prevent SQL injection.

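The following script, added here and not Brakeman's or Rails' code, shows why sanitize_sql_like on its own is not a SQL injection defence. It re-implements sanitize_sql_like to match ActiveRecord's behaviour as I understand it (prefix %, _ and the escape character with the escape character), so it runs without Rails; the sample terms and the query strings are constructed for the example.

```ruby
# Added example, not Brakeman's or Rails' code. sanitize_sql_like is
# re-implemented here following ActiveRecord's behaviour as I understand it,
# so the script runs without Rails installed.
def sanitize_sql_like(string, escape_character = "\\")
  pattern = Regexp.union(escape_character, "%", "_")
  string.gsub(pattern) { |x| [escape_character, x].join }
end

# Constructed inputs: a legitimate search term containing LIKE wildcards,
# and a term carrying a single quote, which a LIKE escaper does not touch.
WILDCARD_TERM = "100%_off"
QUOTED_TERM   = "' OR 1=1 --"

# Interpolating the "sanitized" value into the query: the wildcards are
# escaped, but the quote still terminates the string literal. This is the
# pattern Brakeman now keeps flagging.
def interpolated_query(term)
  "SELECT * FROM users WHERE name LIKE '%#{sanitize_sql_like(term)}%'"
end

# The safe form: sanitize_sql_like handles only the LIKE wildcards and the
# value travels as a bind parameter. Returned as [sql, binds], which is what
# `where("name LIKE ?", "%#{sanitize_sql_like(term)}%")` hands to the driver.
def bound_query(term)
  ["SELECT * FROM users WHERE name LIKE ?", ["%#{sanitize_sql_like(term)}%"]]
end

if __FILE__ == $PROGRAM_NAME
  puts sanitize_sql_like(WILDCARD_TERM)   # 100\%\_off : wildcards escaped
  puts sanitize_sql_like(QUOTED_TERM)     # unchanged  : quote untouched
  puts interpolated_query(QUOTED_TERM)    # literal is broken
  p   bound_query(QUOTED_TERM)            # term stays a bind value
end
```

The wildcard escaping is the only job sanitize_sql_like has; whether the resulting pattern reaches the database as a bind parameter or as part of an interpolated string is what decides the injection question, which is why Brakeman no longer treats the call itself as a sanitizer.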

Brakeman 5.1.2 Released

Here’s a small bugfix release with a big parser update!

Huge thanks as always to Ryan Davis for maintaining ruby_parser.

Changes since 5.1.1:

  • Updated ruby_parser (Ryan Davis)
  • Fix issue where the previous output is still visible (Jason Frey)
  • Handle cases where enums are not symbols (#1627)
  • Support newer Haml with ::Haml::AttributeBuilder.build
  • Fix sorting with nil line numbers

Updated RubyParser

Once again, Ryan Davis comes through with a great update of ruby_parser including support for newer Ruby 2.7 and 3.0 syntaxes as well as many other fixes and improvements.


Output Cleanup

Jason Frey cleaned up the "Processing libs..." progress updates so that text left over from the previous line no longer makes them look like "Processing libs...ssed".


Enums Without Symbols

Calls to enum where the first argument is not a symbol will be ignored for now.


Newer Haml

In Haml 5.2.2 the ::Haml::AttributeBuilder.build method started popping up and Brakeman was treating it as suspicious.

For now, Brakeman ignores it because it seems pretty safe.


Sorting with Missing Line Numbers

In some, apparently rare, cases, if two warnings have the same confidence and warning type and are in the same file, but have nil line numbers, then sorting could (but doesn’t always) raise an error.

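Why this only fails sometimes is easier to see in a few lines of Ruby. The script below is an added example, not Brakeman's code: the Finding struct, the two sort keys and the sample findings are constructed for it, and the file path is a placeholder. sort_by compares key arrays element by element, so the line number is only reached when confidence, warning type and file all tie; nil <=> Integer is nil in Ruby, which makes Array#<=> return nil and sort_by raise ArgumentError.

```ruby
# Added example, not Brakeman's code: why a nil line number only sometimes
# breaks sorting, and what the nil-safe key looks like.
Finding = Struct.new(:confidence, :warning_type, :file, :line, :message)

# Sort key as written before the fix (line may be nil).
NAIVE_KEY = ->(f) { [f.confidence, f.warning_type, f.file, f.line] }

# Sort key with a nil-safe line number (nil sorts as 0).
FIXED_KEY = ->(f) { [f.confidence, f.warning_type, f.file, f.line || 0] }

# Sorts with the given key; returns the sorted findings, or the exception
# when the comparison fails.
def try_sort(findings, key)
  findings.sort_by { |f| key.call(f) }
rescue ArgumentError => e
  e
end

# Constructed findings: same confidence, type and file; one line is missing,
# so the comparison reaches the line column and hits nil <=> Integer.
TIED_KEYS = [
  Finding.new(0, "SQL Injection", "app/models/user.rb", 12,  "first"),
  Finding.new(0, "SQL Injection", "app/models/user.rb", nil, "second"),
  Finding.new(0, "SQL Injection", "app/models/user.rb", 3,   "third"),
].freeze

# Same file and nil lines present, but the warning types differ, so the
# comparison is decided before the line is looked at and nothing fails.
DISTINCT_TYPES = [
  Finding.new(0, "SQL Injection",     "app/models/user.rb", nil, "sql"),
  Finding.new(0, "Command Injection", "app/models/user.rb", 7,   "cmd"),
  Finding.new(0, "Mass Assignment",   "app/models/user.rb", nil, "mass"),
].freeze

# Reduces a try_sort result to something printable: the message order, or
# the exception class name when sorting failed.
def messages(result)
  result.is_a?(Exception) ? result.class.name : result.map(&:message)
end

if __FILE__ == $PROGRAM_NAME
  p messages(try_sort(TIED_KEYS, NAIVE_KEY))       # "ArgumentError"
  p messages(try_sort(TIED_KEYS, FIXED_KEY))       # ["second", "third", "first"]
  p messages(try_sort(DISTINCT_TYPES, NAIVE_KEY))  # ["cmd", "mass", "sql"]
end
```

The third call is the "doesn't always" case from the note: the nil lines are present, but the type column settles every comparison before the line column is consulted.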

Checksums

The SHA256 sums for this release are:

d95b1cee8d751db8300c9390d8c90cf3e54f725c4d448f7ccfbdb9a723b6377a  brakeman-5.1.2.gem
8e6a25a4da113269e70a0e536325e8a18b02745f23dea25ecf640c675961961c  brakeman-lib-5.1.2.gem
7b272fa7efc2f25208614bd801993e2b161b4edbf8c423c93b6b13aaee09ae84  brakeman-min-5.1.2.gem
