Brakeman

Ruby on Rails Static Analysis Security Tool

Brakeman 4.8.2 Released

This release introduces a new option and two new checks!

Changes since 4.8.1:

  • Add --text-fields option
  • Add check for CVE-2020-8159
  • Add check for escaping HTML entities in JSON configuration option
  • Fix authenticate_or_request_with_http_basic check for passed blocks (Hugo Corbucci)

Text Fields Option

It is now possible to specify which text fields are reported and their order for the default “text” report format using the --text-fields option.

Possible options are:

  • all
  • category
  • category_id
  • check
  • code
  • confidence
  • file
  • fingerprint
  • line
  • link
  • message
  • render_path

--text-fields accepts a comma-separated list of these options.

Please keep in mind that the JSON report should be used for structured reports and parsing.

(changes)

CVE-2020-8159

This release includes a check for CVE-2020-8159 related to the actionpack-page_caching gem. The vulnerability allows arbitrary file writing and may be escalated to remote code execution.

If caches_page is called in any controller, this will be a High confidence warning; otherwise it will be Weak.

Reminder: Brakeman is not a ‘dependency’ scanner. It only includes checks for a small number of Rails-related CVEs. Use bundler-audit or related tools for dependency checking.

(changes)

JSON Escaping Configuration

Brakeman will now warn if HTML entity escaping in JSON is disabled globally with ActiveSupport.escape_html_entities_in_json = false. This is an unusual configuration.
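To show what the default setting protects, here is an added illustration (not ActiveSupport's code and not part of the original post) that reproduces the escaping Rails applies with the option on, and what happens when the escaped JSON is embedded in an inline script with the option off. The inline_script helper and SAMPLE_DATA are constructed for this example.

```ruby
require "json"

# ActiveSupport's replacement table when escape_html_entities_in_json is enabled (the
# default): the JSON stays valid, but the characters that could close a <script> element
# or open a tag are written as \u escapes. Reproduced here for illustration only.
HTML_ENTITY_ESCAPES = {
  "<" => '\u003c', ">" => '\u003e', "&" => '\u0026',
  "\u2028" => '\u2028', "\u2029" => '\u2029'
}.freeze

# Mimics Rails' to_json with the option on (default) or off (what Brakeman now warns about).
def rails_style_json(obj, escape_html_entities: true)
  json = JSON.generate(obj)
  escape_html_entities ? json.gsub(/[<>&\u2028\u2029]/, HTML_ENTITY_ESCAPES) : json
end

# A common pattern: bootstrapping page data into an inline script tag (constructed helper).
def inline_script(obj, escape_html_entities: true)
  "<script>window.__data = #{rails_style_json(obj, escape_html_entities: escape_html_entities)};</script>"
end

# The HTML parser ends a script element at the first "</script" it sees, regardless of
# JavaScript string quoting, so a second occurrence means the value escaped its context.
def breaks_script_context?(html)
  html.downcase.scan("</script").length > 1
end

# Escaping does not change the decoded value, so leaving the option on costs nothing.
def round_trips?(obj)
  JSON.parse(rails_style_json(obj, escape_html_entities: true)) == obj
end

# Constructed sample: a user-supplied comment that happens to contain a closing script tag.
SAMPLE_DATA = { "comment" => "Nice post </script> see you" }.freeze
```

With the option off, inline_script(SAMPLE_DATA, escape_html_entities: false) contains a second "</script" and the browser leaves the data context early; with it on, the same value is emitted as \u003c/script\u003e and parses back to the original string.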

(changes)

Basic Auth Check Fix

Hugo Corbucci fixed an error when checking calls to authenticate_or_request_with_http_basic without a block literal.

(changes)

Checksums

The SHA256 sums for this release are:

d7bf369896b4a3c41778f39f10b1e1d0844a965bbb582fa0a0566b1df4f07dec  brakeman-4.8.2.gem
c13e9a9e5b213ba95a16803ddb50eb3c7119533ca71444ffec2bb6cea22b926a  brakeman-lib-4.8.2.gem
a422a444b7db48682e1f112c83b1a7a7e3828ec02d52ed91c5b3eff235b801c1  brakeman-min-4.8.2.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.

Brakeman 4.8.1 Released

Just a little bug fix release.

Changes since 4.8.0:

  • Warn about global(!) mass assignment
  • Check SQL query strings using String#strip or String.squish (#1459)
  • Handle non-symbol keys in locals hash for render (#1465)
  • Index calls in render arguments (#1459)

Global Mass Assignment

Strong parameters can be disabled with:

ActionController::Parameters.permit_all_parameters = true

Brakeman will now warn about this (very rare) configuration.

(changes)

Squished and Stripped SQL

Brakeman will now check string targets of squish or strip.

For example:

ActiveRecord::Base.connection.execute "SELECT * FROM #{user_input}".squish

(changes)

Non-Symbol Keys in Locals Hash

Using a value other than symbol literals as keys in the locals hash for render will no longer cause an error.

(changes)

Render Arguments

Calls made as arguments to render will be indexed and checked for all vulnerability types, like every other method call.

(changes)

Checksums

The SHA256 sums for this release are:

5f3cc763fce471434adc33aa251298fa24ea2a1c01ef2549aec55be4b5b14d46  brakeman-4.8.1.gem
c4a95b450fb7ec2440e68640a0821e3a6b62ea34f665e78264ba0b332e98e5df  brakeman-lib-4.8.1.gem
ada41dbfc3a436c062cd44161893249654caf43296801599303952f6261f2e5e  brakeman-min-4.8.1.gem


Brakeman 4.8.0 Released

First release of 2020! This release comes with a brand new report format: JUnit XML.

Changes since 4.7.2:

  • Add JUnit XML report format (Naoki Kimurai)
  • Sort ignore files by fingerprint and line (Ngan Pham)
  • Catch dangerous concatenation in CheckExecute (Jacob Evelyn)
  • User-friendly message when ignore config file has invalid JSON (D. Hicks)
  • Freeze call index results, fix thread-safety issue
  • Properly render confidence in Markdown report (#1446)
  • Report old warnings as fixed if zero warnings reported

JUnit XML Report

Thanks to Naoki Kimura, Brakeman can now generate a JUnit XML report. JUnit XML is produced and consumed by a number of different testing tools, including CircleCI.

Supporting this format makes it possible for Brakeman warnings to be consumed by general test infrastructure tools.

To use the new format, either use -f junit or -o report.junit.

(changes)

Sort Ignore Files

Warnings in “ignore files” were previously only sorted by fingerprint. Thanks to Ngan Pham they are now sorted by fingerprint then line number, to maintain stable ordering between warnings with the same fingerprint.

(changes)

Dangerous Concatenation in Commands

Jacob Evelyn has updated the command injection check (CheckExecute) to also consider string concatenation with dangerous values.

For example:

system("ls " + maybe_dangerous)

(changes)

Fix Thread-safety Issue

Two checks were modifying shared data (call site results), which introduced a race condition. Sometimes a result would strangely become nil and cause intermittent errors. Note this only popped up when using real threads on JRuby.

Now results from the CallIndex are frozen to help prevent this kind of modification of shared data in the future.

(changes)

Render Confidence in Markdown

Due to a previous refactoring, confidence levels were not being rendered in Markdown reports.

(changes)

Report Comparison Fix

Due to a very old bug, when comparing an old report with some warnings to a new report with zero warnings, the old warnings were not reported as fixed. Now they will be.

Probably no one noticed because we generally only care about new warnings.

(changes)

Checksums

The SHA256 sums for this release are:

2febb3ce4111fe14f57a8ea447c5770eeb32ba43333955b4ed27864ef045c277  brakeman-4.8.0.gem
c513373a37576d8107af724bf9f8a47e8d76253c85bdd6fdb4d3e93471a47ee6  brakeman-lib-4.8.0.gem
d82206b9a60ef1eb4c96d32ba0157774db301e3ca10dcbdd7b4171044b28eccf  brakeman-min-4.8.0.gem


Brakeman 4.7.2 Released

Some minor fixes for a minor release.

Changes since 4.7.1:

  • Add request.params as query parameters (#1398)
  • Handle more permit! cases (#1426)
  • Remove version guard for named_scope vs. scope
  • Find SQL injection in String#strip_heredoc target (#1433)
  • Ensure file name is set when processing models
  • Bundle ruby_parser version 3.14.1 (#1429)

More Query Parameters

request.params has been added as a query parameters method.

(changes)

More permit!

More cases of permit! will be identified, particularly when it is the target of a method call.

(changes)

More Scopes

Both named_scope and scope will be handled regardless of detected Rails version.

(changes)

SQL Injection with strip_heredoc

strip_heredoc is now treated as returning a string. This fixes false positives if the target is a plain string and fixes false negatives if the target has interpolation.
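The three parser-level improvements above (looking through squish and strip in 4.8.1, catching "literal" + variable concatenation in CheckExecute in 4.8.0, and strip_heredoc here) all come down to the same question: does a sink's argument still contain non-literal data once the wrapping method is peeled off? The following added example (not Brakeman's implementation, which uses ruby_parser Sexps rather than Ripper) answers that question over Ruby's stdlib Ripper AST; the sink list, the passthrough list and SAMPLE are constructed for the illustration.

```ruby
require "ripper"
SINKS       = %w[execute select_all find_by_sql system].freeze
PASSTHROUGH = %w[squish strip strip_heredoc].freeze  # hand back the same string, reformatted

# Literal text only, optionally joined with + ("SELECT " + "* FROM users"): safe.
def plain?(n)
  return false unless n.is_a?(Array)
  return !n.flatten.include?(:string_embexpr) if n[0] == :string_literal
  n[0] == :binary && n[2] == :+ && plain?(n[1]) && plain?(n[3])
end

# A string built from non-literal data: #{} interpolation, "lit" + variable, or either of those behind .squish/.strip/.strip_heredoc.
def tainted?(n)
  return false unless n.is_a?(Array)
  case n[0]
  when :string_literal, :binary then !plain?(n) && (n[0] == :string_literal || n[2] == :+)
  when :call then n[3].is_a?(Array) && PASSTHROUGH.include?(n[3][1]) && tainted?(n[1])
  else false
  end
end

# Line numbers of sink calls (foo arg / recv.foo arg / recv.foo(arg)) with a tainted argument.
def find_tainted_sinks(src)
  hits = []
  walk = lambda do |n|
    next unless n.is_a?(Array)
    ident, args = case n[0]
                  when :command        then [n[1], n[2]]
                  when :command_call   then [n[3], n[4]]
                  when :method_add_arg then [n[1].last, n[2]]  # [:call, recv, ".", ident] / [:fcall, ident]
                  end
    args = args[1] while args.is_a?(Array) && %i[arg_paren args_add_block].include?(args[0])
    if ident.is_a?(Array) && ident[0] == :@ident && SINKS.include?(ident[1]) &&
       args.is_a?(Array) && args.any? { |a| tainted?(a) }
      hits << ident[2][0]
    end
    n.each { |child| walk.call(child) }
  end
  walk.call(Ripper.sexp(src))
  hits
end

# Constructed sample input: lines 1, 3 and 7 should be flagged; lines 2 and 6 should not.
SAMPLE = <<~'RUBY'
  ActiveRecord::Base.connection.execute "SELECT * FROM #{user_input}".squish
  ActiveRecord::Base.connection.execute "SELECT * FROM users".squish
  User.find_by_sql(<<-SQL.strip_heredoc)
    SELECT * FROM users WHERE name = '#{params[:name]}'
  SQL
  system("ls " + "-la")
  system("ls " + maybe_dangerous)
RUBY
```

find_tainted_sinks(SAMPLE) returns [1, 3, 7]; note that any + whose operands are not all string literals is treated as tainted, which is a deliberate over-approximation for the example.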

(changes)

Model File Names

In some cases, warnings were missing file names because the file name was not being passed to the model processor.

The file name will now be passed along, and there is a new test in the test suite for file names on warnings.

(changes)

Checksums

The SHA256 sums for this release are:

339d6f3707a2c0a32003536a231255b839a0b87bd6a7ebef3c82aedd1bdd3ac8  brakeman-4.7.2.gem
39ce3a5fe248dee8c78fe671441d2abbfec66cec923ee9f56c62018229d3c9b0  brakeman-lib-4.7.2.gem
efa07aa8476ef5553c91734093349a3ed55e2ef05b469d3dcecfdaabede37296  brakeman-min-4.7.2.gem


Brakeman 4.7.1 Released

This release includes a security fix in a dependency; please see below.

Changes since 4.7.0:

  • Address file permission issues in bundled ruby_parser-legacy
  • Sort text report by file and line (Jacob Evelyn)
  • Catch reverse tabnabbing with :_blank symbol (Jacob Evelyn)
  • Convert s(:lambda) to s(:call) in Sexp#block_call (#1410)
  • Check string length against limit before joining
  • Fix flaky rails4 test (Adam Kiczula)
  • Fix errors from frozen Symbol#to_s in Ruby 2.7
  • Add release dates to each version in CHANGES (TheSpartan1980)

File Permissions

A security issue was reported for the ruby_parser-legacy gem, where some files are installed with world-writable permissions. This would allow any user on the system to edit code which would then be executed by Brakeman (or other dependent libraries) when loading the ruby_parser-legacy gem.

In this release of the brakeman gem, the permissions on these files have been corrected. However, there has not been a fixed release of ruby_parser-legacy yet, so the brakeman-lib and brakeman-min gems are still affected.

Default Report Format Sorting

Warnings in the default text report are now sorted by file and line number as well as confidence and category, thanks to Jacob Evelyn.

(changes)

Reverse Tabnabbing

Jacob Evelyn also updated the reverse tabnabbing check to match links created with target: :_blank.

(changes)

Stabby Lambdas

ruby_parser 3.14.0 changed the AST representation of ->{} lambdas, and Brakeman needed to adjust.

(changes)

String Length Limit

Brakeman now checks the resulting length of joining two strings (e.g., "blah" + "blah blah") before joining them. If the joined string would be longer than 50 characters, the strings are not joined.

Note that the only change is when the length is checked; the limit was already in place.

(changes)

Flaky Test Fixed

Adam Kiczula fixed an intermittently-failing test in the Brakeman test suite that had been plaguing CI builds for a long time. Thanks!

(changes)

Ruby 2.7 Frozen Strings

In Ruby 2.7, calling to_s on symbols and some other constant values (true/false, etc.) will return frozen strings. This affected Brakeman in only minor ways, but it is fixed now in preparation for Ruby 2.7.

(changes)

Release Dates in Changelog

Brakeman’s changelog now includes release dates thanks to TheSpartan1980.

(changes)

Checksums

The SHA256 sums for this release are:

cdc6f4c86b5b35b5e94798cf443909385aa1b79235da8e1ee1fd4381acf03691  brakeman-4.7.1.gem
2f7a7a6d79b1e5b8c6a390e04642e987c56cced2c8be3d63a1250f7bbc9e504d  brakeman-lib-4.7.1.gem
598431f6bfc90b119fc6883ead7896c1718ba5d9a0e0450893c3e628a6c8e7b0  brakeman-min-4.7.1.gem
