Brakeman

Ruby on Rails Static Analysis Security Tool

Brakeman 5.0.4 Released

This is a tiny bugfix release!

What happened to 5.0.2 and 5.0.3??

They were messed up. Sorry. Don’t use them.

Changes since 5.0.1:

  • Fix Loofah version check (#1603)

Checksums

The SHA256 sums for this release are:

4d1af5c3e65a0c2319396a796bd9a587a13317faff92bd09b74c44ba70aef8b3  brakeman-5.0.4.gem
6b529ae8f1e16aed711759c3b52fc01c60befeb896042de02aaa5aabf5c24cb5  brakeman-lib-5.0.4.gem
5a402076af48fc526211212d70a751c80c27cae535077c1c7a63dadc314efe97  brakeman-min-5.0.4.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.

Brakeman 5.0.1 Released

Has it really been three months since Brakeman 5.0? Yikes!

Here’s a small update with some bugfixes before we move on to 5.1.

Changes since 5.0.0:

  • Support loading slim/smart (#1570)
  • Set more line numbers on Sexps (#1579)
  • Detect ::Rails.application.configure too (#1584)
  • Always ignore slice/only calls for mass assignment
  • Don’t fail if $HOME/$USER are not defined
  • Convert splat array arguments to arguments
  • Bundle unreleased RubyParser changes

Support Smart Text in Slim Templates

In order to support “Smart Text” in Slim templates, Brakeman will load slim/smart if slim/smart is mentioned in the Gemfile.

(changes)

More Line Numbers

Setting a nil value for the line number of a Sexp raises an exception.

This is usually from creating a Sexp without a line number in the first place.

More instances of this have been fixed in this release.

(changes)

Always Ignore slice/only for Mass Assignment

If slice or only are called for arguments to mass assignment (e.g. User.new(some_hash.slice(:name, :email))), Brakeman will not warn about mass assignment.

These have been ignored for a while, but a logic error caused Brakeman to sometimes still warn about them.

(changes)

Convert Splats to Arguments

In really obvious cases like

some_call(*[a, b, c])

Brakeman will convert the arguments to

some_call(a, b, c)

(changes)

Checksums

The SHA256 sums for this release are:

4c1b7c7747ecfca11a822a4bab5ad05f13515e195d7d34590d3add215573b431  brakeman-5.0.1.gem
79129c2977936113fc87a9a2e9490b734f088286d0b33ed9ca61cb6587dc18c7  brakeman-lib-5.0.1.gem
549034d7aeb2a5ca8fe299c41b91938d502a89e70a1afa68643ca3c9e5ccaf96  brakeman-min-5.0.1.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.

Brakeman 5.0.0 Released

It has been a long time coming, but it is finally here! Lots of changes in this one…

Brakeman now scans (almost) all Ruby (and ERB, Haml, Slim) files in an application. This may have a significant impact on reported warnings and scan times - see below for more information.

Changes since 4.10.1:

  • Scan (almost) all Ruby files in project
  • Revamp CSV report to a CSV list of warnings
  • Add Sonarqube report format (Adam England)
  • Add check for (more) unsafe method reflection (#1488, #1507, and #1508)
  • Add check for potential HTTP verb confusion (#1432)
  • Add --[no-]skip-vendor option
  • Ignore uuid as a safe attribute
  • Ignore Tempfile#path in shell commands
  • Ignore development environment
  • Collapse __send__ calls
  • Set Rails configuration defaults based on load_defaults version
  • Update Ruby requirement to version 2.4.0
  • Suggest using --force if no Rails application is detected

Scan Almost All Ruby Files

Since the beginning, Brakeman has been picky about what directories it searches for files. In general, Brakeman has looked in ‘normal’ Rails directories like app/controllers/, app/models/, app/views/, lib/, config/, etc. This is because Rails has some default logic based on file paths - like mapping a controller action to a given view.

But if an application varied from the norm, Brakeman would simply not scan those other directories. This behavior led to a lot of confusion with folks wondering why Brakeman was not finding certain vulnerabilities.

Brakeman now attempts to deduce the contents of a file first, then falls back to the path name if necessary. This has been surprisingly effective.

However, scanning more files means Brakeman runs slower and may report more false positives because the new files are harder to reason about and less likely to be exposed as part of the attack surface.

Brakeman does ignore test, spec, and vendor directories. To scan the vendor directory as well, use --no-skip-vendor.

Please report any issues!

(changes)

CSV Report Update

The CSV report format has been completely changed! Previously, it was meant as an ‘Excel-lite’ format, only really useful for viewing in a spreadsheet program.

Now it is regular CSV with normalized columns to mostly match the JSON report (except for nested fields).

(changes)

Sonarqube Report Format

Thanks to Adam England, Brakeman now supports the Sonarqube “Generic Issue Import Format”.

(And thanks Adam for your patience.)

(changes)

More Unsafe Method Reflection

A new check was added for unsafe use of method, to_proc, and tap.

(changes)

HTTP Verb Confusion Check

In Rails, HEAD requests are routed like GET requests, but request.get? will be false.

Some code may assume if request.get? is false, then request.post? is true:

if request.get?
  # Do something benign
else
  # Do something sensitive because it's a POST
  # but actually it could be a HEAD :(
end

Brakeman will warn when an if expression checks request.get? but has a bare else clause instead of an elsif that checks the verb actually expected.
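As an added illustration (not Brakeman's or Rails' code), the snippet below models the situation this check is about. A small stand-in request object mirrors the three predicates Rails' request object exposes (get?, post?, head?) and the fact that HEAD answers false to get?; the vulnerable handler takes the sensitive branch for HEAD, while the hardened one only does so for an actual POST.

```ruby
# Constructed stand-in for ActionDispatch::Request: HEAD is routed like GET
# in Rails, but request.get? is false for it.
FakeRequest = Struct.new(:verb) do
  def get?
    verb == "GET"
  end

  def post?
    verb == "POST"
  end

  def head?
    verb == "HEAD"
  end
end

# The pattern Brakeman 5.0 warns about: `else` is silently read as "POST".
def vulnerable_handler(request)
  if request.get?
    :read_only
  else
    :destructive # reached for HEAD (and any other non-GET verb) too
  end
end

# Hardened form: name the verb you mean, so HEAD and anything else
# unexpected fall through to the harmless branch.
def hardened_handler(request)
  if request.get?
    :read_only
  elsif request.post?
    :destructive
  else
    :read_only
  end
end

# Run both handlers for one verb and report what each would do.
def compare(verb)
  req = FakeRequest.new(verb)
  { vulnerable: vulnerable_handler(req), hardened: hardened_handler(req) }
end

if __FILE__ == $0
  %w[GET POST HEAD].each { |v| puts "#{v}: #{compare(v)}" }
end
```

Running it shows the two handlers agreeing on GET and POST and disagreeing only on HEAD, which is exactly the difference the new check flags.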

(changes)

UUIDs as Safe Attributes

#uuid will be treated as a safe value, particularly in SQL.

(changes)

Tempfile Paths in Shell Commands

Tempfile#path will be considered a safe value for command injection.

Also adds support for Tempfiles like:

Tempfile.open('...') do |file|
  # Brakeman knows `file` is a Tempfile
end

(changes)

Ignore Development Environment

Brakeman will ignore code that is guarded like

if Rails.env.development?
  # ...whatever code
end

This was already true for Rails.env.test?.

(changes)

Collapse __send__ Calls

Brakeman will treat

Blah.__send__(:something, 5.0)

as

Blah.something(5.0)

This was already true for send and try.
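The splat conversion from 5.0.1 and the __send__ collapsing above are both small rewrites of the parsed s-expression tree. As an added illustration (not Brakeman's own code, which works on Sexp objects from the sexp_processor gem), the following models both rewrites on plain nested arrays shaped like RubyParser's output: [:call, receiver, :name, *args], [:splat, [:array, *elements]] and [:lit, value]. Treating send, __send__ and try alike, and only collapsing when the method name is a literal symbol, are assumptions made here to match the text.

```ruby
# Added illustration of the two normalisations described in the release notes.
# Node shapes (assumed, modelled on RubyParser):
#   [:call, receiver, :method_name, *args]
#   [:splat, [:array, *elements]]
#   [:lit, literal_value]
DYNAMIC_SENDS = [:send, :__send__, :try].freeze

# some_call(*[a, b, c]) => some_call(a, b, c).
# A splat of anything other than an array literal cannot be expanded
# statically, so it is kept as it is.
def expand_splats(args)
  args.flat_map do |arg|
    if arg.is_a?(Array) && arg[0] == :splat &&
       arg[1].is_a?(Array) && arg[1][0] == :array
      arg[1].drop(1)
    else
      [arg]
    end
  end
end

# Walks the tree bottom-up and rewrites every :call node.
def normalize(node)
  return node unless node.is_a?(Array)

  node = node.map { |child| normalize(child) }
  return node unless node.first == :call

  _, receiver, name, *args = node
  args = expand_splats(args)

  # Blah.__send__(:something, 5.0) => Blah.something(5.0).
  # Only a literal Symbol is collapsed: a dynamic method name is left for
  # the reflection checks to look at.
  first = args.first
  if DYNAMIC_SENDS.include?(name) && first.is_a?(Array) &&
     first[0] == :lit && first[1].is_a?(Symbol)
    name = first[1]
    args = args.drop(1)
  end

  [:call, receiver, name, *args]
end

if __FILE__ == $0
  p normalize([:call, [:const, :Blah], :__send__, [:lit, :something], [:lit, 5.0]])
  p normalize([:call, nil, :some_call,
               [:splat, [:array, [:call, nil, :a], [:call, nil, :b], [:call, nil, :c]]]])
end
```

Because the splat is expanded before the send is collapsed, a call such as Blah.__send__(*[:something, 5.0]) ends up as Blah.something(5.0) as well, while Blah.send(name) with a non-literal name is left untouched.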

(changes)

Set Rails Defaults

Brakeman will set default values for Rails configuration options based on the version argument to config.load_defaults, which is usually called in application.rb.

(changes)

Requires Ruby 2.4.0

The minimal Ruby version for running Brakeman is now 2.4.0 (which is already EOL!)

Note Brakeman can analyze Ruby syntax from 1.8 to 2.6 (some 2.7+ syntax is not supported yet).

(changes)

Checksums

The SHA256 sums for this release are:

21b91f67cde4cf487df0a4dbf6e54729064c665bb0b4b370b71bac9435b63e4c  brakeman-5.0.0.gem
3641c52448ca1d12423595ca1a874c1362f438cd58196825be648bb797096cb5  brakeman-lib-5.0.0.gem
50bab26fe8fcf8d962baaf5b08b7c178315b7c0e4be07d1b134e8ae00338c908  brakeman-min-5.0.0.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.

Brakeman 4.10.1 Released

This release fixes Ruby 3.0 compatibility (meaning Brakeman runs under Ruby 3.0; new 3.0 syntax is not supported yet).

Changes since 4.10.0:

  • Declare REXML as a dependency (Ruby 3.0 compatibility)
  • Use Sexp#sexp_body instead of Sexp#[..] (Ruby 3.0 compatibility)
  • Prevent render loops when template names are absolute paths (#1536)
  • Ensure RubyParser is passed file path as a String (#1534)
  • Support new Haml 5.2.0 escaping method (#1517)

REXML as an Explicit Dependency

In Ruby 3.0, REXML has become a ‘bundled’ gem. It is distributed with Ruby, but if Bundler is involved then it needs to be declared as an explicit dependency.

If you like minimal dependencies, you can always use the brakeman-min gem which declares only strict dependencies.

(changes)

Avoid Slicing with Sexp#[]

Sexp subclasses Array, and as of Ruby 3.0 the Array methods that create new arrays (including Array#[] with a range) no longer return subclass instances.

Brakeman was unfortunately using Sexp#[] with ranges (e.g. s(:a, :b, :c)[1..-1]), which runs into this behavior. Happily, the Sexp#sexp_body method already exists to properly slice and return a Sexp.
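To make the Ruby 3.0 behaviour concrete, here is an added illustration (not Brakeman's or sexp_processor's code) using a minimal Array subclass as a stand-in for Sexp. Its sexp_body method is assumed to match the intent of the real Sexp#sexp_body: return everything after the node type as a Sexp, whatever Ruby version is running.

```ruby
# Minimal stand-in for sexp_processor's Sexp (constructed for this example).
class MiniSexp < Array
  # Mirrors the s(...) constructor convention.
  def self.s(*items)
    new(items)
  end

  def sexp_type
    first
  end

  # Everything after the type, always as a MiniSexp. Array.new copies the
  # slice into a fresh instance of this class, so the result does not
  # depend on what Array#[] returns on the running Ruby.
  def sexp_body
    self.class.new(self[1..-1])
  end
end

# The pattern Brakeman used to rely on: on Ruby >= 3.0 this is a plain
# Array, on older Rubies a MiniSexp.
def slice_with_index(sexp)
  sexp[1..-1]
end

# The portable replacement.
def slice_with_body(sexp)
  sexp.sexp_body
end

# Reports the class each approach yields, for comparison.
def classes_for(sexp)
  { index: slice_with_index(sexp).class, body: slice_with_body(sexp).class }
end

if __FILE__ == $0
  sexp = MiniSexp.s(:call, nil, :puts, MiniSexp.s(:lit, 1))
  puts "Ruby #{RUBY_VERSION}: #{classes_for(sexp)}"
end
```

Run under Ruby 2.7 the two classes match; under Ruby 3.0 or later the indexed slice comes back as Array, which is where any code expecting Sexp-specific methods on the result breaks.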

(changes)

Recursive Renders with Absolute Paths

Brakeman has long been able to detect recursive render loops, but that detection did not work if the partial name was an ‘absolute’ path.

This is now fixed!

(changes)

Ensure RubyParser Path is a String

In some cases, the parser was given a Brakeman::FilePath for the file name. This only caused an issue in some weird corner cases, but it was wrong nonetheless.

Now Brakeman::FileParser will ensure the file name is passed as a string.

(changes)

Support Haml 5.2

Haml 5.2.0 introduced a new method for escaping output, which caused some false positives.

(Note this was avoided in Brakeman 4.10.0 by bundling an earlier version of Haml.)

(changes)

Checksums

The SHA256 sums for this release are:

e40451080554884a63d73a2933c36518a3cf7a2bb471e6d864ce39a9d3455c98  brakeman-4.10.1.gem
ec69e04e087b74862629e952d7817dd7b73e30810166e01d69d24d7164101455  brakeman-lib-4.10.1.gem
3deee68eadd8eb6850254a8e753d6bbe933194c883f12a2455bdf5fd97b1eba2  brakeman-min-4.10.1.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.

Brakeman 4.10.0 Released

This release introduces a new report format!

Changes since 4.9.1:

SARIF Report Format

Steve Winton from GitHub has contributed support for Static Analysis Results Interchange Format (SARIF). This is a standard format for static analysis tools and can be consumed by some report viewers, such as this one for Visual Studio Code.

To output a SARIF report, use -f sarif or a file name like -o report.sarif.

(changes)

Previewing Brakeman 5.0

What is planned for Brakeman 5.0?

The big change coming in 5.0 is scanning way more files. Currently, Brakeman scans specific directories in app/, config/, lib/, and engines/. It also only looks for files in particular places - e.g. views will be somewhere in app/**/views.

In 5.0, Brakeman will scan (almost) all files in the project directory with .rb or template-related extensions. This will dramatically increase the scope of Brakeman scans, which is better coverage but at the cost of more false positives and slower scans.

Also expected in Brakeman 5.0 is a bump of minimum Ruby version to 2.4.0 (which is already EOL).

Checksums

The SHA256 sums for this release are:

7bef7df71137d06be5fc3325ead57f8ce35be7691bf6dd389228461d731b79dd  brakeman-4.10.0.gem
698b8eb02cdea7a6e407192c261c61d8fc6cd24d590a1b388defc9de17966119  brakeman-lib-4.10.0.gem
64bb565ee84b9a9646985e456db1125ff9fb884ca83de6ba6fbc2c63bdbc8de9  brakeman-min-4.10.0.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.