Brakeman

Ruby on Rails Static Analysis Security Tool

Brakeman 4.5.1 Released

This release adds initial support for Rails 6!

Changes since 4.5.0:

  • Add initial Rails 6 support
  • Add optional check for config.force_ssl (#1181)
  • Add deserialization warning for Oj.load/object_load
  • Add SQL injection checks for destroy_by/delete_by
  • Add SQL injection checks for find_or_create_by and friends
  • Check link_to with block for href XSS (#1339)
  • Convert !! calls to boolean value (#1343)
  • Use relative paths for __FILE__
  • Represent file paths internally as Brakeman::FilePath
  • Handle empty partial names
  • Handle trailing comma in block args
  • Remove code for Ruby versions prior to 1.9

Initial Rails 6 Support

Rails 6 is (almost?) here!

This release adds basic support internally for Rails 6 as well as the -6 option to force Rails 6 mode.

(changes)

Optional Check for Force SSL Option

In Rails, config.force_ssl = true turns on HSTS, redirects HTTP to HTTPS, and sets the secure flag on all cookies.

A new optional check has been added to check if this option is enabled.

To enable this new check, use -A or --enable ForceSSL.

(changes)

Deserialization with Oj

The deserialization check now looks for unsafe use of the Oj JSON library.

(changes)

New SQL Injection Sinks

The SQL injection check has been expanded to check for unsafe use of destroy_by/delete_by (new in Rails 6) and find_or_create_by and related methods.

(changes)

Brakeman now checks link_to calls with blocks for javascript: links.

(changes)

Convert !! to Boolean

Use of !! to convert values to booleans will be treated as safe (turned into true or false).

(changes)

Relative Path for __FILE__

When ruby_parser parses __FILE__, it replaces it with the name of the current file. Unfortunately, Brakeman was passing in absolute paths for the current file. This meant that the fingerprints for warnings including __FILE__ would vary based on the path where the code was scanned.

Now a relative path is used instead, so fingerprints should stabilize.

(changes)

Brakeman::FilePath

Internally, file paths are now represented with Brakeman::FilePath to make it easier to manage absolute/relative paths as needed. This was a pretty huge change, so please report any issues.

As a result, the --no-separate-models option no longer works (it used to combine all model-level mass assignment warnings into one warning). That old option used to report a completely messed-up file name, which is incompatible with Brakeman::FilePath. Also, it was weird and wrong.

(changes)

Empty Partial Names

If any empty string ends up as a partial name in a render call, Brakeman will ignore it.

(changes)

Checksums

The SHA256 sums for this release are:

c8c48a88e9cd837122a590837ff5dbb4bd8214ad72baaffb75e5e5cd3585166f  brakeman-4.5.1.gem
48eaff4eb661f63d43c2f8b33da8efbabc6196ae5ff2ec58ad711e1649eff686  brakeman-lib-4.5.1.gem
c6fcfc5c32ec79a50281b0b97be5b703385ffb20ef45f770e7888ca6ba0b1666  brakeman-min-4.5.1.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.

Brakeman 4.5.0 Released

This release drops support for running Brakeman with versions of Ruby older than 2.3.0. As always, scanning code with older syntax continues to be supported.

Also in this release: better supported for embedded “filters” in templates and (relatedly) the Sass dependency was removed!

Changes since 4.4.0:

  • Officially drop support for running with older Ruby versions
  • More thoroughly handle Shellwords escaping (#1323)
  • Handle non-integer version number comparisons (#1305)
  • Better handling of splat/kwsplat arguments (#1204)
  • Handle ** inside Hash literals
  • Add support for CoffeeScript in Slim templates
  • Improve support for embedded template “filters”
  • Remove Sass dependency
  • Avoid joining strings with different encodings
  • Improve “user input” reported for SQL injection
  • Stop swallowing exceptions in AliasProcessor
  • Add original exception to Tracker#errors list
  • Use FileParser in Scanner to parse files
  • Set location information in CheckContentTag
  • Update RubyParser to 3.13.0

Dropped Support for Older Rubies

Brakeman code will no longer attempt to maintain compatibility with Ruby 1.9.3, instead setting the minimum version to Ruby 2.3.0.

Note that Ruby 2.2.0 reached end of life almost a year ago and is no longer receiving security updates.

This does not affect the versions of Ruby code Brakeman can analyze. Thanks to RubyParser, scanning syntax back to Ruby 1.8 is still supported.

(changes)

More Shell Escaping

Brakeman is now better at handling shell escaping with Shellwords when checking for command injection.

(changes)

Non-Integer Version Numbers

When comparing non-integer version numbers (e.g., "beta1"), Brakeman will compare integers to integers and strings to strings instead of incorrectly converting some strings to integers.

(changes)

More Splats

Splat args (*arg) and double splat/keyword splats (**kwargs) are better supported now (instead of being ignored). Keyward splats inside of hash literals will be merged into the hash literal.

(changes)

Embedded Template Filters

Support for embedded filters in templates (e.g. markdown inside of Haml or Slim) has been completely rewritten. As a result, it is simpler to support embedded filters and it was possible to drop the Sass dependency. (The Sass gem itself is deprecated and will be end of life as of March 31st, 2019.)

(changes)

String Encoding

Previously, it was possible to run into errors when Brakeman attempted to join or concatenate strings with different encodings. Now it will just fail and leave the strings apart.

(changes)

Better Reporting of SQL Injection

SQL injection warnings now have better information about which value triggered the warning. Previously, sometimes the value highlighted as “dangerous” was misleading and confusing.

(changes)

RubyParser Updated

Thanks to Ryan Davis, RubyParser now has better support for newer Ruby 2.5 and Ruby 2.6 syntax, along with many other fixes!

This should address many of the parsing errors folks have been seeing.

(changes)

Checksums

The SHA256 sums for this release are:

c82c73e47668e1381829bcf50d09b952f7968bc36af9c5abd6ee20ee03882130  brakeman-4.5.0.gem
0d372dac72e6bf7f9ff9c2558e3f5d92ef62cd4c6ab051fcea88016f3bfa7470  brakeman-lib-4.5.0.gem
8565a780be3595ffc5a8d847f6eece8746a272138290fff115555d7aecaa1a38  brakeman-min-4.5.0.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.

Brakeman 4.4.0 Released

Happy new year and apologies for the delay in releases! Brakeman should now return to the normal 1-2 month release cycle. There are already pull requests lined up for the next release.

This release includes a number of fixes and new features. In particular, please note there are large changes to how reports and warning messages are generated. Please report any issues!

Also, the brakeman gem version of this release no longer supports use of Slim with Ruby 1.9.3. See below for details.

As noted previously, due to the Synopsys acquisition Brakeman is now distributed under a non-OSS license. See below for details.

Changes since 4.3.1:

  • Add check for CVE-2018-3760
  • Add --enable option to enable optional checks
  • Add Dockerfile to run Brakeman inside Docker (Ryan Kemper)
  • Handle empty secrets.yml files (Naoki Kimura)
  • Ignore Tempfiles in FileAccess warnings (Christina Koller)
  • Avoid warning about command injection when String#shellescape and Shellwords.shelljoin are used (George Ogata)
  • Treat if not like unless (#1225)
  • Fix Rails 4 configuration handling
  • Set default encoding to UTF-8
  • Support reading gem versions from gemspecs
  • Support gem versions which are just major.minor (e.g. 3.0)
  • Correctly set rel="noreferrer" in HTML reports
  • Fix thread-safety issue in CallIndex
  • Fix trim mode for ERb templates in old Rails versions
  • Avoid nil errors when concatenating arrays
  • Add rendered template information to render paths
  • Trim some unnecessary files from bundled gems
  • Deadcode and typo fixes found via Coverity
  • Complete overhaul of warning message construction
  • Update to Slim 4.0.1 (Jake Peterson)
  • Update to RubyParser 3.12.0
  • Updated license

CVE-2018-3760

A new check was added for CVE-2018-3760 (Sprockets path traversal vulnerability). Brakeman will warn about use of the affected Sprockets version and config.assets.compile = true.

(changes)

Enable Optional Checks

Brakeman has options to enable all checks, to disable some checks, and to enable a subset of checks, but not to enable default+some optional checks.

The --enable option has been added to allow enabling individual optional checks.

(changes)

Docker Support

Thanks to Ryan Kemper, Brakeman now has a Dockerfile to enable local building and running of Brakeman inside Docker.

Additionally, there is now a Docker image available for Brakeman:

docker pull presidentbeef/brakeman
docker run -v "$(pwd)":/code brakeman --color

See the Brakeman README for more details.

Please note the Docker image is built from the master Brakeman branch. The master branch is typically stable, but it will typically be ahead of the gem release.

(changes)

Empty Secrets

Thanks to Naoki Kimura, Brakeman will no longer show an error when the secrets.yml file is empty.

(changes)

File Access with Tempfiles

Thanks to Christina Koller, Brakeman will no longer warn about file access issues when Tempfiles are used.

(changes)

Shellescape and Command Injection

Thanks to George Ogata, Brakeman will no longer warn about command injection when shelljoin or shellescape are used.

(changes)

Rails 4 Configuration

When implementing the check for CVE-2018-3760, it was discovered that Brakeman was not handling the Rails 4 configuration format properly:

Brakeman was not picking up any configuration options if this format was used:

<AppName>.application.configure do
  #...
end

(changes)

Default Encoding

Brakeman now sets the default external encoding to UTF-8 to avoid issues where the environment might set a different encoding.

(changes)

Gem Versions

Brakeman can now read gem versions from gemspec files. This is common for Rails engines.

Additionally, Brakeman now understands versions which only specify major/minor versions (e.g. ~>4.0).

The order of precedence is Gemfile.lock > Gemfile > *.gemspec.

(changes)

No Referrer in HTML Reports

Brakeman has unfortunately been setting rel="no-referrer" instead of rel="noreferrer" in HTML reports.

(changes)

Thread-Safety in Call Index

In rare cases (heavy CPU load?), accessing the CallIndex when running checks caused thread-unsafe behavior. This would have been reflected in a Ruby error about modifying the index during iteration, although checks don’t actual modify the CallIndex.

(changes)

ERb Trim Mode

Brakeman has been accidentally setting the “trim mode” to the template file path (oops!) which silently (!) worked in tests. This only affects Rails 2.x.

This has been corrected and Ruby will now warn about incorrect trim modes.

(changes)

Array Joins

This release fixes a nil error when attempting to concatenate arrays.

(changes)

Rendered Template Information

Template “render paths” now include which template was rendered.

This is reflected in the JSON report:

      "render_path": [
        {
          "type": "controller",
          "class": "HomeController",
          "method": "test_to_json",
          "line": 148,
          "file": "app/controllers/home_controller.rb",
          "rendered": {
            "name": "home/test_to_json",
            "file": "app/views/home/test_to_json.html.erb"
          }
        }
      ]

In the future this information may be used to improve other report formats as well.

(changes

Reduced Gem Size

The brakeman gem bundles all its dependencies, which makes the gem a bit big.

This change removes some of the unneeded files (such as tests) and reduces the file size by about a third.

(changes)

Dead Code and Typos

A few bits of dead code and minor typos were found via Coverity and fixed.

Warning Message Overhaul

Brakeman warning messages were previously just strings.

In order to introduce some formatting flexibility, Brakeman warning messages are now constructed as arrays of Message objects. These objects specify the type of the message string (e.g. “code” or “plain”). At report generation time, the messages can be converted to a particular format, such as HTML, plaintext, etc.

Along with this change, quite a bit of cleanup was performed on report generation in general.

These changes make it easier to produce consistent messages as well as potentially supporting translation in the future.

You may notice warning message text and/or formatting has changed as a result of these changes. Please report any issues.

(changes)

Dependency Updates

Thanks to Jake Peterson, the Slim dependency has been updated to 4.0.1 to support newer syntax.

Note that Slim 4.x not longer supports Ruby 1.9.3. You may need to use the brakeman-lib gem or update your Ruby version.

(changes)

RubyParser has been updated to 3.12.0 which includes some added syntax support and is faster!

(changes)

New License

Brakeman is now distributed under the Brakeman Public Use License which restricts commercial use of Brakeman.

It does not restrict use of Brakeman to scan your own code or your organization’s code, regardless of whether that code is proprietary, commercial, free, open source, etc.

Feel free to message @presidentbeef if you have questions.

(changes)

Checksums

The SHA256 sums for this release are:

d3204cfe9d26782954ee8805fd748d11e8f950d2c1aee7c806c1856f273ee3b9  brakeman-4.4.0.gem
88849f05b1c85756fee8974b8061383493714676187af3b94b6a7978a7e1e58d  brakeman-lib-4.4.0.gem
0417c20b0b6dab00c5cf5e9341868dc5d8139bca463bf45fefa925cac286127e  brakeman-min-4.4.0.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.

Happy 8th Birthday, Brakeman!

In celebration of Brakeman’s 8th birthday this week, we’d like to share an update to keep you apprised of what we’ve been up to since our acquisition by Synopsys in June of this year.

Stemming from the acquisition, Synopsys welcomed Justin Collins of the original Brakeman core team. He is working closely with the Synopsys Static Analysis division to integrate the Brakeman Pro Engine into the Coverity proprietary product offering. This is an exciting opportunity to build Ruby on Rails support into an enterprise-class engine that is quickly emerging as a leader in static application security testing.

As for the Brakeman project, we’d like to assure you that Synopsys is committed to the continued success of the project.

Synopsys has a rich history of working with the open source community through Coverity Scan, providing testing as a free service to support building quality and security into the open source software (OSS) development process. To-date since its inception in 2006, Coverity Scan has provided scanning support to over 4,600 open source projects. The December 2017 acquisition of Black Duck Software is another testament to Synopsys’ dedication to securing the growing use of open source.

Rest easy knowing that Brakeman will continue to be maintained by the same team. Code will remain available on GitHub, and Ruby gems will continue being distributed via RubyGems.org.

Brakeman Has Been Acquired by Synopsys

We are excited to announce Brakeman Pro has been acquired by Synopsys.

Started in 2014, Brakeman Pro has been a partnership between Justin Collins, Neil Matatall, Jim Manico, and Adam Korman. Although it’s been an unconventional journey, we are all grateful to have traveled it together. Sincere thanks to the many folks who supported, promoted, and encouraged us along the way.

Justin Collins will be joining Synopsys to help integrate the Brakeman Pro Engine into their static application security testing (SAST) offerings, as well as continuing to develop and support the Brakeman OSS project. This is an exciting opportunity to focus on improving and expanding SAST for the Ruby community.

Brakeman OSS

This Brakeman OSS project is part of the acquisition, and Synopsys now owns the copyright previously held by Brakeman, Inc.

The project going forward and any future contributions will be made available under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 Public License. For most users who are using Brakeman for internal purposes or assessments, nothing will change. Brakeman OSS will continue to be maintained by the same folks, free, and open source. Code will remain available on GitHub, and Ruby gems will be distributed from RubyGems.org.

However, under the new license, it is no longer possible to use Brakeman OSS for the development of a commercial product or online service or to resell Brakeman OSS as a service. Companies wishing to do either will require a commercial agreement with Synopsys. Please see here for more details.

Thank You

Thank you again to our customers, friends, and family who supported us in making the web a little bit safer!