Brakeman

Ruby on Rails Static Analysis Security Tool

Brakeman 4.10.0 Released

This release introduces a new report format!

Changes since 4.9.1:

SARIF Report Format

Steve Winton from GitHub has contributed support for Static Analysis Results Interchange Format (SARIF). This is a standard format for static analysis tools and can be consumed by some report viewers, such as this one for Visual Studio Code.

To output a SARIF report, use -f sarif or a file name like -o report.sarif.
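A consumer for the new report format, added here as an example (it is not Brakeman's own code): it reads a SARIF 2.1.0 document such as the one `brakeman -f sarif -o report.sarif` writes, flattens the results with their rule titles and locations, and gates on severity the way a CI job would. The document below is constructed sample data in the SARIF shape; the rule ids, file names and messages are made up and are not what Brakeman emits.

```ruby
require 'json'

# Constructed sample in the SARIF 2.1.0 shape (sample data, not real Brakeman
# output; rule ids, paths and messages are invented for the demonstration).
SAMPLE_SARIF = <<~'JSON'
{
  "version": "2.1.0",
  "runs": [{
    "tool": {"driver": {"name": "Brakeman", "rules": [
      {"id": "EXAMPLE-SQL", "shortDescription": {"text": "SQL Injection"}},
      {"id": "EXAMPLE-XSS", "shortDescription": {"text": "Cross-Site Scripting"}}
    ]}},
    "results": [
      {"ruleId": "EXAMPLE-SQL", "level": "error",
       "message": {"text": "Possible SQL injection"},
       "locations": [{"physicalLocation": {
         "artifactLocation": {"uri": "app/models/user.rb"}, "region": {"startLine": 12}}}]},
      {"ruleId": "EXAMPLE-XSS", "level": "warning",
       "message": {"text": "Unescaped model attribute"},
       "locations": [{"physicalLocation": {
         "artifactLocation": {"uri": "app/views/users/show.html.erb"}, "region": {"startLine": 3}}}]},
      {"ruleId": "EXAMPLE-XSS", "level": "note",
       "message": {"text": "Unescaped parameter value"},
       "locations": [{"physicalLocation": {
         "artifactLocation": {"uri": "app/views/users/index.html.erb"}, "region": {"startLine": 8}}}]}
    ]
  }]
}
JSON

# Flatten every result in every run into one record per finding.
def sarif_findings(json_text)
  doc = JSON.parse(json_text)
  doc.fetch('runs').flat_map do |run|
    rules = run.dig('tool', 'driver', 'rules') || []
    titles = rules.map { |r| [r['id'], r.dig('shortDescription', 'text')] }.to_h
    (run['results'] || []).map do |res|
      loc = res.dig('locations', 0, 'physicalLocation') || {}
      {
        rule: res['ruleId'],
        title: titles[res['ruleId']],
        level: res['level'] || 'warning', # SARIF's default when "level" is omitted
        file: loc.dig('artifactLocation', 'uri'),
        line: loc.dig('region', 'startLine'),
        message: res.dig('message', 'text')
      }
    end
  end
end

# Number of findings per SARIF level.
def count_by_level(findings)
  findings.group_by { |f| f[:level] }.transform_values(&:size)
end

# Severity order used for the CI gate.
LEVEL_RANK = { 'none' => 0, 'note' => 1, 'warning' => 2, 'error' => 3 }.freeze

# True when at least one finding is at or above min_level.
def fail_build?(findings, min_level: 'error')
  findings.any? { |f| LEVEL_RANK.fetch(f[:level], 0) >= LEVEL_RANK.fetch(min_level) }
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_SARIF
  findings = sarif_findings(text)
  findings.each do |f|
    puts "#{f[:level].ljust(7)} #{f[:file]}:#{f[:line]} #{f[:title]}: #{f[:message]}"
  end
  puts count_by_level(findings).inspect
  puts "build would #{fail_build?(findings) ? 'fail' : 'pass'} at level error"
end
```

Run it with the path of a SARIF file as the only argument; a CI wrapper would exit non-zero when `fail_build?` returns true. Only the first location of each result is reported, which is the common case for Brakeman-style findings.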

Previewing Brakeman 5.0

What is planned for Brakeman 5.0?

The big change coming in 5.0 is scanning way more files. Currently, Brakeman scans specific directories in app/, config/, lib/, and engines/. It also only looks for files in particular places - e.g. views will be somewhere in app/**/views.

In 5.0, Brakeman will scan (almost) all files in the project directory with .rb or template-related extensions. This will dramatically increase the scope of Brakeman scans, which is better coverage but at the cost of more false positives and slower scans.

Also expected in Brakeman 5.0 is a bump of minimum Ruby version to 2.4.0 (which is already EOL).

Checksums

The SHA256 sums for this release are:

7bef7df71137d06be5fc3325ead57f8ce35be7691bf6dd389228461d731b79dd  brakeman-4.10.0.gem
698b8eb02cdea7a6e407192c261c61d8fc6cd24d590a1b388defc9de17966119  brakeman-lib-4.10.0.gem
64bb565ee84b9a9646985e456db1125ff9fb884ca83de6ba6fbc2c63bdbc8de9  brakeman-min-4.10.0.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.

Brakeman 4.9.1 Released

This release was prompted by the release of ruby_parser 3.15.0, which includes a lot of fixes and improvements, including support for some Ruby 2.7 syntax.

Changes since 4.9.0:

  • Use version from active_record for non-Rails apps (Ulysse Buonomo)
  • Check chomped strings for SQL injection (#1509)
  • Always set line number for joined arrays (#1499)
  • Avoid warning about missing attr_accessible if protected_attributes gem is used (#1512)

Check ActiveRecord Version

For non-Rails applications that are using ActiveRecord, use the version of active_record to set Brakeman’s guess at a Rails version. Thanks to Ulysse Buonomo.

Note: It is not recommended to run Brakeman on non-Rails applications… but no one is going to stop you if you really want to.

SQL Injection with Chomp

Brakeman will now check for string interpolation inside strings that have chomp called on them.

Joined Arrays Line Number

Fixed a small, unlikely bug where joining two arrays where Brakeman doesn’t have a line number for either of them would raise an exception. Not really sure how that happens, though.

Protected Attributes

When using the protected_attributes gem, it is allowed but not required to set attr_accessible on models.

Brakeman will no longer warn about missing attr_accessible when protected_attributes is used.

Update RubyParser

As noted above, this version of Brakeman ships with an updated version of ruby_parser.

Checksums

The SHA256 sums for this release are:

5a17706b1da4886f1b6864c3ffff1ab40684f3f7b4d667138227c467ebccb0f7  brakeman-4.9.1.gem
8bb3d88f9786e9f08c24d38e88c40adf02f4a47b17de8c1c816f7e174de476a4  brakeman-lib-4.9.1.gem
8eae3eec1ebab0cf3b29ea50089f613b0d8e544ae4c332f1f5e64a240e8a0a94  brakeman-min-4.9.1.gem

Brakeman Turns Ten!

Hi! Justin Collins here with a rare non-release-related Brakeman post.

On August 27, 2010 (two days before Rails 3.0!), I released the first public version of my summer intern project at AT&T Interactive: a static analysis security tool for Ruby on Rails called “Brakeman”.

Brakeman was intended to be a stop-gap solution until commercial products started supporting Ruby. I had no idea it would take me on such a wild journey nor did I think I would still be maintaining it ten years later.

In the past ten years, Brakeman has had:

I am extremely grateful to everyone who has contributed to this journey: those who took chances on me, those who supported and promoted Brakeman, those who have contributed time and code to Brakeman, those who reported bugs and suggested improvements, and everyone who has used Brakeman to make their applications safer!

Very special thanks to:

Want some Brakeman FAQ nuggets? You got it!

Where did the idea for Brakeman come from?

I recall during my internship interview at AT&T Interactive, we were talking about cross-site scripting. I distinctly recall saying, “What if we had a tool that looked at the inputs and outputs of an application and found cross-site scripting?” The response was an excited “Do you know of a tool like that for Ruby?” To which I replied, “No, but I’m sure it wouldn’t be that hard to build!” This idea was later pitched back to me as a possible internship project.

By the way, that’s still not how Brakeman works, but it was originally designed to find cross-site scripting.

Who came up with the name “Brakeman”?

Carl Johnson and Tatsuya Murase on the security team at AT&T Interactive were way more into trains than me, and they suggested the name. There were a couple other candidates, but I thought “Brakeman” had a snappy sound to it and was unique.

Was Brakeman your PhD research?

Nope, unrelated. However, Brakeman was released exactly at the midpoint of my PhD career.

Here is my dissertation for those interested few.

It’s a brakeman lantern and was designed by Janelle Lawless.

Do you still maintain Brakeman? Who owns it?

Yes, I am still the maintainer of the free version you see here.

The bits of Brakeman owned by Brakeman, Inc. were sold to Synopsys.

Will Brakeman ever support other languages/frameworks?

Almost certainly not. It is very tailored to Ruby and Rails and I don’t have time or energy to build another static analysis engine from scratch!

Can I see a picture of you presenting Brakeman in public for the very first time?

Sure, here you go:

Justin Collins presenting at LA Ruby Meetup October 2010

That’s nice but what about blurry video of the first conference talk about Brakeman?

No problem!

Okay but what I really want is a sweet Brakeman sticker.

Oh, one of these special edition ones?

Metallic Brakeman Sticker

Email your name and physical address to [email protected]

What’s next?

Next is Brakeman 5.0! It would have been nice to have a release coincide with this anniversary, but alas that is way too hard to manage. No promises, but if all goes well 5.0 will be released in September.

As long as Rails continues to hang on as a solid option for many companies and individuals, I expect to continue maintaining Brakeman. The project means a lot to me and it’s a privilege and responsibility I take very seriously.

We’ll see what happens in the next ten years!

Brakeman 4.9.0 Released

It’s been a while! This will (probably) be the last minor release before 5.0.

Changes since 4.8.2:

  • Add --ensure-ignore-notes (Eli Block)
  • Add check for user input in ERB.new (Matt Hickman)
  • Add check for CVE-2020-8166 (Jamie Finnigan)
  • Always scan environment.rb
  • Avoid warning when safe_yaml is used via YAML.load(..., safe: true)
  • Do not warn about mass assignment with params.permit!.slice
  • Ignore params.permit! in path helpers
  • Treat Dir.glob as safe source of values in guards
  • Remove whitelist/blacklist language, add clarifications
  • Add “full call” information to call index results
  • Updated Slim dependency (Jeremiah Church)

Ensuring Notes Are Added For Ignored Warnings

Eli Block has added a new option to ensure all ignored warnings have notes.

If --ensure-ignore-notes is set and the configured “ignore” file does not have notes for all warnings, a non-zero exit code will be set.
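To show what the option enforces, here is a stand-alone checker, added as an example and not Brakeman's implementation: it reads a brakeman.ignore file and lists the ignored warnings that carry no note. The sample file is constructed; its fingerprints are placeholders, and the key names reflect my understanding of the ignore-file layout (only ignored_warnings, note, warning_type, file, line and fingerprint are relied on).

```ruby
require 'json'

# Constructed brakeman.ignore contents (sample data; fingerprints are placeholders).
SAMPLE_IGNORE = <<~'JSON'
{
  "ignored_warnings": [
    {
      "warning_type": "SQL Injection",
      "fingerprint": "0000000000000000000000000000000000000000000000000000000000000001",
      "file": "app/models/account.rb",
      "line": 20,
      "note": "Value comes from an enum constant, reviewed 2020-09"
    },
    {
      "warning_type": "Cross-Site Scripting",
      "fingerprint": "0000000000000000000000000000000000000000000000000000000000000002",
      "file": "app/views/posts/show.html.erb",
      "line": 4,
      "note": ""
    },
    {
      "warning_type": "Mass Assignment",
      "fingerprint": "0000000000000000000000000000000000000000000000000000000000000003",
      "file": "app/controllers/users_controller.rb",
      "line": 33
    }
  ],
  "updated": "2020-09-01 12:00:00 +0000",
  "brakeman_version": "4.9.0"
}
JSON

# Ignored warnings whose "note" is absent or blank (whitespace counts as blank).
def unnoted_ignores(json_text)
  JSON.parse(json_text).fetch('ignored_warnings', []).select do |w|
    w['note'].to_s.strip.empty?
  end
end

# Status in the spirit of --ensure-ignore-notes: 0 when every ignored warning
# is explained, 1 otherwise. Each offender is printed to stderr.
def ignore_notes_status(json_text)
  missing = unnoted_ignores(json_text)
  missing.each do |w|
    warn "No note for ignored #{w['warning_type']} at #{w['file']}:#{w['line']} (#{w['fingerprint']})"
  end
  missing.empty? ? 0 : 1
end

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby check_ignore_notes.rb config/brakeman.ignore
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_IGNORE
  puts "exit status: #{ignore_notes_status(text)}"
end
```

A CI step would pass the status straight to `exit`; it is only printed here so the script can double as a demonstration on the embedded sample.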

Check for Template Injection

Matt Hickman added a new check for user input in calls to ERB.new which can lead to remote code execution.
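The pattern behind this check and its fix, as an added example that is not from the page or the project: in the unsafe version the request supplies the template source, so any ERB tags in it are evaluated as Ruby on the server; in the safe version the template is a fixed string owned by the application and the user value is passed in only as data, escaped on output. INJECTED_TEMPLATE and GREETING_TEMPLATE are constructed for the demonstration.

```ruby
require 'erb'
require 'cgi'

# Constructed request value: a "template" parameter that carries an ERB tag.
# The expression inside is harmless arithmetic; the point is that it runs at all.
INJECTED_TEMPLATE = '<%= 6 * 7 %>'

# Unsafe: user input becomes the template source. This is the shape the new
# check warns about, because the input is evaluated as Ruby.
def render_unsafe(user_template)
  ERB.new(user_template).result(binding)
end

# Safe: the template is fixed and user input only reaches it as a local variable,
# which the template escapes before output.
GREETING_TEMPLATE = ERB.new('Hello, <%= CGI.escapeHTML(name) %>!')

def render_safe(name)
  GREETING_TEMPLATE.result_with_hash(name: name)
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{render_unsafe(INJECTED_TEMPLATE)}"   # the tag was executed
  puts "safe:   #{render_safe(INJECTED_TEMPLATE)}"     # the tag is inert text
end
```

`result_with_hash` (Ruby 2.5 and later) is the convenient way to hand named values to a fixed template; `result(binding)` is also fine when the template string is a constant, since the danger lies in who controls the template, not in which evaluation method is used.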

Check for CVE-2020-8166

Jamie Finnigan added a new check for CVE-2020-8166.

(Note, in general you should not rely on Brakeman for vulnerable dependency checks. There are much better tools available now!)

Always Scan Environment

Brakeman used to conditionally scan config/environment.rb based on the Rails version, since in newer versions there’s nothing of interest in that file.

However, some applications do use that file for important constant definitions. Since there is no harm in doing so, Brakeman will now always scan config/environment.rb.

More Safe YAML

Brakeman will no longer warn about deserialization if the safe_yaml gem is used with YAML.load(..., safe: true).
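For context on the deserialization warning this change touches, an added example (my code, not Brakeman's and not the safe_yaml gem) using the standard library's YAML.safe_load, the Psych counterpart of what safe_yaml provides: documents carrying Ruby object tags or symbols are rejected unless the class is explicitly permitted, which is what keeps untrusted YAML from instantiating arbitrary objects. The YAML documents below are constructed.

```ruby
require 'yaml'

# Constructed documents: plain data, a document with a Ruby object tag, and one
# whose value would deserialize to a Symbol.
PLAIN_YAML  = "name: brakeman\nversion: 4.9.0\nchecks: [sql, xss]\n"
TAGGED_YAML = "--- !ruby/object:Object\nfoo: bar\n"
SYMBOL_YAML = "mode: :strict\n"

# Load untrusted YAML with Psych's restricted class loader. Returns
# [:ok, data] or [:rejected, exception_class_name] so callers can log the refusal.
def load_untrusted_yaml(text, permitted: [])
  [:ok, YAML.safe_load(text, permitted_classes: permitted)]
rescue Psych::DisallowedClass, Psych::BadAlias => e
  [:rejected, e.class.name]
end

if __FILE__ == $PROGRAM_NAME
  puts load_untrusted_yaml(PLAIN_YAML).inspect
  puts load_untrusted_yaml(TAGGED_YAML).inspect
  puts load_untrusted_yaml(SYMBOL_YAML).inspect
  puts load_untrusted_yaml(SYMBOL_YAML, permitted: [Symbol]).inspect
end
```

The `permitted_classes:` keyword needs Psych 3.1 or later (Ruby 2.6 ships it). Permitting `Symbol` is the usual concession for config files; permitting application classes should be a deliberate, reviewed decision, because each one becomes reachable from the document.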

Mass Assignment False Positives

Brakeman will no longer warn about mass assignment with params.permit!.slice or when params.permit! is used as an argument to a path helper (e.g. something_path(params.permit!)).

Dir.glob in Guards

Brakeman will now consider Dir.glob to be a safe source of values in guard statements.

In other words, code like this:

  def show
    template = params[:template]
    files = Dir.glob("/some/template/path/*")

    # Guard condition using Dir.glob results
    return redirect_to '/groups' unless files.include? template

    # Will not warn because we are checking `files` for `params[:template]` above
    render "groups/#{template}"
  end

Updated Warning Messages

Updated a few warning messages to be clearer instead of just using ‘whitelist’/‘blacklist’ as a verb.

Checksums

The SHA256 sums for this release are:

3afcfee962907361cbc5047b7089eaa7c31546cc4de201939faba6d3a1b07a18  brakeman-4.9.0.gem
dc6a50321170e83e61ae75d1bb2dade53392a44b614d4068553f1425539a3b8f  brakeman-lib-4.9.0.gem
4c8ea640925bf33a775729b000b91312abe42ea7945dac1a6bfcc0347fb6323d  brakeman-min-4.9.0.gem

Brakeman 4.8.2 Released

This release introduces a new option and two new checks!

Changes since 4.8.1:

  • Add --text-fields option
  • Add check for CVE-2020-8159
  • Add check for escaping HTML entities in JSON configuration option
  • Fix authenticate_or_request_with_http_basic check for passed blocks (Hugo Corbucci)

Text Fields Option

It is now possible to specify which text fields are reported and their order for the default “text” report format using the --text-fields option.

Possible options are:

  • all
  • category
  • category_id
  • check
  • code
  • confidence
  • file
  • fingerprint
  • line
  • link
  • message
  • render_path

--text-fields accepts a comma-separated list of these options.

Please keep in mind the JSON report should be used for structured reports/parsing.

CVE-2020-8159

This release includes a check for CVE-2020-8159 related to the actionpack-page_caching gem. The vulnerability allows arbitrary file writing and may be escalated to remote code execution.

If caches_page is called in any controllers, this will be a High confidence warning. Otherwise, Weak.

Reminder: Brakeman is not a ‘dependency’ scanner. It only includes checks for a small number of Rails-related CVEs. Use bundler-audit or related tools for dependency checking.

JSON Escaping Configuration

Brakeman will now warn if HTML entity escaping in JSON is disabled globally with ActiveSupport.escape_html_entities_in_json = false. This is an unusual configuration.
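What that setting controls, as an added example that re-implements the escaping in plain Ruby (it is not Rails' code): with the escaping on, <, > and & in JSON output become \u003c, \u003e and \u0026, so a string value cannot close a <script> block when the JSON is inlined into a page; with the setting off, the raw characters pass through and the document structure depends on every embedding site escaping correctly. SAMPLE_RECORD is constructed.

```ruby
require 'json'

# Constructed record whose value would end a <script> block if embedded raw.
SAMPLE_RECORD = { 'name' => 'Pat', 'bio' => '</script><b>not a script</b>' }.freeze

# The three characters Rails replaces when escape_html_entities_in_json is true,
# written as JSON unicode escapes (the single quotes keep the backslash literal).
HTML_JSON_ESCAPES = { '<' => '\u003c', '>' => '\u003e', '&' => '\u0026' }.freeze

# JSON as it would look with the setting disabled: plain JSON.generate output.
def json_without_html_escaping(obj)
  JSON.generate(obj)
end

# JSON with the HTML-sensitive characters escaped; still valid JSON that parses
# back to the same data, but safe to place inside a <script> element.
def html_safe_json(obj)
  JSON.generate(obj).gsub(/[<>&]/, HTML_JSON_ESCAPES)
end

if __FILE__ == $PROGRAM_NAME
  puts "off: #{json_without_html_escaping(SAMPLE_RECORD)}"
  puts "on:  #{html_safe_json(SAMPLE_RECORD)}"
end
```

The escaped form is what a browser's JSON parser still reads as the original string, which is why turning the global setting off buys nothing for correctness and only removes a safety margin.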

Basic Auth Check Fix

Hugo Corbucci fixed an error when checking calls to authenticate_or_request_with_http_basic without a block literal.

Checksums

The SHA256 sums for this release are:

d7bf369896b4a3c41778f39f10b1e1d0844a965bbb582fa0a0566b1df4f07dec  brakeman-4.8.2.gem
c13e9a9e5b213ba95a16803ddb50eb3c7119533ca71444ffec2bb6cea22b926a  brakeman-lib-4.8.2.gem
a422a444b7db48682e1f112c83b1a7a7e3828ec02d52ed91c5b3eff235b801c1  brakeman-min-4.8.2.gem
