Brakeman

Ruby on Rails Static Analysis Security Tool

Happy 8th Birthday, Brakeman!

In celebration of Brakeman’s 8th birthday this week, we’d like to share an update to keep you apprised of what we’ve been up to since our acquisition by Synopsys in June of this year.

Stemming from the acquisition, Synopsys welcomed Justin Collins of the original Brakeman core team. He is working closely with the Synopsys Static Analysis division to integrate the Brakeman Pro Engine into the Coverity proprietary product offering. This is an exciting opportunity to build Ruby on Rails support into an enterprise-class engine that is quickly emerging as a leader in static application security testing.

As for the Brakeman project, we’d like to assure you that Synopsys is committed to the continued success of the project.

Synopsys has a rich history of working with the open source community through Coverity Scan, providing testing as a free service to support building quality and security into the open source software (OSS) development process. To date, since its inception in 2006, Coverity Scan has provided scanning support to over 4,600 open source projects. The December 2017 acquisition of Black Duck Software is another testament to Synopsys’ dedication to securing the growing use of open source.

Rest easy knowing that Brakeman will continue to be maintained by the same team. Code will remain available on GitHub, and Ruby gems will continue being distributed via RubyGems.org.

Brakeman Has Been Acquired by Synopsys

We are excited to announce Brakeman Pro has been acquired by Synopsys.

Started in 2014, Brakeman Pro has been a partnership between Justin Collins, Neil Matatall, Jim Manico, and Adam Korman. Although it’s been an unconventional journey, we are all grateful to have traveled it together. Sincere thanks to the many folks who supported, promoted, and encouraged us along the way.

Justin Collins will be joining Synopsys to help integrate the Brakeman Pro Engine into their static application security testing (SAST) offerings, as well as continuing to develop and support the Brakeman OSS project. This is an exciting opportunity to focus on improving and expanding SAST for the Ruby community.

Brakeman OSS

This Brakeman OSS project is part of the acquisition, and Synopsys now owns the copyright previously held by Brakeman, Inc.

The project going forward and any future contributions will be made available under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 Public License. For most users who are using Brakeman for internal purposes or assessments, nothing will change. Brakeman OSS will continue to be maintained by the same folks, free, and open source. Code will remain available on GitHub, and Ruby gems will be distributed from RubyGems.org.

However, under the new license, it is no longer possible to use Brakeman OSS for the development of a commercial product or online service or to resell Brakeman OSS as a service. Companies wishing to do either will require a commercial agreement with Synopsys. Please see here for more details.

Thank You

Thank you again to our customers, friends, and family who supported us in making the web a little bit safer!

Brakeman 4.3.1 Released

Mostly false positive reduction and bug fixes in this one!

Changes since 4.3.0:

  • Add :BRAKEMAN_SAFE_LITERAL to represent known-safe literals
  • Handle Array#map and Array#each over literal arrays (#1208 / #1224)
  • Use safe literal when accessing literal hash with unknown key (#1213)
  • Allow symbolize_keys to be called on params in SQL (Jacob Evelyn)
  • Improve handling of conditionals in shell commands (Jacob Evelyn)
  • Avoid deprecated use of ERB in Ruby 2.6 (Koichi ITO)
  • Ignore Object#freeze, use the target instead (#1211)
  • Ignore foreign_key calls in SQL (#1202)
  • Handle included calls outside of classes/modules (#1209)
  • Fix error when setting line number in implicit renders (#1210)

Safe Literals

This version of Brakeman introduces a new way of handling “known safe” values (integers, string literals, etc.) whose exact value is unknown. Uses of such values are now replaced with :BRAKEMAN_SAFE_LITERAL rather than with a stand-in concrete value, as Brakeman did previously. The new approach avoids some unhelpful side-effects and leaves room for more of this kind of analysis in the future.

These changes fix up a number of false positives.

Array Safe Literals

In situations like

["hello", "there"].each do |s|
  something_with(s)
end

Brakeman will replace s inside the block with :BRAKEMAN_SAFE_LITERAL, since the value must be a string (or nil, but Brakeman doesn’t worry about that).

Array#map and Array#each are currently supported.

Hash Access with Unknown Key

In code like

some_hash = { x: 1, y: 2 }
result = some_hash[some_var]

Brakeman will replace result with :BRAKEMAN_SAFE_LITERAL since the value must be an integer.

(changes)
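To make the two substitutions above concrete (block variables over literal arrays, and hash access with an unknown key), here is an added illustration written for this page; it is not Brakeman's own code, and it works over nested Ruby arrays that mimic ruby_parser Sexps rather than real Sexp objects.

```ruby
# Added illustration, not Brakeman's own code: the :BRAKEMAN_SAFE_LITERAL
# substitution from this release, over nested arrays that mimic ruby_parser Sexps:
#   [:iter, [:call, [:array, *elems], :each], [:args, :var], body]   # literal.each { |var| body }
#   [:call, [:hash, key, val, ...], :[], index]                         # { ... }[index]
#   [:lvar, :var]  [:lit, 1]  [:str, "x"]  [:call, target, :name, *args]
SAFE = :BRAKEMAN_SAFE_LITERAL

def literal?(node)
  node.is_a?(Array) && [:lit, :str].include?(node[0])
end

# Replace every local-variable read of +name+ inside +node+ with +replacement+.
def substitute(node, name, replacement)
  return node unless node.is_a?(Array)
  return replacement if node[0] == :lvar && node[1] == name
  node.map { |child| substitute(child, name, replacement) }
end

# Array#each / Array#map called directly on an array literal whose elements are all literals.
def literal_array_iteration?(call)
  call[0] == :call && call[1].is_a?(Array) && call[1][0] == :array &&
    [:each, :map].include?(call[2]) && call[1][1..-1].all? { |e| literal?(e) }
end

# Walk the tree, replacing values that can only be literals with [:lit, SAFE].
def safe_literalize(node)
  return node unless node.is_a?(Array)
  if node[0] == :iter && literal_array_iteration?(node[1])
    _, call, args, body = node
    # The block variable can only ever hold one of the literal elements.
    return [:iter, call, args, safe_literalize(substitute(body, args[1], [:lit, SAFE]))]
  elsif node[0] == :call && node[2] == :[] && node[1].is_a?(Array) && node[1][0] == :hash
    pairs = node[1][1..-1].each_slice(2).to_a
    index = node[3]
    known = pairs.find { |key, _| key == index } if literal?(index)
    return known[1] if known                       # known key: use its value
    # Unknown key over all-literal values: the result is some literal, hence safe.
    return [:lit, SAFE] if !literal?(index) && pairs.all? { |_, value| literal?(value) }
  end
  node.map { |child| safe_literalize(child) }
end

# Constructed inputs matching the two snippets in the notes.
EACH_EXAMPLE = [:iter, [:call, [:array, [:str, "hello"], [:str, "there"]], :each],
                [:args, :s], [:call, nil, :something_with, [:lvar, :s]]]
HASH_EXAMPLE = [:call, [:hash, [:lit, :x], [:lit, 1], [:lit, :y], [:lit, 2]], :[], [:lvar, :some_var]]
```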

Symbolized Keys in Params

Calls to params.symbolize_keys in ActiveRecord methods will not be treated as dangerous.

(changes)

Conditionals in Shell Commands

Use of interpolated if expressions (or the ternary version) in shell commands is now handled better, thanks to Jacob Evelyn. The values of the branches will be checked for dangerous values before warning.

(changes)
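As an added illustration of the branch-wise check described above (written for this page, not taken from Brakeman), the following walks a command string represented as nested arrays mimicking ruby_parser Sexps and reports only those interpolated expressions, including the individual arms of a conditional, that carry user input; the command strings and the admin?/verbose? helpers are constructed for the example.

```ruby
# Added illustration, not Brakeman's own code: checking the branches of a
# conditional interpolated into a shell command, as the change above describes.
# Nodes are nested arrays mimicking ruby_parser Sexps:
#   [:dstr, "ls ", [:evstr, expr], [:str, " -l"]]   # "ls #{expr} -l"
#   [:if, condition, then_branch, else_branch]      # cond ? a : b
#   [:call, target, :name, *args]  [:str, "x"]  [:lit, 1]

# Receiver-less calls that yield request-controlled data.
USER_INPUT = [:params, :request, :cookies].freeze

# True when +node+ is, or is derived from, user input (params[:dir], params[:x].to_s, ...).
def user_input?(node)
  return false unless node.is_a?(Array)
  return true if node[0] == :call && node[1].nil? && USER_INPUT.include?(node[2])
  node.any? { |child| user_input?(child) }
end

# Collects the expressions inside a command string that carry user input.
# An interpolated :if is not reported as a whole; each branch is judged on its own.
def dangerous_interpolations(node)
  return [] unless node.is_a?(Array)
  case node[0]
  when :dstr, :evstr
    node[1..-1].flat_map { |part| dangerous_interpolations(part) }
  when :if
    _, _condition, then_branch, else_branch = node
    [then_branch, else_branch].compact.flat_map { |branch| dangerous_interpolations(branch) }
  else
    user_input?(node) ? [node] : []
  end
end

# Constructed command strings:
#   system("ls #{verbose? ? '-la' : '-l'}")            -> both arms are literals
#   system("ls #{admin? ? params[:dir] : 'tmp'}")      -> one arm is user input
LITERAL_BRANCHES = [:dstr, "ls ",
  [:evstr, [:if, [:call, nil, :verbose?], [:str, "-la"], [:str, "-l"]]]]
PARAMS_BRANCH = [:dstr, "ls ",
  [:evstr, [:if, [:call, nil, :admin?], [:call, [:call, nil, :params], :[], [:lit, :dir]], [:str, "tmp"]]]]
```

A checker built this way stays quiet for LITERAL_BRANCHES and reports exactly the params[:dir] arm of PARAMS_BRANCH, rather than flagging every interpolated conditional.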

Update ERB Use for Ruby 2.6

The interface for ERB will be updated in Ruby 2.6. Koichi ITO provided a fix in preparation for this change.

(changes)

Frozen Objects

Since the use of freeze is of little interest to Brakeman and obscures the object it is freezing, these calls are now ignored.

This, especially combined with the safe literals above, cleans up some false positives.

(changes)

Foreign Keys in SQL

Brakeman will now ignore calls to foreign_key in SQL strings.

(changes)

Not Module#included Calls

Calls to included outside of modules/classes will be ignored instead of causing an error.

(changes)

Checksums

The SHA256 sums for this release are:

70722056ed1b168e2a56baff048fa155948e1d214513f0debe9e2b78f82691f8  brakeman-4.3.1.gem
01078dd352a273965aa207dbffd01b8fe511d2302137f1984ea8bbddc38da3ce  brakeman-lib-4.3.1.gem
1497a934e0fe929d4b2685a3282e7976ebd75e901c56183601b5c528ff4021e0  brakeman-min-4.3.1.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.

If you find Brakeman valuable and want to support its development (and get more features!), check out Brakeman Pro.

Brakeman 4.3.0 Released

Did you know we recently broke 11 million gem downloads? Wow!

Changes since 4.2.1:

  • Add --parser-timeout option
  • Improve timeout error messages
  • Check exec-type calls even if they are targets (#1199)
  • Index Kernel#` calls even if they are targets (#1183)
  • BaseCheck#include_interp? should return first string interpolation (#1189)
  • Ignore Process.pid in system calls
  • Warn about dangerous link_to href with sanitize() (#1187)
  • Ignore params#to_h and params#to_hash in SQL checks (#1180)
  • Convert Array#join to string interpolation (#1179)
  • Change "".freeze to just "" (#1182)
  • --color can be used to force color output (#1175)
  • Track parent calls in call index
  • Fix reported line numbers for CVE-2018-3741 and CVE-2018-8048
  • Code Climate: omit leading dot from only_files (Todd Mazierski)

--color Option

Previously, --no-color could be used to turn off ANSI color in text reports. Now, --color can be used to force color output.

(changes)

--parser-timeout Option

The default timeout for parsing a single file is 10 seconds. For some files, this may not be enough.

The --parser-timeout option can be used to specify a per-file timeout (in seconds).

Additionally, the error message for parsing timeouts has been improved considerably.

(changes)

Command Injection Fixes

Thanks to Jacob Evelyn for reporting a number of issues around command injection, there are several improvements.

Use of backticks as targets of a call will now be checked for command injection.

For example:

`blah #{something}` == "expected output"

Previously, use of backticks was not being indexed in this case.

(changes)

Somewhat similarly, other calls (such as system) would not warn if they were targets of a call.

(changes)

Brakeman will no longer warn about Process.pid in system calls.

(changes)

Also fixed an issue where searching for string interpolation would return the innermost instance instead of the first instance (typically you want the first one).

(changes)

Freeze Calls

Calls to String#freeze will essentially be ignored.

"blah".freeze

will be treated like

"blah"

(changes)

More Strong Parameters in SQL

Calls to to_h and to_hash on params will be ignored in the context of SQL injection.

(changes)

Brakeman will now warn when sanitize is used in an attempt to avoid XSS in link_to. Unfortunately, sanitize does not protect against XSS there.

(changes)

Array#join to String Interpolation

Uses of Array#join will now be converted to string interpolation.

For example:

[1, thing, "here"].join(' ')

will be changed to

"1 #{thing} here"

This both fixes some false positives and helps detect more vulnerabilities in checks that are looking at string interpolation.

(changes)
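The rewrite above, as an added illustration written for this page (not Brakeman's own code): it converts a join over an array literal into the string-interpolation node form, using nested arrays that mimic ruby_parser Sexps, and includes a small renderer so the result can be read back as source; the render helper and the JOIN_EXAMPLE constant are constructed for the example.

```ruby
# Added illustration, not Brakeman's own code: rewriting a literal-array
# Array#join into the string-interpolation node form that Brakeman's
# interpolation-aware checks inspect. Nodes are nested arrays mimicking
# ruby_parser Sexps:
#   [:call, target, :name, *args]  [:array, *elems]  [:lit, 1]  [:str, "x"]
#   [:dstr, "leading text", [:evstr, expr], [:str, "more text"], ...]

def literal?(node)
  node.is_a?(Array) && [:lit, :str].include?(node[0])
end

# Returns the [:dstr, ...] equivalent of +node+, or nil when +node+ is not a
# join over an array literal with a literal (or absent) separator.
def join_to_interpolation(node)
  type, target, name, sep = node
  return nil unless type == :call && name == :join
  return nil unless target.is_a?(Array) && target[0] == :array
  sep ||= [:str, ""]                     # Array#join with no separator
  return nil unless sep[0] == :str       # dynamic separator: leave the call alone

  parts = []
  target[1..-1].each_with_index do |elem, i|
    parts << sep[1] unless i.zero?
    parts << (literal?(elem) ? elem[1].to_s : [:evstr, elem])
  end
  # Merge adjacent plain strings so "1" + " " becomes the single piece "1 ".
  merged = parts.each_with_object([]) do |part, acc|
    if part.is_a?(String) && acc.last.is_a?(String)
      acc[-1] += part
    else
      acc << part
    end
  end
  lead = merged.first.is_a?(String) ? merged.shift : ""
  [:dstr, lead, *merged.map { |m| m.is_a?(String) ? [:str, m] : m }]
end

# Render a dstr back as Ruby source, for bare method-call interpolations only.
def render(dstr)
  body = dstr[1..-1].map do |part|
    next part if part.is_a?(String)
    part[0] == :str ? part[1] : "\#{#{part[1][2]}}"
  end.join
  "\"#{body}\""
end

# The example from the release notes: [1, thing, "here"].join(' ')
JOIN_EXAMPLE = [:call, [:array, [:lit, 1], [:call, nil, :thing], [:str, "here"]],
                :join, [:str, " "]]
```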

Parent Calls

Brakeman now tracks the parent method call of an argument, that is, the call in which the argument appears. While this ended up not being needed for this release, it will help improve checks and messages in the future.

(changes)

Checksums

The SHA256 sums for this release are:

9284a1a9413743b4c915eda40312395e0ee574c6286893a27074b6f9527648f4  brakeman-4.3.0.gem
89ba3385fab967114c31da1462401c03caa8847d1115566a77039d0bda95181e  brakeman-lib-4.3.0.gem
1834031c1e949242ea6d08b3b1036d3f7c12c28257cdfa94cf3d0459b6f851b6  brakeman-min-4.3.0.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.

If you find Brakeman valuable and want to support its development (and get more features!), check out Brakeman Pro.

Brakeman 4.2.1 Released

This is a small release to add warnings for CVE-2018-3741 and CVE-2018-8048.

Please note there have been a number of vulnerabilities in the Rails HTML sanitization methods over the years. Only use sanitization when an application must accept and render HTML from an untrusted source. Otherwise, escape outputs instead.

Changes since 4.2.0:

  • Add warning for CVE-2018-3741
  • Add warning for CVE-2018-8048
  • Scan app/jobs/ directory
  • Handle template_exists? in controllers (#1124)

CVE-2018-3741

CVE-2018-3741 is a vulnerability in the rails-html-sanitizer gem which may allow bypassing attribute whitelists and therefore cross-site scripting.

(changes)

CVE-2018-8048

CVE-2018-8048 is a similar vulnerability in the loofah gem.

(changes)

Scan Jobs

Brakeman will now scan files in the app/jobs/ directory and treat them as additional libraries.

(changes)

Template Guard Condition

Brakeman will no longer warn about dynamic render paths if template_exists? is used as a guard condition.

(changes)

A Note on Vulnerabilities in Dependencies

Brakeman does not warn about all CVEs in application dependencies. There are many better tools that track and detect vulnerable dependencies.

Brakeman only includes warnings about vulnerabilities announced on the Rails Security Mailing List.

Checksums

The SHA256 sums for this release are:

3ba1cd39d98edcae7a0802ef0206de1438439cfdf4edb559c676877e2c253498  brakeman-4.2.1.gem
54a4aa336f3c21477a9bab12eeba6bb79ffa34a015e89a748621f7fd037d1943  brakeman-lib-4.2.1.gem
d53f2275320dfe5609234e74ce3a73a7d8c44dfae824fb938a9bae2077a9aecf  brakeman-min-4.2.1.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release.

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.

If you find Brakeman valuable and want to support its development (and get more features!), check out Brakeman Pro.