Brakeman - Rails Security Scanner

Static analysis security scanner for Ruby on Rails

Brakeman 4.3.1 Released

Mostly false positive reduction and bug fixes in this one!

Changes since 4.3.0:

  • Add :BRAKEMAN_SAFE_LITERAL to represent known-safe literals
  • Handle Array#map and Array#each over literal arrays (#1208 / #1224)
  • Use safe literal when accessing literal hash with unknown key (#1213)
  • Allow symbolize_keys to be called on params in SQL (Jacob Evelyn)
  • Improve handling of conditionals in shell commands (Jacob Evelyn)
  • Avoid deprecated use of ERB in Ruby 2.6 (Koichi ITO)
  • Ignore Object#freeze, use the target instead (#1211)
  • Ignore foreign_key calls in SQL (#1202)
  • Handle included calls outside of classes/modules (#1209)
  • Fix error when setting line number in implicit renders (#1210)

Safe Literals

This version of Brakeman introduces a new way of handling “known safe” values (integers, string literals, etc.) whose exact value is unknown. Uses of such values are now replaced with :BRAKEMAN_SAFE_LITERAL rather than with a guessed concrete value, as Brakeman did previously. The new approach avoids some unhelpful side-effects and allows for more of this kind of thing in the future.

These changes fix up a number of false positives.

Array Safe Literals

In situations like

["hello", "there"].each do |s|
  something_with(s)
end

Brakeman will replace s inside the block with :BRAKEMAN_SAFE_LITERAL, since the value must be a string (or nil, but Brakeman doesn’t worry about that).

Array#map and Array#each are currently supported.

Hash Access with Unknown Key

In code like

some_hash = { x: 1, y: 2 }
result = some_hash[some_var]

Brakeman will replace result with :BRAKEMAN_SAFE_LITERAL since the value must be an integer.

(changes)

Symbolized Keys in Params

Calls to params.symbolize_keys in ActiveRecord methods will not be treated as dangerous.

(changes)

Conditionals in Shell Commands

Use of interpolated if expressions (or the ternary version) in shell commands is now handled better, thanks to Jacob Evelyn. The values of the branches will be checked for dangerous values before warning.

(changes)

Update ERB Use for Ruby 2.6

The interface for ERB will be updated in Ruby 2.6. Koichi ITO provided a fix in preparation for this change.

(changes)

Frozen Objects

Since the use of freeze is of little interest to Brakeman and obscures the object it is freezing, these calls are now ignored.

This, especially combined with the safe literals above, cleans up some false positives.

(changes)

Foreign Keys in SQL

Brakeman will now ignore calls to foreign_key in SQL strings.

(changes)

Not Module#included Calls

Calls to included outside of modules/classes will be ignored instead of causing an error.

(changes)

Checksums

The SHA256 sums for this release are:

70722056ed1b168e2a56baff048fa155948e1d214513f0debe9e2b78f82691f8  brakeman-4.3.1.gem
01078dd352a273965aa207dbffd01b8fe511d2302137f1984ea8bbddc38da3ce  brakeman-lib-4.3.1.gem
1497a934e0fe929d4b2685a3282e7976ebd75e901c56183601b5c528ff4021e0  brakeman-min-4.3.1.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.

If you find Brakeman valuable and want to support its development (and get more features!), check out Brakeman Pro.

Brakeman 4.3.0 Released

Did you know we recently broke 11 million gem downloads? Wow!

Changes since 4.2.1:

  • Add --parser-timeout option
  • Improve timeout error messages
  • Check exec-type calls even if they are targets (#1199)
  • Index Kernel#` calls even if they are targets (#1183)
  • BaseCheck#include_interp? should return first string interpolation (#1189)
  • Ignore Process.pid in system calls
  • Warn about dangerous link_to href with sanitize() (#1187)
  • Ignore params#to_h and params#to_hash in SQL checks (#1180)
  • Convert Array#join to string interpolation (#1179)
  • Change "".freeze to just "" (#1182)
  • --color can be used to force color output (#1175)
  • Track parent calls in call index
  • Fix reported line numbers for CVE-2018-3741 and CVE-2018-8048
  • Code Climate: omit leading dot from only_files (Todd Mazierski)

--color Option

Previously, --no-color could be used to turn off ANSI color in text reports. Now, --color can be used to force color output.

(changes)

--parser-timeout Option

The default timeout for parsing a single file is 10 seconds. For some files, this may not be enough.

The --parser-timeout option can be used to specify a per-file timeout (in seconds).

Additionally, the error message for parsing timeouts has been improved considerably.

(changes)

Command Injection Fixes

Thanks to Jacob Evelyn, who reported a number of issues around command injection, there are several improvements.

Use of backticks as targets of a call will now be checked for command injection.

For example:

`blah #{something}` == "expected output"

Previously, use of backticks was not being indexed in this case.

(changes)

Somewhat similarly, other calls (such as system) would not warn if they were targets of a call.

(changes)

Brakeman will no longer warn about Process.pid in system calls.

(changes)

Also fixed an issue where searching for string interpolation would return the innermost instance instead of the first instance (typically you want the first one).

(changes)
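To make these behaviours concrete, here is a small checker built on Ruby's standard-library Ripper parser. It is an added illustration, not Brakeman's own code: it locates shell sinks wherever they sit in the expression tree (so a backtick string that is the target of == is not skipped, as in the example above), and for an interpolated ternary or if inside a sink, as described in the 4.3.1 "Conditionals in Shell Commands" notes, it warns only when a branch value references params. The SINKS list and the definition of "tainted" (any reference to params) are simplifying assumptions.

```ruby
require "ripper"

# Added illustration, not Brakeman's own code: a miniature checker on top of
# Ruby's stdlib Ripper parser that mimics two behaviours from the notes above.
#   1. Shell sinks are found anywhere in the tree, so a backtick string that
#      is the *target* of a call (`...` == "x") is not skipped.
#   2. An interpolated `cond ? a : b` (or if/unless) inside a sink is only
#      reported when a branch value carries untrusted input, which this toy
#      defines as any reference to `params`; plain literals are safe.
module MiniShellCheck
  # Kernel methods that hand their string to a shell (a small, assumed list).
  SINKS = %w[system exec spawn].freeze

  # Depth-first walk over a Ripper S-expression, yielding every array node.
  def self.each_node(node, &blk)
    return unless node.is_a?(Array)
    yield node
    node.each { |child| each_node(child, &blk) }
  end

  # Does the subtree mention `params` (the request parameters)?
  def self.tainted?(node)
    each_node(node) { |n| return true if n[0] == :@ident && n[1] == "params" }
    false
  end

  # A #{...} part is dangerous if any statement in it is tainted. For a
  # conditional only the branch values are inspected, never the condition.
  def self.dangerous_embexpr?(embexpr)
    embexpr[1].any? do |expr|
      case expr[0]
      when :ifop, :if, :unless, :if_mod, :unless_mod
        tainted?(expr[2]) || tainted?(expr[3]) # then-branch, else-branch
      else
        tainted?(expr)
      end
    end
  end

  # Every #{...} part that ends up inside a shell sink, wherever the sink sits.
  def self.sink_embexprs(tree)
    found = []
    each_node(tree) do |n|
      case n[0]
      when :xstring_literal                       # `backticks`
        found.concat(n[1].select { |part| part[0] == :string_embexpr })
      when :command, :method_add_arg              # system "x" / system("x")
        callee = n[1][0] == :fcall ? n[1][1] : n[1]
        next unless callee[0] == :@ident && SINKS.include?(callee[1])
        each_node(n[2]) { |m| found << m if m[0] == :string_embexpr }
      end
    end
    found
  end

  # True when the snippet should produce a command-injection warning.
  def self.warn?(source)
    tree = Ripper.sexp(source) or raise ArgumentError, "syntax error in: #{source}"
    sink_embexprs(tree).any? { |part| dangerous_embexpr?(part) }
  end

  # Run every sample and return { name => warned? }.
  def self.report(samples)
    samples.transform_values { |src| warn?(src) }
  end
end

# Constructed one-line samples covering the cases discussed in the notes.
SHELL_SAMPLES = {
  literal_branches: 'system("ls #{verbose ? "-l" : ""}")',  # both values literal
  tainted_branch:   'system("ls #{verbose ? params[:dir] : "."}")',
  backtick_target:  '`ls #{params[:dir]}` == ""',           # sink is a call target
  backtick_static:  '`uname -a`.strip',                     # no interpolation
  process_pid:      'system("echo #{Process.pid}")',        # not user input
}.freeze

if __FILE__ == $PROGRAM_NAME
  MiniShellCheck.report(SHELL_SAMPLES).each do |name, warned|
    puts format("%-18s %s", name, warned ? "WARN: command injection" : "ok")
  end
end
```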

Freeze Calls

Calls to String#freeze will essentially be ignored.

"blah".freeze

will be treated like

"blah"

(changes)

More Strong Parameters in SQL

Calls to to_h and to_hash on params will be ignored in the context of SQL injection.

(changes)

Sanitize in link_to

Brakeman will now warn on uses of sanitize in attempts to avoid XSS in link_to. Unfortunately, it does not work that way.

(changes)

Array#join to String Interpolation

Uses of Array#join will now be converted to string interpolation.

For example:

[1, thing, "here"].join(' ')

will be changed to

"1 #{thing} here"

This both fixes some false positives and helps detect more vulnerabilities in checks that are looking at string interpolation.

(changes)

Parent Calls

Brakeman now tracks the parent method call (I’m sure there’s a better way to say that) of an argument. While this ended up not being needed for this release, it will help improve checks and messages in the future.

(changes)

Checksums

The SHA256 sums for this release are:

9284a1a9413743b4c915eda40312395e0ee574c6286893a27074b6f9527648f4  brakeman-4.3.0.gem
89ba3385fab967114c31da1462401c03caa8847d1115566a77039d0bda95181e  brakeman-lib-4.3.0.gem
1834031c1e949242ea6d08b3b1036d3f7c12c28257cdfa94cf3d0459b6f851b6  brakeman-min-4.3.0.gem

Brakeman 4.2.1 Released

This is a small release to add warnings for CVE-2018-3741 and CVE-2018-8048.

Please note there have been a number of vulnerabilities in the Rails HTML sanitization methods over the years. Only use sanitization when an application must accept and render HTML from an untrusted source. Otherwise, escape outputs instead.

Changes since 4.2.0:

  • Add warning for CVE-2018-3741
  • Add warning for CVE-2018-8048
  • Scan app/jobs/ directory
  • Handle template_exists? in controllers (#1124)

CVE-2018-3741

CVE-2018-3741 is a vulnerability in the rails-html-sanitizer gem which may allow bypassing attribute whitelists and therefore cross-site scripting.

(changes)

CVE-2018-8048

CVE-2018-8048 is a similar vulnerability in the loofah gem.

(changes)

Scan Jobs

Brakeman will now scan files in the app/jobs/ directory and treat them as additional libraries.

(changes)

Template Guard Condition

Brakeman will no longer warn about dynamic render paths if template_exists? is used as a guard condition.

(changes)

A Note on Vulnerabilities in Dependencies

Brakeman does not warn about all CVEs in application dependencies. There are many better tools that track and detect vulnerable dependencies.

Brakeman only includes warnings about vulnerabilities announced on the Rails Security Mailing List.

Checksums

The SHA256 sums for this release are:

3ba1cd39d98edcae7a0802ef0206de1438439cfdf4edb559c676877e2c253498  brakeman-4.2.1.gem
54a4aa336f3c21477a9bab12eeba6bb79ffa34a015e89a748621f7fd037d1943  brakeman-lib-4.2.1.gem
d53f2275320dfe5609234e74ce3a73a7d8c44dfae824fb938a9bae2077a9aecf  brakeman-min-4.2.1.gem

Brakeman 4.2.0 Released

First release of 2018!

Changes since 4.1.1:

  • Handle ERb use of String#<< method for Ruby 2.5 (Pocke)
  • Exclude template folders in lib/ (kru0096)
  • Warn about SQL injection with not
  • Avoid warning about symbol DoS on Model#attributes (#1096)
  • Avoid warning about open redirects with model methods ending with _path (#1117)
  • Avoid warning about command injection with Shellwords.escape (#1159)
  • Use ivars from initialize in libraries
  • Fix multiple assignment of globals (#1155)
  • Sexp#body= can accept :rlist from Sexp#body_list
  • Update RubyParser to 3.11.0

Update ERb Handling for Ruby 2.5.0

The way ERb templates are compiled changed in Ruby 2.5.0 to use String#<<, so Brakeman has been changed to accommodate this.

Please note ERb also changed such that <% # is not supported in Ruby 2.5.0. It will be fixed in the next Ruby release, but the correct syntax is <%#.

(changes)

Exclude Template Folders

Files in lib/**/templates will be ignored, since they are generally ERb files, not actually Ruby.

(changes)

SQL Injection with not

In ActiveRecord, not takes the same arguments as where, making it just as vulnerable to SQL injection.

Thank you to Jobert Abma for reporting this.

(changes)

Symbol DoS False Positive

Brakeman will no longer warn about Model#attributes.symbolize_keys.

(changes)

Open Redirect False Positive

Brakeman will no longer warn about open redirects with Model#something_ending_in_path.

(changes)

Shellwords Escaping

Brakeman will no longer warn about command injection when Shellwords.escape and friends are used.

Please note that using user input in shell commands is rarely a good idea, even if escaped, since it can change the behavior of the program in unexpected ways. Many Linux tools have options that allow arbitrary code execution.

(changes)
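As an added illustration (not Rails' or Brakeman's code) of why escaping alone is not enough: Shellwords.split stands in for the shell's word splitter, so nothing is executed, and it shows what the program would receive in ARGV. The escaped value survives intact as a single word, which is exactly what stops injection and exactly what lets a value beginning with - reach the program as an option; the argv form with -- is the hardening assumed here.

```ruby
require "shellwords"

# Added illustration, not Rails' or Brakeman's code, of the caveat above.
# Shellwords.split stands in for the shell's word splitter, so nothing is
# executed: it shows what the program would receive in ARGV.

# Command line as Brakeman now accepts it: the user value is escaped and
# then handed to a shell via string interpolation.
def shell_words_for(user_value)
  Shellwords.split("ls #{Shellwords.escape(user_value)}")
end

# Hardened form assumed for this illustration: no shell at all (argv array)
# and "--" so the program cannot read the user value as an option.
def argv_for(user_value)
  ["ls", "--", user_value]
end

# Would the program see the user value as an option? Words after "--" are
# never options, so they are not counted.
def option_like?(argv)
  argv.drop(1).take_while { |word| word != "--" }.any? { |word| word.start_with?("-") }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: two shell-metacharacter injections and one option.
  ["photos; id", "$(id)", "-l"].each do |value|
    words = shell_words_for(value)
    puts format("%-12p -> ARGV %p  option risk: %-5s  argv form: %p",
                value, words, option_like?(words), argv_for(value))
  end
end
```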

Use Initialized Environment in Libraries

When processing libraries, instance variables set in initialize will be used in subsequent methods.

(changes)

Update RubyParser

This release includes updated versions of RubyParser and friends. This may cause some warning fingerprints to change if they include a call to self[...].

(changes)

Checksums

The SHA256 sums for this release are:

c6ad3861920075ccf553343815fcce07aa09d015bc8529c6e4d8a865674530f7  brakeman-4.2.0.gem
94a97496761ddd27974867bde3235cab303761dadec4bd6a8d22260a72aaaa38  brakeman-lib-4.2.0.gem
a071eb6d6e866df0338bcb9c8dd56f5b0d66c68212eb604f551ac8aa196d6923  brakeman-min-4.2.0.gem

Brakeman 4.1.1 Released

Just a small fix-up release!

Changes since 4.1.0:

  • Remove check for use of permit with *_id keys
  • Avoid duplicate warnings about permitted attributes
  • Avoid duplicate warnings about division by zero

Checksums

The SHA256 sums for this release are:

7b65d6694b488aaa09e147f5a39d7e544385a11ec52ae93058b04b17999925b6  brakeman-4.1.1.gem
ffb525462d391f9a7f85b9b1ebbf7b165d03cd2eaed7093c3f1b4fdb135947e2  brakeman-lib-4.1.1.gem
b50a7b19d56a7606cd3a625611f8e720d47da8a57d126e7dcf443714cec98194  brakeman-min-4.1.1.gem

Brakeman 4.1.0 Released

Wow, it has been too long since the last release!

Happy December!

Changes since 4.0.1:

  • Add check for dangerous keys in permit
  • Add optional check for divide by zero
  • Remove errors about divide by zero
  • Warn about dynamic values in Arel.sql
  • Show better location for Sass errors (Andrew Bromwich)
  • Avoid warning about file access for temp files (#1110)
  • Avoid CSRF warning in Rails 5.2 default config (#1132)
  • Better processing of op_asgn1 (e.g. x[:y] += 1) (#1103)
  • Handle nested destructuring/multiple assignment
  • Do not warn on params.permit with safe values (#1000)
  • Use HTTPS for warning links
  • Try to guess options for less pager (#1118)
  • Do not page if results fit on screen
  • Leave results on screen after paging
  • Fix upgrade version for CVE-2016-6316
  • Fix include_paths for Code Climate engine (Will Fleming)
  • Support app_path configuration for Code Climate engine (Noah Davis)
  • Refactor Code Climate engine options parsing (Noah Davis)

New Check for Dangerous Permit Keys

Very similar to warning about potentially dangerous keys in attr_accessible, Brakeman now warns about potentially dangerous keys whitelisted for mass assignment via params.permit.

(changes)

New Optional Check for Division by Zero

Previously, Brakeman would report errors when it encountered potential division by zero. Now, it optionally reports warnings instead.

(changes)

Arel.sql

Arel.sql allows one to add raw SQL to queries. Brakeman now warns about potential SQL injection when using Arel.sql with dynamic values.

(changes)

Sass Error Locations

Thanks to Andrew, Brakeman now reports actual file names for errors involving Sass.

(changes)

Temp Files

Brakeman no longer warns about file access with params[:blah].tempfile.path or params[:blah].path.

(changes)

Rails 5.2 CSRF Configuration

In Rails 5.2, CSRF protection is enabled by default. Brakeman will now respect this.

(changes)

Attribute Combination Assignment

This release handles code like x[:y] += 1 better. Previously, it would not update the value for x[:y].

(changes)

Nested Destructuring

Brakeman now can handle nested multiple assignment, like x, (a, b), y = z, assuming z is known to be an array.

(changes)

Pager Updates

The default pager (less) now leaves the output in the terminal after exiting, and exits immediately if the output fits on the screen.

Additionally, Brakeman attempts to detect if these options are actually supported by less before using them.

(changes and here)

CVE-2016-6316

In case this one was keeping you up at night, Brakeman now reports the correct upgrade version for CVE-2016-6316.

(changes)

HTTPS for Warning Links

Links to brakemanscanner.org in reports are now HTTPS! Only makes sense.

(changes)

Code Climate Updates

The Brakeman engine on Code Climate now supports app_path and include_paths, together.

(changes)

Checksums

The SHA256 sums for this release are:

1dd62ee8aa872acf5d0aace6dc0745b55c78da68640f04754bf11c12a58842bf  brakeman-4.1.0.gem
a16bd3082223655f132ff4c601f5d1930290082116fc256c5c1e652ff3ba933a  brakeman-lib-4.1.0.gem
29d9be77b06195675e6b803141da979438983c0970c182fe8b8ccf3145ecda9f  brakeman-min-4.1.0.gem

Brakeman 4.0 Released!

This release has breaking changes!

This is the 101st official release of Brakeman! It has been seven years and one month since the first release of Brakeman. To put that into historical context, Rails 3.0 was released a few days later!

How about some more numbers?

Thank you so much to everyone who has used, contributed to, or promoted Brakeman over the past seven years!

As a token of our appreciation, we have a limited edition 2017 Brakeman sticker:

Brakeman Sticker

Just email [email protected] with your name and address (anywhere in the world) and we’ll send you one. While supplies last!

If you have benefited from Brakeman, please consider supporting continued development via Brakeman Pro.

Changes since 3.7.2:

  • --exit-on-warn is now the default (#852)
  • --exit-on-error is now the default (#1083)
  • “Plain” report output is now the default
  • Add simple pager for reports output to terminal
  • Remove low confidence mass assignment warnings
  • Reduce warnings about XSS in link_to
  • Treat request.cookies like cookies (#1090)
  • Treat fail/raise like early returns (#754)
  • Rename “Cross Site Scripting” to “Cross-Site Scripting” (Paul Tetreau)
  • Remove reliance on CONFIDENCE constant in checks
  • Fix --exit-on-error and --exit-on-warn in config files

Changes since 4.0.0:

  • Do not use pager when CI environment variable is set

New Default Exit Codes

--exit-on-warn and --exit-on-error are now default behavior.

If any warnings are found or errors are raised during the scan, Brakeman’s exit code will be non-zero. This may break things, in particular CI jobs or scripts that assume Brakeman will always exit with code 0.

You may use --no-exit-on-warn and --no-exit-on-error to revert back to previous behavior and always exit with error code 0.

(changes and changes)

New Default Report Format

The “plain” report format is now the default.

To revert back to the table format, use -f tables or -o report.tables.

(changes)

Paged Output

By default, output to the terminal will be paged with less or Highline’s simple pager.

To disable, use --no-pager.

In 4.0.1 Brakeman will automatically disable the pager when the CI environment variable is set to true. This should be compatible with Travis CI, Circle CI, Codeship, and Bitbucket Pipelines.

(changes)

Fewer Mass Assignment Warnings

Low confidence mass assignment warnings have been removed in this release. Brakeman should now only warn when user input is used directly in the instantiation or update of a model.

(changes)

Fewer link_to Warnings

Warnings about XSS in link_to have confused quite a few people over the years. The danger is that links may have javascript: or data: values with XSS payloads.

Brakeman should now only warn when directly using user input or when using what looks like a URL from the database.

(changes)

More Cookies

request.cookies will now be treated like cookies in general.

(changes)

More Early Returns

Calls to raise or fail will be treated like early returns when considering simple guard expressions.

(changes)

Cross-Site Scripting

Messages about “Cross Site Scripting” will now include a hyphen. This does not affect warning fingerprints.

(changes)

CONFIDENCE

Brakeman checks previously used the CONFIDENCE hash when creating warnings, e.g. :confidence => CONFIDENCE[:high]. Now it’s possible to use :confidence => :high instead.

For those with custom checks, the CONFIDENCE hash is still available and nothing should break.

(changes)

Checksums

The SHA256 sums for these releases are:

0038932b43dcf2bf698ad6637500f69b5e4226b10c011a4a6bcce93a77a5e045  brakeman-4.0.0.gem
3688303859a7c9b452ddcef00f00f97789ce103774446d42851a763ecbf8df87  brakeman-lib-4.0.0.gem
559196c6e41e5b180448564d9aca84fb775a39b77dd7d8d880a0ce0e77df8ae2  brakeman-min-4.0.0.gem

d93d6f8e9c2655520153fe0512b338753cc36fac56b80947f652fd33e9f80dfb  brakeman-4.0.1.gem
82ab1e51f712ad10109a4fe080f6389b28bbbef83e0ecd6c33defa90319b4bc5  brakeman-lib-4.0.1.gem
579f240cb8e5357fe5e45c09eb43f3512481f7086052337437e5c436c617da8b  brakeman-min-4.0.1.gem

Brakeman 3.7.1/3.7.2 Released

Just a little release. Next up: 4.0!

Changes since 3.7.1:

Changes since 3.7.0:

  • Handle simple guard with return at end of branch (#1073)
  • Add more collection methods for iteration detection
  • Modularize bin/brakeman
  • Improve multi-value Sexp error message
  • Update ruby2ruby and ruby_parser dependencies

Another Simple Guard

Brakeman will now handle when the branch in a simple guard condition ends in return.

For example:

unless [:valid, :value].include? params[:x]
  do_stuff
  more_stuff
  return
end

x.send(params[:x]) # Will no longer warn because `params[:x]` must be 'safe'

(changes)
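The guard rule as an added toy implementation on Ruby's stdlib Ripper parser (not Brakeman's code): an unless whose body ends in return, or a return unless modifier as in the 3.7.0 notes, with an include? condition marks that exact params[...] expression as safe for the statements that follow; any other params access in the body is reported by its key. The include? shape and the params-only notion of user input are assumptions made for the illustration.

```ruby
require "ripper"

# Added toy implementation, not Brakeman's own code: the "simple guard" rule
# on top of Ruby's stdlib Ripper parser. Either form
#   return unless <list>.include? params[:k]            (3.7.0 notes)
#   unless <list>.include? params[:k] ... return end    (this release)
# marks that exact `params[:k]` expression as safe for the statements after
# it; every other `params[...]` access in the body is reported by its key.
module MiniGuardCheck
  # Depth-first walk over a Ripper S-expression, yielding every array node.
  def self.each_node(node, &blk)
    return unless node.is_a?(Array)
    yield node
    node.each { |child| each_node(child, &blk) }
  end

  # Drop [line, column] positions from tokens so two occurrences of the same
  # expression compare equal regardless of where they were written.
  def self.strip_pos(node)
    return node unless node.is_a?(Array)
    return node[0, 2] if node[0].is_a?(Symbol) && node[0].to_s.start_with?("@")
    node.map { |child| strip_pos(child) }
  end

  # For a condition `<recv>.include? arg` (with or without parens) return arg.
  def self.include_arg(cond)
    case cond[0]
    when :command_call   # [:command_call, recv, ., ident, args]
      ident, args = cond[3], cond[4]
    when :method_add_arg # [:method_add_arg, [:call, recv, ., ident], [:arg_paren, args]]
      ident, args = cond[1][3], cond[2][1]
    else
      return nil
    end
    return nil unless ident.is_a?(Array) && ident[1] == "include?" && args
    args[1].first
  end

  # A simple guard: `unless` (statement or modifier) whose branch ends in return.
  def self.guard_exit?(stmt)
    last = stmt[0] == :unless_mod ? stmt[2] : stmt[2].last # one stmt vs body
    last.is_a?(Array) && last[0].to_s.start_with?("return")
  end

  # Position-free form of the expression a guard vouches for, or nil.
  def self.guarded_expr(stmt)
    return nil unless [:unless, :unless_mod].include?(stmt[0]) && guard_exit?(stmt)
    arg = include_arg(stmt[1])
    arg && strip_pos(arg)
  end

  # Keys of every params[...] access not covered by an earlier guard.
  def self.unguarded_keys(source)
    tree = Ripper.sexp(source) or raise ArgumentError, "syntax error in: #{source}"
    safe, unsafe = [], []
    tree[1].each do |stmt|                      # top-level statements in order
      if (expr = guarded_expr(stmt))
        safe << expr
      end
      each_node(stmt) do |n|
        next unless n[0] == :aref && strip_pos(n[1]) == [:vcall, [:@ident, "params"]]
        next if safe.include?(strip_pos(n))     # guarded: known-safe value
        key = nil                               # first token inside the [...]
        each_node(n[2]) { |k| key ||= k[1] if [:@ident, :@tstring_content].include?(k[0]) }
        unsafe << key
      end
    end
    unsafe
  end
end

# Constructed samples; the first is the snippet from the release notes.
GUARD_SAMPLES = {
  guarded_block: <<~RUBY,
    unless [:valid, :value].include? params[:x]
      do_stuff
      return
    end
    x.send(params[:x])
  RUBY
  guarded_modifier: "return unless [:valid, :value].include? params[:x]\nx.send(params[:x])\n",
  unguarded:        "x.send(params[:x])\n",
  wrong_key:        "return unless [:valid, :value].include? params[:x]\nx.send(params[:y])\n",
}.freeze

if __FILE__ == $PROGRAM_NAME
  GUARD_SAMPLES.each do |name, src|
    keys = MiniGuardCheck.unguarded_keys(src)
    puts format("%-17s %s", name, keys.empty? ? "ok" : "unguarded params: #{keys.join(', ')}")
  end
end
```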

More Collection Methods

Brakeman attempts to detect when a template is iterating over records from a database query.

This release adds a few more methods that might return a collection of records.

(changes)

Modularize Commandline

The logic in the brakeman executable has now been moved entirely to Brakeman::Commandline for easier testing and custom behavior.

(changes)

Checksums

The SHA256 sums for this release are:

9ad563247cc6a57b965e59e5bbbaefa202ce34ceb6d10e97ce500406d60cdb6e  brakeman-3.7.2.gem
5b753206f8e5937c33494edd323a9e6573e07958d9f8f5bb662b0f6085eafe19  brakeman-lib-3.7.2.gem
517a074cb92ece8a7e426ea221d63ddbcae6e3b851664083b7e73e6d7e0dd138  brakeman-min-3.7.2.gem

Brakeman 4.0 Plans

If all goes well, Brakeman 4.0 will be released on August 27th, which is also the 7th anniversary of Brakeman’s first release. It will also be the 101st release of Brakeman!

At least two major changes will be coming in Brakeman 4.0:

  • The plain report format will be the default instead of tables
  • -z or --exit-on-warn (sets exit code if any warnings are found) will be on by default

There will likely be other changes, but these two will be the most obvious.

Brakeman 3.7.0 Released

Changes since 3.6.2:

  • Avoid interpolating hashes/arrays on failed access (#921)
  • Fix false positive for redirect_to in Rails 4 (Mário Areias)
  • Show progress indicator in interactive mode (#1012)
  • Handle simple conditional guards that use return (#1057)
  • Improve support for rails4/rails5 options in config file (#1059)
  • Updated RubyParser to master

Performance Improvement with Hash/Array Accesses

When Brakeman sees a hash or array access that it cannot resolve (i.e. can’t find the value for the key), it will no longer copy the entire hash/array value to the call site.

For some applications, this will significantly improve performance.

This may cause some warning fingerprints to change.

(changes)

Unsafe Hash in Redirects

Thanks to Mário Areias, Brakeman correctly handles to_unsafe_hash and to_unsafe_h in redirect_to.

(changes)

Progress Indicator in Interactive Mode

When using -I to manage false positives, Brakeman will now show how far you are through the warnings.


(changes)

Simple Guards with Return

Brakeman can now recognize simple guard conditions such as:

return unless [:safe, :values].include? params[:x]

(changes)

Rails Version Option in Brakeman Configuration

It is now possible to specify just :rails4: true or :rails5: true in a Brakeman configuration file.

(changes)

Updated RubyParser

The main brakeman gem bundles as-yet unreleased changes in RubyParser. This includes “squiggly heredoc” support (<<~), improved line numbers, and a few other fixes.

Checksums

The SHA256 sums for this release are:

f46550d7c7827644a5663ccc10a6ca222e2534648f68630e3a777cb73df59824  brakeman-3.7.0.gem
0ea5359ae802284695500b92a03bf1d022574953a0da44607ff7f715f456c37e  brakeman-min-3.7.0.gem
f6f17e9f1f71a68b486d68f2b3413607fb47154a0fb6a6da23d9d7be87f37967  brakeman-lib-3.7.0.gem

Brakeman 3.6.2 Released

Changes since 3.6.1:

  • Remove --rake option
  • By default, do not honor additional check paths in config
  • Properly handle template names without .html or .js
  • Catch YAML parsing errors in session settings check (#1046)
  • Better handling of if expressions in HAML rendering (#1032)
  • Avoid warning about SQLi with to_s in exists? (#1045)
  • Handle safe call operator in checks (#1031)
  • Handle empty if expressions when finding return values
  • Set template file names during rendering for better errors
  • Limit Slim dependency to before 3.0.8
  • Update RubyParser to 3.9.0

Rake Option Removed

The Rake task generated by --rake has caused quite a few problems. When Rake is run with a Rails application, it loads all of the app’s dependencies, which may conflict with Brakeman’s dependencies.

It is recommended to either not use a Rake task to run Brakeman or just shell out to Brakeman instead of using it as a library.

(changes)

Check Paths in Config Files

Brakeman allows loading custom checks with --add-checks-path. To avoid silently loading arbitrary code, Brakeman will not support this option in configuration files unless explicitly enabled with --allow-check-paths-in-config.

(changes)

Templates without Format Extension

The 3.5.0 release added support for templates with a bare extension (like my_template.haml) but template names derived internally did not handle these bare extensions properly. When rendering templates, Brakeman was not able to match render names to the correct files.

(changes)

YAML Errors

When checking session settings, Brakeman parses config/secrets.yml. Sometimes this file has unsafe values or interpolated code which causes the parsing to fail. Brakeman will now only output a notice about this failure instead of an error.

(changes)

If Expressions in HAML

Typically Brakeman assumes all if branches in templates are taken and ignores the condition. This was not happening in all cases in rendered HAML templates.

(changes)

to_s False Positive with exists?

Brakeman will no longer warn about arguments calling to_s in exists?, since that is the recommended way to avoid SQL injection with that particular method.

(changes)

Better Safe Call Handling

The safe call operator &. will now be handled in all checks instead of being ignored.

(changes)

Empty Ifs

This release fixes an issue when finding return values from methods ending in an empty if expression.

(changes)

More Template Names

Template file names will now be set when passing code to template rendering libraries, in order to produce better error messages when something goes wrong.

(changes)

Dependencies

RubyParser has been updated to 3.9.0 which resolves some issues.

(changes)

Slim is limited to <3.0.8 since the 3.0.8 gem requires Ruby 2.0.

(changes)

Checksums

The SHA256 sums for this release are:

ba89440a5e94f463ad9b6f3602e83d16313857753a5cc9b754757bd3e58e2202  brakeman-3.6.2.gem
adae09f9aa3a4d311fe2de41fee5d9b821eff600c1c05e314b3b930adb85b4d7  brakeman-min-3.6.2.gem
d3da0a86dedcee84c35a14e00b7a9d22874aed89d7d031d1fe60b68ce4ae7c7a  brakeman-lib-3.6.2.gem
