This release has two new checks!
Changes since 4.5.1:
- Add check for cookie serialization with Marshal (#1316)
- Add reverse tabnabbing check (Linos Giannopoulos)
- Avoid warning about file access with ActiveStorage::Filename#sanitized (Tejas Bubane)
- Update loofah version for fixing CVE-2018-8048 (Markus Nölle)
- Warn people that Haml 5 is not fully supported (Jared Beck)
- Index calls in initializers
- Improve template output handling in conditional branches
- Avoid assigning nil line numbers to
- Add special warning code for custom checks
- Add call matching by regular expression
- Skip calls to #dup
- Better handling of gems with no version declared
Cookie Serialization Check
Brakeman will now warn if Rails.application.config.action_dispatch.cookies_serializer is set to
This option allows cookies to be deserialized via Marshal. If an attacker is able to construct a valid encrypted cookie (for example after secret_key_base has leaked), this could lead to arbitrary code execution, because Marshal will instantiate any class named in the payload before the application ever looks at the cookie.
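The following is an added example, not Brakeman's check or Rails code, showing why the Marshal serializer is the dangerous choice: a constructed gadget class whose marshal_load runs during deserialization (standing in for the real code-execution gadgets an attacker would chain), the same input handled by JSON, and a rough regex check over an initializer in the spirit of the new warning. The initializer strings and the :marshal/:json option values are taken from Rails' configuration, not from this post.

```ruby
require "json"

# Constructed gadget: Marshal.load calls marshal_load on a freshly
# allocated instance, so whatever lives here runs with no further
# action by the application. A real gadget would execute @command.
class CookieGadget
  def self.executed
    @executed ||= []
  end

  def initialize(command)
    @command = command
  end

  def marshal_dump
    @command
  end

  def marshal_load(command)
    self.class.executed << command # side effect proves code ran on load
  end
end

# Body of a forged cookie for an app using the Marshal serializer.
def forged_marshal_cookie(command)
  Marshal.dump(CookieGadget.new(command))
end

# Marshal serializer: any loadable class can be instantiated.
def load_cookie_with_marshal(body)
  Marshal.load(body)
end

# JSON serializer: only strings, numbers, arrays and hashes come back,
# even when the payload names a class (no create_additions here).
def load_cookie_with_json(body)
  JSON.parse(body)
rescue JSON::ParserError
  nil
end

# Rough source-level check (assumption: a regex over the initializer
# text, not Brakeman's own AST-based implementation).
def marshal_cookie_serializer?(initializer_source)
  initializer_source.match?(/\.cookies_serializer\s*=\s*:marshal\b/)
end

# Constructed initializer lines: the weak setting and the fix.
WEAK_INITIALIZER  = "Rails.application.config.action_dispatch.cookies_serializer = :marshal"
FIXED_INITIALIZER = "Rails.application.config.action_dispatch.cookies_serializer = :json"

if __FILE__ == $PROGRAM_NAME
  load_cookie_with_marshal(forged_marshal_cookie("id"))
  puts "Marshal ran gadget with: #{CookieGadget.executed.inspect}"
  puts "JSON gave: #{load_cookie_with_json('{"json_class":"CookieGadget","command":"id"}').inspect}"
  puts "weak initializer flagged: #{marshal_cookie_serializer?(WEAK_INITIALIZER)}"
end
```

The forged body is only useful to an attacker who can also produce a valid encryption and signature for it, which is why the warning matters most where secret_key_base might be exposed or shared.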
Reverse Tabnabbing Check
Linos Giannopoulos has added an optional check for cases of “reverse tabnabbing”. This occurs when a page is opened in a new window/tab via a link (with
The new window can control the location of the old window through window.opener. If an attacker controls the new window, they can redirect the old window to a malicious site. This is especially useful for phishing: the tab the user left behind can be quietly replaced with a look-alike login page. These kinds of attacks are most likely on applications that allow arbitrary links to external sites.
To completely remove the ability of an attacker to control the old window, add rel: "noreferrer noopener" to the link_to call. Note: noreferrer also stops the browser from sending a Referer header to the new page, so the new window loses referrer information.
To enable this new check, use --enable ReverseTabnabbing or -A to enable all optional checks.
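As an added example (not Brakeman's check and not Rails' link_to), here is a small auditor that flags anchors opening a new window without noopener, plus a helper that emits the hardened anchor. The HTML sample is constructed; the attribute matching is a regex over rendered markup rather than the Rails call-site analysis Brakeman performs.

```ruby
# The attack, for reference (JavaScript in the attacker's new window):
#   window.opener.location = "https://attacker.example/login"
# rel="noopener" makes window.opener null in the new window;
# rel="noreferrer" does the same and also suppresses the Referer header.

# Emits the hardened anchor recommended in the post (plain string
# output; link_to in a Rails view would take rel: "noreferrer noopener").
def external_link(text, href)
  %(<a href="#{href}" target="_blank" rel="noopener noreferrer">#{text}</a>)
end

# Returns every <a ...> opening tag that targets _blank but whose rel
# attribute carries neither noopener nor noreferrer.
def reverse_tabnabbing_risks(html)
  html.scan(/<a\b[^>]*>/i).select do |tag|
    next false unless tag.match?(/\btarget\s*=\s*["']?_blank\b/i)
    rel = tag[/\brel\s*=\s*["']([^"']*)["']/i, 1].to_s.downcase.split
    !(rel.include?("noopener") || rel.include?("noreferrer"))
  end
end

# Constructed sample output of a view that links to user-supplied URLs.
SAMPLE_HTML = <<~HTML
  <a href="https://example.com/a" target="_blank">unsafe</a>
  <a href="https://example.com/b" target="_blank" rel="nofollow">still unsafe</a>
  <a href="https://example.com/c" target="_blank" rel="noopener noreferrer">safe</a>
  <a href="/internal">same tab, not affected</a>
HTML

if __FILE__ == $PROGRAM_NAME
  reverse_tabnabbing_risks(SAMPLE_HTML).each { |tag| puts "reverse tabnabbing: #{tag}" }
  puts external_link("Docs", "https://example.com/docs")
end
```

Applications that let users post arbitrary links should run a check like this over the rendered output (or use Brakeman's check over the view source) rather than rely on reviewers spotting missing rel attributes by eye.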
File Access False Positive
Tejas Bubane provided a fix to ignore use of ActiveStorage::Filename#sanitized inside file access calls.
Fixed Loofah Version
Markus Nölle corrected the “fixed” version of Loofah for CVE-2018-8048 from
Haml 5 Support
Jared Beck added a notification when Haml 5 is in use by an application. At the moment, Brakeman does not support Haml 5.x.
There appear to be only a few syntax differences between Haml 4.x and 5.x, so most users are unaffected.
Support is planned for a future release.
Initializers More Fully Supported
When Brakeman scans an application, it “indexes” all method calls of interest. Most checks then operate on those indexed calls.
However, for historical reasons, initializers (files in config/initializers/) were not included in that index.
Now they are! Besides some modest speed gains and simpler/more consistent checks, ordinary checks can now “see” initializers.
This may result in previously-unreported warnings now popping up in initializers.
Conditional Branches in Templates
Very obvious code like this:
<%= blah ? x : params[:x].html_safe %>
Was not being handled correctly and the cross-site scripting issue would not be reported. This is now fixed!
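To make the failure mode concrete, here is an added example (not Brakeman's code) that parses the Ruby inside such a template expression with the standard-library Ripper and checks each branch of a ternary or if/else on its own for params[...] wrapped in html_safe. Brakeman's real analysis tracks taint through its own Sexp representation; the Ripper walk, the helper names and the sample expressions are all assumptions of this example.

```ruby
require "ripper"

# Yields every S-expression node (arrays whose first element is a Symbol)
# in Ripper's output, depth first.
def each_node(node, &blk)
  return unless node.is_a?(Array)
  yield node if node.first.is_a?(Symbol)
  node.each { |child| each_node(child, &blk) }
end

# True if the subtree references the identifier `params`.
def mentions_params?(node)
  found = false
  each_node(node) { |n| found = true if n[0] == :@ident && n[1] == "params" }
  found
end

# Collects `.html_safe` calls whose receiver involves params.
def tainted_html_safe_calls(node)
  calls = []
  each_node(node) do |n|
    next unless n[0] == :call
    name = n.last
    next unless name.is_a?(Array) && name[0] == :@ident && name[1] == "html_safe"
    calls << n if mentions_params?(n[1])
  end
  calls
end

# Returns which branches (:then / :else) of each conditional in `code`
# would emit params straight into the page. Each branch is examined
# independently, which is exactly what was missing before the fix.
def xss_branches(code)
  sexp = Ripper.sexp(code) or return []
  hits = []
  each_node(sexp) do |n|
    next unless n[0] == :ifop || n[0] == :if   # ternary or if/else
    { then: n[2], else: n[3] }.each do |label, branch|
      hits << label unless tainted_html_safe_calls(branch).empty?
    end
  end
  hits
end

# Constructed template expressions (the Ruby between <%= and %>).
SAMPLES = {
  "blah ? x : params[:x].html_safe" => [:else],
  "blah ? params[:x].html_safe : x" => [:then],
  "blah ? x : y"                    => [],
  "blah ? h(params[:x]) : x"        => [],
}

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each_key { |code| puts "#{code.ljust(36)} -> #{xss_branches(code).inspect}" }
end
```

The point carried over to any static analyzer: a conditional is not one expression with one result, and output handling has to be evaluated for every path that can reach the template's output buffer.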
Empty Line Numbers
A change in sexp_processor causes it to raise an exception if an Sexp is assigned a
Brakeman was a bit cavalier when assigning line numbers, so this caused an issue for some users.
As a result, line numbers should be assigned a bit more consistently now.
Custom Check Warning Code
Every warning reported by Brakeman refers to an integer “warning code”. This is so the “warning type” or category can be a bit more flexible if we want to change the name or formatting.
However, this list of warning codes is hardcoded into Brakeman. The hardcoding makes it hard for users to add their own checks, because they need to either use an existing code or monkey-patch in a new one.
To help with this situation, custom checks/rules can now use the :custom_check warning code.
A tutorial on writing custom checks is in progress.
Call Matching via Regex
It is now possible to search for call targets by regular expression, although it is discouraged for performance reasons: an exact target is a direct lookup in the call index, whereas a regular expression has to be tested against every indexed call.
Brakeman now skips calls to #dup as if they aren’t there.
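As an added sketch (not Brakeman's CallIndex), the following block ties together the three indexing items above: calls from controllers and, now, config/initializers are stored once under an exact [target, method] key, find_call answers exact queries with a hash lookup but has to scan every entry when given a Regexp, and #dup calls are dropped at index time. The call records and file names are constructed sample data.

```ruby
# One indexed method call: what a scan records for later queries.
IndexedCall = Struct.new(:target, :method, :file, :line)

class CallIndex
  def initialize
    @by_key = Hash.new { |h, k| h[k] = [] }
    @all = []
  end

  # Calls to #dup are skipped at index time, so checks never see them.
  def add(call)
    return if call.method == :dup
    @all << call
    @by_key[[call.target, call.method]] << call
  end

  # Exact target and method: a single hash lookup.
  # A Regexp for either: every indexed call is tested, which is the
  # cost that makes regex matching discouraged.
  def find_call(target:, method:)
    if target.is_a?(Regexp) || method.is_a?(Regexp)
      @all.select { |c| matches?(target, c.target) && matches?(method, c.method) }
    else
      @by_key[[target, method]]
    end
  end

  def size
    @all.size
  end

  private

  def matches?(pattern, value)
    pattern.is_a?(Regexp) ? pattern.match?(value.to_s) : pattern == value
  end
end

# Constructed sample: calls a scan might collect, including one from an
# initializer that older releases would have left out of the index.
def build_sample_index
  index = CallIndex.new
  [
    IndexedCall.new(:Marshal, :load, "config/initializers/session.rb", 3),
    IndexedCall.new(:"ActiveStorage::Filename", :new, "app/models/upload.rb", 12),
    IndexedCall.new(:"ActiveStorage::Blob", :find, "app/controllers/files_controller.rb", 8),
    IndexedCall.new(:params, :dup, "app/controllers/files_controller.rb", 9),
    IndexedCall.new(nil, :system, "lib/tasks/deploy.rb", 4),
  ].each { |c| index.add(c) }
  index
end

if __FILE__ == $PROGRAM_NAME
  index = build_sample_index
  index.find_call(target: :Marshal, method: :load).each { |c| puts "#{c.file}:#{c.line} Marshal.load" }
  index.find_call(target: /\AActiveStorage::/, method: /./).each { |c| puts "#{c.file}:#{c.line} #{c.target}.#{c.method}" }
  puts "params.dup indexed? #{!index.find_call(target: :params, method: :dup).empty?}"
end
```

A custom check built on an index like this would typically ask for exact targets (Marshal.load, system) and reach for a Regexp only when the set of possible targets, such as every ActiveStorage class, cannot be enumerated up front.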
Warning#relative_path has been added back for dependencies that might need it, such as guard-brakeman.
The SHA256 sums for this release are:
Thank you to everyone who reported bugs and contributed to this release!
Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.
Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.