Brakeman - Rails Security Scanner

Static analysis security scanner for Ruby on Rails

Brakeman 4.0 Released!

This release has breaking changes!

This is the 101st official release of Brakeman! It has been seven years and one month since the first release of Brakeman. To put that into historical context, Rails 3.0 was released a few days later!

How about some more numbers?

Thank you so much to everyone who has used, contributed to, or promoted Brakeman over the past seven years!

As a token of our appreciation, we have a limited edition 2017 Brakeman sticker:


Just email [email protected] with your name and address (anywhere in the world) and we’ll send you one. While supplies last!

If you have benefited from Brakeman, please consider supporting continued development via Brakeman Pro.

Changes since 3.7.2:

  • --exit-on-warn is now the default (#852)
  • --exit-on-error is now the default (#1083)
  • “Plain” report output is now the default
  • Add simple pager for reports output to terminal
  • Remove low confidence mass assignment warnings
  • Reduce warnings about XSS in link_to
  • Treat request.cookies like cookies (#1090)
  • Treat fail/raise like early returns (#754)
  • Rename “Cross Site Scripting” to “Cross-Site Scripting” (Paul Tetreau)
  • Remove reliance on CONFIDENCE constant in checks
  • Fix --exit-on-error and --exit-on-warn in config files

Changes since 4.0.0:

  • Do not use pager when CI environment variable is set

New Default Exit Codes

--exit-on-warn and --exit-on-error are now default behavior.

If any warnings are found or errors are raised during the scan, Brakeman’s exit code will be non-zero. This may break things, in particular CI jobs or scripts that assume Brakeman will always exit with a zero status.

You may use --no-exit-on-warn and --no-exit-on-error to revert back to previous behavior and always exit with error code 0.

(changes and changes)

New Default Report Format

The “plain” report format is now the default.

To revert back to the table format, use -f tables or -o report.tables.

(changes)

Paged Output

By default, output to the terminal will be paged with less or Highline’s simple pager.

To disable, use --no-pager.

In 4.0.1 Brakeman will automatically disable the pager when the CI environment variable is set to true. This should be compatible with Travis CI, Circle CI, Codeship, and Bitbucket Pipelines.

(changes)

Fewer Mass Assignment Warnings

Low confidence mass assignment warnings have been removed in this release. Brakeman should now only warn when user input is used directly in the instantiation or update of a model.

(changes)

Fewer link_to Warnings

Warnings about XSS in link_to have confused quite a few people over the years. The danger is that links may have javascript: or data: values with XSS payloads.

Brakeman should now only warn when directly using user input or when using what looks like a URL from the database.

(changes)
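As an added example (not Brakeman's own code), here is the kind of allow-listing helper an application can wrap around a user-supplied href before passing it to link_to, so that the scheme is checked rather than relying on the scanner; it assumes only http, https and site-relative paths are wanted:

```ruby
require 'uri'

# Schemes an href built from user input may use (assumption: http/https only).
ALLOWED_SCHEMES = %w[http https].freeze

# Returns the input when it is an acceptable href for link_to, otherwise the
# fallback. The concern behind Brakeman's link_to warning is a javascript: or
# data: URL landing in href; this allow-lists by parsed scheme instead of
# trying to deny-list bad prefixes, so case tricks and new schemes are covered.
def safe_href(value, fallback: '#')
  str = value.to_s.strip
  return fallback if str.empty?

  uri = URI.parse(str)
  # Site-relative paths have no scheme and start with a single slash;
  # protocol-relative "//host/..." is rejected because it picks the host.
  return str if uri.scheme.nil? && str.start_with?('/') && !str.start_with?('//')
  # Absolute URLs must use an allowed scheme (compared case-insensitively).
  return str if uri.scheme && ALLOWED_SCHEMES.include?(uri.scheme.downcase)

  fallback
rescue URI::InvalidURIError
  # Anything the RFC 3986 parser rejects (spaces, control characters, ...)
  # is not worth guessing about.
  fallback
end

if $PROGRAM_NAME == __FILE__
  # Constructed inputs standing in for params[:url]; none are real targets.
  ['/products/1', 'https://example.com/docs', 'javascript:void(0)',
   'JavaScript:void(0)', 'data:text/html,hello', '//example.com/x'].each do |u|
    puts "#{u.inspect} -> #{safe_href(u).inspect}"
  end
end
```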

More Cookies

request.cookies will now be treated like cookies in general.

(changes)

More Early Returns

Calls to raise or fail will be treated like early returns when considering simple guard expressions.

(changes)

Cross-Site Scripting

Messages about “Cross Site Scripting” will now include a hyphen. This does not affect warning fingerprints.

(changes)

CONFIDENCE

Brakeman checks previously used the CONFIDENCE hash when creating warnings, e.g. :confidence => CONFIDENCE[:high]. Now it’s possible to use :confidence => :high instead.

For those with custom checks, the CONFIDENCE hash is still available and nothing should break.

(changes)

Checksums

The SHA256 sums for these releases are:

0038932b43dcf2bf698ad6637500f69b5e4226b10c011a4a6bcce93a77a5e045  brakeman-4.0.0.gem
3688303859a7c9b452ddcef00f00f97789ce103774446d42851a763ecbf8df87  brakeman-lib-4.0.0.gem
559196c6e41e5b180448564d9aca84fb775a39b77dd7d8d880a0ce0e77df8ae2  brakeman-min-4.0.0.gem

d93d6f8e9c2655520153fe0512b338753cc36fac56b80947f652fd33e9f80dfb  brakeman-4.0.1.gem
82ab1e51f712ad10109a4fe080f6389b28bbbef83e0ecd6c33defa90319b4bc5  brakeman-lib-4.0.1.gem
579f240cb8e5357fe5e45c09eb43f3512481f7086052337437e5c436c617da8b  brakeman-min-4.0.1.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release.

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.

If you find Brakeman valuable and want to support its development, check out Brakeman Pro.

Brakeman 3.7.1/3.7.2 Released

Just a little release. Next up: 4.0!

Changes since 3.7.1:

Changes since 3.7.0:

  • Handle simple guard with return at end of branch (#1073)
  • Add more collection methods for iteration detection
  • Modularize bin/brakeman
  • Improve multi-value Sexp error message
  • Update ruby2ruby and ruby_parser dependencies

Another Simple Guard

Brakeman will now handle when the branch in a simple guard condition ends in return.

For example:

unless [:valid, :value].include? params[:x]
  do_stuff
  more_stuff
  return
end

x.send(params[:x]) # Will no longer warn because `params[:x]` must be 'safe'

(changes)

More Collection Methods

Brakeman attempts to detect when a template is iterating over records from a database query.

This release adds a few more methods that might return a collection of records.

(changes)

Modularize Commandline

The logic in the brakeman executable has now been moved entirely to Brakeman::Commandline for easier testing and custom behavior.

(changes)

Checksums

The SHA256 sums for this release are:

9ad563247cc6a57b965e59e5bbbaefa202ce34ceb6d10e97ce500406d60cdb6e  brakeman-3.7.2.gem
5b753206f8e5937c33494edd323a9e6573e07958d9f8f5bb662b0f6085eafe19  brakeman-lib-3.7.2.gem
517a074cb92ece8a7e426ea221d63ddbcae6e3b851664083b7e73e6d7e0dd138  brakeman-min-3.7.2.gem

Brakeman 4.0 Plans

If all goes well, Brakeman 4.0 will be released on August 27th, which is also the 7th anniversary of Brakeman’s first release. It will also be the 101st release of Brakeman!

At least two major changes will be coming in Brakeman 4.0:

  • The plain report format will be the default instead of tables
  • -z or --exit-on-warn (sets exit code if any warnings are found) will be on by default

There will likely be other changes, but these two will be the most obvious.

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release.

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.

If you find Brakeman valuable and want to support its development, check out Brakeman Pro.

Brakeman 3.7.0 Released

Changes since 3.6.2:

  • Avoid interpolating hashes/arrays on failed access (#921)
  • Fix false positive for redirect_to in Rails 4 (Mário Areias)
  • Show progress indicator in interactive mode (#1012)
  • Handle simple conditional guards that use return (#1057)
  • Improve support for rails4/rails5 options in config file (#1059)
  • Updated RubyParser to master

Performance Improvement with Hash/Array Accesses

When Brakeman sees a hash or array access that it cannot resolve (i.e. can’t find the value for the key), it will no longer copy the entire hash/array value to the call site.

For some applications, this will significantly improve performance.

This may cause some warning fingerprints to change.

(changes)

Unsafe Hash in Redirects

Thanks to Mário Areias, Brakeman correctly handles to_unsafe_hash and to_unsafe_h in redirect_to.

(changes)

Progress Indicator in Interactive Mode

When using -I to manage false positives, Brakeman will now show how far you are through the warnings.


(changes)

Simple Guards with Return

Brakeman can now recognize simple guard conditions such as:

return unless [:safe, :values].include? params[:x]

(changes)

Rails Version Option in Brakeman Configuration

It is now possible to specify just :rails4: true or :rails5: true in a Brakeman configuration file.

(changes)

Updated RubyParser

The main brakeman gem bundles as-yet-unreleased changes in RubyParser. This includes “squiggly heredoc” support (<<~), improved line numbers, and a few other fixes.

Checksums

The SHA256 sums for this release are:

f46550d7c7827644a5663ccc10a6ca222e2534648f68630e3a777cb73df59824  brakeman-3.7.0.gem
0ea5359ae802284695500b92a03bf1d022574953a0da44607ff7f715f456c37e  brakeman-min-3.7.0.gem
f6f17e9f1f71a68b486d68f2b3413607fb47154a0fb6a6da23d9d7be87f37967  brakeman-lib-3.7.0.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release.

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.

If you find Brakeman valuable and want to support its development, check out Brakeman Pro.

Brakeman 3.6.2 Released

Changes since 3.6.1:

  • Remove --rake option
  • By default, do not honor additional check paths in config
  • Properly handle template names without .html or .js
  • Catch YAML parsing errors in session settings check (#1046)
  • Better handling of if expressions in HAML rendering (#1032)
  • Avoid warning about SQLi with to_s in exists? (#1045)
  • Handle safe call operator in checks (#1031)
  • Handle empty if expressions when finding return values
  • Set template file names during rendering for better errors
  • Limit Slim dependency to before 3.0.8
  • Update RubyParser to 3.9.0

Rake Option Removed

The Rake task generated by --rake has caused quite a few problems. When Rake is run with a Rails application, it loads all of the app’s dependencies, which may conflict with Brakeman’s dependencies.

It is recommended either not to use a Rake task to run Brakeman at all, or to have the task shell out to the brakeman command instead of loading Brakeman as a library.

(changes)

Check Paths in Config Files

Brakeman allows loading custom checks with --add-checks-path. To avoid silently loading arbitrary code, Brakeman will not support this option in configuration files unless explicitly enabled with --allow-check-paths-in-config.

(changes)

Templates without Format Extension

The 3.5.0 release added support for templates with a bare extension (like my_template.haml) but template names derived internally did not handle these bare extensions properly. When rendering templates, Brakeman was not able to match render names to the correct files.

(changes)

YAML Errors

When checking session settings, Brakeman parses config/secrets.yml. Sometimes this file has unsafe values or interpolated code which causes the parsing to fail. Brakeman will now only output a notice about this failure instead of an error.

(changes)

If Expressions in HAML

Typically Brakeman assumes all if branches in templates are taken and ignores the condition. This was not happening in all cases in rendered HAML templates.

(changes)

to_s False Positive with exists?

Brakeman will no longer warn about arguments calling to_s in exists?, since that is the recommended way to avoid SQL injection with that particular method.

(changes)

Better Safe Call Handling

The safe call operator &. will be handled properly in all checks instead of being ignored.

(changes)

Empty Ifs

This release fixes an issue when finding return values from methods ending in an empty if expression.

(changes)

More Template Names

Template file names will now be set when passing code to template rendering libraries, in order to produce better error messages when something goes wrong.

(changes)

Dependencies

RubyParser has been updated to 3.9.0 which resolves some issues.

(changes)

Slim is limited to <3.0.8 since the 3.0.8 gem requires Ruby 2.0.

(changes)

Checksums

The SHA256 sums for this release are:

ba89440a5e94f463ad9b6f3602e83d16313857753a5cc9b754757bd3e58e2202  brakeman-3.6.2.gem
adae09f9aa3a4d311fe2de41fee5d9b821eff600c1c05e314b3b930adb85b4d7  brakeman-min-3.6.2.gem
d3da0a86dedcee84c35a14e00b7a9d22874aed89d7d031d1fe60b68ce4ae7c7a  brakeman-lib-3.6.2.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release.

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.

If you find Brakeman valuable and want to support its development, check out Brakeman Pro.

Brakeman 3.6.1 Released

This is a small bug fix release to fix an issue when using --compare.

Changes since 3.6.0:

Error With Compare

Although comparison scans using --compare would complete successfully, an exception was being thrown afterwards.

Thanks to Anthony Lamorte for reporting and Sean Gransee for the fix!

(changes)

Checksums

The SHA256 sums for this release are:

3c10b2a9fd8b7b3baab956e6fcc2c7780768f1905433297e8dd940591f1bbb3b  brakeman-3.6.1.gem
98f6bd7531e0e3fbe273b9d185446bd28602176a392d5df8f9c52c36460afdaa  brakeman-lib-3.6.1.gem
44342c843867fce585f6fef09cd093a0544510adfeec15217efe44c6120e3192  brakeman-min-3.6.1.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release.

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.

If you find Brakeman valuable and want to support its development, check out Brakeman Pro.

Brakeman 3.6.0 Released

Changes since 3.5.0:

  • Branch inside of case expressions (#944, #972, #1002)
  • Check targetless SQL calls outside of known models
  • Fix issue with nested interpolation inside SQL strings (#1008)
  • Add --exit-on-error (Michael Grosser)
  • Only report CVE-2015-3227 when exact version is known (#933, #995)
  • Print command line option errors without modification (#1010)
  • Ignore GraphQL tags inside ERB templates
  • Avoid recursive Concerns

Case Expressions

At long last, Brakeman will now treat case expressions similarly to ifs. This includes tracking variable assignments inside of when clauses and better handling case expressions as values.

Note that at this time Brakeman does not handle nested case expressions.

(changes)

Targetless SQL Calls

Brakeman 3.5.0 broadened the check for SQL injection to calls that may not be on models (because models are often defined outside the application). However, calls with no target were still checking to see if they were called inside of model classes. This led to missing some SQL injection vulnerabilities.

(changes)

Nested SQL Interpolation

Some cases of nested string interpolation in SQL calls were generating false positives. This should be fixed now.

(changes)

Exit on Errors

Michael Grosser added the --exit-on-error option to cause Brakeman to exit with a non-zero exit code if any errors are encountered. Normally Brakeman attempts to always generate a report regardless of any errors during the scan.

(changes)

Spurious CVE Warning

Brakeman was reporting CVE-2015-3227 on any application using an unknown Rails version.

(changes)

Option Errors

In an attempt to make command line option errors prettier, Brakeman was inadvertently messing up the error messages. It will no longer do so.

(changes)

GraphQL in ERB

Brakeman will now ignore <%graphql tags in ERB templates.

(changes)

Recursive Concerns

Concerns that include themselves will no longer cause infinite loops.

(changes)

Checksums

The SHA256 sums for this release are:

c9bcc82a14359fe5f010551b1256eb1cea6848115f3429c7db74a386d6b0cf8c  brakeman-3.6.0.gem
4793a407f79970a284474db3235d355f9927e987b71e33f1ce99fac3f3c249aa  brakeman-min-3.6.0.gem
5c0a7aab7fc14d069d9dc208b653e10f71c355cb959fd144d6e8f7430c88a8e7  brakeman-lib-3.6.0.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release.

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.

If you find Brakeman valuable and want to support its development, check out Brakeman Pro.

Brakeman 3.5.0 Released

Changes since 3.4.1:

  • Warn about SQL injection even if target is not known ActiveRecord model
  • Avoid warning about models as SQL injection (#655, #680, #833)
  • Avoid warning about SQLi in all, first, or last after Rails 4.0
  • Treat templates without .html as HTML anyway (#790)
  • Report check name in JSON and plain reports (#971)
  • Add --ensure-latest option (tamgrosser / Michael Grosser)
  • Add --no-summary to hide summaries in HTML/text reports (#963)
  • Fail on invalid checks specified by -x or -t (#970)
  • Handle included block in concerns (#958)
  • Updated RubyParser/Ruby2Ruby dependencies

SQL Injection Improvements

This release includes several changes to the SQL Injection check.

First, Brakeman will no longer restrict SQL injection warnings to calls on known ActiveRecord models. While this may lead to a few false positives, there were too many reports of obvious SQL injection being missed. This reverses a decision made previously. Warnings that may involve non-models are given a lower confidence.

Next, SQL that includes calls on model targets will no longer generate warnings. There were too many false positives and no known vulnerabilities flagged by this.

Finally, Brakeman will no longer check calls to all, first, and last as they changed in Rails 4.1.

(changes)

Extensionless Templates

Templates which do not specify any extension (e.g. just .erb instead of .html.erb) will still be treated as HTML instead of being ignored.

(changes)

Check Name in Reports

The plain and JSON reports now include the name of the check that generated the warning.

(changes)

Option to Enforce Latest Brakeman

The --ensure-latest option has been added. If there is a newer version of Brakeman available, this option will cause Brakeman to exit with a non-zero exit code.

(changes)

Option to Hide Summary

When using --no-summary and either the plain or “table” output, Brakeman will only report warnings, no metadata. Probably most useful in combination with --quiet.

(changes)

Fail on Invalid Checks

When using -t or -x to control which checks are run, Brakeman will now fail if the options supplied do not match existing check names. -t None may be used to avoid running any checks.

(changes)

Handle Included Concerns

Brakeman will now handle the included block in Concerns. Additionally, to support this, Concerns are processed prior to other classes.

(changes)

Checksums

The SHA256 sums for this release are:

49fd8b3e6c1f348304bdbfc3b5d4cfbd465a5b5d4feec8337bbe3df7836787be  brakeman-3.5.0.gem
2ef50a61ca4aa1cff1f28dfe6308ea53157d996975519f5ae5c9266bf5772fb0  brakeman-min-3.5.0.gem
766c9da778e3be36ca709e637276f090514dbc0ddde5e261a1baff6da351480e  brakeman-lib-3.5.0.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release.

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter and hanging out on Gitter for questions and discussion.

Brakeman 3.4.1 Released

  • Configurable engines path (Jason Yeo)
  • Check CSRF setting in direct subclasses of ActionController::Base (Jason Yeo)
  • Pull Ruby version from .ruby-version or Gemfile
  • Use Ruby version to turn off SymbolDoS check (#928)
  • Fix ignoring link interpolation not at beginning of string (#939)
  • Show action help at start of interactive ignore (#949)
  • Avoid warning about where_values_hash in SQLi (#942)

Engine Paths Option

Thanks to the work of Jason Yeo, Brakeman now supports custom paths to Rails engines using the --add-engines-path option.

Multiple comma-separated paths may be configured. To include all subdirectories, use * (e.g. my_engines/*). Absolute paths may be used for engines outside the application.

(changes)

Expanded CSRF Check

Also thanks to Jason Yeo, any controller with ActionController::Base as a direct parent will be checked for a protect_from_forgery call.

(changes)

Ruby Version Info

Brakeman will now pull information about the Ruby version used for an application either from the Gemfile or .ruby-version. Right now this is only used for disabling (the already optional) Symbol DoS check for versions of Ruby that have symbol garbage collection.

(changes)

Link Interpolation False Positive

Brakeman’s warning about interpolating user input into URLs has always checked to see if the interpolation was at the beginning of the string. However, that check didn’t work if the first thing in the string was another interpolation. This has been fixed.

(changes)

More Help in Interactive Ignore

For clarity, “interactive ignore” mode will now display the action options before going through each warning.


(changes)

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release.

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter and hanging out on Gitter for questions and discussion.

Brakeman 3.4.0 Released

Changes since 3.3.5:

  • Show obsolete ignore entries in reports (Jonathan Cheatham)
  • Add option to prune ignore file with -I
  • Add new plain report format (#914)
  • Support creating reports in non-existent paths (#924)
  • Add --no-exit-warn (#925)
  • Improved Slim template support

Obsolete Ignore Entries

The “ignore” configuration file can sometimes grow large due to stale entries that no longer correspond to existing warnings. Thanks to Jonathan Cheatham, these obsolete entries will now be noted in the default and JSON reports.

(changes)

When using the -I option it is now possible to prune the ignore file.


(changes)

New Report Format

This release adds a new “plain text” report format. It will eventually replace the default “table” report in Brakeman 4.0.


To output in the new format, use -f plain or -o report.plain.

The color codes should be disabled automatically when outputting to a file, but --no-color can be used to turn colors off explicitly.

Feedback on the new report format is encouraged prior to the 4.0 release.

(changes)

Report Paths

If the specified output file is in a non-existent path, Brakeman will now attempt to create the path before writing out the report.

(changes)

No Exit Code on Warnings

--no-exit-warn has been added to complement --exit-warn.

(changes)

Improved Slim Support

Most users will not notice any changes, but internally Slim templates are handled a bit better.

(changes and more)

SHAs

The SHA256 sums for this release are:

0cfd4b9cb8515ed9cbd254710761bfc409c604f3351e200b22955a1c3f93f8d8  brakeman-3.4.0.gem
7d07d87aa0732465bb6f0c17279f78edcfd0b1d841ddb63a95529ba762841395  brakeman-min-3.4.0.gem
e3d61c1de5549984a0d9eb3a3a53a4ef17b1b41db1be7d504237dd05a0cfa203  brakeman-lib-3.4.0.gem

Reporting Issues

Thank you to everyone who reported bugs.

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter and hanging out on Gitter for questions and discussion.

Brakeman 3.3.4/3.3.5 Released

This is a quick release to add warnings for CVE-2016-6316 and CVE-2016-6317. There was a bug in 3.3.4 that affected debug output which has been fixed in 3.3.5.

Changes since 3.3.3:

  • Add generic warning for CVE-2016-6316
  • Warn about dangerous use of content_tag with CVE-2016-6316
  • Add warning for CVE-2016-6317
  • Use Minitest

Changes since 3.3.4:

  • Fix bug in reports when using --debug

CVE-2016-6316

Typically Rails will escape attribute values passed to tag helpers like content_tag. If the attribute has already been marked as “safe” with .html_safe or (more likely) a different escaping helper like sanitize, the tag helper will not escape the value again (that is the purpose of .html_safe). However, not all sanitizers/escape methods escape double quotes, which are dangerous inside of tag attributes. In particular, double quotes allow an attacker to close the current attribute and insert new attributes (like onmouseover) that can execute JavaScript.

Brakeman will issue a generic warning about CVE-2016-6316 for affected versions and may generate warnings for potentially dangerous calls to content_tag.

(changes)
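To make the quote problem concrete, here is an added example (not Rails or Brakeman code) of a toy attribute builder in the pre-fix shape beside a hardened one; it assumes a stand-in SafeString for html_safe marking and a constructed sanitizer that, like the ones the advisory describes, leaves double quotes alone:

```ruby
require 'erb'

# Stand-in for a string marked "safe" (assumption: mimics, not reuses,
# ActiveSupport::SafeBuffer).
class SafeString < String
  def html_safe?
    true
  end
end

# Constructed sanitizer: strips tags but does not touch double quotes, and
# returns its result marked safe, which is the combination the advisory warns about.
def quote_blind_sanitize(str)
  SafeString.new(str.to_s.gsub(/<[^>]*>/, ''))
end

def marked_safe?(value)
  value.respond_to?(:html_safe?) && value.html_safe?
end

# Pre-fix behaviour: a value already marked safe goes into the attribute verbatim,
# so a double quote inside it terminates the attribute early.
def vulnerable_tag_option(name, value)
  v = marked_safe?(value) ? value : ERB::Util.html_escape(value)
  %(#{name}="#{v}")
end

# Hardened behaviour: double quotes are escaped inside an attribute value
# whether or not the value was marked safe, so it can never close the attribute.
def hardened_tag_option(name, value)
  v = marked_safe?(value) ? value.gsub('"', '&quot;') : ERB::Util.html_escape(value)
  %(#{name}="#{v}")
end

# Counts name="..." attributes in the rendered option string: more than one
# from a single call means the value broke out of its attribute.
def attribute_count(tag_options)
  tag_options.scan(/\b[\w-]+="/).size
end

if $PROGRAM_NAME == __FILE__
  # Constructed input: a harmless extra attribute shows the break-out without
  # any script; a real payload would simply sit in place of data-injected.
  injected = 'x" data-injected="1'
  puts vulnerable_tag_option('title', quote_blind_sanitize(injected))
  puts hardened_tag_option('title', quote_blind_sanitize(injected))
end
```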

CVE-2016-6317

The JSON bug is back. Specially-crafted queries can cause parameters to be interpreted as empty hashes, which may cause unexpected behavior in SQL queries.

Brakeman will generate a generic warning for affected versions (4.2 series).

(changes)

Minitest

Unrelated, Brakeman now uses Minitest instead of test-unit.

(changes)

SHAs

The SHA256 sums for this release are:

7231e00bdb4353ee7e91e5f1e60e34cf29b5563e6f7e1e5478223e72568c493a  brakeman-3.3.5.gem
c07e282c2e1733f8d7db4a4ffefe22e7e38a62ddfd750f0866c0b49070cb61c9  brakeman-lib-3.3.5.gem
a7f8e6fa8eb4254b7ad17080180289794a02641b1f2ec362de57cfdb2f1535be  brakeman-min-3.3.5.gem

Reporting Issues

Thank you to everyone who reported bugs.

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter and hanging out on Gitter for questions and discussion.