Brakeman

Ruby on Rails Static Analysis Security Tool

Brakeman 4.7.2 Released

Some minor fixes for a minor release.

Changes since 4.7.1:

  • Add request.params as query parameters (#1398)
  • Handle more permit! cases (#1426)
  • Remove version guard for named_scope vs. scope
  • Find SQL injection in String#strip_heredoc target (#1433)
  • Ensure file name is set when processing models
  • Bundle ruby_parser version 3.14.1 (#1429)

More Query Parameters

request.params has been added as a query parameters method.

More permit!

More cases of permit! will be identified, particularly when it is the target of a method call.

More Scopes

Both named_scope and scope will be handled regardless of detected Rails version.

SQL Injection with strip_heredoc

strip_heredoc is now treated as returning a string. This fixes false positives if the target is a plain string and fixes false negatives if the target has interpolation.

Model File Names

In some cases, warnings were missing file names because the file name was not being passed to the model processor.

The file name will now be passed along, and there is a new test in the test suite for file names on warnings.

Checksums

The SHA256 sums for this release are:

339d6f3707a2c0a32003536a231255b839a0b87bd6a7ebef3c82aedd1bdd3ac8  brakeman-4.7.2.gem
39ce3a5fe248dee8c78fe671441d2abbfec66cec923ee9f56c62018229d3c9b0  brakeman-lib-4.7.2.gem
efa07aa8476ef5553c91734093349a3ed55e2ef05b469d3dcecfdaabede37296  brakeman-min-4.7.2.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.

Brakeman 4.7.1 Released

This release includes a security fix in a dependency; please see below.

Changes since 4.7.0:

  • Address file permission issues in bundled ruby_parser-legacy
  • Sort text report by file and line (Jacob Evelyn)
  • Catch reverse tabnabbing with :_blank symbol (Jacob Evelyn)
  • Convert s(:lambda) to s(:call) in Sexp#block_call (#1410)
  • Check string length against limit before joining
  • Fix flaky rails4 test (Adam Kiczula)
  • Fix errors from frozen Symbol#to_s in Ruby 2.7
  • Add release dates to each version in CHANGES (TheSpartan1980)

File Permissions

A security issue was reported for the ruby_parser-legacy gem, where some files are installed with world-writable permissions. This would allow any user on the system to edit code which would then be executed by Brakeman (or other dependent libraries) when loading the ruby_parser-legacy gem.

In this release of the brakeman gem, the permissions on these files have been corrected. However, there has not been a fixed release of ruby_parser-legacy yet, so the brakeman-lib and brakeman-min gems are still affected.

Default Report Format Sorting

Warnings in the default text report are now sorted by file and line number as well as confidence and category, thanks to Jacob Evelyn.

Reverse Tabnabbing

Jacob Evelyn also updated the reverse tabnabbing check to match links created with target: :_blank.

Stabby Lambdas

ruby_parser 3.14.0 changed the AST representation of ->{} lambdas, and Brakeman needed to adjust.

String Length Limit

Brakeman now checks the resulting length of joining two strings (e.g., "blah" + "blah blah") before joining them. If the joined string would be longer than 50 characters, the strings are not joined.

Note that the only change is when the length is checked; the limit was already in place.

Flaky Test Fixed

Adam Kiczula fixed an intermittently-failing test in the Brakeman test suite that had been plaguing CI builds for a long time. Thanks!

Ruby 2.7 Frozen Strings

In Ruby 2.7, calling to_s on symbols and some other constant values (true/false, etc.) returns frozen strings. This affected Brakeman in only minor ways, but it is fixed now in preparation for Ruby 2.7.

Release Dates in Changelog

Brakeman’s changelog now includes release dates thanks to TheSpartan1980.

Checksums

The SHA256 sums for this release are:

cdc6f4c86b5b35b5e94798cf443909385aa1b79235da8e1ee1fd4381acf03691  brakeman-4.7.1.gem
2f7a7a6d79b1e5b8c6a390e04642e987c56cced2c8be3d63a1250f7bbc9e504d  brakeman-lib-4.7.1.gem
598431f6bfc90b119fc6883ead7896c1718ba5d9a0e0450893c3e628a6c8e7b0  brakeman-min-4.7.1.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.

Brakeman 4.7.0 Released

This release updates Haml support to Haml 5.x!

Changes since 4.6.1:

Haml Support Update

Haml 5 introduced a completely different “compiled” format, so adding support was a significant effort taking a few months to complete. Due to the large number of changes, you may expect some changes to warnings for Haml templates.

Please report any bugs or odd behavior with Haml templates!

Haml 3.x and 4.x are no longer supported, although in general Haml is mostly backwards-compatible.

Shell Commands

Jacob Evelyn added support for detecting command injection with -c in known-dangerous commands (such as bash or echo).

An example of dangerous code would be:

system("echo", "-c", params[:command])

Of course, not all dangerous shell commands are covered, so in general be careful passing any user-controlled input to a shell command.
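To make the shape of this check concrete, here is an added example that is not Brakeman's own code: a miniature detector built on the standard library's Ripper parser. It walks the parsed source and reports calls such as system("bash", "-c", ...) where the argument after "-c" is not a plain string literal (a params lookup, a variable, or an interpolated string). The method list, the command list, the helper names and the sample controller are all assumptions constructed for the example; Brakeman's real check covers more commands and call forms.

```ruby
require 'ripper'

# Added example, not Brakeman's code. Assumed subsets of what a real check
# would cover: methods that run programs, and commands whose "-c" argument
# is executed as a script (or, for echo, is simply a suspicious pattern).
SHELL_METHODS = %w[system exec spawn].freeze
DANGEROUS_COMMANDS = %w[bash sh echo].freeze

# Visit every array node of the Ripper S-expression, depth first.
def walk(node, &block)
  return unless node.is_a?(Array)
  block.call(node)
  node.each { |child| walk(child, &block) }
end

# Return [method_name, line] for a bare method call node, or nil otherwise.
# Ripper emits :method_add_arg/:fcall for system(...) and :command for the
# paren-less form system "sh", ....
def call_name(node)
  ident = nil
  if node[0] == :command
    ident = node[1]
  elsif node[0] == :method_add_arg && node[1].is_a?(Array) && node[1][0] == :fcall
    ident = node[1][1]
  end
  return nil unless ident.is_a?(Array) && ident[0] == :@ident
  [ident[1], ident[2][0]]
end

# Unwrap :arg_paren / :args_add_block down to the list of argument nodes.
def call_args(node)
  args = node[2]
  while args.is_a?(Array) && [:arg_paren, :args_add_block].include?(args[0])
    args = args[1]
  end
  args.is_a?(Array) ? args : []
end

# The string's text if the node is a literal with no interpolation, else nil.
def plain_string(node)
  return nil unless node.is_a?(Array) && node[0] == :string_literal
  content = node[1]
  return nil unless content.is_a?(Array) && content[0] == :string_content
  parts = content.drop(1)
  return nil unless parts.all? { |p| p.is_a?(Array) && p[0] == :@tstring_content }
  parts.map { |p| p[1] }.join
end

# Returns [{line:, method:, command:}, ...], one entry per suspicious call.
def find_shell_calls(source)
  sexp = Ripper.sexp(source)
  raise ArgumentError, "source did not parse" unless sexp
  findings = []
  walk(sexp) do |node|
    name, line = call_name(node)
    next unless name && SHELL_METHODS.include?(name)
    args = call_args(node)
    literals = args.map { |a| plain_string(a) }
    command = literals[0]
    next unless command && DANGEROUS_COMMANDS.include?(File.basename(command))
    idx = literals.index("-c")
    next unless idx && idx > 0 && args[idx + 1]   # need an argument after -c
    next if literals[idx + 1]                       # fixed script: not user input
    findings << { line: line, method: name, command: command }
  end
  findings
end

# Constructed sample controller; lines 3 and 5 are the ones to report.
SAMPLE_SOURCE = <<~'RUBY'
  class ReportsController < ApplicationController
    def run
      system("echo", "-c", params[:command])       # request parameter after -c
      system("bash", "-c", "ls -l /tmp")           # fixed script: no warning
      system "sh", "-c", "cat #{params[:file]}"    # interpolation after -c
      system("ls", "-la", params[:dir])            # no -c: not a shell script
    end
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  find_shell_calls(SAMPLE_SOURCE).each do |f|
    puts "line #{f[:line]}: #{f[:method]} runs #{f[:command]} -c with non-literal input"
  end
end
```

Running the file prints a line for the echo call on line 3 and the sh call on line 5 of the sample; the bash call with a fixed script and the ls call without -c are left alone, which is the distinction the release note draws between a literal script and user-controlled input.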

CookieSerialization Bug

Phil Turnbull fixed an issue in CheckCookieSerialization where non-symbol cookie serialization options were handled poorly.

Brakeman::Differ Refactor

Benoit Côté-Jodoin refactored Brakeman::Differ to compare warnings more efficiently and remove old fallback behavior. All warnings are compared by fingerprint now when using --compare.

Version Comparisons

Andrey Glushkov updated the code for comparing library versions so it uses Gem::Version and handles “beta”/pre-release versions better.
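As an added illustration (not Brakeman's own code) of why Gem::Version is the right tool for this comparison, the following checks an installed version against a "fixed" version the way a dependency check needs to, using the Loofah figures that appear in the 4.6.0 notes on this page (CVE-2018-8048, fixed in 2.2.1). The helper names are assumptions.

```ruby
# Added example, not Brakeman's code: version comparison with Gem::Version
# (part of RubyGems, loaded by default) instead of plain string comparison.
# Gem name and versions are the Loofah CVE-2018-8048 figures from this page;
# the helper names are assumptions.

# True when the installed version is below the version that carries the fix.
# Gem::Version orders numeric segments numerically and sorts pre-release
# versions ("2.2.1.beta1") before the corresponding release ("2.2.1").
def vulnerable_version?(installed, fixed)
  Gem::Version.new(installed) < Gem::Version.new(fixed)
end

# The same question with string comparison, kept only to show the failure
# mode: "2.10.0" < "2.2.1" is true as strings because "1" sorts before "2".
def naive_vulnerable?(installed, fixed)
  installed < fixed
end

# Gem::Requirement accepts the operator syntax used in Gemfiles and
# advisories, so a "fixed in" constraint can be stored as a string.
def satisfies?(installed, requirement)
  Gem::Requirement.new(requirement).satisfied_by?(Gem::Version.new(installed))
end

# Decide whether a Gemfile.lock entry for loofah needs a warning.
LOOFAH_FIXED = "2.2.1".freeze

def loofah_advice(installed)
  if vulnerable_version?(installed, LOOFAH_FIXED)
    "loofah #{installed} is affected by CVE-2018-8048; upgrade to #{LOOFAH_FIXED} or later"
  else
    "loofah #{installed} includes the CVE-2018-8048 fix"
  end
end

if __FILE__ == $PROGRAM_NAME
  %w[2.1.2 2.2.1.beta1 2.2.1 2.10.0].each { |v| puts loofah_advice(v) }
end
```

The two cases worth noticing are the pre-release ("2.2.1.beta1" is still below the fix) and the two-digit segment ("2.10.0" is above the fix even though a string comparison says otherwise); both are exactly the kinds of input that a float or string comparison gets wrong.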

%W Interpolation

String interpolation when using %W is no longer considered dangerous in shell commands where regular interpolation would be.

form_for

form_for is considered a safe method in XSS checks.

String.new

String.new << 'some string' is now treated like '' << 'some string'.

Checksums

The SHA256 sums for this release are:

f43d949f1de9c0bb67b7bc7d41000ac70a1fb6c2250c5e7332015f0cc5ce36c5  brakeman-4.7.0.gem
c02dbaa4ad0c7402ef99697c7b1916b7d9558dd5aa45e1a36efed117628498cc  brakeman-lib-4.7.0.gem
3ab80a47bbfbb0f869bb1289292ed62b9643b5e0884a4a79e2c7e44218ce3b07  brakeman-min-4.7.0.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.

Brakeman 4.6.1 Released

This release corrects a typo in the reverse tabnabbing warning message.

Changes since 4.6.0:

Checksums

The SHA256 sums for this release are:

6e31f8c8dbdea7b198c591d44b73aee067cca5612db191fe04d8d8c2a8eb9011  brakeman-4.6.1.gem
6879d5175e5f20bf5ac1bd20dad0ef9a1e4c72d9774114d752b19c7e7d7d69fc  brakeman-lib-4.6.1.gem
72a0ef7b91b11bea925b365645096a186ec3929024066792957006c46355560e  brakeman-min-4.6.1.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.

Brakeman 4.6.0 Released

This release has two new checks!

Changes since 4.5.1:

  • Add check for cookie serialization with Marshal (#1316)
  • Add reverse tabnabbing check (Linos Giannopoulos)
  • Avoid warning about file access with ActiveStorage::Filename#sanitized (Tejas Bubane)
  • Update loofah version for fixing CVE-2018-8048 (Markus Nölle)
  • Warn people that Haml 5 is not fully supported (Jared Beck)
  • Index calls in initializers
  • Improve template output handling in conditional branches
  • Avoid assigning nil line numbers to Sexps
  • Add special warning code for custom checks
  • Add call matching by regular expression
  • Skip calls to dup (#1374)
  • Restore Warning#relative_path
  • Better handling of gems with no version declared

Cookie Serialization with Marshal

Brakeman will now warn if Rails.application.config.action_dispatch.cookies_serializer is set to :marshal or :json.

This option allows cookies to be deserialized via Marshal. If an attacker is able to construct a valid encrypted cookie, this could lead to arbitrary code execution.

Reverse Tabnabbing Check

Linos Giannopoulos has added an optional check for cases of “reverse tabnabbing”. This occurs when a link opens in a new window/tab (with target: '_blank'): the new window can control the location of the old window, so if an attacker controls the new window, they can redirect the old window to a malicious site. This is especially useful for phishing attacks. These kinds of attacks are most likely on applications that allow arbitrary links to external sites.

To completely remove the ability of an attacker to control the old window, add rel: "noreferrer noopener" to the link_to call. Note: this will cause the new window to lose referrer information.

To enable this new check, use --enable ReverseTabnabbing or -A to enable all optional checks.

File Access False Positive

Tejas Bubane provided a fix to ignore use of ActiveStorage::Filename#sanitized inside file access calls.

Fixed Loofah Version

Markus Nölle corrected the “fixed” version of Loofah for CVE-2018-8048 from 2.1.2 to 2.2.1. Oops!

Haml 5 Support

Jared Beck added a notification when Haml 5 is in use by an application. At the moment, Brakeman does not support Haml 5.x. There appear to be only a few syntax differences between Haml 4.x and 5.x, so most users are unaffected.

Support is planned for a future release.

Initializers More Fully Supported

When Brakeman scans an application, it “indexes” all method calls of interest. Most checks then operate on those indexed calls.

However, for historical reasons, initializers (files in config/initializers/) were not included in that index.

Now they are! Besides some modest speed gains and simpler/more consistent checks, now regular old checks can “see” initializers. This may result in previously-unreported warnings now popping up in initializers.

Conditional Branches in Templates

Very obvious code like this:

<%= blah ? x : params[:x].html_safe %>

was not being handled correctly, and the cross-site scripting issue would not be reported. This is now fixed!

Empty Line Numbers

A change in sexp_processor causes it to raise an exception if an Sexp is assigned a nil line. Brakeman was a bit cavalier when assigning line numbers, so this caused an issue for some users.

As a result, line numbers should be assigned a bit more consistently now.

Custom Check Warning Code

Every warning reported by Brakeman refers to an integer “warning code”. This is so the “warning type” or category can be a bit more flexible if we want to change the name or formatting. However, this list of warning codes is hardcoded into Brakeman. The hardcoding makes it hard for users to add their own checks, because they need to either use an existing code or monkey-patch in a new one.

To help with this situation, custom checks/rules can now use the :custom_check warning code.

A tutorial on writing custom checks is in progress.

Call Matching via Regex

It is now possible to search for call targets by regular expression, although it is discouraged for performance reasons.

Dup Calls

Brakeman now skips calls to #dup as if they aren’t there.

Warning#relative_path

Warning#relative_path has been added back for dependencies that might need it, such as guard-brakeman.

Checksums

The SHA256 sums for this release are:

48be7f5a8d814ad42bbb9a2222a331e59a8ece9b50103d8e809a0bbc9d128ef9  brakeman-4.6.0.gem
ff81f5d6fb258a1b83c78ba4144163d1183bd9f31536782722617e880ff85917  brakeman-lib-4.6.0.gem
ef3ad0f59dc32630b1e39f289257cf33a882f2838f455e6009c0cb973ee1d378  brakeman-min-4.6.0.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.