It has been a long time coming, but it is finally here! Lots of changes in this one…
Brakeman now scans (almost) all Ruby (and ERB, Haml, Slim) files in an application. This may have a significant impact on reported warnings and scan times - see below for more information.
Changes since 4.10.1:
- Scan (almost) all Ruby files in project
- Revamp CSV report to a CSV list of warnings
- Add Sonarqube report format (Adam England)
- Add check for (more) unsafe method reflection (#1488, #1507, and #1508)
- Add check for potential HTTP verb confusion (#1432)
- Treat uuid as a safe attribute
- Treat Tempfile#path as safe in shell commands
- Ignore development environment
- Set Rails configuration defaults based on config.load_defaults
- Update Ruby requirement to version 2.4.0
- Suggest using --force if no Rails application is detected
Scan Almost All Ruby Files
Since the beginning, Brakeman has been picky about what directories it searches for files.
In general, Brakeman has looked in ‘normal’ Rails directories like
This is because Rails has some default logic based on file paths - like mapping a controller action to a given view.
But if an application varied from the norm, Brakeman would simply not scan those other directories. This behavior led to a lot of confusion with folks wondering why Brakeman was not finding certain vulnerabilities.
Brakeman now attempts to deduce the contents of a file first, then falls back to the path name if necessary. This has been surprisingly effective.
However, scanning more files means Brakeman runs slower and may report more false positives because the new files are harder to reason about and less likely to be exposed as part of the attack surface.
Brakeman does ignore vendor directories. To scan the vendor directory as well, use
Please report any issues!
CSV Report Update
The CSV report format has been completely changed! Previously, it was meant as an ‘Excel-lite’ format, only really useful for viewing in a spreadsheet program.
Now it is regular CSV with normalized columns to mostly match the JSON report (except for nested fields).
Sonarqube Report Format
(And thanks Adam for your patience.)
More Unsafe Method Reflection
A new check was added for unsafe use of
HTTP Verb Confusion Check
HEAD requests are routed like GET requests, but request.get? will be false. Some code may assume that if request.get? is false, then request.post? is true:
```ruby
if request.get?
  # Do something benign
else
  # Do something sensitive because it's a POST
  # but actually it could be a HEAD :(
end
```
Brakeman will warn when an if expression checks request.get? but has an else clause instead of
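To make the HEAD-versus-GET problem concrete, here is an added example (not code from the Brakeman post or the Brakeman project). FakeRequest is a constructed stand-in for the three predicate methods of ActionDispatch::Request used here; it behaves like Rack for this purpose, where get? is true only for a literal GET. The first method is the pattern the new check warns about, the second is the verb-explicit form that sends HEAD (and any other unexpected verb) to a rejection branch instead of the sensitive one.

```ruby
# Constructed stand-in for the request predicates this example needs.
# In Rack/Rails, get? compares request_method to "GET", so a HEAD request
# answers false to get? even though it was routed to the GET action.
FakeRequest = Struct.new(:request_method) do
  def get?;  request_method == 'GET';  end
  def post?; request_method == 'POST'; end
  def head?; request_method == 'HEAD'; end
end

# The pattern Brakeman 5.0 warns about: the else branch treats "not GET"
# as "must be POST", so a HEAD request reaches the sensitive code path.
def verb_confused_action(request)
  if request.get?
    :benign
  else
    :sensitive # reached for POST *and* HEAD (and any other verb)
  end
end

# Hardened form: branch on the verb you actually intend to handle and
# reject everything else explicitly rather than by elimination.
def verb_checked_action(request)
  if request.get?
    :benign
  elsif request.post?
    :sensitive
  else
    :rejected
  end
end

if __FILE__ == $0
  %w[GET POST HEAD].each do |verb|
    req = FakeRequest.new(verb)
    puts "#{verb}: confused=#{verb_confused_action(req)} checked=#{verb_checked_action(req)}"
  end
end
```

Running the block prints one line per verb; the HEAD line is the one that differs between the two methods, which is exactly the case the new warning is meant to surface.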
UUIDs as Safe Attributes
#uuid will be treated as a safe value, particularly in SQL.
Tempfile Paths in Shell Commands
Tempfile#path will be considered a safe value for command injection.
Also adds support for Tempfiles like:
```ruby
Tempfile.open('...') do |file|
  # Brakeman knows `file` is a Tempfile
end
```
Ignore Development Environment
Brakeman will ignore code that is guarded like
```ruby
if Rails.env.development?
  # ...whatever code
end
```
This was already true for
Brakeman will treat
This was already true for
Set Rails Defaults
Brakeman will set default values for Rails configuration options based on the version argument to config.load_defaults which is usually called in
Requires Ruby 2.4.0
The minimum Ruby version for running Brakeman is now 2.4.0 (which is already EOL!)
Note Brakeman can analyze Ruby syntax from 1.8 to 2.6 (some 2.7+ syntax is not supported yet).
The SHA256 sums for this release are:
21b91f67cde4cf487df0a4dbf6e54729064c665bb0b4b370b71bac9435b63e4c brakeman-5.0.0.gem
3641c52448ca1d12423595ca1a874c1362f438cd58196825be648bb797096cb5 brakeman-lib-5.0.0.gem
50bab26fe8fcf8d962baaf5b08b7c178315b7c0e4be07d1b134e8ae00338c908 brakeman-min-5.0.0.gem
Thank you to everyone who reported bugs and contributed to this release!