A release was forced today because two new Rails vulnerabilities were reported (the first since November):
- Manual options are not escaped in select()
- Some operations on SafeBuffer mistakenly return strings marked as html_safe
This release includes checks for these two vulnerabilities.
There is also a new check for skipping CSRF token verification, and some other changes which may result in fewer or more vulnerabilities being reported.
Changes since 1.4.0:
- Add version check for SafeBuffer vulnerability
- Add check for select vulnerability in Rails 3
- select() is no longer considered safe in Rails 2
- Add check for skipping CSRF protection with a blacklist
- Add JSON report format
- Model#id should not be considered XSS
- Standardize methods to check for SQL injection
- Fix Rails 2 route parsing issue with nested routes
Check for SafeBuffer Vulnerability
A new vulnerability was reported that affects strings which are marked as html_safe and then modified in some way. For some operations, the new, modified string will still be marked as html_safe. Full details here.
For this vulnerability, Brakeman only does a version check and reports if an application is using a vulnerable version of Rails. It only reports on Rails 3 applications, since Rails 3 introduced the concept of SafeBuffers.
Check for select Helper Vulnerability
Another vulnerability was reported today in the select form helper. Option tags built by hand (interpolating values into <option></option>) will not be escaped by select. Full details here.
For Rails 3 applications, Brakeman checks for uses of select which have user input in the options argument. This check may be refined in the future.
For Rails 2, Brakeman no longer considers select a safe method when checking for cross site scripting.
Check for CSRF Filter Skipping
When cross site request forgery protection is enabled, a before_filter called verify_authenticity_token is added. This filter checks that actions responding to a POST have a correct authenticity token from the client. Since this is a regular before_filter, it can be skipped using skip_before_filter. If skip_before_filter is called using an :except option, then the default for the controller becomes NOT checking for an authenticity token:
skip_before_filter :verify_authenticity_token, :except => [:create, :delete]
It is recommended to use :only if skipping this filter is actually necessary. This way, any new actions added later will automatically fall under the CSRF protection.
This check may be extended in the future to other important filters.
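As an added illustration (not Brakeman's own code), the following Ruby scans controller source for skips of verify_authenticity_token and separates the blacklist form (:except, which leaves every other action, including future ones, unprotected) from the whitelist form (:only). The two controller snippets are constructed for the example; matching skip_before_action as well as skip_before_filter is an assumption that goes slightly beyond the page, which only discusses the Rails 2/3 filter name.

```ruby
# Matches the skip call and captures everything after the filter name as options.
# skip_before_action is the Rails 4+ spelling (assumption; the page only covers skip_before_filter).
SKIP_RE = /skip_before_(?:filter|action)\s+:verify_authenticity_token\b(?<opts>.*)$/

# Returns one hash per skip found: { line:, option:, actions: }.
# option is :except (blacklist), :only (whitelist) or :none (skipped for every action).
def find_csrf_skips(source)
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    m = SKIP_RE.match(line)
    next unless m
    opts = m[:opts]
    option = if opts =~ /\bexcept\b/ then :except
             elsif opts =~ /\bonly\b/ then :only
             else :none
             end
    # Collect the action symbols listed in the option, dropping the option keys themselves
    # (covers both :except => [...] and except: [...] syntax).
    actions = opts.scan(/:([a-z_]+)/).flatten.map(&:to_sym) - [:except, :only]
    findings << { line: lineno, option: option, actions: actions }
  end
  findings
end

# Only the blacklist form is worth reporting: every action not named keeps running
# without a token check, and any action added later is silently unprotected too.
def blacklist_skips(source)
  find_csrf_skips(source).select { |f| f[:option] == :except }
end

# Constructed sample controllers for the example.
VULNERABLE_CONTROLLER = <<~RUBY
  class CommentsController < ApplicationController
    # Every action other than create/delete now runs with no token check
    skip_before_filter :verify_authenticity_token, :except => [:create, :delete]
  end
RUBY

SAFER_CONTROLLER = <<~RUBY
  class WebhooksController < ApplicationController
    # Only the callback is exempt; new actions stay protected
    skip_before_filter :verify_authenticity_token, :only => [:callback]
  end
RUBY

if __FILE__ == $0
  blacklist_skips(VULNERABLE_CONTROLLER).each do |f|
    puts "line #{f[:line]}: CSRF check skipped with :except #{f[:actions].inspect}; prefer :only"
  end
  puts "no blacklist skips in safer controller" if blacklist_skips(SAFER_CONTROLLER).empty?
end
```

The scan is line based and only looks at the literal call, so it does not follow skips inherited from a parent controller or built from a variable; a real tool such as Brakeman works on the parsed AST for that reason.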
JSON Report Format
While the code for outputting JSON was in the 1.4.0 release, it was not actually added as a proper output format! This has been rectified.
-f json or -o report.json will now produce JSON reports.
The information contained in these reports may change in the future, although that should only be adding more information.
The code for finding SQL methods to check for SQL injection was a little messed up: depending on how the method was called, different sets of methods were considered dangerous.
This has been changed for better consistency and coverage. This means reports may include new SQL injections, so keep an eye out.
Rails 2 Route Parsing Fix
There was a bug in the code which determined if a method was being called on map, which caused Brakeman to think strange methods were route definitions (for example, require). This has been fixed.
Always report problems encountered when running Brakeman.