After the excitment yesterday with a mass assignment vulnerability being exploited in a very public manner on Github, interest in Brakeman has skyrocketed.
This lead to re-examination of Brakeman’s code for detecting that mass assignment has been globally disabled - and it turns out there was a bug or two. So here is a bug-fix release of Brakeman to correct that and some other minor issues.
Upgrading to 1.5.1 may increase the number of warnings reported.
Changes since 1.5.0:
- Fix detection of global mass assignment setting
- Fix partial rendering in Rails 3
- Show backtrace when interrupt received (Ruby 1.9 only)
- More debug output
- Internal fixes:
- Remove duplicate method in Brakeman::Rails2XSSErubis
- Add tracking of module and class to Brakeman::BaseProcessor
- Report module when using Brakeman::FindCall
Mass assignment is not a particularly new issue, but the amount of attention suddenly focused on it this weekend was amazing.
This release of Brakeman can detect three different methods for defaulting all models to a whitelist of allowed attributes that can be mass assigned.
The first is probably the most widely-seen version. In an intializer, do
The second is essentially equivalent, but 1.5.1 adds support for it as well:
module ActiveRecord class Base attr_accessible nil end end
The third option is only available for Rails 3.1.0 and newer. The following configuration setting can be added to
config.active_record.whitelist_attributes = true
Brakeman should correctly detect all of these.
This is a very nice post explaining the dangers of mass assignment (mentioning Brakeman is nice, too.)
Partials in Rails 3
In Rails 3,
render 'blah' is now equivalent to
render :partial => 'blah' when used inside a template.
Brakeman now supports this correctly.
More debugging output has been added for use with the
Additionally, when interrupting the application (for example, with
^C), a stack trace will be output. Please note, however, that this only works with Ruby 1.9.
There have been a few internal changes. There is a possibility that these will affect some warnings. However, it should only result in accurate reporting of class names.
Please report any problems on Github!