Ruby on Rails Static Analysis Security Tool

Brakeman 1.7.1 Released

This is a small release that adds checks for the Rails vulnerabilities reported last week.

Changes since 1.7.0:

CVE-2012-3463 - XSS in select_tag Prompt

In Rails 3.x, the value supplied to the :prompt option of the select_tag helper is inserted into the generated <option> element without HTML escaping, so attacker-controlled prompt text leads to cross-site scripting. This is fixed in Rails 3.2.8, 3.1.8 and 3.0.17.

Brakeman will warn on all uses of select_tag with unescaped user input in the :prompt option.
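To make the shape of this check concrete, here is an added example (my own code, not Brakeman's) of a stripped-down detector written with Ruby's stdlib Ripper parser. It pulls the Ruby out of each ERB tag, finds receiver-less select_tag calls, and reports any whose :prompt value references params, cookies or request without being wrapped in h or html_escape. The sample template, the helper names and the taint and sanitizer lists are constructed for the example; Brakeman's real check also follows data through assignments and instance variables, which this does not.

```ruby
# Added example, not Brakeman's code: a toy version of the select_tag :prompt
# check built on Ruby's stdlib Ripper. Assumed taint sources and sanitizers
# are listed below; the real check tracks data flow and knows more helpers.
require "ripper"

USER_INPUT   = %w[params cookies request].freeze    # assumed taint sources
ESCAPE_CALLS = %w[h html_escape escape_once].freeze # assumed sanitizers
ERB_TAG      = /<%[=-]?\s*(.*?)\s*-?%>/

# Depth-first visit of every array node in a Ripper s-expression.
def each_node(node, &blk)
  return unless node.is_a?(Array)
  yield node
  node.each { |child| each_node(child, &blk) }
end

# Name of the method called by `foo x`, `foo(x)` or `recv.foo(x)`, else nil.
def call_name(node)
  return nil unless node.is_a?(Array)
  case node[0]
  when :command
    node[1][1] if node[1][0] == :@ident
  when :method_add_arg
    target = node[1]
    if target[0] == :fcall
      target[1][1]
    elsif target[0] == :call && target[3].is_a?(Array)
      target[3][1]
    end
  end
end

# Hash key as a plain string; handles `:prompt =>`, `prompt:` and `"prompt" =>`.
def assoc_key(key_node)
  key_node.flatten.grep(String).first.to_s.chomp(":")
end

# True if the subtree mentions one of the assumed taint sources.
def user_input?(node)
  each_node(node) { |n| return true if n[0] == :@ident && USER_INPUT.include?(n[1]) }
  false
end

# True if the value is directly wrapped in an escaping helper.
def escaped?(node)
  ESCAPE_CALLS.include?(call_name(node))
end

# Ruby fragments whose select_tag :prompt is tainted and unescaped.
# Note: assoc pairs nested inside argument calls are also inspected; that
# simplification is acceptable for a demo but not for a real check.
def risky_prompts(ruby_code)
  sexp = Ripper.sexp(ruby_code)
  return [] unless sexp # fragments such as `end` or `if x` do not parse alone
  hits = []
  each_node(sexp) do |node|
    next unless call_name(node) == "select_tag"
    each_node(node) do |n|
      next unless n[0] == :assoc_new && assoc_key(n[1]) == "prompt"
      hits << ruby_code if user_input?(n[2]) && !escaped?(n[2])
    end
  end
  hits
end

# Scan an ERB template line by line (tags are assumed not to span lines).
# Returns [[line_number, ruby_code], ...] for each risky select_tag.
def scan_erb(template)
  findings = []
  template.each_line.with_index(1) do |line, lineno|
    line.scan(ERB_TAG).flatten.each do |code|
      risky_prompts(code).each { |hit| findings << [lineno, hit] }
    end
  end
  findings
end

# Constructed sample view; only lines 2 and 4 should be reported.
SAMPLE_ERB = <<~ERB
  <%= select_tag :color, options_for_select(@colors), :prompt => "Choose a color" %>
  <%= select_tag :size, options_for_select(@sizes), :prompt => params[:prompt] %>
  <%= select_tag(:shape, options_for_select(@shapes), prompt: h(params[:prompt])) %>
  <%= select_tag :style, options_for_select(@styles), prompt: cookies[:last_prompt] %>
  <%= text_field_tag :name, params[:name] %>
ERB

if __FILE__ == $PROGRAM_NAME
  scan_erb(SAMPLE_ERB).each do |lineno, code|
    puts "line #{lineno}: unescaped user input in select_tag :prompt -> #{code}"
  end
end
```

The interesting part for a static check is the last condition: a :prompt that merely mentions params is not enough, since h(params[:prompt]) is fine. A real tool also has to decide whether a value that arrives through an instance variable or a local assignment was escaped upstream, which is where most of Brakeman's complexity lives.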

CVE-2012-3464 - Single Quotes are Unescaped

ERB::Util.html_escape, and therefore the h helper, did not escape single quotes. This has been a known issue for some time (see the example from 2008), but Rails 3.2.8 fixes it.

Single quotes are most dangerous when a value is interpolated into an HTML attribute delimited by single quotes: an unescaped ' closes the attribute and lets the attacker add further attributes, such as an event handler. This is why it is often recommended to always quote attributes with double quotes in HTML.

The advisory provides a workaround for earlier versions of Rails that replaces ERB::Util.html_escape with Rack::Utils.escape_html, which also escapes single quotes (') and forward slashes (/).

If the workaround is applied in an initializer, as the advisory suggests, Brakeman detects it and does not generate a warning for this vulnerability. Otherwise, Brakeman generates a warning for affected versions.
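Added example, not code from Rails, Rack or the advisory: the two escaping tables are reimplemented here so the difference runs without Rails or Rack installed. old_html_escape mirrors the character set the pre-3.2.8 ERB::Util.html_escape handled, full_html_escape mirrors Rack::Utils.escape_html, and the payload and the single-quoted attribute template are constructed for the demonstration. The attribute_names helper is a deliberately small tokenizer that only respects quote delimiters.

```ruby
# Added example, not Rails' or Brakeman's code. OLD_ESCAPES mirrors the
# characters ERB::Util.html_escape handled before Rails 3.2.8 (& < > " only);
# FULL_ESCAPES mirrors Rack::Utils.escape_html, which also covers ' and /.
OLD_ESCAPES  = { "&" => "&amp;", "<" => "&lt;", ">" => "&gt;", '"' => "&quot;" }.freeze
FULL_ESCAPES = OLD_ESCAPES.merge("'" => "&#x27;", "/" => "&#x2F;").freeze

# Pre-fix behaviour: single quotes pass through untouched.
def old_html_escape(value)
  value.to_s.gsub(/[&<>"]/, OLD_ESCAPES)
end

# Workaround behaviour: single quote and slash are escaped as well.
def full_html_escape(value)
  value.to_s.gsub(%r{[&<>"'/]}, FULL_ESCAPES)
end

# A template that interpolates an escaped value into a single-quoted
# attribute, the pattern in which the missing escape is exploitable.
def render_input(value, escaper)
  "<input type='text' name='q' value='#{escaper.call(value)}'>"
end

# Attribute names a browser would see: walks the tag honouring quote
# delimiters, so text inside a quoted value is not mistaken for an attribute.
def attribute_names(tag)
  tag.scan(/\s([\w-]+)=(?:'[^']*'|"[^"]*")/).flatten
end

# Constructed attacker input: closes the single-quoted value attribute and
# starts a new event-handler attribute.
PAYLOAD = "' onfocus='alert(1)"

if __FILE__ == $PROGRAM_NAME
  [["pre-3.2.8 html_escape", method(:old_html_escape)],
   ["Rack::Utils.escape_html-style", method(:full_html_escape)]].each do |label, esc|
    html = render_input(PAYLOAD, esc)
    puts "#{label}: #{html}"
    puts "  attributes: #{attribute_names(html).join(', ')}"
  end
end
```

With the old table the rendered tag gains an onfocus attribute; with the full table the whole payload stays inside the value attribute. Because the workaround changes the output of h everywhere, view tests or fixtures that compare rendered HTML will need to expect &#x27; and &#x2F; after it is applied.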

CVE-2012-3465 - XSS in strip_tags

Another vulnerability has been reported in strip_tags (the earlier one was CVE-2011-2931). Because strip_tags is used to sanitize untrusted HTML, any bypass of its tag-stripping logic lets markup through to the page.

Brakeman will warn on affected versions if uses of strip_tags are detected.

XSS in select Helper

This vulnerability was reported a while ago, but it was unclear whether it applied to Rails 2.x or only to Rails 3. Thanks to Neil Matatall, it has been confirmed to be an issue in Rails 2.x as well.

Therefore, Brakeman will now report this vulnerability (the select helper does not escape the options list when it is supplied as a plain string rather than an array) for Rails 2.x as well.

Report Issues

Please report any issues with this release!

Also consider joining the mailing list or following @brakeman on Twitter.