Changes since 1.7.1:
- Support relative paths in reports (fsword)
- Allow Brakeman to be run without a TTY (fsword)
- Fix exit code with -z --compare (fsword)
- Fix --rake option (Deepak Kumar)
- Add high confidence warnings for to_json XSS (Neil Matatall)
- Fix redirect_to false negative
- Fix duplicate warnings with raw
- Fix shadowing of rendered partials
- Add “render chain” to HTML reports
- Add check for XSS in content_tag
- Add full backtrace for errors in debug mode
- Treat model attributes in or expressions as immediate values
- Switch to method access for Sexp nodes
Relative Paths in Reports
The --relative-paths option now causes Brakeman to output relative paths for warnings in JSON and tabs reports. This is useful when comparing reports generated on different machines or from different working directories, where absolute paths would otherwise differ for the same file.
Brakeman without TTY
Thanks to fsword, Brakeman can now run without a TTY available.
Exit Code for Compare
Also thanks to fsword, Brakeman now returns a proper exit code when run with -z --compare: if the comparison finds any changes, the exit code is nonzero, so a CI job can fail on new warnings.
Rake Task Generation Fixed
The --rake option (which generates a Rake task for running Brakeman) was broken, but Deepak Kumar noticed and fixed it!
High Confidence Warnings for JSON
Older versions of Rails do not escape the output of to_json by default, so inlining it into a page (typically inside a script block) leads to cross site scripting. Since Rails 2.1.0, Rails has provided an option to escape HTML entities in JSON output (ActiveSupport.escape_html_entities_in_json, set via config.active_support.escape_html_entities_in_json in Rails 3). Brakeman now checks this option and reports unescaped to_json output in views as a high confidence warning.
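The following is an added example, not Brakeman's or Rails' code, showing the view-level problem this check targets. The to_json_html_safe helper imitates the transformation Rails applies when escape_html_entities_in_json is enabled; PAYLOAD and the script_tag view are constructed for the demonstration.

```ruby
require 'json'

# Constructed attacker-controlled value: a name containing a closing script
# tag. Inlined unescaped into a <script> block it ends the block early and
# starts a new one that the browser executes.
PAYLOAD = '</script><script>alert(document.cookie)</script>'.freeze

# Plain JSON encoding, what to_json produces when HTML entity escaping is off:
# '<', '>' and '&' are legal inside a JSON string and are left as they are.
def to_json_unescaped(obj)
  JSON.generate(obj)
end

# The same characters written as JSON \u escapes. The result is still valid
# JSON that decodes to the original string, but it can no longer close a
# <script> element. This imitates the effect of Rails'
# escape_html_entities_in_json setting; it is not Rails' own code.
JSON_HTML_ESCAPES = { '<' => '\u003c', '>' => '\u003e', '&' => '\u0026' }.freeze

def to_json_html_safe(obj)
  JSON.generate(obj).gsub(/[<>&]/) { |c| JSON_HTML_ESCAPES[c] }
end

# Stand-in for a view that inlines JSON without HTML escaping, e.g.
# <script>var user = <%= @user.to_json %>;</script> in Rails 2 or
# <%= raw @user.to_json %> in Rails 3.
def script_tag(json)
  "<script>var user = #{json};</script>"
end

# True when the page contains more than one <script opening tag, i.e. the
# data escaped from the string literal into markup.
def breaks_out?(html)
  html.scan(/<script\b/i).size > 1
end

if __FILE__ == $0
  user = { name: PAYLOAD }
  puts script_tag(to_json_unescaped(user))
  puts script_tag(to_json_html_safe(user))
end
```

Note that HTML-escaping the JSON with h() instead would break the JavaScript (quotes become &quot;); the \u-escape form is what keeps the value both parseable and inert inside a script block.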
Fix Redirect False Negative
Brakeman was accepting :only_path => true in any argument to redirect_to as a sign that the redirect was restricted to a local path. However, that option only has an effect as part of the first argument (the URL options); in the second argument (the response options) it is ignored by Rails, so such calls were wrongly treated as safe. Brakeman now only honours :only_path => true in the first argument.
Fix Duplicate Warnings on Raw Calls
A logic mistake sometimes caused both a high and a weak confidence warning to be reported for the same code using raw. This has been fixed.
Fix Shadowing of Rendered Partials
Because Brakeman stored rendered partials keyed only by template, a view that was rendered multiple times via different code paths kept only a single instance of the rendered view. Any vulnerability that existed only on one of the other code paths (for example, a partial that receives user input from one controller but a constant from another) could go unreported.
To fix this, Brakeman now stores the entire “render chain” (that is, the location of each render call along the path to the template). This gives every rendered template a unique key per code path.
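The following is an added example, not Brakeman's code, of why keying stored renders by template name alone hides findings and keying by the full render chain does not. The Render records, locals and chains are constructed sample data, and the unsafe_locals check is a string-matching stand-in for a real view check.

```ruby
# One rendered instance of a template: which template, the locals it was
# given (as source text), and the chain of render calls that reached it.
Render = Struct.new(:template, :locals, :chain)

# The same partial reached from two code paths. Only the second path feeds
# user-controlled data (params[:name]) into the partial's local.
SAMPLE_RENDERS = [
  Render.new('users/_profile', { name: '"Welcome"' },
             ['users/show', 'users/_profile']),
  Render.new('users/_profile', { name: 'params[:name]' },
             ['admin/users/edit', 'users/_profile'])
].freeze

# Pre-1.8.0 style store: one slot per template name. Whichever instance ends
# up in that slot, every other render of the same partial is shadowed.
def store_by_template(renders)
  renders.each_with_object({}) { |r, store| store[r.template] ||= r }
end

# 1.8.0 style store: one slot per render chain, so each code path keeps its
# own instance of the rendered template.
def store_by_chain(renders)
  renders.each_with_object({}) { |r, store| store[r.chain.join(' -> ')] = r }
end

# Stand-in for a view check: flag any local whose value comes straight from
# params. A real analyser inspects the parsed Sexp rather than source text.
def unsafe_locals(store)
  store.values.flat_map do |r|
    r.locals.select { |_k, v| v.start_with?('params[') }
            .map { |k, v| { template: r.template, chain: r.chain, local: k, value: v } }
  end
end

if __FILE__ == $0
  puts "by template: #{unsafe_locals(store_by_template(SAMPLE_RENDERS)).size} warning(s)"
  puts "by chain:    #{unsafe_locals(store_by_chain(SAMPLE_RENDERS)).size} warning(s)"
end
```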
Report Render Chain in HTML
HTML reports now show the “render chain” for view warnings (when the chain is more than a single render call deep), so you can see which controller action and intermediate templates led to the vulnerable view.
A warning like this:
Might expand to show this chain:
Check for XSS in content_tag
content_tag is a view helper that generates an HTML tag around some content. In Rails 2.x, content_tag did not escape that content. In Rails 3.x this changed, and the content is now escaped. content_tag does have an escape parameter (true by default), but it applies only to the tag's attribute values, not to the content, so it offers no protection against user input in the content on Rails 2.x.
Brakeman now warns on possible cross site scripting via content_tag calls. See here for more details.
Backtraces in Debug Mode
By default, Brakeman tries its best to recover from errors and still produce a report. However, this can make it difficult to track down the sources of errors. Now, with the -d (--debug) option, Brakeman reports backtraces for errors encountered while running, and includes those backtraces in HTML reports.
Convenience Methods for Sexp Access
Previously, all code dealing with s-expressions in the Sexp class accessed nodes by array index. This led to hard-to-read code like exp[1..-1], where the reader has to know the node layout to tell what is being extracted. This release adds convenience methods that name those positions, to replace such calls. Available methods are documented here.
Hopefully this leads to code that is both easier to read and easier to write.
This release touches a lot of code (76 changed files with 1,515 additions and 598 deletions), so there is ample opportunity for bugs to sneak in. Please report any issues!
Also consider joining the mailing list and following @brakeman on Twitter.