This is primarily a false positive reduction release. One major change is the change in dependency from the json_pure gem to the multi_json gem.
Changes since 1.8.2:
- Change to multi_json gem for better harmony (#164)
- Performance improvement for call indexing
- Fix issue with processing HAML files (#168)
- Handle pre-release versions when processing Gemfile.lock
- Only check first argument of redirect_to
- Fix false positives from Model.arel_table
- Fix false positives on redirects to models decorated with Draper gem (#172)
- Fix false positive on redirect to model association (#111)
- Fix false positive on YAML file access
- Fix false positive XSS on any to_i output
- Fix error on Rails 2 named routes with no args
- Fix error in rescan of mixins with symbols in method name
- Do not rescan non-Ruby files in config/
Change to MultiJSON
Brakeman now depends on the multi_json gem instead of json_pure. This should make it easier for people who include Brakeman as a dependency.
Faster Call Indexing
Dumb code in the CallIndex was causing call indexing to be slow on some large applications. This should now be faster and require less memory!
Fix HAML Processing
Some HAML files were causing Brakeman's alias processing to slow to a crawl. This was due to the template code (sometimes) directly appending to the output variable via <<. Since Brakeman attempts to treat targets of << as arrays, Brakeman was generating large data structures each time << was encountered.
Handle Pre-release Versions
When a Gemfile.lock file is present in a Rails application, Brakeman uses it to determine the version of Rails in use. Previous versions did not accept pre-release version numbers (like 3.1.2.rc1), leading to version-inappropriate warnings.
Redirect False Positives
Several false positives related to redirects have been fixed, and the scope of the redirect check is somewhat reduced.
Calls beginning with Model.arel_table should no longer be treated as user input (in any context).
Model instances returned by the decorate method in the Draper gem are considered safe.
Redirects to model associations (e.g., belongs_to :account) are considered safe.
Redirects to method calls with safe values should no longer warn. For example:
redirect_to blah(User.first) #No warning
Additionally, only the first argument of redirect_to will be checked for user input.
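To make the redirect rules above concrete, here is an added toy model of them (not Brakeman's own code) that classifies a redirect_to call over a small sexp-like AST in the shape ruby_parser produces; the node layout, the user-input roots and the belongs_to :account association list are all constructed for the example.

```ruby
# Added illustration, not Brakeman's implementation: a toy model of the
# redirect false-positive rules from Brakeman 1.8.3 over a tiny sexp-like AST.
# Node shapes (constructed): [:call, target, method, *args], [:params],
# [:const, :User], [:ivar, :@user], [:lit, value], [:hash, *pairs].
USER_INPUT_ROOTS = %i[params request cookies].freeze
ASSOCIATIONS = %i[account].freeze # constructed: the model declares belongs_to :account

def call?(node, method = nil)
  node.is_a?(Array) && node[0] == :call && (method.nil? || node[2] == method)
end

# Values the release notes say are no longer treated as user input in a redirect.
def safe_value?(node)
  return false unless call?(node)
  target = node[1]
  return true if node[2] == :arel_table && target&.first == :const # Model.arel_table
  return true if node[2] == :decorate                              # Draper decorate
  # @user.account, where the (constructed) model declares the association
  return true if %i[ivar lvar].include?(target&.first) && ASSOCIATIONS.include?(node[2])
  false
end

# Does this expression ultimately originate from a request-supplied value?
# A method call whose arguments are all safe (e.g. blah(User.first)) is not user input.
def user_input?(node)
  return false unless node.is_a?(Array)
  return true if USER_INPUT_ROOTS.include?(node[0])
  return false if safe_value?(node)
  node.drop(1).any? { |child| user_input?(child) }
end

# Only the first argument of redirect_to is inspected; the rest are options
# (flash notices and the like) and are ignored, as in the 1.8.3 change.
def warn_on_redirect?(node)
  return false unless call?(node, :redirect_to)
  first_arg = node[3]
  !first_arg.nil? && user_input?(first_arg)
end
```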
YAML False Positive
File access warnings for YAML calls have been reduced to only those calls which actually access files.
Integer Output False Positives
Output from to_i should not trigger XSS warnings.
Errors on Named Routes
Rails 2 named routes with no arguments were causing errors, which have now been fixed.
Now that RubyParser 3.x is officially released, work is underway to use the new version. This will increase Ruby 1.9 syntax compatibility and remove the need to parse applications with the same Ruby version as the application uses. Additionally, it will allow us to get rid of the vendored version of RubyParser that Brakeman uses for Ruby 1.9. Unfortunately, RubyParser 3.x introduces a lot of incompatibilities and upgrading requires a significant amount of effort.
Another exciting feature in development is limited interprocedural analysis. Brakeman will be able to handle simple things like calls to helper methods in controllers which set instance variables or return user input. This should help with the “obvious” vulnerabilities that Brakeman often misses.