This released was forced due to messed up dependencies with Brakeman 1.9.0 and Ruby2Ruby - my fault entirely! As such, this release does not match the roadmap for 1.9.1, which will be changed to 1.9.2.
Changes since 1.9.0:
- Add check for CVE-2012-5664 - SQL Injection
- Add check for CVE-2013-0155 - SQL Injection
- Add check for CVE-2013-0156 - Remote Code Execution
- Add check for unsafe
- Update to RubyParser 3.1.1 (neersighted)
- Remove ActiveSupport dependency (Neil Matatall)
- Do not warn on arrays passed to
link_to(Neil Matatall) (#232)
- Warn on secret tokens (#200)
- Warn on more mass assignment methods (#223)
CVE-2012-5664 - SQL Injection
CVE-2012-5664 is a vulnerability Rails’ dynamic finders. While dynamic finders (such as
User.find_by_name) appear to take a single argument, they also accept a hash options which can be used to modify the SQL query. Normally the hash of options would be the second argument, but it can also be the first. If an application passes in user code as the first argument, it will be interpreted as the options hash, leading to SQL injection.
The provided fix is to only accept the hash if the dynamic finder is called with the proper number of arguments. A workaround is to always cast input to dynamic finders.
CVE-2013-0155 - SQL Injection
CVE-2013-0155 is a SQL vulnerability where certain JSON input can cause
find methods to add
NULL as a valid value.
CVE-2013-0156 - Remote Code Execution
CVE-2013-0156 is the worst Rails vulnerability in recent memory. It allows attackers to easily execute arbitrary code on any Rails application.
Besides upgrading Rails, there are workarounds for this issue: disable XML request parsing or disable YAML/symbol types inside XML requests.
Exploits for this vulnerability are easily available and already in use in the wild. Please upgrade, patch, or use a workaround.
In light of CVE-2013-0156, Brakeman will now warn on any uses of
YAML.load with user input. Do not load arbitrary YAML in applications!
Brakeman now uses the latest RubyParser and Ruby2Ruby versions.
Thanks to Neil, Brakeman no longer depends on any version of ActiveSupport or i18n.
Namespaced URLs in
Brakeman will no longer warn on array arguments to
Secret tokens stored in source control are bad! Doubly bad if the source code is available publicly. Anyone with access to an application’s secret token can generate any session cookies they would like. See this post for details.
More Mass Assignment
Bryan Helmkamp pointed out more Rails methods which perform mass assignment. The following methods have been added:
Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.
Also consider joining the mailing list or following @brakeman on Twitter.