Brakeman 2.0 is here! While it does include a lot of updates, the “2.0” is mostly to indicate this release includes some changes which may break external tools (also, who wants a version “1.10”?). Tool maintainers are encouraged to avoid dependencies on warning messages and types (use the “warning code” instead), and to use warning fingerprints + line numbers for comparing warnings.
Lots more features are on the horizon for the 2.x family!
Changes since 1.9.5:
- Remove “timestamp” key from JSON reports
- Relative paths are used by default in JSON reports
- Fix fingerprint generation to actually use the file path
- Clean up SQL CVE warning messages
- Remove deprecated config file locations
- Add `--only-files` option to specify files/paths to scan (Ian Ehlert)
- Add Marshal/CSV deserialization check
- Combine Marshal/YAML/CSV deserialization checks into single check
- Avoid duplicate “Dangerous Send” and “Unsafe Reflection” warnings
- Avoid duplicate results for Symbol DoS check
- Medium confidence for mass assignment to
- Only treat classes with names containing
- Better handling of classes nested inside controllers
- Better handling of controller classes nested in classes/modules
- Fix `->` lambdas with no arguments (#331)
- Handle explicit block argument destructuring
- Skip Rails config options that are real objects (#324)
- Detect Rails 3 JSON escape config option
- Much better tracking of warning file names
- Fix errors when using
- Fix text report console output in JRuby (#229)
- Fix false positives on
- Fix false positives on
- Fix model path guesses to use “models/” instead of “controllers/”
- Use exceptions instead of abort in brakeman lib (#230)
- Update to Ruby2Ruby 2.0.5
JSON Report Changes
Several changes were made to JSON reports in this release. The `["scan_info"]["timestamp"]` key was removed, since it was just a duplicate of
JSON reports now default to reporting relative paths for file names in warnings, which seems to be more useful for external tools. Because of this change, the `--relative-paths` option has been removed and replaced with
The previous release had a bug where fingerprints were not really including the file name as part of the fingerprint. This has been resolved, and fingerprints should be a reliable way of tracking warnings now.
The warning messages for SQL CVEs were unnecessarily verbose, so they have been trimmed down. Of course, this shouldn’t affect anyone, because all apps have upgraded to Rails versions without reported vulnerabilities, right?
Some small changes have been made to other warning messages. Please do not rely on warning messages remaining constant. To track warnings, use the `warning_code` attribute, which will never change.
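As an added illustration of the advice above (and of the fingerprint fix noted earlier), here is a small Ruby script that compares two Brakeman JSON reports by `fingerprint` rather than by message text, so a reworded message or a shifted line number is not mistaken for a new finding. This is editor-written example code, not part of Brakeman; the two reports are constructed sample data that use only the `warnings` array and the per-warning `fingerprint`, `warning_code`, `warning_type`, `file`, `line` and `message` keys, and the fingerprint strings and warning code numbers are placeholders, not real Brakeman values.

```ruby
require "json"

# Wrap a list of warning hashes in the top-level shape of a Brakeman JSON
# report. Only the "warnings" array is modelled here (constructed data).
def sample_report(warnings)
  JSON.generate("warnings" => warnings)
end

# "Previous scan": three findings. Codes and fingerprints are placeholders.
OLD_REPORT = sample_report([
  { "warning_code" => 0, "warning_type" => "SQL Injection", "fingerprint" => "fp-a",
    "file" => "app/models/user.rb", "line" => 12,
    "message" => "Possible SQL injection near line 12" },
  { "warning_code" => 2, "warning_type" => "Cross Site Scripting", "fingerprint" => "fp-b",
    "file" => "app/views/users/show.html.erb", "line" => 3,
    "message" => "Unescaped model attribute" },
  { "warning_code" => 5, "warning_type" => "Mass Assignment", "fingerprint" => "fp-c",
    "file" => "app/controllers/users_controller.rb", "line" => 20,
    "message" => "Unprotected mass assignment" }
])

# "Current scan": fp-a moved two lines down and its message was reworded,
# fp-b is identical, fp-c is gone (fixed), and fp-d is new.
NEW_REPORT = sample_report([
  { "warning_code" => 0, "warning_type" => "SQL Injection", "fingerprint" => "fp-a",
    "file" => "app/models/user.rb", "line" => 14,
    "message" => "Possible SQL injection" },
  { "warning_code" => 2, "warning_type" => "Cross Site Scripting", "fingerprint" => "fp-b",
    "file" => "app/views/users/show.html.erb", "line" => 3,
    "message" => "Unescaped model attribute" },
  { "warning_code" => 9, "warning_type" => "Dangerous Send", "fingerprint" => "fp-d",
    "file" => "app/controllers/admin_controller.rb", "line" => 8,
    "message" => "User controlled method execution" }
])

# Index a report's warnings by fingerprint. Messages are deliberately not
# consulted: they are documented as unstable across Brakeman releases.
def index_by_fingerprint(report_json)
  JSON.parse(report_json)["warnings"].each_with_object({}) do |w, by_fp|
    by_fp[w["fingerprint"]] = w
  end
end

# Classify every fingerprint as fixed (only in old), new (only in new),
# moved (in both, different line) or same (in both, same line).
def diff_warnings(old_json, new_json)
  old_w = index_by_fingerprint(old_json)
  new_w = index_by_fingerprint(new_json)
  result = { fixed: [], new: [], moved: [], same: [] }
  old_w.each do |fp, w|
    if new_w.key?(fp)
      result[new_w[fp]["line"] == w["line"] ? :same : :moved] << fp
    else
      result[:fixed] << fp
    end
  end
  new_w.each_key { |fp| result[:new] << fp unless old_w.key?(fp) }
  result
end

if __FILE__ == $PROGRAM_NAME
  diff_warnings(OLD_REPORT, NEW_REPORT).each do |kind, fps|
    puts "#{kind}: #{fps.join(', ')}"
  end
end
```

A CI gate built on this would fail only on the `:new` list; the `:moved` entries are the case the post warns about, where a message-based comparison would report a false "new" warning after an unrelated edit shifted the code.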
Config File Default Locations
The following locations will no longer be automatically searched for Brakeman configuration files:
* `./config.yaml`
* `.brakeman/config.yaml`
* `/etc/brakeman/config.yaml`
* The Brakeman `lib/` directory
The following locations are still used:
* `./config/brakeman.yml`
* `~/.brakeman/config.yml`
* `/etc/brakeman/config.yml`
Yes, Brakeman can use configuration files. See `brakeman --help` for details.
While individual files can be exempted from a scan using `--skip-files`, the new `--only-files` option can limit scans to a set of files and directories, thanks to Ian Ehlert.
Brakeman now checks for deserialization of user input using `CSV`. The former `YAMLLoad` check has been merged into the new
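To show what this check is guarding against, here is an added Ruby example (editor-written, not Brakeman code and not from the post) that puts the vulnerable pattern next to two hardened alternatives. The `AuditEntry` class, the `restore_state_*` methods and the attacker inputs are all constructed for the demonstration; the point is that `Marshal.load` and unrestricted YAML object tags instantiate whatever class the input names, while `JSON.parse` and `YAML.safe_load` only yield plain data unless a class is explicitly permitted.

```ruby
require "json"
require "yaml"

# An ordinary application class. Any class loaded in the process can be
# instantiated by a Marshal stream or a !ruby/object YAML tag, so the attacker
# does not need a gadget in the app itself; this one just makes the effect visible.
class AuditEntry
  attr_reader :note

  def initialize(note)
    @note = note
  end
end

# Vulnerable pattern (the kind of call Brakeman's deserialization check flags):
# the bytes come straight from the request, e.g. params[:state].
def restore_state_unsafe(blob)
  Marshal.load(blob)
end

# Hardened: accept only a format that yields plain data (Hash/Array/String/
# Numeric/true/false/nil) and can never instantiate application objects.
def restore_state_safe(str)
  JSON.parse(str)
rescue JSON::ParserError
  nil
end

# Hardened YAML: safe_load refuses object tags unless explicitly permitted.
def yaml_load_safe(str, permitted_classes: [])
  YAML.safe_load(str, permitted_classes: permitted_classes)
end

# True if safe_load rejects the document because it names a class.
def yaml_rejects_object?(str)
  yaml_load_safe(str)
  false
rescue Psych::DisallowedClass
  true
end

# Constructed "attacker" inputs for the demonstration.
ATTACKER_MARSHAL = Marshal.dump(AuditEntry.new("injected"))
ATTACKER_YAML = "--- !ruby/object:AuditEntry\nnote: injected\n"

if __FILE__ == $PROGRAM_NAME
  puts "Marshal.load gave: #{restore_state_unsafe(ATTACKER_MARSHAL).inspect}"
  puts "JSON.parse gave:   #{restore_state_safe(ATTACKER_MARSHAL).inspect}"
  puts "safe_load rejects object tag: #{yaml_rejects_object?(ATTACKER_YAML)}"
end
```

In a real application, `AuditEntry` would be some class whose instance variables or `marshal_load`/`init_with` hooks do something dangerous; the fix is the same either way, which is to never hand attacker-controlled bytes to `Marshal.load` and to keep YAML on `safe_load` with an explicit allow list.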
Fewer Duplicate Warnings
A few new checks (symbol DoS, dangerous sends, and unsafe reflection) were generating a lot of duplicate warnings. This has been fixed.
Nested Classes and Controllers
Brakeman’s previous approach to nested classes was to ignore them. But it appears some people use classes as namespaces and place important classes (like controllers) inside them. This release changes how Brakeman deals with nested classes, as well as classes that inherit from `ApplicationController` but do not have `Controller` in their name. Please see the pull request for details.
Hopefully this means more accurate scans, but please report any correct warnings from earlier versions that are missing in 2.0.
“Stabby” Lambdas with No Arguments
The error `undefined method 'each' for 0:Fixnum` caused by use of `->` lambdas with zero arguments should be fixed now.
Explicit Block Argument Destructuring
Explicit block argument destructuring like this:
blah do |x, (y,z)| end
used to be ignored, but now the arguments are handled in order to keep block arguments in their proper scope.
Rails 3 Config Processing
Brakeman only cares about Rails configuration processing to check for specific settings. It converts a setting like `config.a.b.z` to a hash entry like `[:config][:a][:b][:z]`. However, if real values are found for `config.a.b` this messes things up. So for now they are ignored.
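As an added illustration of the mapping just described, here is an editor-written Ruby model of it (not Brakeman's own implementation, whose internals operate on parsed Sexps rather than plain values): dotted settings are recorded into nested hashes, a value that is a "real" object rather than a literal is skipped, and a sub-key is skipped when its parent already holds a literal, so a real value at `config.a.b` cannot corrupt a later `config.a.b.z`. The `record_setting`/`fetch_setting` names and the sample paths are assumptions for the example.

```ruby
# Values Brakeman could meaningfully compare against a known setting.
# Anything else (an object built at runtime, a middleware instance, ...)
# is treated as a "real object" and not recorded.
LITERAL_TYPES = [String, Symbol, Numeric, TrueClass, FalseClass, NilClass].freeze

def literal?(value)
  return value.all? { |v| literal?(v) } if value.is_a?(Array)
  LITERAL_TYPES.any? { |t| value.is_a?(t) }
end

# Record config.a.b.z = value as tracker[:config][:a][:b][:z] = value.
# Returns true if stored, false if the setting was skipped.
def record_setting(tracker, dotted_path, value)
  return false unless literal?(value)

  keys = dotted_path.split(".").map(&:to_sym)
  node = tracker
  keys[0..-2].each do |key|
    existing = node[key]
    # Edge case from the post: if an intermediate already holds a value
    # instead of a nested Hash, there is nowhere to hang the sub-key, so the
    # setting is skipped rather than clobbering what is already there.
    return false unless existing.nil? || existing.is_a?(Hash)
    node = (node[key] ||= {})
  end
  node[keys.last] = value
  true
end

# Look a setting up by dotted path; nil if it was never recorded or if the
# path runs into a literal before reaching its last key.
def fetch_setting(tracker, dotted_path)
  dotted_path.split(".").map(&:to_sym).reduce(tracker) do |node, key|
    return nil unless node.is_a?(Hash)
    node[key]
  end
end

if __FILE__ == $PROGRAM_NAME
  settings = {}
  # Constructed sample: a Rails 3 JSON escaping option plus the edge cases.
  record_setting(settings, "config.active_support.escape_html_entities_in_json", true)
  record_setting(settings, "config.a.b", "literal")
  record_setting(settings, "config.a.b.z", 1)        # skipped: parent holds a literal
  record_setting(settings, "config.c", Object.new)   # skipped: real object
  p settings
end
```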
Errors from Separating Models
Noah Davis fixed an error where file names were not being properly set when using the
Better File Tracking
Files associated with warnings should be more accurate now, as file information is better preserved during processing.
JRuby Console Output
Text report output to the console under JRuby has been fixed (#229).
Model#id and to_json False Positives
There should be fewer warnings generated by `to_json` calls on
Exceptions instead of Abort
A few instances of `abort` have been removed from Brakeman and replaced with exceptions. This should make it easier to use Brakeman as a library.