Brakeman

Ruby on Rails Static Analysis Security Tool

Brakeman 2.1.1 Released

This is a small bug fix release. The only expected changes in warnings are for dangerous attributes in attr_accessible and cross site scripting involving model attributes. Some warning fingerprints may change as a result of this update.

Changes since 2.1.0:

  • More accurate results for model attribute warnings (#385)
  • Do not warn on attr_accessible using roles (#372)
  • New warning code for dangerous attributes in attr_accessible
  • Fix infinite loop when run as rake task (Matthew Shanley)
  • Use exit code zero with -z if all warnings ignored (#381)
  • Respect ignored warnings in rescans (#382)
  • Respect ignored warnings in tabs format reports
  • Ignore dynamic controller names in routes

More Accurate Model Matching

Model attributes which are reported as user input should now be reported more accurately. Instead of reporting just Model.find(1) as user input, the entire attribute access will be reported, for example Model.find(1).name.

As a side effect, several methods which were already intended to be ignored (such as count) will actually be ignored for XSS warnings.


attr_accessible Check Updates

The check for potentially dangerous attributes whitelisted in attr_accessible has been updated to ignore attributes protected by roles. Additionally, it now has its own warning code to separate it from regular mass assignment warnings.

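To make the role handling concrete, here is an added, simplified illustration (not Brakeman's own check) of how a checker can treat attr_accessible calls: flag a constructed list of sensitive attribute names, but skip any list that carries an `as:` role option, since role-scoped attributes are not assignable from ordinary user input. The attribute names and the model source below are constructed for this example, and only the unparenthesized `attr_accessible :a, :b` form is handled.

```ruby
require 'ripper'

# Constructed list of attribute names treated as dangerous for this demo.
DANGEROUS = %w[admin role banned account_id].freeze

# Walk a Ripper S-expression and yield the argument node of every
# `attr_accessible ...` command (parenthesized calls are not handled here).
def each_attr_accessible(node, &blk)
  return unless node.is_a?(Array)
  if node[0] == :command && node[1].is_a?(Array) &&
     node[1][0] == :@ident && node[1][1] == 'attr_accessible'
    blk.call(node[2])
  end
  node.each { |child| each_attr_accessible(child, &blk) }
end

# Name of a :symbol_literal node, or nil for anything else.
def symbol_name(n)
  n.is_a?(Array) && n[0] == :symbol_literal ? n[1][1][1] : nil
end

# Collect the whitelisted attribute names and whether an `as:`/`:as =>` role is given.
def parse_args(args)
  list = args[0] == :args_add_block ? args[1] : args
  attrs = []
  role = false
  list.each do |a|
    if (name = symbol_name(a))
      attrs << name
    elsif a.is_a?(Array) && a[0] == :bare_assoc_hash
      a[1].each do |assoc|
        key = assoc[1]
        key_name = key[0] == :@label ? key[1].chomp(':') : symbol_name(key)
        role = true if key_name == 'as'
      end
    end
  end
  { attrs: attrs, role: role }
end

# Return dangerous attributes from attr_accessible lists that have no role.
def dangerous_attr_accessible(source)
  tree = Ripper.sexp(source)
  return [] unless tree
  findings = []
  each_attr_accessible(tree) do |args|
    info = parse_args(args)
    next if info[:role] # role-scoped whitelist: ignored, as in 2.1.1
    findings.concat(info[:attrs] & DANGEROUS)
  end
  findings
end

# Constructed model: the first list is flagged, the role-scoped one is not.
MODEL = <<~RUBY
  class User < ActiveRecord::Base
    attr_accessible :name, :email, :admin
    attr_accessible :name, :email, :admin, :role, as: :admin
  end
RUBY
```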

Rake Task Fix

The last release included a method named load_dependency which handles calling require for optional dependencies. Unfortunately, Rails overrides require so that it calls its own method, also named load_dependency. Rails is loaded whenever any rake command runs, so when Brakeman is run as a Rake task the two names collide and cause an infinite loop between load_dependency and require.

Thanks to Matthew Shanley for reporting the issue and providing a fix.


Exit Code Fixed When Warnings Ignored

Brakeman will now return 0 when using -z and all reported warnings are ignored.


Ignore Warnings in Rescans

Ignored warnings should now be ignored during rescans (for use with guard-brakeman).


Remove Ignored Warnings in Tabs Report

Ignoring warnings should now work for those using the Jenkins plugin.


Ignore Dynamic Controller Name in Routes

Instead of completely aborting route processing when a dynamic controller name is encountered, such routes are now simply ignored.


Report Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider joining the mailing list or following @brakeman on Twitter.