Changes since 2.2.0:
- Support scanning Rails engines (Geoffrey Hichborn)
- Ignore redirects to models using friendly_id (AJ Ostrow)
- Add check for detailed exceptions in production (#391)
- Use Rails version from Gemfile if it is available (#398)
- Only add routes with actual names (#395)
- Reduce command injection false positives
This is a small release, with some bug and false positive fixes alongside initial support for Rails engines and a new check for detailed exceptions.
Rails Engines
Geoffrey Hichborn added support for checking Rails engines paths when searching for controllers, models, and views. Please let us know if there are any issues or files missed with this change.
Redirects with Friendly ID
Thanks to AJ Ostrow, Brakeman should no longer warn on redirects to models using friendly_id.
Detailed Exceptions
Nathaniel Talbott suggested checking that detailed exceptions (treating requests as local) are not enabled in production.
Brakeman now generates a warning in a new category called “Information Disclosure” if config.consider_all_requests_local is set to true in production or a controller overrides show_detailed_exceptions? to return something other than false.
Please see the changes regarding the new category and two new warning codes associated with these warnings.
Better Version Detection
Brakeman now uses the Rails version found in Gemfile or Gemfile.lock to determine when to enable Rails 3/4 mode, which seems obvious in retrospect. This required swapping the order in which the Gemfile and the configuration files are processed.
Rails 3 Routes
A small fix prevents Brakeman from raising an error when a route is a redirect or any value other than a string or symbol.
Command Injection False Positives
There should be fewer false positives for command injection when interpolated values are literals. The check also now ignores the commonly used values RAILS_ROOT, Rails.env, and Rails.root.
Additionally, reported “dangerous” values (user_input in JSON reports) for command injection are more specific. For example, system "rm -rf #{some_var}" used to report the entire string "rm -rf #{some_var}" as dangerous, even though it’s really warning about the interpolation of some_var. Now Brakeman will report the first potentially dangerous interpolated value. Note that this does not change fingerprints for existing warnings.
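To illustrate what the more specific reporting picks out, here is an added Ruby example (not Brakeman's own code): it scans the body of a command string for #{...} interpolations and returns the first one that is neither a literal nor one of the ignored values RAILS_ROOT, Rails.env and Rails.root. The brace-matching scanner and the literal pattern are simplified stand-ins for Brakeman's real AST-based analysis.

```ruby
# Values the command injection check now ignores when interpolated.
SAFE_INTERPOLATIONS = %w[RAILS_ROOT Rails.env Rails.root].freeze

# A Ruby literal: integer, float, symbol, or a string with no interpolation.
# Simplified stand-in for the literal test in the real check.
LITERAL = /\A(?:-?\d+(?:\.\d+)?|:\w+|"[^"#]*"|'[^']*')\z/

# Return the source text of each #{...} in a string literal's body.
# Braces are counted so nested blocks or hashes do not end an expression early.
def interpolations(string_body)
  found = []
  i = 0
  while (start = string_body.index('#{', i))
    depth = 0
    j = start + 1
    while j < string_body.length
      depth += 1 if string_body[j] == '{'
      depth -= 1 if string_body[j] == '}'
      break if depth.zero?
      j += 1
    end
    found << string_body[(start + 2)...j].strip
    i = j + 1
  end
  found
end

# Mimic the refined user_input reporting: the first interpolated value that is
# neither a literal nor a known-safe value, or nil when nothing is dangerous.
def first_dangerous_interpolation(string_body)
  interpolations(string_body).find do |expr|
    !(LITERAL.match?(expr) || SAFE_INTERPOLATIONS.include?(expr))
  end
end

# Constructed sample: the string passed to system in the post's example.
puts first_dangerous_interpolation('rm -rf #{some_var}') # => some_var
```

A command built only from literals and the ignored values yields nil, which is the false positive the release removes.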
Reporting Issues
Thank you to everyone who reported bugs and contributed to this release!
Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.
Hang out on GitHub for questions and discussion.