Ruby on Rails Static Analysis Security Tool

Brakeman 2.2.0 Released

This is a small release, with some bug and false positive fixes alongside initial support for Rails engines and a new check for detailed exceptions.

Changes since 2.2.0:

  • Support scanning Rails engines (Geoffrey Hichborn)
  • Ignore redirects to models using friendly_id (AJ Ostrow)
  • Add check for detailed exceptions in production (#391)
  • Use Rails version from Gemfile if it is available (#398)
  • Only add routes with actual names (#395)
  • Reduce command injection false positives

Rails Engines

Geoffrey Hichborn added support for checking Rails engine paths when searching for controllers, models, and views. Please let us know if there are any issues or files missed with this change.


Redirects with Friendly ID

Thanks to AJ Ostrow, Brakeman should no longer warn on redirects to models using friendly_id.


Detailed Exceptions

Nathaniel Talbott suggested checking that detailed exceptions (treating requests as local) are not enabled in production.

Brakeman now generates a warning in a new category called “Information Disclosure” if config.consider_all_requests_local is set to true in production or a controller overrides show_detailed_exceptions? to return something other than false.

Please see the changes regarding the new category and two new warning codes associated with these warnings.
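
As an added illustration, not Brakeman's own implementation (which works on the parsed AST rather than on raw source text), here is a simplified text-level version of the check applied to constructed sample files; the sample contents and the helper name are assumptions:

```ruby
# Simplified, text-based approximation of the "Information Disclosure"
# check: flag consider_all_requests_local = true in production, and any
# show_detailed_exceptions? override whose body is not the literal false.
# Not Brakeman's code; the samples below are constructed for this example.

# Constructed production config with the weak setting.
WEAK_PRODUCTION_RB = <<~RUBY
  Rails.application.configure do
    config.consider_all_requests_local = true
  end
RUBY

# Constructed production config with the corrected setting.
SAFE_PRODUCTION_RB = <<~RUBY
  Rails.application.configure do
    config.consider_all_requests_local = false
  end
RUBY

# Constructed controller that returns something other than false
# (detailed error pages would be shown to anyone the predicate accepts).
LEAKY_CONTROLLER = <<~RUBY
  class ApplicationController < ActionController::Base
    def show_detailed_exceptions?
      current_user.try(:admin?)
    end
  end
RUBY

# Constructed controller whose override explicitly returns false.
SAFE_CONTROLLER = <<~RUBY
  class ApplicationController < ActionController::Base
    def show_detailed_exceptions?
      false
    end
  end
RUBY

# Returns an array of warning strings (empty when nothing is flagged).
def detailed_exception_warnings(production_rb, controller_src)
  warnings = []
  if production_rb =~ /consider_all_requests_local\s*=\s*true/
    warnings << "consider_all_requests_local is true in production"
  end
  override = controller_src.match(/def show_detailed_exceptions\?\s*\n(.*?)\n\s*end/m)
  if override && (body = override[1].strip) != "false"
    warnings << "show_detailed_exceptions? overridden to return #{body}"
  end
  warnings
end
```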

Better Version Detection

Brakeman now uses the Rails version found in Gemfile or Gemfile.lock to determine when to enable Rails 3/4 mode, which seems obvious in retrospect. This required swapping when the Gemfile and the configuration files are processed.


Rails 3 Routes

A small fix prevents Brakeman from raising an error when a route is a redirect or any value other than a string or symbol.


Command Injection False Positives

There should be fewer false positives for command injection when interpolated values are literals. The check also now ignores commonly used values RAILS_ROOT, Rails.env, and Rails.root.

Additionally, reported “dangerous” values (user_input in JSON reports) for command injection are more specific. For example:

system "rm -rf #{some_var}"

used to report the entire string "rm -rf #{some_var}" as dangerous, even though it’s really warning about the interpolation of some_var. Now Brakeman will report the first potentially dangerous interpolated value. Note that this does not change fingerprints for existing warnings.


Reporting Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider joining the mailing list or following @brakeman on Twitter.


The SHA-1 for the Brakeman 2.2.0 gem is:

f3a2b369bda79c677a913cdb2350cbda8bce8a90  brakeman-2.2.0.gem