Brakeman

Ruby on Rails Static Analysis Security Tool

Brakeman 2.3.0 Released

This is a small release, but adds several new warning codes for the latest Rails CVEs and a new check for uses of permit!. Also, this is the first signed gem release of Brakeman; see below for details.

Changes since 2.2.0:

  • Add check for CVE-2013-4491 (i18n XSS)
  • Add check for CVE-2013-6414 (header DoS)
  • Add check for CVE-2013-6415 (number_to_currency)
  • Add check for CVE-2013-6416 (simple_format XSS)
  • Add check for CVE-2013-6417 (query generation)
  • Add check for Parameters#permit! (#281)
  • Fix Slim XSS false positives (Noah Davis)
  • Whitelist Model#create for redirects (#406)
  • Collapse send/try calls
  • Fix scoping issues with instance variables and blocks (#406)
  • Fix typos in reflection and translate bug messages

I18n XSS

CVE-2013-4491 is a possible XSS in the i18n gem. Brakeman will warn unless the i18n gem is updated to the proper version or the workaround is used.

Header DoS

CVE-2013-6414 is a possible denial of service from special headers. Brakeman will warn unless the workaround is used.

Currency XSS

CVE-2013-6415 is an XSS in the second argument of number_to_currency. Brakeman will warn on uses of number_to_currency with dangerous unescaped arguments. If no dangerous uses are found, Brakeman will provide a general warning about the CVE.

Simple Format XSS

CVE-2013-6416 is an XSS in simple_format, which does not escape its output. Brakeman will warn on dangerous uses of simple_format. If no uses are found, it will report a general warning.

Query Generation Vulnerability

CVE-2013-6417 is the continuation of an old problem with SQL queries. The newest issue is caused by Rack middleware freezing the parameters before they can be cleaned up. Brakeman reports a general warning about this.

Check for Permit!

Brakeman now warns on uses of Parameters#permit!, which bypasses mass assignment protections. If a permit! is used without a subsequent mass assignment in the same method, the warning's confidence will be medium.

(changes)
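As an added illustration (not Brakeman's own code, which walks a parsed AST rather than raw text), here is a simplified line-based version of the permit! heuristic described above, run over a small constructed controller; the list of mass-assignment methods it looks for is an assumption of this example.

```ruby
# Simplified stand-in for the permit! check: added example, not Brakeman's
# implementation. Rule: a permit! followed by a mass assignment in the same
# method is high confidence; a permit! with no later mass assignment is medium.

# Assumed list of mass-assignment calls to look for (constructed for this example).
MASS_ASSIGNMENT = /\.(new|create!?|update_attributes!?|update!?|assign_attributes)\s*\(/

# Returns one { method:, line:, confidence: } hash per permit! call found in source.
def find_permit_bang(source)
  warnings = []
  current  = nil   # name of the method currently being scanned
  pending  = []    # permit! warnings in this method still awaiting a mass assignment

  source.each_line.with_index(1) do |line, lineno|
    if (m = line.match(/^\s*def\s+(\w+[?!=]?)/))
      current = m[1]
      pending = []   # a new method starts: earlier permit! calls stay medium
    end

    if line.include?('permit!')
      warning = { method: current, line: lineno, confidence: :medium }
      warnings << warning
      pending  << warning
    elsif line.match?(MASS_ASSIGNMENT)
      # A later mass assignment in the same method upgrades every earlier permit!.
      pending.each { |w| w[:confidence] = :high }
      pending = []
    end
  end
  warnings
end

# Constructed controller source for the demonstration (not from the release notes).
SAMPLE = <<~RUBY
  class UsersController < ApplicationController
    def create
      attrs = params.require(:user).permit!
      @user = User.create(attrs)
    end

    def preview
      @attrs = params.permit!
      render :preview
    end
  end
RUBY

find_permit_bang(SAMPLE).each do |w|
  puts "#{w[:method]} (line #{w[:line]}): permit! bypasses mass assignment protection, confidence #{w[:confidence]}"
end
```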

Slim XSS False Positives

Noah Davis provided a fix for XSS false positives in Slim templates when ActiveSupport is loaded. While Brakeman itself does not depend on ActiveSupport, it might be loaded if Brakeman is run with Bundler or as part of a Rake task.

(changes)

Whitelist Record Creation in Redirects

Redirects to Model#create and Model#create! should no longer warn.

(changes)

Collapse try/send

The effect of using try(:something) or send(:something) is essentially the same as calling something directly, so Brakeman now converts try/send calls into calls to the method being named.

For example:

User.find(1).try(:name)

is changed to

User.find(1).name

This can help find more vulnerabilities as well as prevent some false positives if the method name is actually something safe like id.

(changes)

Block Scoping

Several issues with blocks were fixed in this release. First, no calls with blocks were being processed correctly inside controllers. Secondly, instance variable assignments inside blocks were treated like local assignments. They are now treated as “method level” assignments (i.e. every method has its own “global” scope). Finally, local assignments inside blocks to existing variables were also being treated as block-local assignments.

(changes)

Warning Typos

Two tiny changes have been made to warning messages. The “translate bug” from ages ago had an extra } in the message, and the message for unsafe reflection no longer capitalizes “Reflection”. But since everyone is using warning fingerprints and not relying on matching messages, you should be okay, right?

(changes)

Signed Gems

The Brakeman gems are now signed and can be verified with this certificate.

To verify on installation:

gem cert --add <(curl -Ls https://raw.github.com/presidentbeef/brakeman/master/brakeman-public_cert.pem)
gem install brakeman -P MediumSecurity

“HighSecurity” requires all dependencies to be signed as well, which is unlikely.

Additionally, here are the SHA sums for this release:

2ae503781c51a69a1123d37d46b4813ea91f01e8  brakeman-2.3.0.gem
77d39eaf0e2663af526dcbf6e3b5bac16173fed1  brakeman-min-2.3.0.gem

Brakeman Users

We have a new page on this website listing companies which use Brakeman.

Please contact us (see bottom of page) to have your company listed!

Stickers

Brakeman stickers are still available!

Reporting Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider joining the mailing list or following @brakeman on Twitter.