Brakeman

Ruby on Rails Static Analysis Security Tool

Brakeman 2.4.1 Released

This release only adds checks for the latest CVEs; there are no other changes.

Changes since 2.4.0:

  • Add check for CVE-2014-0080
  • Add check for CVE-2014-0081, replaces CVE-2013-6415
  • Add check for CVE-2014-0082

CVE-2014-0080

CVE-2014-0080 is a SQL injection issue that only affects applications using PostgreSQL with Rails 4.x. If Brakeman detects the pg gem and an affected version, it will warn about this CVE.

CVE-2014-0081

CVE-2014-0081 is a vulnerability in number_to_currency, number_to_percentage, and number_to_human. Values passed in as options may not be properly escaped. It affects all previous versions of Rails.

Brakeman will warn on unsafe uses of these methods. If no unsafe calls are found, it will generate a generic medium-confidence warning.

Warnings for CVE-2014-0081 replace warnings for CVE-2013-6415, which was about just number_to_currency.
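As an added illustration (not Brakeman's own source), here is a simplified Ruby version of the check described above: it flags calls to the three helpers whose options contain user-controlled input, and otherwise falls back to the generic medium-confidence warning. The sample view lines, the USER_INPUT pattern and the rails_affected: flag are constructed assumptions; Brakeman itself works on a parsed AST rather than regular expressions.

```ruby
# Added illustration, not Brakeman's own code: a simplified version of the
# CVE-2014-0081 check. Brakeman inspects a parsed AST; this toy scans raw
# source lines with regular expressions instead.

NUMBER_HELPERS = %w[number_to_currency number_to_percentage number_to_human].freeze

# Expressions treated as user-controlled input (an assumed, much smaller
# taint model than Brakeman's).
USER_INPUT = /\b(params|cookies|request\.env)\b/

# Returns one warning per line that passes a user-controlled value into the
# options hash of an affected helper.
def find_unsafe_number_helper_calls(source)
  warnings = []
  source.each_line.with_index(1) do |line, lineno|
    NUMBER_HELPERS.each do |helper|
      m = line.match(/\b#{helper}\b\s*\(?(.*)/)
      next unless m
      # The first argument is the number; everything after the first comma
      # is the options hash, which is where unescaped values end up.
      options = m[1].split(",", 2)[1].to_s
      next unless options =~ USER_INPUT
      warnings << { line: lineno, helper: helper, confidence: :high,
                    message: "#{helper} called with user-controlled options (CVE-2014-0081)" }
    end
  end
  warnings
end

# Mirrors the fallback in the release notes: with no unsafe call found, an
# affected Rails version still gets a generic medium-confidence warning.
# rails_affected: is an assumed flag standing in for Brakeman's version check.
def cve_2014_0081_warnings(source, rails_affected:)
  unsafe = find_unsafe_number_helper_calls(source)
  return unsafe unless unsafe.empty?
  return [] unless rails_affected
  [{ line: nil, helper: nil, confidence: :medium,
     message: "Rails version affected by CVE-2014-0081; upgrade or review helper calls" }]
end

# Constructed sample view (not from any real application).
SAMPLE_VIEW = <<~ERB
  <%= number_to_currency(@price) %>
  <%= number_to_currency(@price, unit: params[:unit]) %>
  <%= number_to_percentage(@ratio, precision: 2) %>
  <%= number_to_human(@count, units: cookies[:units]) %>
ERB
```

Running cve_2014_0081_warnings(SAMPLE_VIEW, rails_affected: true) reports high-confidence warnings for lines 2 and 4 only; with a clean view it returns the single medium-confidence fallback warning.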

CVE-2014-0082

CVE-2014-0082 is a potential symbol denial of service problem when handling render :text in Rails 3.x.

Brakeman will only warn about this CVE if it detects use of render :text in affected versions.

SHAs

The SHA1 sums for this release are:

e9fb5439d5a322b4a9c9611d75d994e7df83d4d2  brakeman-2.4.1.gem
b84ad90a7ec9b6e6bbce8fc69c50d1d8b3214d0f  brakeman-min-2.4.1.gem

Reporting Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter or joining the mailing list.