Ruby on Rails Static Analysis Security Tool

Brakeman 2.5.0 Released

This release includes a number of false positive fixes, more Rails 4 support, a new check for regular expression denial of service, and Markdown output formatting.

Changes since 2.4.3:

  • Add GitHub-flavored Markdown output format (Greg Ose)
  • Add check for regex denial of service (Ben Toews)
  • Fix false positives when sanitize is used in SQL (Jeff Yip)
  • Add String#intern and Hash#symbolize_keys DoS check (Jan Rusnacko)
  • Add support for Rails 4 before_actions and friends
  • Add support for RailsLTS and
  • Check for protected_attributes gem (#475)
  • Fix SQLi detection in chain calls in scopes (#471)
  • Fix false positive when :host is specified in redirect (#464)
  • Check all arguments in for SQLi
  • Move SQLi CVE checks to CheckSQLCVEs
  • Handle more non-literals in routes (#461)

Markdown Output Format

Greg Ose added the option to output to GitHub-flavored markdown (-f markdown or -o Additionally, the --github-repo option can be used to link the files in the report to a specific GitHub repository. See here for details.


Regex Denial of Service

A new check for dangerous interpolation in regular expressions was contributed by Ben Toews. This will generate “Denial of Service” warnings if user input is interpolated into regular expressions.

For example, this will generate a warning:



Avoid Warning on Sanitized SQL

Brakeman should no longer warn about SQL values wrapped in sanitize.


More Symbol Denial of Service Methods

String#intern and Hash#symbolize_key were added to the symbol denial of service check by Jan Rusnacko.


Rails 4 Before Actions

Rails 4 added a bunch of aliases for before_filter and related methods, and Brakeman now recognizes these methods for adding and skipping filters.


Latest RailsLTS Version

This release adds support for the latest RailsLTS 2.3.18.x versions and will not warn on CVE-2012-1099 and CVE-2014-0081 for applications using the appropriate RailsLTS versions.


Protected Attributes Gem

Brakeman now treats applications using the protected_attributes gem as if mass assignment is enabled by default and attr_accessible is necessary to protect models.


SQL Injection in Scopes

There was a bug which caused Brakeman not warn about SQL injection in chained calls inside scope blocks (example here). Additionally, scope calls were not being handled for Rails 4.


Hosts in Redirects

Brakeman should no longer warn about instances of redirect_to when :host is explicitly specified.


SQL Injection in All Select Arguments

Brakeman was only checking the first argument to for SQL injection, but the method can take multiple arguments. This release corrects this to check all of the arguments.


SQL Injection CVEs Moved to Separate Check

All the checks for SQL injection CVEs have been moved from CheckSQL to CheckSQLCVEs. This should only have an effect for users explicitly specifying to run or skip CheckSQL.


More Routing Fixes

More instances of non-literals in routes will be ignored instead of raising exceptions. In general, information from routes.rb is not used except to warn about default routes (unless --no-assume-routes is used).



The SHA1 sums for this release are

fc8a7991e9351f8d5e26a59acf54422a638f4866  brakeman-2.5.0.gem
48f974aaf40957a325ee778d3d700fd29aa526bf  brakeman-min-2.5.0.gem

Reporting Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter and joining the mailing list.