Brakeman

Ruby on Rails Static Analysis Security Tool

Brakeman 2.5.0 Released

This release includes a number of false positive fixes, more Rails 4 support, a new check for regular expression denial of service, and Markdown output formatting.

Changes since 2.4.3:

  • Add GitHub-flavored Markdown output format (Greg Ose)
  • Add check for regex denial of service (Ben Toews)
  • Fix false positives when sanitize is used in SQL (Jeff Yip)
  • Add String#intern and Hash#symbolize_keys DoS check (Jan Rusnacko)
  • Add support for Rails 4 before_actions and friends
  • Add support for RailsLTS 2.3.18.7 and 2.3.18.8
  • Check for protected_attributes gem (#475)
  • Fix SQLi detection in chain calls in scopes (#471)
  • Fix false positive when :host is specified in redirect (#464)
  • Check all arguments in Model.select for SQLi
  • Move SQLi CVE checks to CheckSQLCVEs
  • Handle more non-literals in routes (#461)

Markdown Output Format

Greg Ose added the option to output GitHub-flavored Markdown (-f markdown or -o report.md). Additionally, the --github-repo option links the files in the report to a specific GitHub repository.

Regex Denial of Service

A new check for dangerous interpolation in regular expressions was contributed by Ben Toews. This will generate “Denial of Service” warnings if user input is interpolated into regular expressions.

For example, this will generate a warning:

/#{params[:name]}/
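
As an added example (not Brakeman's own code), the interpolated-regex pattern the check flags beside its Regexp.escape-hardened form, followed by a deliberately simplified, line-based scanner that mimics the new check over a few constructed source lines; the helper names, USER_INPUT, DYNAMIC_REGEX and SAMPLE_SOURCE are all assumptions made here.

```ruby
# Added example, not Brakeman's own code. The helper names, USER_INPUT,
# DYNAMIC_REGEX and SAMPLE_SOURCE are constructed for illustration.

# Vulnerable: the request parameter is interpolated raw, so any regex
# metacharacters the user supplies become part of the pattern's structure.
def unsafe_name_matcher(user_input)
  /#{user_input}/
end

# Hardened: Regexp.escape turns the input into literal text, so the user
# chooses what is matched but cannot change how the pattern backtracks.
def safe_name_matcher(user_input)
  /#{Regexp.escape(user_input)}/
end

# User-controlled sources the scanner recognises (a subset of Brakeman's).
USER_INPUT = /\b(?:params|cookies|request\.env)\b/

# A regex literal containing one interpolation; captures the interpolated
# expression. Simplified, line-based stand-in for Brakeman's AST-based check.
DYNAMIC_REGEX = Regexp.new('/[^/\n]*#\{(?<interp>[^}\n]*)\}[^/\n]*/')

# Constructed Ruby source lines to scan (single-quoted, so the #{...} text
# is data here rather than live interpolation).
SAMPLE_SOURCE = [
  'def search',
  '  pattern = /#{params[:name]}/',
  '  safe = /#{Regexp.escape(params[:name])}/',
  '  version = /#{Rails.version}/',
  '  by_cookie = /^#{cookies[:prefix]}-\d+$/',
  'end'
].freeze

# Returns [line_number, stripped_line] for each regex literal that
# interpolates user input without wrapping it in Regexp.escape.
def flag_dynamic_regexes(lines)
  lines.each_with_index.filter_map do |line, idx|
    m = DYNAMIC_REGEX.match(line)
    next unless m && m[:interp] =~ USER_INPUT
    next if m[:interp].include?('Regexp.escape')
    [idx + 1, line.strip]
  end
end

if $PROGRAM_NAME == __FILE__
  flag_dynamic_regexes(SAMPLE_SOURCE).each do |num, src|
    puts "Denial of Service: user input in regex at line #{num}: #{src}"
  end
end
```

Running the file reports lines 2 and 5 of SAMPLE_SOURCE; line 3 is skipped because the input is escaped, and line 4 because Rails.version is not user input.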

Avoid Warning on Sanitized SQL

Brakeman should no longer warn about SQL values wrapped in sanitize.

More Symbol Denial of Service Methods

String#intern and Hash#symbolize_keys were added to the symbol denial of service check by Jan Rusnacko.

Rails 4 Before Actions

Rails 4 added a bunch of aliases for before_filter and related methods, and Brakeman now recognizes these methods for adding and skipping filters.

Latest RailsLTS Version

This release adds support for the latest RailsLTS 2.3.18.x versions and will not warn on CVE-2012-1099 and CVE-2014-0081 for applications using the appropriate RailsLTS versions.

Protected Attributes Gem

Brakeman now treats applications using the protected_attributes gem as if mass assignment is enabled by default and attr_accessible is necessary to protect models.

SQL Injection in Scopes

There was a bug which caused Brakeman not to warn about SQL injection in chained calls inside scope blocks. Additionally, scope calls were not being handled for Rails 4.

Hosts in Redirects

Brakeman should no longer warn about instances of redirect_to when :host is explicitly specified.

SQL Injection in All Select Arguments

Brakeman was only checking the first argument to Model.select for SQL injection, but the method can take multiple arguments. This release corrects this to check all of the arguments.

SQL Injection CVEs Moved to Separate Check

All the checks for SQL injection CVEs have been moved from CheckSQL to CheckSQLCVEs. This should only have an effect for users explicitly specifying to run or skip CheckSQL.

More Routing Fixes

More instances of non-literals in routes will be ignored instead of raising exceptions. In general, information from routes.rb is not used except to warn about default routes (unless --no-assume-routes is used).

SHAs

The SHA1 sums for this release are:

fc8a7991e9351f8d5e26a59acf54422a638f4866  brakeman-2.5.0.gem
48f974aaf40957a325ee778d3d700fd29aa526bf  brakeman-min-2.5.0.gem

Reporting Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter and joining the mailing list.