This release introduces significant changes to how and when files are parsed, which may introduce changes in existing warnings and errors.
Changes since 2.5.0:
- Improve default route detection in Rails 3/4 (Jeff Jarmoc)
- Handle controllers and models split across files (Patrick Toomey)
- Fix handling of `protected_attributes` gem in Rails 4 (Geoffrey Hichborn)
- Add check for CVE-2014-0130
- Add `find_by`/`find_by!` to SQLi check for Rails 4
- Do not branch values for `+=`
- Parse most files upfront instead of on demand
- Fix CheckRender with nested render calls (#484)
- Fix detection of `:host` setting in redirects (#506)
- Ignore more model methods in redirects
- Update to use RubyParser 3.5.0 (Patrick Toomey)
Improved Default Route Detection
In addition to Jeff Jarmoc's research on CVE-2014-0130, he contributed much-needed improvements to detecting the use of `*action` in routes for Rails 3/4. This may result in more default route warnings than previous releases reported.
Multiple Files for Controllers and Models
Patrick Toomey contributed improvements which allow Brakeman to process controllers and models that are defined across multiple files. The changes also improve how Brakeman handles controllers and models nested inside modules. This may alter some warnings and how some files are processed. In addition, a controller or model may now be associated with multiple files instead of just one.
Protected Attributes Gem
Check for CVE-2014-0130
Besides warning about more types of default routes in this release, Brakeman will also warn about CVE-2014-0130 explicitly. If the application uses default routes, the warning will be high confidence; otherwise it will be medium confidence. Note that Brakeman categorizes this issue as "Remote Code Execution", since [Jeff Jarmoc demonstrated](http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf) that rendering arbitrary files can lead to those files being interpreted as ERB templates.
SQL Injection in Find By
Rails 4 added the `find_by` and `find_by!` methods, which simply call `where(*args).take` and are therefore vulnerable to the same issues as `where`. This release now checks these methods for SQL injection.
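To make the point concrete, the following is an added example (not Brakeman's own code) that uses Ruby's standard-library `Ripper` parser to flag `where`, `find_by` and `find_by!` calls whose arguments build SQL via string interpolation. The sample controller source is constructed for the example; `User`, `params` and the column names are placeholders.

```ruby
require "ripper"

# Model methods that hand their arguments straight to the SQL builder.
# Rails 4's find_by/find_by! are where(*args).take, so they inherit where's risk.
SQLI_SINKS = %w[where find_by find_by!].freeze

# Pre-order walk over a Ripper S-expression (nested arrays).
def each_node(sexp, &blk)
  return unless sexp.is_a?(Array)
  yield sexp
  sexp.each { |child| each_node(child, &blk) }
end

# For a call-like node return [method_name, line, args_subtree]; nil otherwise.
# Covers obj.m(args), m(args), obj.m args and m args.
def call_parts(node)
  case node[0]
  when :method_add_arg                      # obj.m(...) or m(...)
    callee = node[1]
    ident = case callee[0]
            when :call  then callee[3]
            when :fcall then callee[1]
            end
    args = node[2]
  when :command_call                        # obj.m args
    ident, args = node[3], node[4]
  when :command                             # m args
    ident, args = node[1], node[2]
  else
    return nil
  end
  return nil unless ident.is_a?(Array) && ident[0] == :@ident
  [ident[1], ident[2][0], args]
end

# True if the subtree contains a "#{...}" interpolation.
def interpolated?(sexp)
  each_node(sexp) { |n| return true if n[0] == :string_embexpr }
  false
end

# Scan Ruby source and return [[method, line], ...] for every sink call whose
# arguments build SQL through string interpolation.
def find_sqli(ruby_source)
  sexp = Ripper.sexp(ruby_source)
  raise ArgumentError, "source does not parse" if sexp.nil?
  findings = []
  each_node(sexp) do |node|
    parts = call_parts(node)
    next unless parts
    name, line, args = parts
    findings << [name, line] if SQLI_SINKS.include?(name) && interpolated?(args)
  end
  findings
end

# Constructed sample controller (hypothetical User model and params).
SAMPLE = <<~RUBY
  class UsersController < ApplicationController
    def show
      @user  = User.find_by!("name = '\#{params[:name]}'")  # interpolated: SQLi
      @admin = User.find_by(name: params[:name])            # hash conditions: safe
      @first = User.where("name = ?", params[:name]).take   # bound parameter: safe
      @other = User.where "email = '\#{params[:email]}'"    # no parens, still SQLi
    end
  end
RUBY

if __FILE__ == $0
  find_sqli(SAMPLE).each { |m, line| puts "line #{line}: #{m} called with interpolated SQL" }
end
```

This toy only looks at the call site, so a string that is interpolated on one line and passed to `where` on the next is missed; Brakeman's real check follows the assigned value to the call, which is exactly why its dataflow handling (see the `+=` change below) matters.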
No Branching for +=
Code which used `+=` heavily in combination with many branches led to very poor performance, and the information gathered from tracking the branches separately was rarely useful. Since `+=` builds up a value (as opposed to replacing it), simply ignoring branches does not lose any of the values involved: the merged value still contains every piece that any branch appended. Thus the same vulnerabilities should still be detected even though flow sensitivity is lost for `+=` assignments. For details, see the changes.
This change has improved processing on some files from over 30 minutes to under 1 second. If some files were processing slowly or had to be ignored previously, consider trying again with this release.
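The following added example (not Brakeman's implementation) illustrates the trade-off the paragraph above describes. It models a WHERE clause built up with `+=` inside a series of independent if/else branches and compares tracking every reachable value against the branch-insensitive approach of appending every fragment to one value. The query fragments and the `params[:q]` placeholder are constructed for the example.

```ruby
# Literal "#{params[:q]}" text standing in for a user-controlled value.
TAINT = '#{params[:q]}'

# Constructed sample: 12 if/else branches, each appending one of two fragments.
BRANCHES = (1..12).map do |i|
  [" AND col#{i} = '#{TAINT}'", " AND col#{i} IS NULL"]
end

# Branch-sensitive tracking: keep every reachable string. The set doubles
# with each branch, so N branches yield 2**N values.
def branch_sensitive(branches, base = "SELECT * FROM t WHERE 1=1")
  values = [base]
  branches.each do |alternatives|
    values = values.flat_map { |v| alternatives.map { |frag| v + frag } }
  end
  values
end

# Branch-insensitive tracking for +=: ignore control flow and append every
# fragment from every branch to the single tracked value.
def branch_insensitive(branches, base = "SELECT * FROM t WHERE 1=1")
  branches.flatten.reduce(base, :+)
end

# A taint check only needs to know whether user input reaches the query.
def tainted?(value)
  value.include?(TAINT)
end

# The merged value contains every fragment the precise analysis could see,
# so taint reachable in any precise value is also reachable in the merged one.
def merge_is_sound?(branches)
  merged = branch_insensitive(branches)
  all_fragments_kept = branches.flatten.all? { |frag| merged.include?(frag) }
  same_verdict = (branch_sensitive(branches).any? { |v| tainted?(v) } == tainted?(merged))
  all_fragments_kept && same_verdict
end

if __FILE__ == $0
  puts "branch-sensitive values:   #{branch_sensitive(BRANCHES).size}"
  puts "branch-insensitive values: 1"
  puts "merge keeps every fragment and the same taint verdict: #{merge_is_sound?(BRANCHES)}"
end
```

Twelve branches already produce 4096 candidate strings under the precise approach versus one under the merged approach; real controllers with dozens of such branches are where the "over 30 minutes" scans came from. The merged value is an over-approximation (it describes a query no single path builds), which is acceptable for a taint check but would not be for an analysis that had to reason about exact values.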
Parsing Files Upfront
This release changes when files are parsed. Previously, files were read and parsed as they were processed. Now most files are read and parsed near the beginning of the scan instead. This has allowed for some internal cleanup and will make future changes easier. Some bugs in how files were sorted were also fixed along the way, which may cause warnings to change.
Nested Render Calls
CheckRender had a bug when processing a `render` call which contained another call to `render`. This has been fixed.
Redirects with Chained Calls
The last release added support for checking whether a `redirect_to` argument sets the `:host` option. However, it did not work with chained calls like the one reported in #506. Now it should.
Redirects to Models
More Rails 4 methods have been added and support for chained methods has been improved to prevent false positives when redirecting to a model instance.
RubyParser 3.5.0
The RubyParser dependency has been upgraded to 3.5.0 for Ruby 2.1 support. Newer versions have some issues with newlines and line number accuracy (better for some code and worse for others), which have prevented further upgrades for the moment.
The SHA1 sums for this release are:

0aae141108d92040f3553557a31ad117ac1c2ea6 brakeman-2.6.0.gem
70c2353f31d4d04ba8d95c871062db31d5c6e981 brakeman-min-2.6.0.gem