Brakeman

Ruby on Rails Static Analysis Security Tool

Brakeman 2.6.0 Released

This release introduces significant changes to how and when files are parsed, which may introduce changes in existing warnings and errors.

Changes since 2.5.0:

  • Improve default route detection in Rails 3/4 (Jeff Jarmoc)
  • Handle controllers and models split across files (Patrick Toomey)
  • Fix handling of protected_attributes gem in Rails 4 (Geoffrey Hichborn)
  • Add check for CVE-2014-0130
  • Add find_by/find_by! to SQLi check for Rails 4
  • Do not branch values for +=
  • Parse most files upfront instead of on demand
  • Fix CheckRender with nested render calls (#484)
  • Fix detection of :host setting in redirects (#506)
  • Ignore more model methods in redirects
  • Update to use RubyParser 3.5.0 (Patrick Toomey)

Improved Default Route Detection

In addition to Jeff Jarmoc’s awesome research on CVE-2014-0130, he contributed much-needed improvements to detecting use of :action and *action in routes for Rails 3/4. This may result in more default routes warnings.

(changes)

Multiple Files for Controllers and Models

Patrick Toomey contributed improvements which allow Brakeman to process controllers and models which may be defined in multiple files. The changes also improve how Brakeman handles controllers and models inside modules. This may alter some warnings and how some files are processed. Also, controllers and models may be associated with multiple files instead of just one.

(changes here and here)

Protected Attributes Gem

Thanks to Geoffrey Hichborn, Brakeman will now treat Rails 4 apps which use the protected_attributes gem like a Rails 3 app in regards to mass assignment.

(changes)

Check for CVE-2014-0130

Besides warning about more types of default routes in this release, Brakeman will also warn about CVE-2014-0130 explicitly. If the application uses default routes, the warning will be high confidence, otherwise medium. Note Brakeman will categorize this issue as “Remote Code Execution”, since [Jeff Jarmoc demonstrated](http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf) rendering arbitrary files can lead to interpreting those files as ERB.

(changes)

SQL Injection in Find By

Rails 4 added the find_by/find_by! methods, which just call where(*args).take and are therefore vulnerable to the same issues as where. This release now checks these methods for SQL injection as well.

(changes)
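To show what the find_by/find_by! check is looking for, here is an added example that is not Brakeman's own code (Brakeman uses RubyParser, not Ripper): a simplified scanner built on Ruby's standard-library Ripper that flags where/find_by/find_by! calls whose first argument is an interpolated string, run over a constructed sample action. The SAMPLE source and the find_sqli helper are assumptions for this example.

```ruby
require 'ripper'

# Rails 4's find_by/find_by! just call where(*args).take, so check them like where.
SQL_METHODS = %w[where find_by find_by!].freeze

# Unwrap Ripper's argument containers and return the first positional argument.
def first_argument(args)
  args = args[1] if args.is_a?(Array) && args[0] == :arg_paren
  args = args[1] if args.is_a?(Array) && args[0] == :args_add_block
  args.is_a?(Array) ? args.first : nil
end

# Record a finding when a SQL-taking method receives an interpolated string.
def check_call(ident, args, findings)
  return unless ident.is_a?(Array) && ident[0] == :@ident && SQL_METHODS.include?(ident[1])
  arg = first_argument(args)
  # A string literal containing #{...} means the SQL fragment is assembled at runtime.
  return unless arg.is_a?(Array) && arg[0] == :string_literal && arg.flatten.include?(:string_embexpr)
  findings << { method: ident[1], line: ident[2][0] }
end

# Depth-first walk over Ripper's S-expression, matching the call shapes it emits.
def walk(node, findings)
  return unless node.is_a?(Array)
  case node[0]
  when :method_add_arg                      # recv.meth(args) / meth(args)
    call, args = node[1], node[2]
    check_call(call[0] == :fcall ? call[1] : call[3], args, findings) if call.is_a?(Array)
  when :command_call                        # recv.meth args
    check_call(node[3], node[4], findings)
  end
  node.each { |child| walk(child, findings) }
end

# Scan Ruby source text; returns one {method:, line:} hash per suspicious call.
def find_sqli(source)
  sexp = Ripper.sexp(source) or raise ArgumentError, 'source does not parse'
  [].tap { |findings| walk(sexp, findings) }
end

# Constructed sample action: lines 2 and 5 build SQL from params, lines 3 and 4 do not.
SAMPLE = <<~'RUBY'
  def show
    @user  = User.find_by("name = '#{params[:name]}'")
    @admin = User.find_by!("role = ?", params[:role])
    @other = User.find_by(email: params[:email])
    @rows  = User.where("id = #{params[:id]}")
  end
RUBY
```

Running find_sqli(SAMPLE) reports the find_by call on line 2 and the where call on line 5; the parameterized find_by! and the hash-condition find_by are left alone, which is the distinction the real check draws.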

No Branching for +=

Code which used += heavily in combination with many branches led to very poor performance. The resulting information from the branches was rarely useful. However, since += is building up a value (as opposed to replacing it), simply ignoring branches does not lose any of the values involved. Thus, the same vulnerabilities should still be detectable even when losing flow sensitivity for += assignments. For details, see the changes.

This change has improved processing on some files from over 30 minutes to under 1 second. If some files were processing slowly or had to be ignored previously, consider trying again with this release.

(changes)

Parsing Files Upfront

This release changes when files are parsed. Previously, files were read and parsed as they were processed. Now most files are read and parsed near the beginning of the scan instead. This has allowed for some internal cleanup and easier future changes. However, some bugs were fixed regarding sorting files which may cause warnings to change.

(changes)

Nested Renders

CheckRender had a bug when processing a render call which contained another call to render. This has been fixed.

(changes)

Redirects with Chained Calls

The last release added support for checking if a redirect_to argument was setting the :host option. However, it did not work with chained calls like the one reported here. Now it should.

(changes)

Redirects to Models

More Rails 4 methods have been added and support for chained methods has been improved to prevent false positives when redirecting to a model instance.

(changes)

RubyParser Upgrade

The RubyParser dependency has been upgraded to 3.5.0 for Ruby 2.1 support. There are some issues with newlines and line number accuracy in newer versions (it is better for some code and worse for others) which have prevented further upgrades for the moment.

(changes)

SHAs

The SHA1 sums for this release are

0aae141108d92040f3553557a31ad117ac1c2ea6  brakeman-2.6.0.gem
70c2353f31d4d04ba8d95c871062db31d5c6e981  brakeman-min-2.6.0.gem

Reporting Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter and joining the mailing list.