This release is mostly bug fixes and updates, but does include two new options.
Changes since 2.6.1:
- Add check for CVE-2014-3514
--add-checks-pathoption for external checks (Clint Gibler)
-4option to force Rails 4 mode
- Fix SQL injection detection in deep nested string building
- Check entire call for
- Check for .gitignore of secrets in subdirectories (#519)
- Avoid warning about symbolizing safe parameters (#536)
- Fix block statment endings in Erubis (#518)
- Update ruby2ruby dependency to 2.1.1
- Expand app path in one place instead of all over (Jeff Rafter)
- Fix undefined variable in controller processing error (Jason Barnabe)
Mass Assignment Bypass (CVE-2014-3514)
CVE-2014-3514 describes an issue where
create_with does not implement strong parameters, allowing mass assignment in Rails 4.x. For vulnerable versions, Brakeman warns about instances of
create_with or a generic warning if no uses are found.
External Check Option
Clint Gibler has added the
--add-checks-path option to provide an path to search for additional checks. This is useful if you wish to write your own custom rules for Brakeman to run.
Option to Force Rails 4
If the Rails version for an application cannot be determined automatically for some reason, the
-4 option will force Brakeman to treat it like a Rails 4 application.
Included with this change are some fixes when a Rails 4 app is detected but the exact version number cannot be determined. This may change the output for some scans.
SQL Injection in Nested Strings
This release fixes some SQL injection detection when there is lots of string building mixing concatenation and interpolation. These changes may also affect which value Brakeman warns about within the string.
Better Send Call Detection
Previously, Brakeman was ignored calls to
send when they were nested inside a chain of calls. This has been fixed.
Brakeman now checks subdirectories for
.gitignore files which determing if the secrets configuration is being ignored.
Symbolizing Safe Paramaters
params[:action] are quite difficult (possibly impossible) to DoS, Brakeman will not warn about symbolizing them.
Some ERB templates were not parsing correctly due to how Brakeman was handling the end of blocks. This should be resolved now.
Ruby2Ruby Dependency Updated
Brakeman now depends on the latest version of Ruby2Ruby due to the fix here.
Expand App Path Once
Jeff Rafter refactored a bunch of code which was converting the application path to an absolute path and instead moved it to one (okay, maybe two) spots. This should not affect any reports.
Error in Controller Processing
Jason Barnabe fixed an error…in the error handling when processing controllers.
The SHA1 sums for this release are
f225541559d2fbe5374d481b6105b66053f9710a brakeman-2.6.2.gem 67882d467b6a8fc6e504b6dcb9605f79a0c6a22c brakeman-min-2.6.2.gem
Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.
Also consider following @brakeman on Twitter and joining the mailing list.