Brakeman

Ruby on Rails Static Analysis Security Tool

Brakeman 3.0.1 Released

This is a small release, but may change some fingerprints of warnings in libraries. Also, the Slim dependency has been removed due to conflicts. See below for details.

  • Remove Slim dependency (Casey West)
  • Properly process libraries (Patrick Toomey)
  • Add --add-libs-path for additional libraries (Patrick Toomey)
  • Allow for controllers/models/templates in directories under app/ (Neal Harris)
  • Avoid protect_from_forgery warning unless ApplicationController inherits from ActionController::Base (#573)
  • Properly format command interpolation (again)

Slim Gem Dependency Removed

Since Rails 4.2 requires Slim 3.0.1 and Slim 3.0 dropped support for Ruby 1.8.7, there is no way to satisfy the Slim and Rails 4.2 dependencies while retaining support for Ruby 1.8.7 when Brakeman is added as a dependency in a Gemfile.

The only acceptable solution is to not include Slim as a dependency at all and let users sort it out for themselves. Sorry for the unfortunate situation, but there is no way to add Brakeman to a Gemfile and avoid Bundler attempting to resolve Brakeman’s dependencies against the application’s dependencies, despite there being no relation.

Thanks to Casey West for working through solutions for this issue.


Library Processing

Libraries were added to the call index (which meant they were scanned during checks) in the 3.0.0 release, but they were still not being processed like most other code. This led to some checks not finding issues they should have. Patrick Toomey pointed this out and contributed a fix.

This change may affect existing warning fingerprints for warnings in libraries. Apologies for the inconvenience.


Allow Additional Library Paths

Patrick Toomey also added a new option --add-libs-path to treat more paths as if they were in lib/.
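As an added example (not part of Brakeman itself), the script below lists directories that hold library code outside the top-level lib/ (engines, components and the like) and builds the matching --add-libs-path argument. It assumes, as the Brakeman option does, a comma-separated list of application-relative paths; the application layout is constructed in a temporary directory so the script runs anywhere.

```ruby
# Added example, not part of Brakeman: find directories named "lib" outside
# the top-level lib/ and build the --add-libs-path argument for them.
# Assumption: --add-libs-path takes comma-separated, app-relative paths.
require 'tmpdir'
require 'fileutils'

# Directories named "lib" below app_root, relative to app_root,
# excluding lib/ itself (Brakeman already scans it) and anything under vendor/.
def extra_lib_dirs(app_root)
  prefix = %r{\A#{Regexp.escape(app_root)}/?}
  Dir.glob(File.join(app_root, '**', 'lib'))
     .select { |path| File.directory?(path) }
     .map { |path| path.sub(prefix, '') }
     .reject { |rel| rel == 'lib' || rel.start_with?('vendor/') }
     .sort
end

# Command line that makes Brakeman treat the extra paths like lib/.
def brakeman_command(app_root)
  dirs = extra_lib_dirs(app_root)
  dirs.empty? ? 'brakeman' : "brakeman --add-libs-path #{dirs.join(',')}"
end

# Build a constructed application layout in a temp dir and return its root.
def demo_layout
  root = Dir.mktmpdir('brakeman_demo')
  %w[lib engines/billing/lib components/search/lib vendor/bundle/gems/foo/lib].each do |dir|
    FileUtils.mkdir_p(File.join(root, dir))
  end
  root
end

if __FILE__ == $0
  root = demo_layout
  puts extra_lib_dirs(root).inspect
  puts brakeman_command(root)
end
```

Run it from the application root in practice by replacing `demo_layout` with `Dir.pwd`; the vendor/ exclusion keeps bundled gems out of the scan.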


Scan Application Subdirectories

Neal Harris contributed a change to support applications with multiple applications under app/, such as app/cool_team/controllers/.


Avoid CSRF Warning for APIs

Brakeman will no longer warn about missing protect_from_forgery if ApplicationController does not inherit from ActionController::Base.
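To make the new rule concrete, here is an added example (not Brakeman's own check) that applies the same decision to constructed controller source: warn only when ApplicationController inherits from ActionController::Base and never calls protect_from_forgery, and stay silent for an API-style base class. The ActionController::API sample is an assumed layout, not taken from any real application.

```ruby
# Added example, not Brakeman's own check: a minimal stand-in for the
# protect_from_forgery warning described above, run over controller source text.

APP_CONTROLLER_RE = /class\s+ApplicationController\s*<\s*([\w:]+)/

# Classify a controller file's source.
#   :skip -> not ApplicationController, or not an ActionController::Base subclass
#   :ok   -> ActionController::Base subclass that calls protect_from_forgery
#   :warn -> ActionController::Base subclass without protect_from_forgery
def csrf_check(source)
  match = source.match(APP_CONTROLLER_RE)
  return :skip unless match
  return :skip unless match[1] == 'ActionController::Base'
  # Require the call at the start of a line so a commented-out call does not count.
  source =~ /^\s*protect_from_forgery\b/ ? :ok : :warn
end

# Constructed samples (not from any real application).
HTML_APP_WITH_CSRF = <<-RUBY
class ApplicationController < ActionController::Base
  protect_from_forgery with: :exception
end
RUBY

HTML_APP_NO_CSRF = <<-RUBY
class ApplicationController < ActionController::Base
end
RUBY

# Assumed API-style base class (e.g. the rails-api gem in the Rails 4.2 era).
API_APP = <<-RUBY
class ApplicationController < ActionController::API
end
RUBY

if __FILE__ == $0
  { 'HTML app with CSRF protection' => HTML_APP_WITH_CSRF,
    'HTML app without it'           => HTML_APP_NO_CSRF,
    'API app'                       => API_APP }.each do |label, src|
    puts "#{label}: #{csrf_check(src)}"
  end
end
```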


Command Interpolation Format Fix

The previous release had an incomplete fix for this. There should be no impact to warning fingerprints.


Reporting Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter and joining the mailing list.