Ruby on Rails Static Analysis Security Tool

Brakeman 3.0.3 Released

This is mostly a bug fix release, but it does introduce a new warning code for Rails 4 applications whose protect_from_forgery is not set to raise exceptions.

Changes since 3.0.2:

  • Warn about protect_from_forgery without exceptions (Neil Matatall)
  • Add Rake task to exit with error code on warnings (masarakki)
  • Ignore quoted_table_name in SQL (Gabriel Sobhrinho)
  • Ignore more Arel methods in SQL (#604)
  • Warn about RCE and file access with open
  • Handle Array#include? guard conditionals (#604)
  • Handle lambdas as filters
  • Do not ignore targets of to_s in SQL (#638)

New CSRF Warning

Neil Matatall has added a warning for Rails 4 applications that do not pass the with: :exception option to protect_from_forgery. Rails 4's default strategy, :null_session, clears out the session but still processes the request, and this behavior has led to vulnerabilities in applications whose actions do not depend on the session. GitHub recently awarded a bug bounty for a vulnerability caused by this behavior.
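To make the difference concrete, here is an added example (not Rails or Brakeman code) that models the two strategies: a request whose authenticity token does not match is either rejected outright (:exception) or run with an emptied session (:null_session). The request hashes, the token comparison and the SUBSCRIBE action are all constructed for this illustration; real Rails masks the token in the form and compares it in ActionController::RequestForgeryProtection, which this model does not reproduce.

```ruby
# Added example, not Rails or Brakeman code: a model of the two
# protect_from_forgery strategies, to show why :null_session still runs
# the action for a forged request.

class InvalidAuthenticityToken < StandardError; end

# Constant-time string comparison (same idea as ActiveSupport::SecurityUtils).
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Runs `action` for a request of the form { session: {...}, params: {...} }
# under one of the two strategies. This stands in for the Rails
# verify_authenticity_token before_action; it is not the Rails implementation.
def verified_request(request, strategy, &action)
  token_ok = secure_compare(request[:params].fetch("authenticity_token", ""),
                            request[:session].fetch("_csrf_token", ""))
  unless token_ok
    case strategy
    when :exception      # protect_from_forgery with: :exception
      raise InvalidAuthenticityToken, "token mismatch"
    when :null_session   # Rails 4 default: session emptied, request continues
      request = request.merge(session: {})
    else
      raise ArgumentError, "unknown strategy #{strategy.inspect}"
    end
  end
  action.call(request)
end

# A constructed action that acts on params alone, e.g. "subscribe this
# address to the newsletter". It needs nothing from the session, so a null
# session does not stop it.
SUBSCRIBE = lambda do |req|
  { subscribed: req[:params]["email"], acting_user: req[:session]["user_id"] }
end

# Constructed requests: the victim's session plus a cross-site form that
# cannot know the real token.
def forged_request
  { session: { "_csrf_token" => "s3cret-token", "user_id" => 42 },
    params:  { "authenticity_token" => "guess", "email" => "attacker@example.com" } }
end

def genuine_request
  { session: { "_csrf_token" => "s3cret-token", "user_id" => 42 },
    params:  { "authenticity_token" => "s3cret-token", "email" => "user@example.com" } }
end

if __FILE__ == $0
  p verified_request(forged_request, :null_session, &SUBSCRIBE)  # still subscribes
  begin
    verified_request(forged_request, :exception, &SUBSCRIBE)
  rescue InvalidAuthenticityToken => e
    puts "rejected: #{e.message}"
  end
end
```

The point Brakeman's new warning makes: with :null_session the attacker's request reaches the action and the subscription happens, only with acting_user nil; with :exception it never reaches the action.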


Additional Rake Task

Masarakki added a Rake task that exits with an error code if any warnings are found (the equivalent of brakeman -z on the command line). The task can be run with rake brakeman:check.

However, please note that running Brakeman through Rake is discouraged, since it loads the entire Rails application, which is unnecessary and may cause conflicts with Brakeman's dependencies.


Reduce SQL Injection False Positives

A patch from Gabriel Sobhrinho removes warnings about quoted_table_name in SQL queries.


An additional change was made to ignore more Arel methods nested inside of other queries. This should reduce many of the false positives seen with combining Arel and ActiveRecord queries.


Remote Code Execution in open()

As noted in Egor Homakov's blog post, Kernel#open can actually be used to spawn new processes: if the argument starts with a pipe |, the rest of the string is run as a command. So open(params[:file]) is remote code execution as well as arbitrary file access. Brakeman will now warn about remote code execution and file access via open. File.open does not have this behavior and should be used when a file is what is intended.
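Added example, not Brakeman's or Homakov's code: the vulnerable shape beside a hardened replacement. read_with_kernel_open is the pattern the new warning targets when its argument is user-controlled; read_within uses File.open, which never interprets a leading |, and additionally confines the path to a base directory so that ../ cannot escape it. The fixture directory and file names are constructed for the example.

```ruby
require "tmpdir"

# Added example, not Brakeman's own code. `open` here is Kernel#open: when
# the argument starts with "|" it spawns a process and the rest of the
# string is the command line, e.g. open("|id") runs `id`.
def read_with_kernel_open(name)
  open(name) { |io| io.read }   # reads a file OR runs a command, depending on `name`
end

# Hardened version: File.open does not interpret "|", and the resolved path
# must stay under `base`, so "../../etc/passwd" is refused as well.
def read_within(base, name)
  base = File.expand_path(base)
  path = File.expand_path(name, base)
  unless path.start_with?(base + File::SEPARATOR)
    raise ArgumentError, "#{name.inspect} resolves outside #{base}"
  end
  File.open(path, "r") { |io| io.read }
end

# Constructed fixture: a temporary directory holding one file.
def with_fixture
  Dir.mktmpdir("brakeman-open") do |dir|
    File.write(File.join(dir, "report.txt"), "quarterly numbers\n")
    yield dir
  end
end

if __FILE__ == $0
  with_fixture do |dir|
    puts read_within(dir, "report.txt")
    ["|id", "../../../etc/passwd"].each do |bad|
      begin
        read_within(dir, bad)
      rescue ArgumentError, Errno::ENOENT => e
        puts "refused #{bad.inspect}: #{e.class}"
      end
    end
  end
end
```

With read_within, "|id" is just a file name that does not exist (Errno::ENOENT) rather than a command, and the traversal attempt fails the base-directory check before any file is touched.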


Simple Guard Conditions

Brakeman should now recognize guard conditions that look exactly like this, where the dangerous call is guarded by an include? check against a literal array:

if [1, 2, "a", "b"].include? x
  do_something_dangerous_with x
end

This may resolve some false positives. If you have similar guard patterns that Brakeman does not yet recognize, please consider opening an issue so that they can be handled the same way.
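As an added example (not from the Brakeman source), here is that guard shape applied to a realistic case: a dynamic method call driven by a request parameter. The unguarded version lets the caller reach any method on the object; the guarded version uses the literal-array include? check described above so that only the listed attributes are reachable. User, the attribute names and the sample values are constructed for the illustration.

```ruby
# Added example, not Brakeman code: allow-listing a user-controlled value
# before a dangerous call, in the guard shape Brakeman 3.0.3 recognises.

# Constructed stand-in for a model object.
User = Struct.new(:name, :email, :password_digest)

# Unsafe: `attr` comes straight from the request, so public_send can reach
# any public method on the object, e.g. "password_digest".
def attribute_unguarded(user, attr)
  user.public_send(attr)
end

# Guarded with a literal array and include?; anything outside the list is
# refused before public_send is reached.
def attribute_guarded(user, attr)
  if ["name", "email"].include? attr
    user.public_send(attr)
  else
    raise ArgumentError, "attribute #{attr.inspect} is not exposed"
  end
end

if __FILE__ == $0
  alice = User.new("alice", "alice@example.com", "$2a$12$constructed-digest")
  puts attribute_guarded(alice, "email")
  puts attribute_unguarded(alice, "password_digest")   # leaks the digest
  begin
    attribute_guarded(alice, "password_digest")
  rescue ArgumentError => e
    puts "refused: #{e.message}"
  end
end
```

A constant or a method call in place of the literal array is the kind of variation the text asks you to report, since the recognition is currently limited to the shape shown.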


Lambda Filters

Filters that use lambdas instead of blocks should now be handled correctly.


Handle to_s in SQL

Values with to_s called on them were being ignored when checking for SQL injection, even though to_s does nothing to make a value safe to interpolate into a query. This has been fixed, so the target of to_s is now checked like any other value.



The SHA1 sums for this release are

170c3dd6925373b7da2e27fd1decf2957b35dc43  brakeman-3.0.3.gem
f126e305404a61e99f9ddb848996d87325d1485a  brakeman-min-3.0.3.gem

