Brakeman

Ruby on Rails Static Analysis Security Tool

Brakeman 3.1.1 Released

This release includes two new checks and a number of bug fixes.

Changes since 3.1.0:

  • Add check for user input in session keys
  • Add optional check for use of MD5 and SHA1
  • Fix absolute paths for Windows (Cody Frederick)
  • Allow searching call index methods by regex (Alex Ianus)
  • Consider j/escape_javascript safe inside Haml JavaScript blocks (#708)
  • Better Haml processing of find_and_preserve calls
  • Fix chained assignment
  • Treat a.try(&:b) like a.b()
  • Add more Arel methods to be ignored in SQL (#711)
  • Avoid warning when linking to decorated models (#683)
  • Support newer terminal-table releases (#709)

Session Manipulation Check

As suggested by Joernchen, Brakeman will now look for user input in session keys which can lead to session manipulation.

(changes)

Optional Check for Weak Hashes

An optional check to look for use of MD5 and SHA1 has been added to this release. Run with -t WeakHash to use just this optional check or -A to run all checks.

(changes)

Windows Paths

Cody Frederick fixed an issue with determining absolute paths on Windows.

(changes)

Search for Methods by Regex

Alex Ianus re-introduced the ability to search the CallIndex with regular expressions for methods:

tracker.find_call(method: /_something$/)

(changes)

Haml Processing

Haml users may have noticed warnings with find_and_preserve(Haml::Filters::Javascript.render_with_options(...)) in them. This has been fixed so find_and_preserve is treated as though it just passes through its arguments. Calls to render_with_options will be treated as unescaped output.

Along with this change, j and escape_javascript will be considered safe inside :javascript filters in Haml.

(changes)

Chained Assignment

Chained assignments like a = b = c = 1 will now be handled correctly. This fixes a very old issue from 2012.

(changes)

Trying More

While Brakeman already treated a.try(:b) like a.b(), there is a surprising amount of code which does a.try(&:b). This is totally unncessary, but Brakeman now handles it as well.

(changes)

More Arel Whitelisting

A number of Arel methods have been whitelisted to avoid warning about them inside SQL query building.

(changes)

If the Draper gem is used, Brakeman will ignore calls to decorate in link_to.

(changes)

terminal-table

Newer terminal-table releases are supported now and the dependency has been relaxed.

(changes)

SHAs

The SHA1 sums for this release are

cfd1840116c20b0b8932720fdaac09dd4e47091a  brakeman-3.1.1.gem
603389da732d307a014af445a1f312415b65a682  brakeman-min-3.1.1.gem

Reporting Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter, joining the mailing list, or hanging out on Gitter.