Changes since 3.3.1:
- Improved line number accuracy in ERB templates (Patrick Toomey)
- Allow multiple line regex in model validations (Dmitrij Fedorenko)
- Avoid overwriting instance/class methods with same name (Tim Wade)
- Add `--force-scan` option (Neil Matatall)
- Only consider `if` branches in templates
- Support more safe calls
- Avoid warning about SQL injection with `quoted_primary_key`
- Delay loading vendored gems and modifying load path
ERB Template Line Numbers
Patrick Toomey contributed a series of patches to bring Brakeman’s handling of ERB/Erubis templates in line with the Rails implementation. This has the effect of correcting some line numbers and fixing the processing of `case` statements in templates.
Multiline Regex Validation
Dmitrij Fedorenko added a change to support multiline extended regular expressions for model validations.
Tim Wade fixed an issue where class methods and instance methods with the same name on the same class would overwrite each other. This may cause a few warning fingerprints to change, since all method names are now stored as symbols (some were strings before).
Neil Matatall added the `--force-scan` option to force Brakeman to scan an application even if it doesn’t look like a Rails app.
Branches in Templates
When looking at template output, Brakeman will no longer treat a conditional expression itself as output, only its branches. This helps find more potential instances of cross-site scripting, as in:
<%= params[:x].html_safe unless this_is_a_bad_idea? %>
Now Brakeman will just consider the `params[:x].html_safe` value, which is clearly dangerous.
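To make the branch-unwrapping idea concrete, here is a small added example (not Brakeman’s own code) that parses the Ruby inside a single `<%= %>` tag with the standard library’s Ripper, treats conditionals as containers rather than as output, and then counts rendered expressions that call `html_safe` on something derived from `params`. It goes slightly beyond the text by also descending into `if`/`else`/`elsif` blocks and ternaries; the template snippets it is run on are constructed samples.

```ruby
require 'ripper'

# Walk a Ripper sexp and return only the expressions that can actually be
# rendered: a conditional is never output itself, only its branches are.
def output_expressions(node)
  return [] unless node.is_a?(Array)
  case node[0]
  when :program, :else
    node[1].flat_map { |stmt| output_expressions(stmt) }
  when :if_mod, :unless_mod          # `expr if cond` / `expr unless cond`
    output_expressions(node[2])      # node[1] is the condition, not output
  when :if, :unless, :elsif          # [:if, cond, [stmts], else_or_nil]
    node[2].flat_map { |stmt| output_expressions(stmt) } + output_expressions(node[3])
  when :ifop                         # ternary: cond ? a : b
    output_expressions(node[2]) + output_expressions(node[3])
  else
    [node]
  end
end

# True if an identifier with the given name appears anywhere in the subtree.
def mentions?(node, name)
  return false unless node.is_a?(Array)
  return true if node[0] == :@ident && node[1] == name
  node.any? { |child| mentions?(child, name) }
end

# True if the expression calls html_safe on a receiver derived from params.
# A Ripper :call node is [:call, receiver, period, method_name].
def unsafe_output?(expr)
  return false unless expr.is_a?(Array)
  if expr[0] == :call && mentions?(expr.last, 'html_safe') && mentions?(expr[1], 'params')
    return true
  end
  expr.any? { |child| unsafe_output?(child) }
end

# Count rendered expressions that mark request parameters as html_safe.
# The argument is the Ruby source inside one <%= %> tag (constructed samples).
def count_unsafe_outputs(template_ruby)
  sexp = Ripper.sexp(template_ruby)
  return 0 if sexp.nil?              # syntax error: nothing to inspect
  output_expressions(sexp).count { |expr| unsafe_output?(expr) }
end

if __FILE__ == $PROGRAM_NAME
  puts count_unsafe_outputs('params[:x].html_safe unless this_is_a_bad_idea?')  # 1
end
```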
More Safe Calls
Brakeman can now handle more instances of the “safe call” or “lonely” operator (`&.`), such as `a&.b ||= 1` and `x&.y += z`.
Quoted Primary Key
Brakeman will no longer warn about use of `quoted_primary_key` in SQL strings.
Delayed Load Path Modification
Brakeman 3.3.0 started vendoring all its dependencies to avoid conflicts with application dependencies. However, if Brakeman is included in a Gemfile without `require: false`, it will still modify the load path and potentially cause conflicts.
This version delays loading any dependencies until Brakeman actually runs. This is almost like having `require: false` automatically.
Please keep in mind it is really not recommended to include Brakeman in Gemfiles unless it is actually being used as a library. Otherwise it’s like mixing your browser’s dependencies with your application’s. It doesn’t make sense.
For those who don’t want Brakeman to bundle and vendor its own dependencies, the brakeman-lib gem is identical to the brakeman gem but without the bundling. Consider using it if the bundling and modified load paths are causing issues.
RailsConf Security Talks
Justin Collins gave a lightning talk about Brakeman and a regular talk about real-world examples of vulnerabilities Rails won’t save you from.
Mike Milner spoke about the security breaches of 2015.
Jessica Rudder talked through examples of SQL injection in ActiveRecord.
The SHA256 sums for this release are:
5c22721c8b486fa9d283cabf65c7e77b2f7428056d4d907b7f74a91dd112616a brakeman-3.3.1.gem
7aa57ed8b42c0cadef09214f5544424659ab3972912137fad37da1a052d8a792 brakeman-lib-3.3.1.gem
95e68202493d8c504ad72276c8bfa46abb1c78c309bc2b80b433a6220f3722eb brakeman-min-3.3.1.gem
Thank you to everyone who reported bugs and contributed improvements in this release.
Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.
Also consider following @brakeman on Twitter and hanging out on Gitter for questions and discussion. Please note the mailing list is no longer in use and has apparently not been delivering mail for some time.