Brakeman

Ruby on Rails Static Analysis Security Tool

Brakeman 3.3.1 Released

Changes since 3.3.0:

  • Improved line number accuracy in ERB templates (Patrick Toomey)
  • Allow multiple line regex in validates_format_of (Dmitrij Fedorenko)
  • Avoid overwriting instance/class methods with same name (Tim Wade)
  • Add --force-scan option (Neil Matatall)
  • Only consider if branches in templates
  • Support more safe &. operations
  • Avoid warning about SQL injection with quoted_primary_key (#884)
  • Delay loading vendored gems and modifying load path
  • Added brakeman-lib gem

ERB Template Line Numbers

Patrick Toomey contributed a series of patches to bring Brakeman’s handling of ERB/Erubis templates in line with the Rails implementation. This corrects some reported line numbers and fixes the processing of case statements in templates.

(changes)

Multiline Regex Validation

Dmitrij Fedorenko added a change to support multiline extended regular expressions for model validations.

(changes)

Class Methods

Tim Wade fixed an issue where class methods and instance methods with the same name on the same class would overwrite each other. This may cause a few warning fingerprints to change, since all method names are now stored as symbols (some were strings before).

(changes)

Force Scan

Neil Matatall added the --force-scan option to force Brakeman to scan an application even if it doesn’t look like a Rails app.

(changes)

Branches in Templates

When looking at template output, Brakeman no longer treats the whole conditional expression as the output value; only its branches are. This helps find more potential instances of cross-site scripting.

For example:

<%= params[:x].html_safe unless this_is_a_bad_idea? %>

Now Brakeman will consider just the params[:x].html_safe value, which is clearly dangerous.

(changes)
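As an added illustration (not Brakeman's own code; Brakeman uses its own parser, while this script uses the stdlib Ripper), the following walks the S-expression of a template expression and collects only its output branches, so the condition of an if/unless/ternary is never mistaken for emitted output. flags_unsafe_output? is a hypothetical helper written for this example, not a Brakeman API.

```ruby
require 'ripper'

# Walk a Ripper S-expression and collect the expressions a template would
# actually emit: the branches of if/unless/ternary forms, never the condition.
def output_branches(node)
  return [] unless node.is_a?(Array)
  case node.first
  when :program, :paren then node[1].flat_map { |s| output_branches(s) }
  when :if_mod, :unless_mod then output_branches(node[2])    # value if/unless cond
  when :if, :unless, :elsif                                  # block form with optional else
    node[2].flat_map { |s| output_branches(s) } + output_branches(node[3])
  when :else then node[1].flat_map { |s| output_branches(s) }
  when :ifop then output_branches(node[2]) + output_branches(node[3])  # cond ? a : b
  when :void_stmt then []
  else [node]                                                # a plain output value
  end
end

# True if any node in the subtree is a method call named `name`.
def calls?(node, name)
  return false unless node.is_a?(Array)
  callee = node.last
  return true if node.first == :call && callee.is_a?(Array) &&
                 callee[0] == :@ident && callee[1] == name
  node.any? { |child| calls?(child, name) }
end

# True if the subtree reads the bare identifier `name` (e.g. `params`).
def references?(node, name)
  return false unless node.is_a?(Array)
  return true if %i[vcall var_ref].include?(node.first) &&
                 node[1].is_a?(Array) && node[1][1] == name
  node.any? { |child| references?(child, name) }
end

# Hypothetical check for one `<%= ... %>` expression: flag it when an output
# branch (not the condition) marks request parameters as html_safe.
def flags_unsafe_output?(ruby_src)
  sexp = Ripper.sexp(ruby_src)
  raise ArgumentError, "could not parse: #{ruby_src.inspect}" if sexp.nil?
  output_branches(sexp).any? { |b| calls?(b, "html_safe") && references?(b, "params") }
end

if __FILE__ == $PROGRAM_NAME
  puts flags_unsafe_output?("params[:x].html_safe unless this_is_a_bad_idea?")  # true
  puts flags_unsafe_output?("admin? ? params[:x].html_safe : h(params[:x])")   # true
  puts flags_unsafe_output?("greeting if params[:x].html_safe")                 # false: only in the condition
end
```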

More Safe Calls

Brakeman can now handle more instances of the “safe call” or “lonely” operator, such as a&.b ||= 1 and x&.y += z.

(changes)

Quoted Primary Key

Brakeman will no longer warn about use of quoted_primary_key in SQL strings.

(changes)

Delayed Load Path Modification

Brakeman 3.3.0 started vendoring all its dependencies to avoid conflicts with application dependencies. However, if Brakeman is included in a Gemfile without require: false, it will still modify the load path and potentially cause conflicts.

This version delays loading any dependencies until Brakeman actually runs. This is almost like having require: false automatically.

Please keep in mind it is really not recommended to include Brakeman in Gemfiles unless it is actually being used as a library. Otherwise it’s like mixing your browser’s dependencies with your application’s. It doesn’t make sense.

(changes)

brakeman-lib

For those who don’t want Brakeman to bundle and vendor its own dependencies, the brakeman-lib gem is identical to the brakeman gem but without the bundling. Consider using it if the bundling and modified load paths are causing issues.

(changes)

RailsConf Security Talks

Justin Collins gave a lightning talk about Brakeman and a regular talk about real-world examples of vulnerabilities Rails won’t save you from.

Mike Milner spoke about the security breaches of 2015.

Jessica Rudder talked through examples of SQL injection in ActiveRecord.

SHAs

The SHA256 sums for this release are

5c22721c8b486fa9d283cabf65c7e77b2f7428056d4d907b7f74a91dd112616a  brakeman-3.3.1.gem
7aa57ed8b42c0cadef09214f5544424659ab3972912137fad37da1a052d8a792  brakeman-lib-3.3.1.gem
95e68202493d8c504ad72276c8bfa46abb1c78c309bc2b80b433a6220f3722eb  brakeman-min-3.3.1.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed improvements in this release.

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter and hanging out on Gitter for questions and discussion. Please note the mailing list is no longer in use and has apparently not been delivering mail for some time.