Ruby on Rails Static Analysis Security Tool

Brakeman 3.4.1 Released

  • Configurable engines path (Jason Yeo)
  • Check CSRF setting in direct subclasses of ActionController::Base (Jason Yeo)
  • Pull Ruby version from .ruby-version or Gemfile
  • Use Ruby version to turn off SymbolDoS check (#928)
  • Fix ignoring link interpolation not at beginning of string (#939)
  • Show action help at start of interactive ignore (#949)
  • Avoid warning about where_values_hash in SQLi (#942)

Engine Paths Option

Thanks to the work of Jason Yeo, Brakeman now supports custom paths to Rails engines uses the --add-engines-path option.

Multiple comma-separated paths may be configured. To include all subdirectories, use * (e.g. my_engines/*). Absolute paths may be used for engines outside the application.


Expanded CSRF Check

Also thanks to Jason Yeo, any controller with ActionController::Base as a direct parent will be checked for a protect_from_forgery call.


Ruby Version Info

Brakeman will now pull information about the Ruby version used for an application either from the Gemfile or .ruby-version. Right now this is only used for disabling (the already optional) Symbol DoS check for versions of Ruby that have symbol garbage collection.


Brakeman’s warning about interpolating user input into URLs has always checked to see if the interpolation was at the beginning of the string. However, that check didn’t work if the first thing in the string was another interpolation. This has been fixed.


More Help in Interactive Ignore

For clarity, “interactive ignore” mode will now display the action options before going through each warning.



Reporting Issues

Thank you to everyone who reported bugs and contributed to this release.

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter and hanging out on Gitter for questions and discussion.