Ruby on Rails Static Analysis Security Tool

Brakeman 4.5.1 Released

This release adds initial support for Rails 6!

Changes since 4.5.0:

  • Add initial Rails 6 support
  • Add optional check for config.force_ssl (#1181)
  • Add deserialization warning for Oj.load/object_load
  • Add SQL injection checks for destroy_by/delete_by
  • Add SQL injection checks for find_or_create_by and friends
  • Check link_to with block for href XSS (#1339)
  • Convert !! calls to boolean value (#1343)
  • Use relative paths for __FILE__
  • Represent file paths internally as Brakeman::FilePath
  • Handle empty partial names
  • Handle trailing comma in block args
  • Remove code for Ruby versions prior to 1.9

Initial Rails 6 Support

Rails 6 is (almost?) here!

This release adds basic support internally for Rails 6 as well as the -6 option to force Rails 6 mode.


Optional Check for Force SSL Option

In Rails, config.force_ssl = true turns on HSTS, redirects HTTP to HTTPS, and sets the secure flag on all cookies.

A new optional check has been added to check if this option is enabled.

To enable this new check, use -A or --enable ForceSSL.


Deserialization with Oj

The deserialization check now looks for unsafe use of the Oj JSON library.


New SQL Injection Sinks

The SQL injection check has been expanded to check for unsafe use of destroy_by/delete_by (new in Rails 6) and find_or_create_by and related methods.


Brakeman now checks link_to calls with blocks for javascript: links.


Convert !! to Boolean

Use of !! to convert values to booleans will be treated as safe (turned into true or false).


Relative Path for __FILE__

When ruby_parser parses __FILE__, it replaces it with the name of the current file. Unfortunately, Brakeman was passing in absolute paths for the current file. This meant that the fingerprints for warnings including __FILE__ would vary based on the path where the code was scanned.

Now a relative path is used instead, so fingerprints should stabilize.



Internally, file paths are now represented with Brakeman::FilePath to make it easier to manage absolute/relative paths as needed. This was a pretty huge change, so please report any issues.

As a result, the --no-separate-models option no longer works (it used to combine all model-level mass assignment warnings into one warning). That old option used to report a completely messed-up file name, which is incompatible with Brakeman::FilePath. Also, it was weird and wrong.


Empty Partial Names

If any empty string ends up as a partial name in a render call, Brakeman will ignore it.



The SHA256 sums for this release are:

c8c48a88e9cd837122a590837ff5dbb4bd8214ad72baaffb75e5e5cd3585166f  brakeman-4.5.1.gem
48eaff4eb661f63d43c2f8b33da8efbabc6196ae5ff2ec58ad711e1649eff686  brakeman-lib-4.5.1.gem
c6fcfc5c32ec79a50281b0b97be5b703385ffb20ef45f770e7888ca6ba0b1666  brakeman-min-4.5.1.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.