Ruby on Rails Static Analysis Security Tool

Brakeman 4.7.1 Released

This release includes a security fix in a dependency; please see below.

Changes since 4.7.0:

  • Address file permission issues in bundled ruby_parser-legacy
  • Sort text report by file and line (Jacob Evelyn)
  • Catch reverse tabnabbing with :_blank symbol (Jacob Evelyn)
  • Convert s(:lambda) to s(:call) in Sexp#block_call (#1410)
  • Check string length against limit before joining
  • Fix flaky rails4 test (Adam Kiczula)
  • Fix errors from frozen Symbol#to_s in Ruby 2.7
  • Add release dates to each version in CHANGES (TheSpartan1980)

File Permissions

A security issue was reported for the ruby_parser-legacy gem, where some files are installed with world-writable permissions. This would allow any user on the system to edit code which would then be executed by Brakeman (or other dependent libraries) when loading the ruby_parser-legacy gem.

In this release of the brakeman gem, the permissions on these files have been corrected. However, there has not been a fixed release of ruby_parser-legacy yet, so the brakeman-lib and brakeman-min gems are still affected.

Default Report Format Sorting

Warnings in the default text report are now sorted by file and line number as well as confidence and category, thanks to Jacob Evelyn.


Reverse Tabnabbing

Jacob Evelyn also updated the reverse tabnabbing check to match links created with target: :_blank.


Stabby Lambdas

ruby_parser 3.14.0 changed the AST representation of ->{} lambdas, and Brakeman needed to adjust.


String Length Limit

Brakeman now checks the resulting length of joining two strings (e.g., "blah" + "blah blah") before joining them. If the joined string would be longer than 50 characters, the strings are not joined.

Note the only change is when the length is checked, the limit was already in place.


Flaky Test Fixed

Adam Kiczula fixed an intermittently-failing test in the Brakeman test suite that had been plaguing CI builds for a long time. Thanks!


Ruby 2.7 Frozen Strings

In Ruby 2.7, symbols and some other constant values (true/false, etc.) will return frozen strings. This affected Brakeman in only minor ways, but it is fixed now in preparation for Ruby 2.7.


Release Dates in Changelog

Brakeman’s changelog now includes release dates thanks to TheSpartan1980.



The SHA256 sums for this release are:

cdc6f4c86b5b35b5e94798cf443909385aa1b79235da8e1ee1fd4381acf03691  brakeman-4.7.1.gem
2f7a7a6d79b1e5b8c6a390e04642e987c56cced2c8be3d63a1250f7bbc9e504d  brakeman-lib-4.7.1.gem
598431f6bfc90b119fc6883ead7896c1718ba5d9a0e0450893c3e628a6c8e7b0  brakeman-min-4.7.1.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.