Ruby on Rails Static Analysis Security Tool

Brakeman 4.8.2 Released

This release introduces a new option and two new checks!

Changes since 4.8.1:

  • Add --text-fields option
  • Add check for CVE-2020-8159
  • Add check for escaping HTML entities in JSON configuration option
  • Fix authenticate_or_request_with_http_basic check for passed blocks (Hugo Corbucci)

Text Fields Option

It is now possible to specify which text fields are reported and their order for the default “text” report format using the --text-fields option.

Possible options are:

  • all
  • category
  • category_id
  • check
  • code
  • confidence
  • file
  • fingerprint
  • line
  • link
  • message
  • render_path

--text-fields accepts a comma-separated list of these options.

Please keep in mind the JSON report should be used for structured reports/parsing.



This release includes a check for CVE-2020-8159 related to the actionpack-page_caching gem. The vulnerability allows arbitrary file writing and may be escalated to remote code execution.

If caches_page is called in any controllers, this will be a High confidence warning. Otherwise, Weak.

Reminder: Brakeman is not a ‘dependency’ scanner. It only includes checks for a small number of Rails-related CVEs. Use bundler-audit or related tools for dependency checking.


JSON Escaping Configuration

Brakeman will now warn if HTML entity escaping in JSON is disabled globally with ActiveSupport.escape_html_entities_in_json = false. This is an unusual configuration.


Basic Auth Check Fix

Hugo Corbucci fixed an error when checking calls to authenticate_or_request_with_http_basic without a block literal.



The SHA256 sums for this release are:

d7bf369896b4a3c41778f39f10b1e1d0844a965bbb582fa0a0566b1df4f07dec  brakeman-4.8.2.gem
c13e9a9e5b213ba95a16803ddb50eb3c7119533ca71444ffec2bb6cea22b926a  brakeman-lib-4.8.2.gem
a422a444b7db48682e1f112c83b1a7a7e3828ec02d52ed91c5b3eff235b801c1  brakeman-min-4.8.2.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.