Changes since 4.8.1:
- Add --text-fields option
- Add check for CVE-2020-8159
- Add check for escaping HTML entities in JSON configuration option
- Fix authenticate_or_request_with_http_basic check for passed blocks (Hugo Corbucci)
This release introduces a new option and two new checks!
Text Fields Option
It is now possible to specify which text fields are reported and their order for the default “text” report format using the --text-fields option.
Possible options are:
- all
- category
- category_id
- check
- code
- confidence
- file
- fingerprint
- line
- link
- message
- render_path
--text-fields accepts a comma-separated list of these options.
Please keep in mind the JSON report should be used for structured reports/parsing.
CVE-2020-8159
This release includes a check for CVE-2020-8159 related to the actionpack-page_caching gem.
The vulnerability allows arbitrary file writing and may be escalated to remote code execution.
If caches_page is called in any controllers, this will be a High confidence warning. Otherwise, Weak.
Reminder: Brakeman is not a ‘dependency’ scanner. It only includes checks for a small number of Rails-related CVEs. Use bundler-audit or related tools for dependency checking.
JSON Escaping Configuration
Brakeman will now warn if HTML entity escaping in JSON is disabled globally with ActiveSupport.escape_html_entities_in_json = false. This is an unusual configuration.
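To show what the setting Brakeman now flags actually changes, here is an added illustration (not ActiveSupport's or Brakeman's own code) that models the post-processing Rails applies to generated JSON with escape_html_entities_in_json on versus off, using a constructed user-supplied value:

```ruby
require 'json'

# Added illustration, not ActiveSupport's own code: a minimal model of how
# ActiveSupport post-processes generated JSON. With escape_html_entities_in_json
# enabled (the Rails default) the characters <, > and & are emitted as \u003c,
# \u003e and \u0026, so the JSON can be embedded inside a <script> element
# without an untrusted string being able to close the element early.
ESCAPED_CHARS = {
  "\u2028" => '\u2028',   # always escaped: JavaScript treats these as line terminators
  "\u2029" => '\u2029',
  '>'      => '\u003e',
  '<'      => '\u003c',
  '&'      => '\u0026',
}.freeze

WITH_HTML_ENTITIES    = /[\u2028\u2029><&]/u
WITHOUT_HTML_ENTITIES = /[\u2028\u2029]/u

# Mirrors the effect of ActiveSupport.escape_html_entities_in_json = true/false.
def encode_json(value, escape_html_entities: true)
  json = JSON.generate(value)
  pattern = escape_html_entities ? WITH_HTML_ENTITIES : WITHOUT_HTML_ENTITIES
  json.gsub(pattern, ESCAPED_CHARS)
end

# True when the JSON text can be placed verbatim inside <script>...</script>:
# no raw "<" or ">" survives, so no "</script>" sequence can be formed.
def safe_for_script_tag?(json)
  !json.match?(/[<>]/)
end

# Constructed sample: a user-controlled display name that contains markup.
USER_PROFILE = { "name" => "Ada </script><b>&</b>", "id" => 42 }.freeze
```

The escaped form still parses back to the same Ruby hash, which is why the default costs nothing in correctness and only the disabled form produces a warning.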
Basic Auth Check Fix
Hugo Corbucci fixed an error when checking calls to authenticate_or_request_with_http_basic without a block literal.
Checksums
The SHA256 sums for this release are:
Reporting Issues
Thank you to everyone who reported bugs and contributed to this release!
Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.
Hang out on GitHub for questions and discussion.