This is a huge release! (So many changes, I had to look up how to nest lists in Markdown…)
Thank you to the many contributors!
There are several new features, take a look below.
Changes since 5.0.4:
- Report Formats
- Read and parse files in parallel
- Ruby Interpretation
- SQL Injection
- Other Fixes
param?methods (Keenan Brock)
- Better method definition tracking and lookup
Klaus Badelt added support for GitHub Actions annotation format with
Eli Block added support for reporting ignored warnings in SARIF using the “suppressed” property and fixed a SARIF bug.
Elia Schito clarified some text in the
--interactive menu for ignoring warnings.
Parallel File Parsing
Brakeman now uses the
parallel gem to read and parse files in parallel.
parallel will split the reading/parsing into a number of separate processes based on
number of CPUs.
In testing, this has dramatically improved speed for large code bases - around 35% reduction in overall scan time.
However, if you run into weird behavior (e.g. scanning just hangs during file parsing), this feature
can be disabled using
Simple Class Methods
Brakeman will now track and return very simple literal values (e.g. strings, hashes of literals, arrays of literals) from very simple class methods (e.g. single line).
class User def self.path_prefix '/user' end end User.path_prefix # => '/user'
This should help prevent some false positives.
Since ActiveRecord enums essentially generate some class (and instance) methods that return fixed literal values, the above class method return values
is also used to support
class User < ActiveRecord::Base enum status: [:pending, :active, :locked] end User.statuses[:pending] # => 0
Hash and Array Methods
In some ways, Brakeman is a very poor Ruby interpreter.
To “understand” the code it analyzes, Brakeman essentially evaluates some methods.
This release adds and improves support for evaluating a number of
Updates for Rails 6.0/6.1
Some new Rails 6.0 methods were previously added for SQL injection (
delete_by), but this release is more thorough.
Newly vulnerable methods:
No longer vulnerable:
pluck(in Rails 6.1)
Not really vulnerable:
order(in Rails 6.1)
reorder(in Rails 6.1)
(Also, [https://rails-sqli.org/] has also been updated with Rails 6 information!)
Esty Scheiner added the
--sql-safe-methods option to ignore some methods when checking for SQL injection.
Brakeman no longer warns about SQL injection for:
- Dates and methods called on dates (changes)
- Method calls on number literals (changes)
Brad Parker updated the dynamic render path check to ignore “renderables”.
Richard Fitzgerald fixed a command injection false positive when using
Andrew Szczepanski fixed an infinite loop when a mixin appears to include itself.
Brakeman will now warn about user-controlled evaluation even if the evaluation is a call target itself.
Keenan Brock cleaned up the
param? utility methods.
In support of
enum and simple class methods, Brakeman now has a cleaner way of tracking and looking up method definitions.
New and Updated Options
--sql-safe-methods can be used to specify methods that should be ignored in the context of SQL injection.
-f github will output code the annotation format used by GitHub Actions.
-n will disable use of threads (actually forked processes) for reading and parsing files.
(Previously, this method only disabled use of threads when running checks.)
The SHA256 sums for this release are:
2cc7a174bc9ebb90161f218ea35905de8d749210f69a0bfda9fba71429dc5047 brakeman-5.1.0.gem b8182c9fd7d6d116b2b531c5d8fe0bf9c8da14118b755ed00be8de8c4684ad10 brakeman-lib-5.1.0.gem e38ff386530bc5585e2efd183ba73c08abb740c3b26072662025a3d9395b707a brakeman-min-5.1.0.gem
Thank you to everyone who reported bugs and contributed to this release!