Ruby on Rails Static Analysis Security Tool

Brakeman 5.4.0 Released

Special thanks to Bart de Water and Ryan Cartner for proposing new rules!

Changes since 5.3.1:

  • Add check for weak RSA key sizes and padding modes (#1736)
  • Add check for absolute paths issue with Pathname (#1721)
  • Handle multiple values and splats in case/when (#1730)
  • Ignore more model methods in redirects (#1723)
  • Fix load_rails_defaults overwriting settings in the Rails application (James Gregory-Monk)
  • Use relative paths for CodeClimate report format (Mike Poage)

Check RSA Key Sizes and Padding Modes

Brakeman now warns on:

  • RSA key sizes less than 2048 bits
  • Use of padding modes other than OAEP (including none)


Unexpected Absolute Paths

When joining paths using Pathname#join, any argument that starts with a forward slash (/) is treated as an absolute path: everything joined before it is discarded and the rest of the path is relative to that absolute path. This may cause unexpected behavior and deviates from how File.join works:

Pathname.new('a').join('b', '/c', 'd')
 => #<Pathname:/c/d>

(There are more Pathname methods with this issue - to be added in a future release.)
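As an added example (not code from the Brakeman project or this release), the snippet below reproduces the Pathname#join behaviour above next to File.join, and adds a hypothetical safe_join helper that refuses absolute components and verifies the result still lies under the base directory; safe_join, UnsafePathError and the sample paths are assumptions for illustration:

```ruby
require 'pathname'

# Pathname#join: an absolute component discards everything joined before it.
def pathname_join_result(base, *parts)
  Pathname.new(base).join(*parts).to_s
end

# File.join simply concatenates, collapsing duplicate separators.
def file_join_result(base, *parts)
  File.join(base, *parts)
end

# Hypothetical hardened helper (not part of Brakeman or Rails).
class UnsafePathError < StandardError; end

def safe_join(base, *parts)
  # Reject absolute components before they can reset the path.
  parts.each do |part|
    raise UnsafePathError, "absolute component: #{part}" if Pathname.new(part).absolute?
  end
  base_path = Pathname.new(base).expand_path
  joined = base_path.join(*parts).expand_path
  # `..` segments can still escape the base after normalisation, so
  # check that the expanded result is the base itself or sits below it.
  inside = joined == base_path ||
           joined.to_s.start_with?(base_path.to_s + File::SEPARATOR)
  raise UnsafePathError, "escapes base directory: #{joined}" unless inside
  joined.to_s
end

if __FILE__ == $PROGRAM_NAME
  puts pathname_join_result('a', 'b', '/c', 'd')  # /c/d
  puts file_join_result('a', 'b', '/c', 'd')      # a/b/c/d
  puts safe_join('/srv/app/uploads', 'reports', '2023.csv')
  begin
    safe_join('/srv/app/uploads', 'b', '/c', 'd')
  rescue UnsafePathError => e
    puts "rejected: #{e.message}"
  end
end
```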


Multiple Values in whens

If a when clause contains only 'safe' values, Brakeman will treat the case value as safe:

y = [1, 2, 3]

case x
when *y
  maybe_dangerous(x) # `x` must be an integer, so not dangerous
end


Ignore More Redirects

More model methods are ignored in redirects:

  • first!
  • last!
  • sole
  • find_by_sole


Rails Defaults

James Gregory-Monk fixed how Rails default configuration values are set so that overrides are properly handled.



The SHA256 sums for this release are:

bab990760949e999c5d52b297d8badda376754eb296c91abf829def733ed9d51  brakeman-5.4.0.gem
2b5a0cd5845b8c0e1b83e00122654af48b025ac3e6625c9ecbc5535226068416  brakeman-lib-5.4.0.gem
fcbd60456c5db62767d143696e1edf8e4eaee734f2a039903aeca7bb4e6b3dbf  brakeman-min-5.4.0.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on GitHub for questions and discussion.