Brakeman

Ruby on Rails Static Analysis Security Tool

Brakeman 6.0.1 Released

Very tiny release this time!

Changes since 6.0.0:

  • Accept strings for load_defaults version (#1784)
  • Bundle latest ruby_parser

Strings for load_defaults

While the default for Rails generators and documentation is to use floats for versions, e.g. load_defaults 6.1, Rails internally uses strings. It appears quite a few apps also use strings.

Now Brakeman supports and uses strings.

(changes)

Latest RubyParser

Bundled with ruby_parser 3.20.3, which includes additional support for Ruby 3.2 syntax.

Checksums

The SHA256 sums for this release are:

39641c63bc247bbdf993a349de90a13e146c464c872191f2adc12555bde591be  brakeman-6.0.1.gem
e029fbd43c97bbb9c084fa4f0e13ee259bf193b79d66ba7ef94fa9496bab62cd  brakeman-lib-6.0.1.gem
ef2ff1234ba2a9e7216a0a047b9df0def8c3b8d162d29853c907238901353a54  brakeman-min-6.0.1.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on GitHub for questions and discussion.

Brakeman 6.0.0 Released

Brakeman 6.0 drops parsing support for Ruby 1.8/1.9, and raises the minimum Ruby version to run Brakeman to 3.0.

Changes since 5.4.1:

  • Drop support for Ruby 1.8/1.9 syntax
  • Raise minimum Ruby version to 3.0
  • Add obsolete fingerprints to comparison report (#1758)
  • Warn about missing CSRF protection when defaults are not loaded (Chris Kruger)
  • Fix false positive with content_tag in newer Rails (#1778)
  • Scan directories that include the word public
  • Fix end-of-life dates for Ruby

Ruby Parsing Version Support

This version of Brakeman no longer supports parsing Ruby 1.8/1.9 syntax.

ruby_parser, the gem Brakeman depends on for parsing Ruby, dropped support for these versions quite a while ago. Brakeman had been depending on the ruby_parser-legacy gem for them. But since Ruby 1.9 has been unmaintained for eight years… it is time to let go.

(changes)

Minimum Ruby Version

The minimum Ruby version to run Brakeman is now 3.0.0.

Official support for the 2.x line of Ruby has ended, so it is a good time to bump up the minimum requirement and adopt more modern language features.

(changes)

Missing CSRF Protection Warning

Since Rails 5.2.0, new applications have had cross-site request forgery protection enabled. Brakeman assumed the protection was enabled based on the Rails version. However, this was incorrect.

Now Brakeman correctly handles the default configuration values.

(changes)

Content Tag Attributes

Brakeman will no longer warn about user input in content_tag attribute names in Rails 6.1.6+.

(changes)

Obsolete Warnings in Comparison Report

When using the --compare option, the output JSON will now include an obsolete key with an array of fingerprints.

These fingerprints are warnings that are configured to be ignored, but no longer exist.

Note that the report will include all fingerprints in the ignore configuration that are not in the current report, even if they were already obsolete.

This report format matches the --json output.

The report will resemble:

{
  "new": [ ... ],
  "fixed": [ ... ],
  "obsolete": [
    "abcdef01234567890ba28050e7faf1d54f218dfa9435c3f65f47cb378c18cf98"
  ]
}

(changes)

Scan ‘public’ Directories

In the old days, Brakeman tried to scan only the “standard” Rails directories, mostly within /app/. With the 5.0 release, Brakeman was revised to make very few assumptions about what kinds of files live where, instead making decisions based on the content of files rather than their location.

However, there was a lingering exception. Brakeman would ignore any directories that included /public/.

This exception has been removed.

(changes)

EOL Dates for Ruby

Fixed end-of-life date for Ruby 3.0 and added expected dates for 3.1 and 3.2.

(changes)

Checksums

The SHA256 sums for this release are:

6ff908e5bfca4651d909a31f3d3ae5846e33732284860a23aff454761c4145d0  brakeman-6.0.0.gem
9a5e68e34c1cffe73b51952937ed2b4f427afd5d11d4a1c10c61e971253ba505  brakeman-lib-6.0.0.gem
db1d8e2118af4b4701fbe49bf1177ac5c89a6a956ca037fdc0e62eb062e2dbb9  brakeman-min-6.0.0.gem


Brakeman 5.4.1 Released

Several changes in this release are updates to Brakeman’s open redirect check.

Changes since 5.4.0:

  • Add Rails 6.1 and 7.0 default configuration values
  • Support Rails 7 redirect options
  • Add redirect_back and redirect_back_or_to to open redirect check
  • Revise checking for request.env to only consider request headers
  • Prevent redirects using url_from being marked as unsafe (Lachlan Sylvester)
  • Warn about unscoped find for find_by(id: ...)
  • Support presence, presence_in and in? (#1569)
  • Fix issue with if expressions in when clauses (#1743)
  • Fix file/line location for EOL software warnings

Rails 6.1 and Rails 7.0 Defaults

The default configuration values for Rails 6.1 and Rails 7.0 have been added to Brakeman.

(changes)

Open Redirect Updates

Rails 7 introduced a new protection against open redirects.

If config.action_controller.raise_on_open_redirects is set to true, then Rails prevents redirects that redirect to a different domain than request.host. This protection can be bypassed by passing in allow_other_host: true to redirect_to.

(changes)

Lachlan Sylvester pointed out it’s also possible to use url_from to ensure a URL is for the same host. So redirect_to(url_from(params[:url])) is safe.

(changes)

This release also expands the open redirect check to redirect_back and redirect_back_or_to which have options for a fallback URL.

(changes)
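As an added illustration (not Rails' source and not Brakeman's check), here is a small Ruby model of the same-host rule url_from applies, assuming a request_host string in place of request.host, plus a safe_redirect_target helper showing the redirect_to(url_from(...) || fallback) pattern:

```ruby
require 'uri'

# Model of the rule url_from applies: accept a URL only if its host equals the
# request host, or if it has no host and is a path-relative URL ("/..." but not
# "//...", which browsers treat as protocol-relative and therefore cross-host).
# Assumption: request_host stands in for Rails' request.host.
def same_host_url(candidate, request_host)
  url = candidate.to_s
  return nil if url.empty?
  host = URI.parse(url).host
  return url if host == request_host
  return nil unless host.nil?            # explicit foreign host
  return nil unless url.start_with?('/') # e.g. "mailto:", bare words
  url.start_with?('//') ? nil : url
rescue URI::Error, ArgumentError
  nil                                    # unparsable input is never a redirect target
end

# What a controller would do: redirect_to(url_from(params[:url]) || root_path)
def safe_redirect_target(candidate, request_host, fallback = '/')
  same_host_url(candidate, request_host) || fallback
end

if __FILE__ == $PROGRAM_NAME
  host = 'example.com' # constructed sample host
  ['/account', 'https://example.com/account', 'https://attacker.example/login',
   '//attacker.example/login', 'mailto:someone@example.com', 'not a url'].each do |u|
    puts "#{u.inspect} -> #{safe_redirect_target(u, host).inspect}"
  end
end
```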

More Unscoped Finds

Brakeman will now warn about use of find_by(id: ...) the same way it would warn about find_by_id for “unscoped finds” (i.e., possible insecure direct object references).

(changes)

Presence Method Support

Brakeman now handles presence, presence_in, and in? methods.

Since presence_in and in? are often used for guard clauses, this fixes some false positives.

(changes)

File/Line for End-Of-Life Warnings

March is nearly here, which means support for Ruby 2.7 is ending!

Thanks to Jon Burns for pointing out Brakeman was reporting the wrong file and/or line number for EOL Ruby warnings.

(changes)

Checksums

The SHA256 sums for this release are:

dc664d4b5d01dd81608db02ec9b7c383beb65a3169049df2939c4bbbd4edfb73  brakeman-5.4.1.gem
c1bf7e4cec5bde1d53122b41743343d3e38e4aa30145707b902278dd3b588fd4  brakeman-lib-5.4.1.gem
94d24f3ea881bfc213ead8fbf3568aa37b301272ccbecf383394c9d7d7f43eeb  brakeman-min-5.4.1.gem


Brakeman 5.4.0 Released

Special thanks to Bart de Water and Ryan Cartner for proposing new rules!

Changes since 5.3.1:

  • Add check for weak RSA key sizes and padding modes (#1736)
  • Add check for absolute paths issue with Pathname (#1721)
  • Handle multiple values and splats in case/when (#1730)
  • Ignore more model methods in redirects (#1723)
  • Fix load_rails_defaults overwriting settings in the Rails application (James Gregory-Monk)
  • Use relative paths for CodeClimate report format (Mike Poage)

Check RSA Key Sizes and Padding Modes

Brakeman now warns on:

  • RSA key sizes less than 2048 bits
  • Use of padding modes other than OAEP (including none)

(changes)
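To make the two conditions concrete, here is an added example (not Brakeman's own check code) that flags them on a real OpenSSL::PKey::RSA key and shows the OAEP path working end to end; weak_rsa_findings and oaep_roundtrip are helper names introduced here:

```ruby
require 'openssl'

MIN_RSA_BITS = 2048

# Returns the list of findings for an RSA key and a padding constant,
# mirroring what Brakeman 5.4.0 warns about. Empty array means OK.
def weak_rsa_findings(key, padding)
  findings = []
  bits = key.n.num_bits
  findings << "RSA key is #{bits} bits (< #{MIN_RSA_BITS})" if bits < MIN_RSA_BITS
  unless padding == OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
    findings << "padding mode #{padding} is not OAEP"
  end
  findings
end

# Encrypt then decrypt with OAEP so the hardened configuration is seen working.
def oaep_roundtrip(key, plaintext)
  ciphertext = key.public_encrypt(plaintext, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  key.private_decrypt(ciphertext, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
end

if __FILE__ == $PROGRAM_NAME
  weak = OpenSSL::PKey::RSA.new(1024)   # too short, and PKCS1 v1.5 padding
  p weak_rsa_findings(weak, OpenSSL::PKey::RSA::PKCS1_PADDING)
  strong = OpenSSL::PKey::RSA.new(2048) # what the check expects
  p weak_rsa_findings(strong, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  puts oaep_roundtrip(strong, 'secret')
end
```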

Unexpected Absolute Paths

When joining paths using Pathname#join, any arguments that start with a forward slash (/) will cause the rest of the path to be relative to that absolute path. This may cause unexpected behavior and deviates from how File.join works.

Pathname.new('a').join('b', '/c', 'd')
 => #<Pathname:/c/d>

(There are more Pathname methods with this issue - to be added in a future release.)

(changes)
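The following added example (not Brakeman's check) reproduces the Pathname#join versus File.join difference and shows a conservative safe_join that rejects absolute segments and any result escaping the base directory; pathname_join, file_join, safe_join and UnsafePathError are names introduced here, and /srv/uploads is a constructed base:

```ruby
require 'pathname'

# An absolute later segment resets the path with Pathname#join ...
def pathname_join(first, *rest)
  Pathname.new(first).join(*rest).to_s
end

# ... but File.join simply concatenates, collapsing the separators.
def file_join(*parts)
  File.join(*parts)
end

class UnsafePathError < StandardError; end

# Join untrusted segments under base: refuse absolute segments outright, then
# refuse any lexical result (after resolving "..") that leaves base.
# Returns the absolute joined path as a String.
def safe_join(base, *segments)
  segments.each do |seg|
    raise UnsafePathError, "absolute segment rejected: #{seg}" if seg.start_with?('/')
  end
  base_path = Pathname.new(base).expand_path
  joined = base_path.join(*segments).expand_path
  inside = joined == base_path || joined.to_s.start_with?("#{base_path}/")
  raise UnsafePathError, "escapes base: #{joined}" unless inside
  joined.to_s
end

if __FILE__ == $PROGRAM_NAME
  puts pathname_join('a', 'b', '/c', 'd') # /c/d (everything before /c is discarded)
  puts file_join('a', 'b', '/c', 'd')     # a/b/c/d
  puts safe_join('/srv/uploads', '2023', 'report.pdf')
  ['/etc/passwd', '../secrets'].each do |bad|
    begin
      safe_join('/srv/uploads', bad)
    rescue UnsafePathError => e
      puts "rejected: #{e.message}"
    end
  end
end
```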

Multiple Values in whens

If a when clause contains only ‘safe’ values, Brakeman will treat the case value as safe:

y = [1, 2, 3]

case x
when *y
  maybe_dangerous(x) # `x` must be an integer, so not dangerous
end

(changes)

Ignore More Redirects

More model methods are ignored in redirects:

  • first!
  • last!
  • sole
  • find_by_sole

(changes)

Rails Defaults

James Gregory-Monk fixed how Rails default configuration values are set so overrides were properly handled.

(changes)

Checksums

The SHA256 sums for this release are:

bab990760949e999c5d52b297d8badda376754eb296c91abf829def733ed9d51  brakeman-5.4.0.gem
2b5a0cd5845b8c0e1b83e00122654af48b025ac3e6625c9ecbc5535226068416  brakeman-lib-5.4.0.gem
fcbd60456c5db62767d143696e1edf8e4eaee734f2a039903aeca7bb4e6b3dbf  brakeman-min-5.4.0.gem


Brakeman 5.3.0 Released

This release adds CWE information to reports - the first JSON report change in a long time!

Changes since 5.2.3:

  • Add CWE information to warnings (Stephen Aghaulor)
  • Include explicit engine or lib paths in vendor/ (Joe Rafaniello)
  • Add check for CVE-2022-32209
  • Load rexml as a Brakeman dependency
  • Fix “full call” information propagating unnecessarily

CWE Information

Thanks to Stephen Aghaulor for taking on the arduous task of adding CWE information to every Brakeman warning type!

CWE information is now available in most report formats. In particular, it is a new field for the JSON report.

Example:

    {
      "warning_type": "Cross-Site Scripting",
      "warning_code": 124,
      "fingerprint": "c2cc471a99036432e03d83e893fe748c2b1d5c40a39e776475faf088717af97d",
      "check_name": "SanitizeConfigCve",
      "message": "rails-html-sanitizer 1.4.2 is vulnerable to cross-site scripting when `select` and `style` tags are allowed (CVE-2022-32209)",
      "file": "config/initializers/sanitizers.rb",
      "line": 1,
      "link": "https://groups.google.com/g/rubyonrails-security/c/ce9PhUANQ6s/m/S0fJfnkmBAAJ",
      "code": "Rails::Html::SafeListSanitizer.allowed_tags = [\"select\", \"a\", \"style\"]",
      "render_path": null,
      "location": null,
      "user_input": null,
      "confidence": "High",
      "cwe_id": [
        79
      ]
    }

(changes)

Explicit Paths in Vendor Directory

By default, Brakeman does not scan any code in the vendor/ directory.

But it was also ignoring any paths in vendor/, even if the user explicitly included them via --add-libs-path or --add-engines-path.

Thanks to Joe Rafaniello this is now changed to respect the explicit additional paths, even if they reside in vendor/.

(changes)

CVE-2022-32209

As a reminder, Brakeman does not keep up with every CVE for Rails or other libraries. Use a dependency analysis tool for that!

A check was added for CVE-2022-32209.

If the vulnerable configuration is detected, the warning will be high confidence.

If only the vulnerable version of rails-html-sanitizer is detected, the warning will be weak confidence.

(changes)

Checksums

The SHA256 sums for this release are:

4fe584ef37c16e1011a0f2db36ebab540fef403ff8e26afed212e2d7ff5a3176  brakeman-5.3.0.gem
1f5caa0bd05fd8ea5b4f5791371dd0911f96d804612c7be986bab3ed0163a8cf  brakeman-lib-5.3.0.gem
4a4ccef090c4eb5857140c15fa69ff65167f3eb550f7a0ca555012642aafe7e9  brakeman-min-5.3.0.gem
