Brakeman

Ruby on Rails Static Analysis Security Tool

Brakeman 4.2.0 Released

First release of 2018!

Changes since 4.1.1:

  • Handle ERb use of String#<< method for Ruby 2.5 (Pocke)
  • Exclude template folders in lib/ (kru0096)
  • Warn about SQL injection with not
  • Avoid warning about symbol DoS on Model#attributes (#1096)
  • Avoid warning about open redirects with model methods ending with _path(#1117)
  • Avoid warning about command injection with Shellwords.escape (#1159)
  • Use ivars from initialize in libraries
  • Fix multiple assignment of globals (#1155)
  • Sexp#body= can accept :rlist from Sexp#body_list
  • Update RubyParser to 3.11.0

Update ERb Handling for Ruby 2.5.0

The way ERb templates are compiled changed in Ruby 2.5.0 to use String#<<, so Brakeman has been changed to accomodate.

Please note ERb also changed such that <% # is not supported in Ruby 2.5.0. It will be fixed in the next Ruby release, but the correct syntax is <%#.

(changes)

Exclude Template Folders

Files in lib/**/templates will be ignored, since they are generally ERb files, not actually Ruby.

(changes)

SQL Injection with not

In ActiveRecord, not takes the same arguments as where, making it just as vulnerable to SQL injection.

Thank you to Jobert Abma for reporting this.

(changes)

Symbol DoS False Positive

Brakeman will no longer warn about Model#attributes.symbolize_keys.

(changes)

Open Redirect False Positive

Brakeman will no longer warn about open redirects with Model#something_ending_in_path.

(changes)

Shellwords Escaping

Brakeman will no longer warn about command injection when Shellwords.escape and friends are used.

Please note that user input in shell commands is rarely a good idea, even if escaped, since they can change the behavior of the program in unexpected ways. Many Linux tools have options that allow arbitrary code execution.

(changes)

Use Initialized Environment in Libraries

When processing libraries, instance variables set in initialize will be used in subsequent methods.

(changes)

Update RubyParser

This release includes updated versions of RubyParser and friends. This may cause some warning fingerprints to change if they include a call to self[...].

(changes)

Checksums

The SHA256 sums for this release are:

c6ad3861920075ccf553343815fcce07aa09d015bc8529c6e4d8a865674530f7  brakeman-4.2.0.gem
94a97496761ddd27974867bde3235cab303761dadec4bd6a8d22260a72aaaa38  brakeman-lib-4.2.0.gem
a071eb6d6e866df0338bcb9c8dd56f5b0d66c68212eb604f551ac8aa196d6923  brakeman-min-4.2.0.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release.

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.

If you find Brakeman valuable and want to support its development (and get more features!), check out Brakeman Pro.

Brakeman 4.1.1 Released

Just a small fix-up release!

Changes since 4.1.0:

  • Remove check for use of permit with *_id keys
  • Avoid duplicate warnings about permitted attributes
  • Avoid duplicate warnings about division by zero

Checksums

The SHA256 sums for this release are:

7b65d6694b488aaa09e147f5a39d7e544385a11ec52ae93058b04b17999925b6  brakeman-4.1.1.gem
ffb525462d391f9a7f85b9b1ebbf7b165d03cd2eaed7093c3f1b4fdb135947e2  brakeman-lib-4.1.1.gem
b50a7b19d56a7606cd3a625611f8e720d47da8a57d126e7dcf443714cec98194  brakeman-min-4.1.1.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release.

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.

If you find Brakeman valuable and want to support its development (and get more features!), check out Brakeman Pro.

Brakeman 4.1.0 Released

Wow, it has been too long since the last release!

Happy December!

Changes since 4.0.1:

  • Add check for dangerous keys in permit
  • Add optional check for divide by zero
  • Remove errors about divide by zero
  • Warn about dynamic values in Arel.sql
  • Show better location for Sass errors (Andrew Bromwich)
  • Avoid warning about file access for temp files (#1110)
  • Avoid CSRF warning in Rails 5.2 default config (#1132)
  • Better processing of op_asgn1 (e.g. x[:y] += 1) (#1103)
  • Handle nested destructuring/multiple assignment
  • Do not warn on params.permit with safe values (#1000)
  • Use HTTPS for warning links
  • Try to guess options for less pager (#1118)
  • Do not page if results fit on screen
  • Leave results on screen after paging
  • Fix upgrade version for CVE-2016-6316
  • Fix include_paths for Code Climate engine (Will Fleming)
  • Support app_path configuration for Code Climate engine (Noah Davis)
  • Refactor Code Climate engine options parsing (Noah Davis)

New Check for Dangerous Permit Keys

Very similar to warning about potentially dangerous keys in attr_accessible, Brakeman now warns about potentially dangerous keys whitelisted for mass assignment via params.permit.

(changes)

New Optional Check for Division by Zero

Previously, Brakeman would report errors when it encountered potential division by zero. Now, it optionally reports warnings instead.

(changes)

Arel.sql

Arel.sql allows one to add raw SQL to queries. Brakeman now warns about potential SQL injection when using Arel.sql with dynamic values.

(changes)

Sass Error Locations

Thanks to Andrew, Brakeman now reports actual file names for errors involving Sass.

(changes)

Temp Files

Brakeman no longer warns about file access with params[:blah].tempfile.path or params[:blah].path.

(changes)

Rails 5.2 CSRF Configuration

In Rails 5.2, CSRF protection is enabled by default. Brakeman will now respect this.

(changes)

Attribute Combination Assignment

This release handles code like x[:y] += 1 better. Previously, it would not update the value for x[:y].

(changes)

Nested Destructuring

Brakeman now can handle nested multiple assignment, like x, (a, b), y = z, assuming z is known to be an array.

(changes)

Pager Updates

The default pager (less) now leaves the output in the terminal after exiting and now exits immediately if the output fits on the screen.

Additionally, Brakeman attempts to detect if these options are actually supported by less before using them.

(changes and here)

CVE-2016-6316

In case this one was keeping you up at night, Brakeman now reports the correct upgrade version for CVE-2016-6316.

(changes)

Links to brakemanscanner.org in reports are now HTTPS! Only makes sense.

(changes)

Code Climate Updates

The Brakeman engine on Code Climate now supports app_path and include_paths, together.

(changes)

Checksums

The SHA256 sums for this release are:

1dd62ee8aa872acf5d0aace6dc0745b55c78da68640f04754bf11c12a58842bf  brakeman-4.1.0.gem
a16bd3082223655f132ff4c601f5d1930290082116fc256c5c1e652ff3ba933a  brakeman-lib-4.1.0.gem
29d9be77b06195675e6b803141da979438983c0970c182fe8b8ccf3145ecda9f  brakeman-min-4.1.0.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release.

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.

If you find Brakeman valuable and want to support its development (and get more features!), check out Brakeman Pro.

Brakeman 4.0 Released!

This release has breaking changes!

This is the 101st official release of Brakeman! It has been seven years and one month since the first release of Brakeman. To put that into historical context, Rails 3.0 was released a few days later!

How about some more numbers?

Thank you so much to everyone who has used, contributed to, or promoted Brakeman over the past seven years!

As a token of our appreciation, we have a limited edition 2017 Brakeman sticker:

Brakeman Sticker

Just email [email protected] with your name and address (anywhere in the world) and we’ll send you one. While supplies last!

If you have benefited from Brakeman, please consider supporting continued development via Brakeman Pro.

Changes since 3.7.2:

  • --exit-on-warn is now the default (#852)
  • --exit-on-error is now the default (#1083)
  • “Plain” report output is now the default
  • Add simple pager for reports output to terminal
  • Remove low confidence mass assignment warnings
  • Reduce warnings about XSS in link_to
  • Treat request.cookies like cookies (#1090)
  • Treat fail/raise like early returns (#754)
  • Rename “Cross Site Scripting” to “Cross-Site Scripting” (Paul Tetreau)
  • Remove reliance on CONFIDENCE constant in checks
  • Fix --exit-on-error and --exit-on-warn in config files

Changes since 4.0.0:

  • Do not use pager when CI environment variable is set

New Default Exit Codes

--exit-on-warn and --exit-on-error are now default behavior.

If any warnings are found or errors are raised during the scan, Brakeman’s exit code will be non-zero. This may break things! In particular, CI jobs or scripts that assume Brakeman will exit normally.

You may use --no-exit-on-warn and --no-exit-on-error to revert back to previous behavior and always exit with error code 0.

(changes and changes)

New Default Report Format

The “plain” report format is now the default.

To revert back to the table format, use -f tables or -o report.tables.

(changes)

Paged Output

By default, output to the terminal will be paged with less or Highline’s simple pager.

To disable, use --no-pager.

In 4.0.1 Brakeman will automatically disable the pager when the CI environment variable is set to true. This should be compatible with Travis CI, Circle CI, Codeship, and Bitbucket Pipelines.

(changes)

Fewer Mass Assignment Warnings

Low confidence mass assignment warnings have been removed in this release. Brakeman should now only warn when user input is used directly in the instantiation or update of a model.

(changes)

Warnings about XSS in link_to have confused quite a few people over the years. The danger is that links may have javascript: or data: values with XSS payloads.

Brakeman should now only warn when directly using user input or when using what looks like a URL from the database.

(changes)

More Cookies

request.cookies will now be treated like cookies in general.

(changes)

More Early Returns

Calls to raise or fail will be treated like early returns when considering simple guard expressions.

(changes)

Cross-Site Scripting

Messages about “Cross Site Scripting” will now include a hyphen. This does not affect warning fingerprints.

(changes)

CONFIDENCE

Brakeman checks previously used the CONFIDENCE hash when creating warnings, e.g. :confidence => CONFIDENCE[:high]. Now it’s possible to use :confidence => :high instead.

For those with custom checks, the CONFIDENCE hash is still available and nothing should break.

(changes)

Checksums

The SHA256 sums for these releases are:

0038932b43dcf2bf698ad6637500f69b5e4226b10c011a4a6bcce93a77a5e045  brakeman-4.0.0.gem
3688303859a7c9b452ddcef00f00f97789ce103774446d42851a763ecbf8df87  brakeman-lib-4.0.0.gem
559196c6e41e5b180448564d9aca84fb775a39b77dd7d8d880a0ce0e77df8ae2  brakeman-min-4.0.0.gem

d93d6f8e9c2655520153fe0512b338753cc36fac56b80947f652fd33e9f80dfb  brakeman-4.0.1.gem
82ab1e51f712ad10109a4fe080f6389b28bbbef83e0ecd6c33defa90319b4bc5  brakeman-lib-4.0.1.gem
579f240cb8e5357fe5e45c09eb43f3512481f7086052337437e5c436c617da8b  brakeman-min-4.0.1.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release.

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.

If you find Brakeman valuable and want to support its development, check out Brakeman Pro.

Brakeman 3.7.1/3.7.2 Released

Just a little release. Next up: 4.0!

Changes since 3.7.1:

Changes since 3.7.0:

  • Handle simple guard with return at end of branch (#1073)
  • Add more collection methods for iteration detection
  • Modularize bin/brakeman
  • Improve multi-value Sexp error message
  • Update ruby2ruby and ruby_parser dependencies

Another Simple Guard

Brakeman will now handle when the branch in a simple guard condition ends in return.

For example:

unless [:valid, :value].include? params[:x]
  do_stuff
  more_stuff
  return
end

x.send(params[:x]) # Will no longer warn because `params[:x]` must be 'safe'

(changes)

More Collection Methods

Brakeman attempts to detect when a template is iterating over records from a database query.

This release adds a few more methods that might return a collection of records.

(changes)

Modularize Commandline

The logic in the brakeman executable has now entirely been moved to Brakeman::Commandline for easier testing and custom behavior.

(changes)

Checksums

The SHA256 sums for this release are:

9ad563247cc6a57b965e59e5bbbaefa202ce34ceb6d10e97ce500406d60cdb6e  brakeman-3.7.2.gem
5b753206f8e5937c33494edd323a9e6573e07958d9f8f5bb662b0f6085eafe19  brakeman-lib-3.7.2.gem
517a074cb92ece8a7e426ea221d63ddbcae6e3b851664083b7e73e6d7e0dd138  brakeman-min-3.7.2.gem

Brakeman 4.0 Plans

If all goes well, Brakeman 4.0 will be released on August 27th, which is also the 7th anniversary of Brakeman’s first release. It will also be the 101st release of Brakeman!

At least two major changes will be coming in Brakeman 4.0:

  • The plain report format will be the default instead of tables
  • -z or --exit-on-warn (sets exit code if any warnings are found) will be on by default

There will likely be other changes, but these two will be the most obvious.

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release.

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.

If you find Brakeman valuable and want to support its development, check out Brakeman Pro.