Brakeman

Ruby on Rails Static Analysis Security Tool

Brakeman 4.3.0 Released

Did you know we recently broke 11 million gem downloads? Wow!

Changes since 4.2.1:

  • Add --parser-timeout option
  • Improve timeout error messages
  • Check exec-type calls even if they are targets (#1199)
  • Index Kernel#` calls even if they are targets (#1183)
  • BaseCheck#include_interp? should return first string interpolation (#1189)
  • Ignore Process.pid in system calls
  • Warn about dangerous link_to href with sanitize() (#1187)
  • Ignore params#to_h and params#to_hash in SQL checks (#1180)
  • Convert Array#join to string interpolation (#1179)
  • Change "".freeze to just "" (#1182)
  • --color can be used to force color output (#1175)
  • Track parent calls in call index
  • Fix reported line numbers for CVE-2018-3741 and CVE-2018-8048
  • Code Climate: omit leading dot from only_files (Todd Mazierski)

--color Option

Previously, --no-color could be used to turn off ANSI color in text reports. Now, --color can be used to force color output.

(changes)

--parser-timeout Option

The default timeout for parsing a single file is 10 seconds. For some files, this may not be enough.

The --parser-timeout option can be used to specify a per-file timeout (in seconds).

Additionally, the error message for parsing timeouts has been improved considerably.

(changes)

Command Injection Fixes

Thanks to Jacob Evelyn for reporting a number of issues around command injection, there are several improvements.

Use of backticks as targets of a call will now be checked for command injection.

For example:

`blah #{something}` == "expected output"

Previously, use of backticks was not being indexed in this case.

(changes)

Somewhat similarly, other exec-type calls (such as system) were not checked when they were the target of another call. They are now.

(changes)

Brakeman will no longer warn about Process.pid in system calls.

(changes)

Also fixed an issue where searching for string interpolation would return the innermost instance instead of the first instance (typically you want the first one).

(changes)

Freeze Calls

Calls to String#freeze will essentially be ignored.

"blah".freeze

will be treated like

"blah"

(changes)

More Strong Parameters in SQL

Calls to to_h and to_hash on params will be ignored in the context of SQL injection.

(changes)

Sanitize in link_to

Brakeman will now warn when sanitize is used on the href passed to link_to in an attempt to avoid XSS. Unfortunately, it does not work that way: sanitize strips dangerous tags and attributes from HTML markup, but a URL such as javascript:alert(1) contains no markup, so it passes through sanitize unchanged and ends up in the href attribute. Validate the URL (in particular its scheme) instead.

(changes)
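As an added example (not Brakeman's or Rails' own code) of what a real fix looks like in place of sanitize: validate the URL before handing it to link_to. The policy below is an assumption for this example, allowing only absolute http/https URLs and site-relative paths; the helper name safe_href is hypothetical.

```ruby
require "uri"

# Added example, not Brakeman's or Rails' code. sanitize() cleans HTML
# markup; a bare URL string has no markup, so sanitize("javascript:alert(1)")
# returns it unchanged and link_to emits href="javascript:alert(1)".
# The fix is to validate the URL itself before passing it to link_to.

ALLOWED_SCHEMES = %w[http https].freeze

# Returns the URL if it is safe to use as an href, nil otherwise.
# Policy (an assumption for this example): allow absolute http/https URLs and
# site-relative paths; reject every other scheme, protocol-relative URLs
# (//host/...) and anything containing control characters.
def safe_href(url)
  candidate = url.to_s.strip
  return nil if candidate.empty?
  # Browsers ignore tabs/newlines inside "java\tscript:", so refuse them up front.
  return nil if candidate.match?(/[[:cntrl:]]/)

  uri = URI.parse(candidate)
  if uri.scheme
    ALLOWED_SCHEMES.include?(uri.scheme.downcase) ? candidate : nil
  else
    # No scheme: accept only a path on this site, never "//evil.example/...".
    uri.host.nil? && candidate.start_with?("/") ? candidate : nil
  end
rescue URI::InvalidURIError
  nil
end
```

In a view this would be used as link_to "Profile", safe_href(params[:url]) || root_path, so a rejected value falls back to a known-safe location rather than an empty href.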

Array#join to String Interpolation

Uses of Array#join will now be converted to string interpolation.

For example:

[1, thing, "here"].join(' ')

will be changed to

"1 #{thing} here"

This both fixes some false positives and helps detect more vulnerabilities in checks that are looking at string interpolation.

(changes)

Parent Calls

Brakeman now tracks, for each argument, the method call it appears in (the argument's parent call). While this ended up not being needed for this release, it will help improve checks and messages in the future.

(changes)

Checksums

The SHA256 sums for this release are:

9284a1a9413743b4c915eda40312395e0ee574c6286893a27074b6f9527648f4  brakeman-4.3.0.gem
89ba3385fab967114c31da1462401c03caa8847d1115566a77039d0bda95181e  brakeman-lib-4.3.0.gem
1834031c1e949242ea6d08b3b1036d3f7c12c28257cdfa94cf3d0459b6f851b6  brakeman-min-4.3.0.gem
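Published sums are only useful if something checks them before the gem is installed. The following is an added example (not part of the Brakeman project) that verifies downloaded gems against a manifest in the same "<hex>  <filename>" layout as the list above; the function names are hypothetical, and the sample file written in the usage is a constructed stand-in, not the real gem.

```ruby
require "digest"
require "tmpdir"

# Added example (not Brakeman's code): verify a downloaded gem against the
# SHA256 sums published in the release post before installing it.
# Manifest lines use the same "<hex>  <filename>" layout as sha256sum output;
# the values below are copied from the 4.3.0 release post.
RELEASE_MANIFEST = <<~SUMS
  9284a1a9413743b4c915eda40312395e0ee574c6286893a27074b6f9527648f4  brakeman-4.3.0.gem
  89ba3385fab967114c31da1462401c03caa8847d1115566a77039d0bda95181e  brakeman-lib-4.3.0.gem
  1834031c1e949242ea6d08b3b1036d3f7c12c28257cdfa94cf3d0459b6f851b6  brakeman-min-4.3.0.gem
SUMS

# Parse a manifest into { "filename" => "hex digest" }, ignoring blank lines.
def parse_manifest(text)
  text.each_line.with_object({}) do |line, sums|
    hex, name = line.strip.split(/\s+/, 2)
    next if hex.nil? || name.nil?
    sums[name] = hex.downcase
  end
end

# Stream the file through SHA256 rather than reading it all into memory.
def sha256_hex(path)
  Digest::SHA256.file(path).hexdigest
end

# Returns :ok, :mismatch or :unlisted for the file at +path+.
# :unlisted is a hard failure too: never install an artifact whose name is
# not in the manifest you obtained out of band (the release post, not the
# download location).
def verify_artifact(path, manifest_text)
  sums = parse_manifest(manifest_text)
  expected = sums[File.basename(path)]
  return :unlisted if expected.nil?
  sha256_hex(path) == expected ? :ok : :mismatch
end

# Check every .gem in +dir+ (for example where `gem fetch` wrote them) and
# report a per-file result; install only if every value is :ok.
def verify_dir(dir, manifest_text)
  Dir.glob(File.join(dir, "*.gem")).map do |path|
    [File.basename(path), verify_artifact(path, manifest_text)]
  end.to_h
end
```

Run verify_dir on the directory holding the fetched gems and refuse to run gem install unless every entry is :ok; a :mismatch on a file with the right name is exactly the case (a tampered or corrupted download) the published sums exist to catch.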

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.

If you find Brakeman valuable and want to support its development (and get more features!), check out Brakeman Pro.

Brakeman 4.2.1 Released

This is a small release to add warnings for CVE-2018-3741 and CVE-2018-8048.

Please note there have been a number of vulnerabilities in the Rails HTML sanitization methods over the years. Only use sanitization when an application must accept and render HTML from an untrusted source. Otherwise, escape outputs instead.

Changes since 4.2.0:

  • Add warning for CVE-2018-3741
  • Add warning for CVE-2018-8048
  • Scan app/jobs/ directory
  • Handle template_exists? in controllers (#1124)

CVE-2018-3741

CVE-2018-3741 is a vulnerability in the rails-html-sanitizer gem which may allow bypassing attribute whitelists and therefore cross-site scripting.

(changes)

CVE-2018-8048

CVE-2018-8048 is a similar vulnerability in the loofah gem.

(changes)

Scan Jobs

Brakeman will now scan files in the app/jobs/ directory and treat them as additional libraries.

(changes)

Template Guard Condition

Brakeman will no longer warn about dynamic render paths if template_exists? is used as a guard condition.

(changes)

A Note on Vulnerabilities in Dependencies

Brakeman does not warn about all CVEs in application dependencies. There are many better tools that track and detect vulnerable dependencies.

Brakeman only includes warnings about vulnerabilities announced on the Rails Security Mailing List.

Checksums

The SHA256 sums for this release are:

3ba1cd39d98edcae7a0802ef0206de1438439cfdf4edb559c676877e2c253498  brakeman-4.2.1.gem
54a4aa336f3c21477a9bab12eeba6bb79ffa34a015e89a748621f7fd037d1943  brakeman-lib-4.2.1.gem
d53f2275320dfe5609234e74ce3a73a7d8c44dfae824fb938a9bae2077a9aecf  brakeman-min-4.2.1.gem


Brakeman 4.2.0 Released

First release of 2018!

Changes since 4.1.1:

  • Handle ERb use of String#<< method for Ruby 2.5 (Pocke)
  • Exclude template folders in lib/ (kru0096)
  • Warn about SQL injection with not
  • Avoid warning about symbol DoS on Model#attributes (#1096)
  • Avoid warning about open redirects with model methods ending with _path(#1117)
  • Avoid warning about command injection with Shellwords.escape (#1159)
  • Use ivars from initialize in libraries
  • Fix multiple assignment of globals (#1155)
  • Sexp#body= can accept :rlist from Sexp#body_list
  • Update RubyParser to 3.11.0

Update ERb Handling for Ruby 2.5.0

The way ERb templates are compiled changed in Ruby 2.5.0 to use String#<<, so Brakeman has been changed to accommodate this.

Please note ERb also changed such that <% # is not supported in Ruby 2.5.0. It will be fixed in the next Ruby release, but the correct syntax is <%#.

(changes)

Exclude Template Folders

Files in lib/**/templates will be ignored, since they are generally ERb files, not actually Ruby.

(changes)

SQL Injection with not

In ActiveRecord, where.not takes the same arguments as where, so a string argument with interpolated values is just as vulnerable to SQL injection.

Thank you to Jobert Abma for reporting this.

(changes)

Symbol DoS False Positive

Brakeman will no longer warn about Model#attributes.symbolize_keys.

(changes)

Open Redirect False Positive

Brakeman will no longer warn about open redirects with Model#something_ending_in_path.

(changes)

Shellwords Escaping

Brakeman will no longer warn about command injection when Shellwords.escape and friends are used.

Please note that user input in shell commands is rarely a good idea, even if escaped, since even a correctly escaped value can change the behavior of the invoked program in unexpected ways. Many Linux tools have options that allow arbitrary code execution, and escaping does not stop a value beginning with - from being parsed as an option.

(changes)
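As an added example (not Brakeman's code) covering both the 4.3.0 command injection checks above (backtick and system calls that are the target of another call) and the Shellwords.escape note here: the block below shows what a shell would make of an interpolated command, what escaping changes, and the argv form that avoids the shell entirely. The payload is constructed, the function names are hypothetical, and nothing is executed; the functions only return the command a shell would receive.

```ruby
require "shellwords"

# Added example, not Brakeman's code. It shows why the patterns flagged in
# 4.3.0 (backtick/system calls even when they are the target of another call)
# matter, and what Shellwords.escape does and does not buy you.

# Constructed attacker-controlled value; assume it came from params[:dir].
PAYLOAD = "tmp; rm -rf /".freeze

# Vulnerable: interpolating untrusted input into a shell string. In the app
# this would be `ls #{dir}` == "expected"; the backtick call is the target of
# ==, which Brakeman did not index before 4.3.0. Nothing is executed here: the
# function returns the string the shell would receive.
def vulnerable_command(dir)
  "ls #{dir}"
end

# Mitigated: Shellwords.escape quotes metacharacters so the shell sees one word.
# This is the case Brakeman stopped warning about in 4.2.0.
def escaped_command(dir)
  "ls #{Shellwords.escape(dir)}"
end

# Preferred: avoid the shell entirely. Kernel#system / Open3 with an argv
# array exec the program directly, and "--" ends option parsing so a value
# like "-rf" cannot be read as an option by tools that honour "--".
def argv_command(dir)
  ["ls", "--", dir]
end

# How a POSIX shell would tokenise the command string into words.
def shell_words(command)
  Shellwords.split(command)
end
```

The vulnerable form splits into five words, so the shell runs rm after ls; the escaped form keeps the whole payload as a single argument. Even so, prefer the argv form: system(*argv_command(dir)) never involves a shell, and the "--" guards against the option-parsing problem mentioned above.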

Use Initialized Environment in Libraries

When processing libraries, instance variables set in initialize will be used in subsequent methods.

(changes)

Update RubyParser

This release includes updated versions of RubyParser and friends. This may cause some warning fingerprints to change if they include a call to self[...].

(changes)

Checksums

The SHA256 sums for this release are:

c6ad3861920075ccf553343815fcce07aa09d015bc8529c6e4d8a865674530f7  brakeman-4.2.0.gem
94a97496761ddd27974867bde3235cab303761dadec4bd6a8d22260a72aaaa38  brakeman-lib-4.2.0.gem
a071eb6d6e866df0338bcb9c8dd56f5b0d66c68212eb604f551ac8aa196d6923  brakeman-min-4.2.0.gem


Brakeman 4.1.1 Released

Just a small fix-up release!

Changes since 4.1.0:

  • Remove check for use of permit with *_id keys
  • Avoid duplicate warnings about permitted attributes
  • Avoid duplicate warnings about division by zero

Checksums

The SHA256 sums for this release are:

7b65d6694b488aaa09e147f5a39d7e544385a11ec52ae93058b04b17999925b6  brakeman-4.1.1.gem
ffb525462d391f9a7f85b9b1ebbf7b165d03cd2eaed7093c3f1b4fdb135947e2  brakeman-lib-4.1.1.gem
b50a7b19d56a7606cd3a625611f8e720d47da8a57d126e7dcf443714cec98194  brakeman-min-4.1.1.gem


Brakeman 4.1.0 Released

Wow, it has been too long since the last release!

Happy December!

Changes since 4.0.1:

  • Add check for dangerous keys in permit
  • Add optional check for divide by zero
  • Remove errors about divide by zero
  • Warn about dynamic values in Arel.sql
  • Show better location for Sass errors (Andrew Bromwich)
  • Avoid warning about file access for temp files (#1110)
  • Avoid CSRF warning in Rails 5.2 default config (#1132)
  • Better processing of op_asgn1 (e.g. x[:y] += 1) (#1103)
  • Handle nested destructuring/multiple assignment
  • Do not warn on params.permit with safe values (#1000)
  • Use HTTPS for warning links
  • Try to guess options for less pager (#1118)
  • Do not page if results fit on screen
  • Leave results on screen after paging
  • Fix upgrade version for CVE-2016-6316
  • Fix include_paths for Code Climate engine (Will Fleming)
  • Support app_path configuration for Code Climate engine (Noah Davis)
  • Refactor Code Climate engine options parsing (Noah Davis)

New Check for Dangerous Permit Keys

Very similar to warning about potentially dangerous keys in attr_accessible, Brakeman now warns about potentially dangerous keys whitelisted for mass assignment via params.permit.

(changes)

New Optional Check for Division by Zero

Previously, Brakeman would report errors when it encountered potential division by zero. Now, it optionally reports warnings instead.

(changes)

Arel.sql

Arel.sql allows one to add raw SQL to queries. Brakeman now warns about potential SQL injection when using Arel.sql with dynamic values.

(changes)

Sass Error Locations

Thanks to Andrew, Brakeman now reports actual file names for errors involving Sass.

(changes)

Temp Files

Brakeman no longer warns about file access with params[:blah].tempfile.path or params[:blah].path.

(changes)

Rails 5.2 CSRF Configuration

In Rails 5.2, CSRF protection is enabled by default. Brakeman will now respect this.

(changes)

Attribute Combination Assignment

This release handles code like x[:y] += 1 better. Previously, it would not update the value for x[:y].

(changes)

Nested Destructuring

Brakeman now can handle nested multiple assignment, like x, (a, b), y = z, assuming z is known to be an array.

(changes)

Pager Updates

The default pager (less) now leaves the output in the terminal after exiting and now exits immediately if the output fits on the screen.

Additionally, Brakeman attempts to detect if these options are actually supported by less before using them.

(changes and here)

CVE-2016-6316

In case this one was keeping you up at night, Brakeman now reports the correct upgrade version for CVE-2016-6316.

(changes)

HTTPS Warning Links

Links to brakemanscanner.org in reports are now HTTPS! Only makes sense.

(changes)

Code Climate Updates

The Brakeman engine on Code Climate now supports app_path and include_paths, together.

(changes)

Checksums

The SHA256 sums for this release are:

1dd62ee8aa872acf5d0aace6dc0745b55c78da68640f04754bf11c12a58842bf  brakeman-4.1.0.gem
a16bd3082223655f132ff4c601f5d1930290082116fc256c5c1e652ff3ba933a  brakeman-lib-4.1.0.gem
29d9be77b06195675e6b803141da979438983c0970c182fe8b8ccf3145ecda9f  brakeman-min-4.1.0.gem
