Brakeman

Ruby on Rails Static Analysis Security Tool

Brakeman 4.9.0 Released

It’s been a while! This will (probably) be the last minor release before 5.0.

Changes since 4.8.2:

  • Add --ensure-ignore-notes (Eli Block)
  • Add check for user input in ERB.new (Matt Hickman)
  • Add check for CVE-2020-8166 (Jamie Finnigan)
  • Always scan environment.rb
  • Avoid warning when safe_yaml is used via YAML.load(..., safe: true)
  • Do not warn about mass assignment with params.permit!.slice
  • Ignore params.permit! in path helpers
  • Treat Dir.glob as safe source of values in guards
  • Remove whitelist/blacklist language, add clarifications
  • Add “full call” information to call index results
  • Updated Slim dependency (Jeremiah Church)

Ensuring Notes Are Added For Ignored Warnings

Eli Block has added a new option to ensure all ignored warnings have notes.

If --ensure-ignore-notes is set and the configured “ignore” file does not have notes for all warnings, a non-zero exit code will be set.

(changes)
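As an added illustration of the rule this option enforces (this is not Brakeman's own implementation of --ensure-ignore-notes), the Ruby script below parses an ignore file, lists the ignored warnings whose note is missing or blank, and returns the exit status a CI job would check. The ignore file is a constructed sample: its fingerprints are made up, and it assumes the layout Brakeman writes, an ignored_warnings array whose entries carry fingerprint and note keys.

```ruby
require 'json'

# Constructed sample of a Brakeman ignore file. The "ignored_warnings",
# "fingerprint" and "note" keys follow the layout Brakeman writes; the
# fingerprint values are made up. The third entry has no "note" key at all,
# to exercise the missing-key case alongside the blank-note case.
SAMPLE_IGNORE_FILE = <<~IGNORE
  {
    "ignored_warnings": [
      {
        "warning_type": "SQL Injection",
        "fingerprint": "0000000000000000000000000000000000000000000000000000000000000001",
        "file": "app/models/report.rb",
        "line": 12,
        "note": "Input comes from a fixed allowlist, reviewed 2020-06"
      },
      {
        "warning_type": "Cross-Site Scripting",
        "fingerprint": "0000000000000000000000000000000000000000000000000000000000000002",
        "file": "app/views/posts/show.html.erb",
        "line": 4,
        "note": ""
      },
      {
        "warning_type": "Command Injection",
        "fingerprint": "0000000000000000000000000000000000000000000000000000000000000003",
        "file": "lib/tasks/export.rake",
        "line": 8
      }
    ],
    "updated": "2020-06-15 10:00:00 -0700",
    "brakeman_version": "4.9.0"
  }
IGNORE

# Return the ignored warnings that have no usable note: either the "note"
# key is absent or its text is blank.
def warnings_without_notes(ignore_json)
  data = JSON.parse(ignore_json)
  Array(data['ignored_warnings']).reject do |w|
    note = w['note']
    note.is_a?(String) && !note.strip.empty?
  end
end

# Mirror the exit-status behaviour described above: 0 when every ignored
# warning has a note, 1 otherwise. The status is returned rather than
# passed to exit so the method can be used from a Rake task or a test.
def ensure_ignore_notes(ignore_json)
  missing = warnings_without_notes(ignore_json)
  missing.each do |w|
    warn "No note for ignored #{w['warning_type']} in " \
         "#{w['file']}:#{w['line']} (#{w['fingerprint']})"
  end
  missing.empty? ? 0 : 1
end

if __FILE__ == $PROGRAM_NAME
  if ARGV[0]
    # Real use: ruby ensure_notes.rb config/brakeman.ignore
    exit ensure_ignore_notes(File.read(ARGV[0]))
  else
    # No path given: run against the constructed sample instead.
    puts "Sample ignore file status: #{ensure_ignore_notes(SAMPLE_IGNORE_FILE)}"
  end
end
```

Run with the path to the ignore file as the only argument; a non-zero status fails the pipeline step exactly as Brakeman's own option would, while the warning lines on stderr say which entries still need a justification.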

Check for Template Injection

Matt Hickman added a new check for user input in calls to ERB.new which can lead to remote code execution.

(changes)
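Added example, not from the original post, of the shape this check targets next to its hardened form. In the first method the request parameter is the template, so any Ruby inside its tags executes on the server; in the second the template is a fixed string from the code base and the parameter is only data, HTML-escaped on output. The method names, the template text and the sample input are constructed for this illustration.

```ruby
require 'erb'
require 'cgi'

# The pattern the new check flags: user input is the template source.
# ERB compiles the string to Ruby, so <% %> and <%= %> tags in the input
# are evaluated with this method's binding.
def render_user_template(user_template)
  ERB.new(user_template).result(binding)
end

# Hardened form: the template is fixed and compiled once; the caller's value
# only fills a variable, and it is escaped before it reaches the HTML.
GREETING_TEMPLATE = ERB.new('<p>Hello, <%= CGI.escapeHTML(name) %></p>')

def render_greeting(name)
  GREETING_TEMPLATE.result_with_hash(name: name)
end

if __FILE__ == $PROGRAM_NAME
  sample = '<%= 6 * 7 %>' # constructed input containing an ERB tag
  puts render_user_template(sample) # the tag is evaluated
  puts render_greeting(sample)      # the tag is shown as text
end
```

The same distinction applies to any template engine: the set of templates must be fixed at deploy time, and request data should only ever be bound into them as values.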

Check for CVE-2020-8166

Jamie Finnigan added a new check for CVE-2020-8166.

(Note, in general you should not rely on Brakeman for vulnerable dependency checks. There are much better tools available now!)

(changes)

Always Scan Environment

Brakeman used to conditionally scan config/environment.rb based on the Rails version, since in newer versions there’s nothing of interest in that file.

However, some applications do use that file for important constant definitions. Since there is no harm in doing so, Brakeman will now always scan config/environment.rb.

(changes)

More Safe YAML

Brakeman will no longer warn about deserialization if the safe_yaml gem is used with YAML.load(..., safe: true).

(changes)

Mass Assignment False Positives

Brakeman will no longer warn about mass assignment with params.permit!.slice or when params.permit! is used as an argument to a path helper (e.g. something_path(params.permit!)).

(changes and changes)

Dir.glob in Guards

Brakeman will now consider Dir.glob to be a safe source of values in guard statements.

In other words, code like this:

  def show
    template = params[:template]
    files = Dir.glob("/some/template/path/*")

    # Guard condition using Dir.glob results
    return redirect_to '/groups' unless files.include? template

    # Will not warn because we are checking `files` for `params[:template]` above
    render "groups/#{template}"
  end

(changes)

Updated Warning Messages

Updated a few warning messages to be clearer instead of just using ‘whitelist’/‘blacklist’ as a verb.

(changes)

Checksums

The SHA256 sums for this release are:

3afcfee962907361cbc5047b7089eaa7c31546cc4de201939faba6d3a1b07a18  brakeman-4.9.0.gem
dc6a50321170e83e61ae75d1bb2dade53392a44b614d4068553f1425539a3b8f  brakeman-lib-4.9.0.gem
4c8ea640925bf33a775729b000b91312abe42ea7945dac1a6bfcc0347fb6323d  brakeman-min-4.9.0.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.

Brakeman 4.8.2 Released

This release introduces a new option and two new checks!

Changes since 4.8.1:

  • Add --text-fields option
  • Add check for CVE-2020-8159
  • Add check for escaping HTML entities in JSON configuration option
  • Fix authenticate_or_request_with_http_basic check for passed blocks (Hugo Corbucci)

Text Fields Option

It is now possible to specify which text fields are reported and their order for the default “text” report format using the --text-fields option.

Possible options are:

  • all
  • category
  • category_id
  • check
  • code
  • confidence
  • file
  • fingerprint
  • line
  • link
  • message
  • render_path

--text-fields accepts a comma-separated list of these options.

Please keep in mind the JSON report should be used for structured reports/parsing.

(changes)

CVE-2020-8159

This release includes a check for CVE-2020-8159 related to the actionpack-page_caching gem. The vulnerability allows arbitrary file writing and may be escalated to remote code execution.

If caches_page is called in any controllers, this will be a High confidence warning. Otherwise, Weak.

Reminder: Brakeman is not a ‘dependency’ scanner. It only includes checks for a small number of Rails-related CVEs. Use bundler-audit or related tools for dependency checking.

(changes)

JSON Escaping Configuration

Brakeman will now warn if HTML entity escaping in JSON is disabled globally with ActiveSupport.escape_html_entities_in_json = false. This is an unusual configuration.

(changes)
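Added example of why the setting matters, written for this note as a plain-Ruby stand-in for what ActiveSupport does when the option is left on (it is not ActiveSupport's code). With escaping on, the characters <, > and & in JSON strings are emitted as \u003c, \u003e and \u0026, so JSON written into a <script> block cannot close the tag; with the option set to false, a string containing </script> is emitted verbatim. The data and the helper names are constructed.

```ruby
require 'json'

# Replacements applied to JSON output when HTML entity escaping is on. The
# result is still valid JSON (these are ordinary \u escapes), but the text
# can no longer contain a literal < or > that a browser would read as markup.
# U+2028/U+2029 are treated the same way because they end a JavaScript line.
JSON_HTML_ESCAPES = {
  '<' => '\u003c',
  '>' => '\u003e',
  '&' => '\u0026',
  "\u2028" => '\u2028',
  "\u2029" => '\u2029'
}.freeze

def json_escape_html(json)
  json.gsub(/[<>&\u2028\u2029]/, JSON_HTML_ESCAPES)
end

# Build an inline <script> block carrying server data, the situation where
# the escaping matters. escape_html: false reproduces the effect of
# ActiveSupport.escape_html_entities_in_json = false.
def script_tag_payload(data, escape_html: true)
  json = JSON.generate(data)
  json = json_escape_html(json) if escape_html
  "<script>window.__DATA__ = #{json};</script>"
end

if __FILE__ == $PROGRAM_NAME
  sample = { 'comment' => 'a </script> b' } # constructed data
  puts script_tag_payload(sample)
  puts script_tag_payload(sample, escape_html: false)
end
```

The round trip is lossless (JSON.parse returns the original string), which is why leaving the default on costs nothing; turning it off only helps if some consumer of the JSON cannot handle \u escapes, which a compliant parser always can.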

Basic Auth Check Fix

Hugo Corbucci fixed an error when checking calls to authenticate_or_request_with_http_basic without a block literal.

(changes)

Checksums

The SHA256 sums for this release are:

d7bf369896b4a3c41778f39f10b1e1d0844a965bbb582fa0a0566b1df4f07dec  brakeman-4.8.2.gem
c13e9a9e5b213ba95a16803ddb50eb3c7119533ca71444ffec2bb6cea22b926a  brakeman-lib-4.8.2.gem
a422a444b7db48682e1f112c83b1a7a7e3828ec02d52ed91c5b3eff235b801c1  brakeman-min-4.8.2.gem

Brakeman 4.8.1 Released

Just a little bug fix release.

Changes since 4.8.0:

  • Warn about global(!) mass assignment
  • Check SQL query strings using String#strip or String.squish (#1459)
  • Handle non-symbol keys in locals hash for render (#1465)
  • Index calls in render arguments (#1459)

Global Mass Assignment

Strong parameters can be disabled with:

ActionController::Parameters.permit_all_parameters = true

Brakeman will now warn about this (very rare) configuration.

(changes)

Squished and Stripped SQL

Brakeman will now check string targets of squish or strip.

For example:

ActiveRecord::Base.connection.execute "SELECT * FROM #{user_input}".squish

(changes)

Non-Symbol Keys in Locals Hash

Using a value other than symbol literals as keys in the locals hash for render will no longer cause an error.

(changes)

Render Arguments

Calls made as arguments to render will be indexed and checked for all vulnerability types, like every other method call.

(changes)

Checksums

The SHA256 sums for this release are:

5f3cc763fce471434adc33aa251298fa24ea2a1c01ef2549aec55be4b5b14d46  brakeman-4.8.1.gem
c4a95b450fb7ec2440e68640a0821e3a6b62ea34f665e78264ba0b332e98e5df  brakeman-lib-4.8.1.gem
ada41dbfc3a436c062cd44161893249654caf43296801599303952f6261f2e5e  brakeman-min-4.8.1.gem

Brakeman 4.8.0 Released

First release of 2020! This release comes with a brand new report format: JUnit XML.

Changes since 4.7.2:

  • Add JUnit XML report format (Naoki Kimurai)
  • Sort ignore files by fingerprint and line (Ngan Pham)
  • Catch dangerous concatenation in CheckExecute (Jacob Evelyn)
  • User-friendly message when ignore config file has invalid JSON (D. Hicks)
  • Freeze call index results, fix thread-safety issue
  • Properly render confidence in Markdown report (#1446)
  • Report old warnings as fixed if zero warnings reported

JUnit XML Report

Thanks to Naoki Kimura, Brakeman can now generate a JUnit XML format. JUnit XML is produced and consumed by a number of different testing tools, including CircleCI.

Supporting this format makes it possible for Brakeman warnings to be consumed by general test infrastructure tools.

To use the new format, either use -f junit or -o report.junit.

changes

Sort Ignore Files

Warnings in “ignore files” were previously only sorted by fingerprint. Thanks to Ngan Pham they are now sorted by fingerprint then line number, to maintain stable ordering between warnings with the same fingerprint.

changes

Dangerous Concatenation in Commands

Jacob Evelyn has updated the command injection check (CheckExecute) to also consider string concatenation with dangerous values.

For example:

system("ls " + maybe_dangerous)

changes
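Added example, written for this note and not part of Brakeman or the original post, of the concatenation shape the check now catches next to two hardened forms. When a single command string reaches the shell, everything in the concatenated value is shell syntax; passing the program and each argument separately, or escaping the value with Shellwords when one string is unavoidable, keeps it a literal argument. The method names are constructed, and the input '$HOME' is a constructed sample chosen because only a shell expands it.

```ruby
require 'open3'
require 'shellwords'

# The pattern CheckExecute now flags: concatenation builds one command line,
# and because it contains shell metacharacters Ruby hands it to /bin/sh,
# which interprets whatever `name` contains.
def echo_via_shell_string(name)
  out, _status = Open3.capture2('echo ' + name)
  out
end

# Hardened form: program and arguments passed separately. Ruby executes the
# program directly with no shell, so `name` arrives as one literal argument.
def echo_via_argv(name)
  out, _status = Open3.capture2('echo', name)
  out
end

# When a single command string cannot be avoided, Shellwords.escape quotes
# the user-controlled piece so the shell sees exactly one word.
def echo_via_escaped_string(name)
  out, _status = Open3.capture2('echo ' + Shellwords.escape(name))
  out
end

if __FILE__ == $PROGRAM_NAME
  sample = '$HOME' # constructed input; a shell would expand it
  puts echo_via_shell_string(sample)   # prints the expanded home directory
  puts echo_via_argv(sample)           # prints the literal text $HOME
  puts echo_via_escaped_string(sample) # prints the literal text $HOME
end
```

The same argv form works for the methods Brakeman's check covers, for example system("ls", maybe_dangerous) instead of system("ls " + maybe_dangerous).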

Fix Thread-safety Issue

Two checks were modifying shared data (call site results), which introduced a race condition. Sometimes a result would strangely become nil and cause intermittent errors. Note this only popped up when using real threads on JRuby.

Now results from the CallIndex are frozen to help prevent this kind of modification of shared data in the future.

changes

Render Confidence in Markdown

Due to a previous refactoring, confidence levels were not being rendered in Markdown reports.

changes

Report Comparison Fix

Due to a very old bug, when comparing an old report with some warnings to a new report with zero warnings, the old warnings were not reported as fixed. Now they will be.

Probably no one noticed because we generally only care about new warnings.

changes
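Added example, not Brakeman's own comparison code, of a report diff that handles the zero-warnings case correctly. It assumes Brakeman's JSON report layout only as far as a top-level warnings array whose entries carry a fingerprint, and it uses the fingerprint as identity: a fingerprint present in the new report but not the old is a new warning, one present in the old but not the new is fixed, and an empty new report therefore reports every old warning as fixed. The reports and fingerprints are constructed.

```ruby
require 'json'

# Constructed reports in the shape of Brakeman's JSON output, reduced to the
# fields the comparison needs. Fingerprints are made-up placeholders.
OLD_REPORT = <<~REPORT
  {"warnings": [
    {"fingerprint": "aaa", "warning_type": "SQL Injection", "file": "app/models/user.rb", "line": 10},
    {"fingerprint": "bbb", "warning_type": "Command Injection", "file": "lib/export.rb", "line": 5}
  ]}
REPORT

NEW_REPORT_EMPTY = '{"warnings": []}'

NEW_REPORT_PARTIAL = <<~REPORT
  {"warnings": [
    {"fingerprint": "bbb", "warning_type": "Command Injection", "file": "lib/export.rb", "line": 7},
    {"fingerprint": "ccc", "warning_type": "Cross-Site Scripting", "file": "app/views/x.html.erb", "line": 3}
  ]}
REPORT

# Index a report's warnings by fingerprint. A report with no "warnings" key
# or an empty array simply yields an empty hash, so the zero-warnings case
# needs no special handling below.
def warnings_by_fingerprint(report_json)
  JSON.parse(report_json).fetch('warnings', []).to_h { |w| [w['fingerprint'], w] }
end

# Return the warnings that appeared and the ones that went away.
def compare_reports(old_json, new_json)
  old_w = warnings_by_fingerprint(old_json)
  new_w = warnings_by_fingerprint(new_json)
  {
    'new' => (new_w.keys - old_w.keys).map { |fp| new_w[fp] },
    'fixed' => (old_w.keys - new_w.keys).map { |fp| old_w[fp] }
  }
end

if __FILE__ == $PROGRAM_NAME
  diff = compare_reports(OLD_REPORT, NEW_REPORT_EMPTY)
  puts "new: #{diff['new'].size}, fixed: #{diff['fixed'].size}"
end
```

Because fingerprints are stable across line-number changes, the "bbb" warning that moved from line 5 to line 7 is neither new nor fixed, which is the behaviour wanted from a comparison used to gate a pipeline on new findings only.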

Checksums

The SHA256 sums for this release are:

2febb3ce4111fe14f57a8ea447c5770eeb32ba43333955b4ed27864ef045c277  brakeman-4.8.0.gem
c513373a37576d8107af724bf9f8a47e8d76253c85bdd6fdb4d3e93471a47ee6  brakeman-lib-4.8.0.gem
d82206b9a60ef1eb4c96d32ba0157774db301e3ca10dcbdd7b4171044b28eccf  brakeman-min-4.8.0.gem

Brakeman 4.7.2 Released

Some minor fixes for a minor release.

Changes since 4.7.1:

  • Add request.params as query parameters (#1398)
  • Handle more permit! cases (#1426)
  • Remove version guard for named_scope vs. scope
  • Find SQL injection in String#strip_heredoc target (#1433)
  • Ensure file name is set when processing models
  • Bundle ruby_parser version 3.14.1 (#1429)

More Query Parameters

request.params has been added as a query parameters method.

(changes)

More permit!

More cases of permit! will be identified, particularly when it is the target of a method call.

(changes)

More Scopes

Both named_scope and scope will be handled regardless of detected Rails version.

(changes)

SQL Injection with strip_heredoc

strip_heredoc is now treated as returning a string. This fixes false positives if the target is a plain string and fixes false negatives if the target has interpolation.

(changes)

Model File Names

In some cases, warnings were missing file names because the file name was not being passed to the model processor.

The file name will now be passed along, and there is a new test in the test suite for file names on warnings.

(changes)

Checksums

The SHA256 sums for this release are:

339d6f3707a2c0a32003536a231255b839a0b87bd6a7ebef3c82aedd1bdd3ac8  brakeman-4.7.2.gem
39ce3a5fe248dee8c78fe671441d2abbfec66cec923ee9f56c62018229d3c9b0  brakeman-lib-4.7.2.gem
efa07aa8476ef5553c91734093349a3ed55e2ef05b469d3dcecfdaabede37296  brakeman-min-4.7.2.gem