Brakeman

Ruby on Rails Static Analysis Security Tool

Brakeman 4.7.1 Released

This release includes a security fix in a dependency; please see below.

Changes since 4.7.0:

  • Address file permission issues in bundled ruby_parser-legacy
  • Sort text report by file and line (Jacob Evelyn)
  • Catch reverse tabnabbing with :_blank symbol (Jacob Evelyn)
  • Convert s(:lambda) to s(:call) in Sexp#block_call (#1410)
  • Check string length against limit before joining
  • Fix flaky rails4 test (Adam Kiczula)
  • Fix errors from frozen Symbol#to_s in Ruby 2.7
  • Add release dates to each version in CHANGES (TheSpartan1980)

File Permissions

A security issue was reported for the ruby_parser-legacy gem, where some files are installed with world-writable permissions. This would allow any user on the system to edit code which would then be executed by Brakeman (or other dependent libraries) when loading the ruby_parser-legacy gem.

In this release of the brakeman gem, the permissions on these files have been corrected. However, there has not been a fixed release of ruby_parser-legacy yet, so the brakeman-lib and brakeman-min gems are still affected.

Default Report Format Sorting

Warnings in the default text report are now sorted by file and line number as well as confidence and category, thanks to Jacob Evelyn.

(changes)

Reverse Tabnabbing

Jacob Evelyn also updated the reverse tabnabbing check to match links created with target: :_blank.

(changes)

Stabby Lambdas

ruby_parser 3.14.0 changed the AST representation of ->{} lambdas, and Brakeman needed to adjust.

(changes)

String Length Limit

Brakeman now checks the resulting length of joining two strings (e.g., "blah" + "blah blah") before joining them. If the joined string would be longer than 50 characters, the strings are not joined.

Note that the only change is when the length is checked; the 50-character limit was already in place.

(changes)

Flaky Test Fixed

Adam Kiczula fixed an intermittently-failing test in the Brakeman test suite that had been plaguing CI builds for a long time. Thanks!

(changes)

Ruby 2.7 Frozen Strings

In Ruby 2.7, calling to_s on symbols and some other constant values (true/false, etc.) will return frozen strings. This affected Brakeman in only minor ways, but it is fixed now in preparation for Ruby 2.7.
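As an added example (not Brakeman's code), the defensive pattern for the failure mode just described: a string that may come back frozen from to_s is copied before it is mutated, and the FrozenError that an in-place mutation raises on a frozen string is shown alongside. The method names are chosen for this example.

```ruby
# Added example, not Brakeman's own code: handling a String that may be
# frozen (as Symbol#to_s returned in the Ruby 2.7 previews) before mutating it.

# Returns a mutable copy of value.to_s when the result is frozen, otherwise
# the string itself. Behaves the same whether or not the interpreter freezes it.
def mutable_string(value)
  str = value.to_s
  str.frozen? ? str.dup : str
end

# Appends suffix without risking a FrozenError, which is what an in-place
# `sym.to_s << suffix` raises when to_s hands back a frozen string.
def append_suffix(value, suffix)
  mutable_string(value) << suffix
end

# Demonstrates the failure mode itself: mutating a frozen string raises
# FrozenError (Ruby 2.5+), while an unfrozen string is modified in place.
def frozen_mutation_raises?(str)
  str << "x"
  false
rescue FrozenError
  true
end
```

The same copy-before-mutate rule applies to any string that might be shared, such as literals under the frozen_string_literal magic comment.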

(changes)

Release Dates in Changelog

Brakeman’s changelog now includes release dates thanks to TheSpartan1980.

(changes)

Checksums

The SHA256 sums for this release are:

cdc6f4c86b5b35b5e94798cf443909385aa1b79235da8e1ee1fd4381acf03691  brakeman-4.7.1.gem
2f7a7a6d79b1e5b8c6a390e04642e987c56cced2c8be3d63a1250f7bbc9e504d  brakeman-lib-4.7.1.gem
598431f6bfc90b119fc6883ead7896c1718ba5d9a0e0450893c3e628a6c8e7b0  brakeman-min-4.7.1.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.

Brakeman 4.7.0 Released

This release updates Haml support to Haml 5.x!

Changes since 4.6.1:

Haml Support Update

Haml 5 introduced a completely different “compiled” format, so adding support was a significant effort taking a few months to complete. Due to the large number of changes, you may see some changes to warnings for Haml templates.

Please report any bugs or odd behavior with Haml templates!

Haml 3.x and 4.x are no longer supported, although in general Haml is mostly backwards-compatible.

(changes)

Shell Commands

Jacob Evelyn added support for detecting command injection with -c in known-dangerous commands (such as bash or echo).

An example of dangerous code would be:

system("echo", "-c", params[:command])

Of course, not all dangerous shell commands are covered, so in general be careful about passing any user-controlled input to a shell command.

(changes)

CookieSerialization Bug

Phil Turnbull fixed an issue in CheckCookieSerialization where non-symbol cookie serialization options were handled poorly.

(changes)

Brakeman::Differ Refactor

Benoit Côté-Jodoin refactored Brakeman::Differ to compare warnings more efficiently and remove old fallback behavior. All warnings are compared by fingerprint now when using --compare.

(changes)

Version Comparisons

Andrey Glushkov updated the code for comparing library versions so it uses Gem::Version and handles “beta”/pre-release versions better.

(changes)

%W Interpolation

String interpolation when using %W is no longer considered dangerous in shell commands where regular interpolation would be.

(changes)

form_for

form_for is now considered a safe method in XSS checks.

(changes)

String.new

String.new << 'some string' is now treated like '' << 'some string'.

(changes)

Checksums

The SHA256 sums for this release are:

f43d949f1de9c0bb67b7bc7d41000ac70a1fb6c2250c5e7332015f0cc5ce36c5  brakeman-4.7.0.gem
c02dbaa4ad0c7402ef99697c7b1916b7d9558dd5aa45e1a36efed117628498cc  brakeman-lib-4.7.0.gem
3ab80a47bbfbb0f869bb1289292ed62b9643b5e0884a4a79e2c7e44218ce3b07  brakeman-min-4.7.0.gem


Brakeman 4.6.1 Released

This release corrects a typo in the reverse tabnabbing warning message.

Changes since 4.6.0:

Checksums

The SHA256 sums for this release are:

6e31f8c8dbdea7b198c591d44b73aee067cca5612db191fe04d8d8c2a8eb9011  brakeman-4.6.1.gem
6879d5175e5f20bf5ac1bd20dad0ef9a1e4c72d9774114d752b19c7e7d7d69fc  brakeman-lib-4.6.1.gem
72a0ef7b91b11bea925b365645096a186ec3929024066792957006c46355560e  brakeman-min-4.6.1.gem


Brakeman 4.6.0 Released

This release has two new checks!

Changes since 4.5.1:

  • Add check for cookie serialization with Marshal (#1316)
  • Add reverse tabnabbing check (Linos Giannopoulos)
  • Avoid warning about file access with ActiveStorage::Filename#sanitized (Tejas Bubane)
  • Update loofah version for fixing CVE-2018-8048 (Markus Nölle)
  • Warn people that Haml 5 is not fully supported (Jared Beck)
  • Index calls in initializers
  • Improve template output handling in conditional branches
  • Avoid assigning nil line numbers to Sexps
  • Add special warning code for custom checks
  • Add call matching by regular expression
  • Skip calls to dup (#1374)
  • Restore Warning#relative_path
  • Better handling of gems with no version declared

Cookie Serialization with Marshal

Brakeman will now warn if Rails.application.config.action_dispatch.cookies_serializer is set to :marshal or :json.

These options allow cookies to be deserialized via Marshal. If an attacker is able to construct a valid encrypted cookie, this could lead to arbitrary code execution.

(changes)

Reverse Tabnabbing Check

Linos Giannopoulos has added an optional check for cases of “reverse tabnabbing”. This occurs when a link with target: '_blank' is opened in a new window/tab: the new window can control the location of the old window. If an attacker controls the new window, they can redirect the old window to a malicious site, which is especially useful for phishing attacks. These kinds of attacks are most likely on applications that allow arbitrary links to external sites.

To completely remove the ability of an attacker to control the old window, add rel: "noreferrer noopener" to the link_to call. Note: this will cause the new window to lose referrer information.

To enable this new check, use --enable ReverseTabnabbing or -A to enable all optional checks.
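An added example, not Brakeman's or Rails' own code, of the fix recommended above applied systematically: a small helper that adds rel: "noreferrer noopener" to link_to options whenever the target is _blank. It accepts the target both as a String and as the :_blank Symbol, the form the 4.7.1 release taught the check to recognise. The helper name and the link_to call site shown in the comment are assumptions for this example.

```ruby
# Added example, not Brakeman's or Rails' code: hardening link_to options
# against reverse tabnabbing before they reach the view helper.
REQUIRED_REL = %w[noreferrer noopener].freeze

# Returns a copy of the options with rel="noreferrer noopener" added whenever
# target is _blank, given either as a String or as the :_blank Symbol. Any rel
# values already present (e.g. "nofollow") are preserved; the input hash is
# not modified.
def harden_external_link(options)
  opts = options.dup
  return opts unless opts[:target].to_s == "_blank"

  existing = opts[:rel].to_s.split
  opts[:rel] = (existing + REQUIRED_REL).uniq.join(" ")
  opts
end

# Assumed call site in a Rails view (not exercised here):
#   link_to "Docs", url, **harden_external_link(target: :_blank)
```

As the release note says, noreferrer means the new window loses referrer information; if that matters for an application, noopener alone removes the window.opener relationship in browsers that support it, but the check's recommended value is both.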

(changes)

File Access False Positive

Tejas Bubane provided a fix to ignore use of ActiveStorage::Filename#sanitized inside file access calls.

(changes)

Fixed Loofah Version

Markus Nölle corrected the “fixed” version of Loofah for CVE-2018-8048 from 2.1.2 to 2.2.1. Oops!

(changes)

Haml 5 Support

Jared Beck added a notification when Haml 5 is in use by an application. At the moment, Brakeman does not support Haml 5.x. There appear to be only a few syntax differences between Haml 4.x and 5.x, so most users are unaffected.

Support is planned for a future release.

(changes)

Initializers More Fully Supported

When Brakeman scans an application, it “indexes” all method calls of interest. Most checks then operate on those indexed calls.

However, for historical reasons, initializers (files in config/initializers/) were not included in that index.

Now they are! Besides some modest speed gains and simpler/more consistent checks, now regular old checks can “see” initializers. This may result in previously-unreported warnings now popping up in initializers.

(changes)

Conditional Branches in Templates

Very obvious code like this:

<%= blah ? x : params[:x].html_safe %>

was not being handled correctly, so the cross-site scripting issue would not be reported. This is now fixed!

(changes)

Empty Line Numbers

A change in sexp_processor causes it to raise an exception if an Sexp is assigned a nil line. Brakeman was a bit cavalier when assigning line numbers, so this caused an issue for some users.

As a result, line numbers should be assigned a bit more consistently now.

(changes)

Custom Check Warning Code

Every warning reported by Brakeman refers to an integer “warning code”. This is so the “warning type” or category can be a bit more flexible if we want to change the name or formatting. However, this list of warning codes is hardcoded into Brakeman. The hardcoding makes it hard for users to add their own checks, because they need to either use an existing code or monkey-patch in a new one.

To help with this situation, custom checks/rules can now use the :custom_check warning code.

A tutorial on writing custom checks is in progress.

(changes)

Call Matching via Regex

It is now possible to search for call targets by regular expression, although it is discouraged for performance reasons.

(changes)

Dup Calls

Brakeman now skips calls to #dup as if they aren’t there.

(changes)

Warning#relative_path

Warning#relative_path has been added back for dependencies that might need it, such as guard-brakeman.

(changes)

Checksums

The SHA256 sums for this release are:

48be7f5a8d814ad42bbb9a2222a331e59a8ece9b50103d8e809a0bbc9d128ef9  brakeman-4.6.0.gem
ff81f5d6fb258a1b83c78ba4144163d1183bd9f31536782722617e880ff85917  brakeman-lib-4.6.0.gem
ef3ad0f59dc32630b1e39f289257cf33a882f2838f455e6009c0cb973ee1d378  brakeman-min-4.6.0.gem


Brakeman 4.5.1 Released

This release adds initial support for Rails 6!

Changes since 4.5.0:

  • Add initial Rails 6 support
  • Add optional check for config.force_ssl (#1181)
  • Add deserialization warning for Oj.load/object_load
  • Add SQL injection checks for destroy_by/delete_by
  • Add SQL injection checks for find_or_create_by and friends
  • Check link_to with block for href XSS (#1339)
  • Convert !! calls to boolean value (#1343)
  • Use relative paths for __FILE__
  • Represent file paths internally as Brakeman::FilePath
  • Handle empty partial names
  • Handle trailing comma in block args
  • Remove code for Ruby versions prior to 1.9

Initial Rails 6 Support

Rails 6 is (almost?) here!

This release adds basic support internally for Rails 6 as well as the -6 option to force Rails 6 mode.

(changes)

Optional Check for Force SSL Option

In Rails, config.force_ssl = true turns on HSTS, redirects HTTP to HTTPS, and sets the secure flag on all cookies.

A new optional check has been added that verifies this option is enabled.

To enable this new check, use -A or --enable ForceSSL.

(changes)

Deserialization with Oj

The deserialization check now looks for unsafe use of the Oj JSON library.

(changes)

New SQL Injection Sinks

The SQL injection check has been expanded to check for unsafe use of destroy_by/delete_by (new in Rails 6) and find_or_create_by and related methods.
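An added example, not Brakeman's own code, that serves two sections of these notes: the 4.7.0 “Shell Commands” pattern (system("echo", "-c", params[:command])) and the SQL injection sinks just described. It is a minimal detector built on MRI's RubyVM::AbstractSyntaxTree (Ruby 2.6+); Brakeman itself uses ruby_parser and dataflow tracking, so this only illustrates the call shapes involved. The shell method list, the list of commands that take -c, the SQL sink list and the sample source are assumptions constructed for the example.

```ruby
# Added example, not Brakeman's code: a toy detector for two call shapes.
#   1. system/exec/spawn running a known shell-like command with "-c" and a
#      non-literal third argument (the script passed to -c is user input);
#   2. destroy_by/delete_by/find_or_create_by-style sinks given an
#      interpolated string (a DSTR node) instead of hash conditions.
Node = RubyVM::AbstractSyntaxTree::Node

SHELL_METHODS    = %i[system exec spawn].freeze                          # assumed list
DASH_C_COMMANDS  = %w[sh bash zsh dash echo].freeze                      # assumed list
SQL_SINK_METHODS = %i[destroy_by delete_by
                      find_or_create_by find_or_initialize_by].freeze    # assumed list

def node?(obj)
  obj.is_a?(Node)
end

# Method name and argument nodes for a call node; nil for any other node.
# FCALL is a receiver-less call (system(...)); CALL has a receiver (User.destroy_by(...)).
def call_parts(node)
  case node.type
  when :FCALL
    mid, args = node.children
  when :CALL
    _recv, mid, args = node.children
  else
    return nil
  end
  arg_nodes = node?(args) ? args.children.compact : [] # the list node ends with a nil marker
  [mid, arg_nodes]
end

# Value of a plain string literal node, nil for anything else (interpolated
# strings are DSTR nodes, method calls are CALL/VCALL nodes, and so on).
def literal_string(node)
  node?(node) && node.type == :STR ? node.children.first : nil
end

def interpolated_string?(node)
  node?(node) && node.type == :DSTR
end

# system("bash", "-c", something): the third argument is run as a shell script,
# so a non-literal value there is command injection despite the argv form.
def dangerous_dash_c?(mid, args)
  return false unless SHELL_METHODS.include?(mid) && args.size >= 3
  cmd, flag, script = args
  DASH_C_COMMANDS.include?(literal_string(cmd)) &&
    literal_string(flag) == "-c" &&
    literal_string(script).nil?
end

# destroy_by("name = '#{x}'"): an interpolated string reaching a SQL sink.
def sql_sink_with_interpolation?(mid, args)
  SQL_SINK_METHODS.include?(mid) && args.any? { |arg| interpolated_string?(arg) }
end

# Parses source and returns one message per dangerous call, in source order.
def scan_source(source)
  findings = []
  walk = lambda do |node|
    return unless node?(node)
    if (parts = call_parts(node))
      mid, args = parts
      if dangerous_dash_c?(mid, args)
        findings << "line #{node.first_lineno}: #{mid}(#{literal_string(args[0])}, \"-c\", ...) runs non-literal input as a shell script"
      elsif sql_sink_with_interpolation?(mid, args)
        findings << "line #{node.first_lineno}: #{mid} receives an interpolated SQL string"
      end
    end
    node.children.each { |child| walk.call(child) }
  end
  walk.call(RubyVM::AbstractSyntaxTree.parse(source))
  findings
end

# Constructed sample source, not taken from any real application.
SAMPLE = <<~'RUBY'
  system("echo", "-c", params[:command])         # flagged: "-c" with user input
  system("echo", "-c", "hello")                  # literal script, not flagged
  system("ls", "-l", params[:dir])               # separate argv, no shell, not flagged
  User.destroy_by("name = '#{params[:name]}'")   # flagged: interpolated SQL
  User.destroy_by(name: params[:name])           # hash conditions, not flagged
  Post.find_or_create_by(title: params[:title])  # not flagged
RUBY

puts scan_source(SAMPLE)
```

The detector deliberately keys on syntax alone: it does not follow a value assigned earlier to a variable, handle an environment hash as the first system argument, or distinguish params from a constant, which is the dataflow work Brakeman's real checks do on top of call matching.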

(changes)

link_to with Blocks

Brakeman now checks link_to calls with blocks for javascript: links.

(changes)

Convert !! to Boolean

Use of !! to convert values to booleans will be treated as safe (turned into true or false).

(changes)

Relative Path for __FILE__

When ruby_parser parses __FILE__, it replaces it with the name of the current file. Unfortunately, Brakeman was passing in absolute paths for the current file. This meant that the fingerprints for warnings including __FILE__ would vary based on the path where the code was scanned.

Now a relative path is used instead, so fingerprints should stabilize.

(changes)

Brakeman::FilePath

Internally, file paths are now represented with Brakeman::FilePath to make it easier to manage absolute/relative paths as needed. This was a pretty huge change, so please report any issues.

As a result, the --no-separate-models option no longer works (it used to combine all model-level mass assignment warnings into one warning). That old option used to report a completely messed-up file name, which is incompatible with Brakeman::FilePath. Also, it was weird and wrong.

(changes)

Empty Partial Names

If an empty string ends up as a partial name in a render call, Brakeman will ignore it.

(changes)

Checksums

The SHA256 sums for this release are:

c8c48a88e9cd837122a590837ff5dbb4bd8214ad72baaffb75e5e5cd3585166f  brakeman-4.5.1.gem
48eaff4eb661f63d43c2f8b33da8efbabc6196ae5ff2ec58ad711e1649eff686  brakeman-lib-4.5.1.gem
c6fcfc5c32ec79a50281b0b97be5b703385ffb20ef45f770e7888ca6ba0b1666  brakeman-min-4.5.1.gem
