Ruby on Rails Static Analysis Security Tool
Brakeman 6.1.2 Released
Finally, just a small release!
Changes since 6.1.1:
●Avoid detecting Phlex components as dynamic render paths (Máximo Mussini)
●Avoid detecting ViewComponentContrib::Base as dynamic render paths (vividmuimui)
●Avoid copying Sexps that are too large (#1818, #1546)
●Add EOL date for Ruby 3.3.0
●Remove deprecated use of Kernel#open("|...")
●Remove safe_yaml gem dependency
●Update Highline to 3.0 (#1812)
Components in Render Paths
Thanks to Máximo Mussini and vividmuimui, there will be fewer false positives
warning about dynamic render paths when using components.
(changes)
(changes)
Brakeman has a very hard time with code like
x = thing
x = foo(x)
if x
x = bar(x)
else
x = baz(x)
end
x = do_thing(x)
# etc.
Because to Brakeman it looks like
x = thing
x = foo(thing)
if foo(thing)
x = bar(foo(thing))
else
x = baz(foo(thing))
end
x = do_thing(bar(foo(thing)) || baz(foo(thing)))
This can quickly snowball into gigantic chunks of code, causing Brakeman to use lots of memory and essentially freeze up.
In the past, limits on how many times a value is “branched” have helped with this (and are configurable with --branch-limit).
However, that is not sufficient on its own.
Now Brakeman also has a limit on how large these chunks of code can get. This has improved performance without any noticeable impact on true positives.
(changes)
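To make the snowballing concrete, here is an added toy model of the substitution described above (example code, not Brakeman's own Sexp handling). Expressions are nested arrays standing in for Sexps, `simulate` replays the `if`/`do_thing` pattern from the post, and `max_size` is a hypothetical stand-in for the new size limit.

```ruby
# Added example, not Brakeman's code: a toy model of value substitution.
# Each assignment `x = foo(x)` replaces `x` on the right with the value
# currently tracked for `x`, and an `if` merges both branch values with
# `or`, so the tracked value grows every round. When the tracked value is
# larger than max_size, the bare variable name is kept instead of copying
# the whole expression again (the idea behind "avoid copying Sexps that
# are too large").

# Number of nodes in a (possibly nested) expression.
def node_size(exp)
  exp.is_a?(Array) ? 1 + exp.sum { |e| node_size(e) } : 1
end

# Replace known variables in +exp+ with their tracked values,
# unless that value is too large to copy.
def substitute(exp, env, max_size)
  if exp.is_a?(Array)
    exp.map { |e| substitute(e, env, max_size) }
  elsif env.key?(exp) && node_size(env[exp]) <= max_size
    env[exp]
  else
    exp # unknown variable, literal, or a value too large to copy
  end
end

# Simulates `x = thing` followed by +rounds+ repetitions of
#   if x then x = bar(x) else x = baz(x) end
#   x = do_thing(x)
# and returns the size of the value tracked for x afterwards.
def simulate(rounds, max_size = Float::INFINITY)
  env = { x: :thing }
  rounds.times do
    then_val = [:call, :bar, substitute(:x, env, max_size)]
    else_val = [:call, :baz, substitute(:x, env, max_size)]
    env[:x] = [:or, then_val, else_val]
    env[:x] = [:call, :do_thing, substitute(:x, env, max_size)]
  end
  node_size(env[:x])
end

if __FILE__ == $0
  puts "unlimited, 10 rounds: #{simulate(10)} nodes"     # 12277
  puts "limit 50, 10 rounds:  #{simulate(10, 50)} nodes" # 19
end
```

Without a limit the tracked value roughly doubles every round (12 * 2^n - 11 nodes after n rounds), which is the memory blow-up the post describes; with the limit it stays bounded at the cost of sometimes tracking only `x` rather than its full history.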
Checksums
The SHA256 sums for this release are:
7716769c18f2c4a52d7a74d2cb5a614be0c46d8aad3fbe7ca089dbb7c98bd4d3 brakeman-6.1.2.gem
38939998eb695b82932c207ef766356bc21e57199e18c4d8f000a005d294e587 brakeman-lib-6.1.2.gem
dbc2f9a3b61760c03737cf701f5a1dfe634fb14e8388968e056a0f77effab018 brakeman-min-6.1.2.gem
Reporting Issues
Thank you to everyone who reported bugs and contributed to this release!
Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.
Hang out on Github for questions and discussion.
Brakeman 6.1.0 Released
It’s been a while!
Changes since 6.0.1:
●Add check for unfiltered search with Ransack
●Add --timing to add timing duration for scan steps
●Add PG::Connection.escape_string as a SQL sanitization method (Joévin Soulenq)
●Handle class << self
●Fix class method lookup in parent classes
●Fix keyword splats in filter arguments
Ransack Searches
Ransack is a popular library for enabling search against ActiveRecord attributes.
It was originally intended for administrative interfaces (like those provided by ActiveAdmin).
Usage usually looks like
Car.ransack(params[:q])
And a URL might look like
example.com?q[make_start]=vol
This might generate a query like
SELECT make FROM cars WHERE make LIKE 'vol%';
The library does clever things with the query parameter key.
In this case, make is the column and start means match values that start with the search term passed in.
However, it’s also possible to specify columns on related tables, such as
example.com?q[owner_name_start]=just
Which would search the name column on the owners table (assuming Car has an association to Owner).
Prior to Ransack 4.0, the default configuration allowed searching all columns on a table as
well as all columns on associated tables.
Some folks figured out this can be used to extract secret values by brute-forcing the value one character at a time.
To fix this issue, explicitly allow-list the attributes and associations available to search.
In Ransack 4.0 and later, setting up an allowlist is required.
Brakeman will warn about unrestricted use of ransack:
●High if no allow-listing methods are found in the class hierarchy of the model on which ransack is called
●Medium if the use happens to be in a file with admin in the path
●Low if the call to ransack is not on a class
(changes)
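The allowlist described above, as an added example that is not Ransack's or Brakeman's code: `ransackable_attributes` and `ransackable_associations` are the class methods Ransack 4 calls, while `association_class`, `permitted_search_key?` and `filter_search_params` are hypothetical stand-ins (no ActiveRecord) showing how such an allowlist rejects keys like `owner_api_token_start` while still permitting `owner_name_start`.

```ruby
# Added example, not Ransack's or Brakeman's code. Plain Ruby classes
# stand in for the models; only the two ransackable_* methods match
# Ransack's real allowlist hooks.

class Owner
  def self.ransackable_attributes(_auth_object = nil)
    %w[name] # e.g. an api_token column is deliberately not listed
  end

  def self.ransackable_associations(_auth_object = nil)
    []
  end
end

class Car
  def self.ransackable_attributes(_auth_object = nil)
    %w[make model] # vin and other columns are not searchable
  end

  def self.ransackable_associations(_auth_object = nil)
    %w[owner]
  end

  # Hypothetical helper: association name -> associated model class.
  def self.association_class(name)
    { "owner" => Owner }[name]
  end
end

# A few of Ransack's predicate suffixes; enough for the keys in this post.
PREDICATES = %w[eq start end cont].freeze

# True when +key+ (e.g. "make_start", "owner_name_start") touches only
# allow-listed attributes and associations of +klass+.
def permitted_search_key?(klass, key)
  pred = PREDICATES.find { |p| key.end_with?("_#{p}") }
  return false unless pred

  path = key.delete_suffix("_#{pred}")
  return true if klass.ransackable_attributes.include?(path)

  klass.ransackable_associations.any? do |assoc|
    next false unless path.start_with?("#{assoc}_")

    target = klass.respond_to?(:association_class) && klass.association_class(assoc)
    target && permitted_search_key?(target, "#{path.delete_prefix("#{assoc}_")}_#{pred}")
  end
end

# Keeps only the permitted keys of a params[:q] hash; the rest are dropped.
def filter_search_params(klass, q)
  q.select { |key, _| permitted_search_key?(klass, key.to_s) }
end
```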
Timing Output
Use --timing to output the duration of various steps during the scan.
Useful for debugging slowness.
(changes)
Another SQL Escaping Method
Brakeman will not warn about use of escape_string in SQL queries.
(changes)
Class Methods
Brakeman will now treat methods defined inside of class << self as class methods.
This does mean fingerprints of warnings found inside those methods will change.
(changes)
Class Method Lookups
Searching for class method definitions in parent classes will now actually look for class methods, not instance methods.
(changes)
Keyword Splats in Filters
Code like
before_action(**kwargs) do
# ...
end
will no longer cause an error.
(changes)
Checksums
The SHA256 sums for this release are:
0d4066936dd58f0fe757d0ff1ec0744479be9ff06c771be4b581bdf0cb8d7403 brakeman-6.1.0.gem
e7c9e739a43ec719d981e9b401b980c11cbe81a333ccb166965b9264ef413cc8 brakeman-lib-6.1.0.gem
709813eff010c9605dc09b9fcbe60742dd3b9e757ec7131808988a14b83eee23 brakeman-min-6.1.0.gem
Reporting Issues
Thank you to everyone who reported bugs and contributed to this release!
Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.
Hang out on Github for questions and discussion.
Brakeman 6.0.1 Released
Very tiny release this time!
Changes since 6.0.0:
●Accept strings for load_defaults version (#1784)
●Bundle latest ruby_parser
Strings for load_defaults
While the default for Rails generators and documentation is to use floats for versions, e.g. load_defaults 6.1, internally it uses strings. It appears quite a few apps also use strings.
Now Brakeman supports and uses strings.
(changes)
Latest RubyParser
Bundled with ruby_parser 3.20.3, which includes additional support for Ruby 3.2 syntax.
Checksums
The SHA256 sums for this release are:
39641c63bc247bbdf993a349de90a13e146c464c872191f2adc12555bde591be brakeman-6.0.1.gem
e029fbd43c97bbb9c084fa4f0e13ee259bf193b79d66ba7ef94fa9496bab62cd brakeman-lib-6.0.1.gem
ef2ff1234ba2a9e7216a0a047b9df0def8c3b8d162d29853c907238901353a54 brakeman-min-6.0.1.gem
Reporting Issues
Thank you to everyone who reported bugs and contributed to this release!
Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.
Follow @brakeman on Twitter and hang out on Github for questions and discussion.
Brakeman 6.0.0 Released
Brakeman 6.0 drops parsing support for Ruby 1.8/1.9, and raises the minimum Ruby version to run Brakeman to 3.0.
Changes since 5.4.1:
●Drop support for Ruby 1.8/1.9 syntax
●Raise minimum Ruby version to 3.0
●Add obsolete fingerprints to comparison report (#1758)
●Warn about missing CSRF protection when defaults are not loaded (Chris Kruger)
●Fix false positive with content_tag in newer Rails (#1778)
●Scan directories that include the word public
●Fix end-of-life dates for Ruby
Ruby Parsing Version Support
This version of Brakeman no longer supports parsing Ruby 1.8/1.9 syntax.
ruby_parser, the gem Brakeman depends on for parsing Ruby, dropped support quite a while ago. Brakeman was depending on the ruby_parser-legacy gem for these older versions. But since it has been eight years since Ruby 1.9 has been unmaintained… it is time to let go.
(changes)
Minimum Ruby Version
The minimum Ruby version to run Brakeman is now 3.0.0.
Official support for the 2.x line of Ruby has ended, so it is a good time to bump up the minimum requirement and adopt more modern language features.
(changes)
Missing CSRF Protection Warning
Since Rails 5.2.0, new applications have had cross-site request forgery protection enabled. Brakeman assumed the protection was enabled based on the Rails version. However, this was incorrect.
Now Brakeman correctly handles the default configuration values.
(changes)
Content Tag Attributes
Brakeman will no longer warn about user input in content_tag attribute names in Rails 6.1.6+.
(changes)
Obsolete Warnings in Comparison Report
When using the --compare option, the output JSON will now include an obsolete key with an array of fingerprints.
These fingerprints are warnings that are configured to be ignored, but no longer exist.
Note that the report will include all fingerprints in the ignore configuration that are not in the current report, even if they were already obsolete.
This report format matches the --json output.
The report will resemble:
{
"new": [ ... ],
"fixed": [ ... ],
"obsolete": [
"abcdef01234567890ba28050e7faf1d54f218dfa9435c3f65f47cb378c18cf98"
]
}
(changes)
Scan ‘public’ Directories
In the old days, Brakeman tried to scan only the “standard” Rails directories, mostly within /app/. With the 5.0 release, Brakeman was revised to make very few assumptions about what kinds of files live where, instead making decisions based on the content of files rather than their location.
However, there was a lingering exception. Brakeman would ignore any directories that included /public/.
This exception has been removed.
(changes)
EOL Dates for Ruby
Fixed end-of-life date for Ruby 3.0 and added expected dates for 3.1 and 3.2.
(changes)
Checksums
The SHA256 sums for this release are:
6ff908e5bfca4651d909a31f3d3ae5846e33732284860a23aff454761c4145d0 brakeman-6.0.0.gem
9a5e68e34c1cffe73b51952937ed2b4f427afd5d11d4a1c10c61e971253ba505 brakeman-lib-6.0.0.gem
db1d8e2118af4b4701fbe49bf1177ac5c89a6a956ca037fdc0e62eb062e2dbb9 brakeman-min-6.0.0.gem
Reporting Issues
Thank you to everyone who reported bugs and contributed to this release!
Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.
Follow @brakeman on Twitter and hang out on Github for questions and discussion.
Brakeman 5.4.1 Released
Several changes in this release are updates to Brakeman’s open redirect check.
Changes since 5.4.0:
●Add Rails 6.1 and 7.0 default configuration values
●Support Rails 7 redirect options
●Add redirect_back and redirect_back_or_to to open redirect check
●Revise checking for request.env to only consider request headers
●Prevent redirects using url_from being marked as unsafe (Lachlan Sylvester)
●Warn about unscoped find for find_by(id: ...)
●Support presence, presence_in and in? (#1569)
●Fix issue with if expressions in when clauses (#1743)
●Fix file/line location for EOL software warnings
Rails 6.1 and Rails 7.0 Defaults
The default configuration values for Rails 6.1 and Rails 7.0 have been added to Brakeman.
(changes)
Open Redirect Updates
Rails 7 introduced a new protection against open redirects.
If config.action_controller.raise_on_open_redirects is set to true, then Rails prevents redirects to a different domain than request.host.
This protection can be bypassed for a given call by passing allow_other_host: true to redirect_to.
(changes)
Lachlan Sylvester pointed out it’s also possible to use url_from to ensure a URL is for the same host. So redirect_to(url_from(params[:url])) is safe.
(changes)
This release also expands the open redirect check to redirect_back and redirect_back_or_to, which have options for a fallback URL.
(changes)
More Unscoped Finds
Brakeman will now warn about use of find_by(id: ...) the same way it would warn about find_by_id for “unscoped finds” (i.e., possible insecure direct object references).
(changes)
Presence Method Support
Brakeman now handles the presence, presence_in, and in? methods.
Since presence_in and in? are often used for guard clauses, this fixes some false positives.
(changes)
File/Line for End-Of-Life Warnings
March is nearly here, which means support for Ruby 2.7 is ending!
Thanks to Jon Burns for pointing out Brakeman was reporting the wrong file and/or line number for EOL Ruby warnings.
(changes)
Checksums
The SHA256 sums for this release are:
dc664d4b5d01dd81608db02ec9b7c383beb65a3169049df2939c4bbbd4edfb73 brakeman-5.4.1.gem
c1bf7e4cec5bde1d53122b41743343d3e38e4aa30145707b902278dd3b588fd4 brakeman-lib-5.4.1.gem
94d24f3ea881bfc213ead8fbf3568aa37b301272ccbecf383394c9d7d7f43eeb brakeman-min-5.4.1.gem
Reporting Issues
Thank you to everyone who reported bugs and contributed to this release!
Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.
Follow @brakeman on Twitter and hang out on Github for questions and discussion.
Brakeman is a free vulnerability scanner specifically designed for Ruby on Rails applications. It statically analyzes Rails application code to find security issues at any stage of development.