[ANN] Brakeman 2.0 Released: Static analysis security scanner for Rails apps

Brakeman 2.0 has been released! Some changes, especially to JSON
reports, may break external tools.

What it is

Brakeman finds potential vulnerabilities in Rails applications by
scanning the source code. No deployment or application stack required.

Brakeman searches for:

  • Cross-Site Scripting
  • SQL Injection
  • Command Injection
  • Mass Assignment
  • Cross-Site Request Forgery
  • Unprotected Redirects
  • Default Routes
  • Insufficient Format Validation
  • Dynamic Render Paths
  • Dangerous Evaluation
  • Unsafe File Access
  • Unsafe Session Settings
  • Potential Remote Code Execution
  • Symbol Creation Denial of Service
  • Version-specific Rails vulnerabilities
  • …and more!

How to use it

gem install brakeman

brakeman your_app_path

Changes since 1.9.5

  • Add --only-files option to specify files/paths to scan (Ian Ehlert)
  • Add Marshal/CSV deserialization check
  • Combine deserialization checks into single check
  • Avoid duplicate “Dangerous Send” and “Unsafe Reflection” warnings
  • Avoid duplicate results for Symbol DoS check
  • Medium confidence for mass assignment to attr_protected models
  • Remove “timestamp” key from JSON reports
  • Remove deprecated config file locations
  • Relative paths are used by default in JSON reports
  • --absolute-paths replaces --relative-paths
  • Only treat classes with names containing "Controller" like controllers
  • Better handling of classes nested inside controllers
  • Better handling of controller classes nested in classes/modules
  • Handle -> lambdas with no arguments
  • Handle explicit block argument destructuring
  • Skip Rails config options that are real objects
  • Detect Rails 3 JSON escape config option
  • Much better tracking of warning file names
  • Fix errors when using --separate-models (Noah Davis)
  • Fix fingerprint generation to actually use the file path
  • Fix text report console output in JRuby
  • Fix false positives on Model#id
  • Fix false positives on params.to_json
  • Fix model path guesses to use “models/” instead of “controllers/”
  • Clean up SQL CVE warning messages
  • Use exceptions instead of abort in brakeman lib
  • Update to Ruby2Ruby 2.0.5