Happy new year and apologies for the delay in releases! Brakeman should now return to the normal 1-2 month release cycle. There are already pull requests lined up for the next release.

This release includes a number of fixes and new features. In particular, please note there are large changes to how reports and warning messages are generated. Please report any issues!

Also, the `brakeman` gem version of this release no longer supports use of Slim with Ruby 1.9.3. See below for details.

As noted previously, due to the Synopsys acquisition Brakeman is now distributed under a non-OSS license. See below for details.

Changes since 4.3.1:

- Add check for CVE-2018-3760
- Add `--enable` option to enable optional checks
- Add Dockerfile to run Brakeman inside Docker (Ryan Kemper)
- Handle empty `secrets.yml` files (Naoki Kimura)
- Ignore Tempfiles in FileAccess warnings (Christina Koller)
- Avoid warning about command injection when `String#shellescape` and `Shellwords.shelljoin` are used (George Ogata)
- Treat `if not` like `unless` (#1225)
- Fix Rails 4 configuration handling
- Set default encoding to UTF-8
- Support reading gem versions from gemspecs
- Support gem versions which are just major.minor (e.g. 3.0)
- Correctly set `rel="noreferrer"` in HTML reports
- Fix thread-safety issue in CallIndex
- Fix trim mode for ERb templates in old Rails versions
- Avoid `nil` errors when concatenating arrays
- Add rendered template information to render paths
- Trim some unnecessary files from bundled gems
- Dead code and typo fixes found via Coverity
- Complete overhaul of warning message construction
- Update to Slim 4.0.1 (Jake Peterson)
- Update to RubyParser 3.12.0
- Updated license

## CVE-2018-3760

A new check was added for CVE-2018-3760 (Sprockets path traversal vulnerability). Brakeman will warn about use of the affected Sprockets version together with `config.assets.compile = true`.

(changes)

## Enable Optional Checks

Brakeman has options to enable all checks, to disable some checks, and to run only a chosen subset of checks, but until now there was no way to run the default checks plus a few optional ones.

The `--enable` option has been added to allow enabling individual optional checks on top of the defaults.

(changes)

## Docker Support

Thanks to Ryan Kemper, Brakeman now has a Dockerfile to enable local building and running of Brakeman inside Docker.

Additionally, there is now a Docker image available for Brakeman:

```sh
docker pull presidentbeef/brakeman
# Mount the application to scan at /code and run the image that was just pulled
docker run -v "$(pwd)":/code presidentbeef/brakeman --color
```

See the Brakeman README for more details.

Please note the Docker image is built from the master Brakeman branch. The master branch is usually stable, but it will typically be ahead of the gem release.

(changes)

## Empty Secrets

Thanks to Naoki Kimura, Brakeman will no longer show an error when the `secrets.yml` file is empty.

(changes)

## File Access with Tempfiles

Thanks to Christina Koller, Brakeman will no longer warn about file access issues when Tempfiles are used.

(changes)

## Shellescape and Command Injection

Thanks to George Ogata, Brakeman will no longer warn about command injection when `shelljoin` or `shellescape` are used.

(changes)

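To show why these two calls are treated as sanitizers, here is an added example (not code from Brakeman or from the contributor) contrasting the interpolation pattern Brakeman flags with the escaped and joined forms. The input value `HOSTILE_ARG` is constructed for the demo, and `Shellwords.shellsplit` is used only to word-split the resulting command strings so that the difference is visible without executing anything.

```ruby
require 'shellwords'

# Constructed sample input: a filename followed by shell metacharacters, the
# sort of value a request parameter might carry.
HOSTILE_ARG = "notes.txt; echo injected"

# The pattern Brakeman flags as command injection: raw input interpolated into
# a command string, so the shell parses the metacharacters in the input.
def build_unsafe_command(user_input)
  "ls -l #{user_input}"
end

# Single argument escaped with String#shellescape (same as
# Shellwords.shellescape): every metacharacter is backslash-quoted, so the
# shell sees exactly one word.
def build_escaped_command(user_input)
  "ls -l #{user_input.shellescape}"
end

# Argument list joined with Shellwords.shelljoin: each element is escaped and
# the pieces are joined with spaces. Equivalent to the line above.
def build_joined_command(user_input)
  Shellwords.shelljoin(["ls", "-l", user_input])
end

# Word-split a command string with shell quoting rules. shellsplit does not
# treat ';' as a command separator, so the unsafe case shows up as extra words
# rather than as a second command; the escaped forms keep the input as one word.
def argv_for(command)
  Shellwords.shellsplit(command)
end

# Does the user input survive as exactly one argument at the end of argv?
def single_argument?(command, user_input)
  argv_for(command).last == user_input
end

if __FILE__ == $PROGRAM_NAME
  puts build_unsafe_command(HOSTILE_ARG)   # metacharacters reach the shell unquoted
  puts build_escaped_command(HOSTILE_ARG)  # ls -l notes.txt\;\ echo\ injected
  puts build_joined_command(HOSTILE_ARG)   # identical to the escaped form
end
```

Passing an argument array to `system` or `Open3` avoids the shell entirely and is the simplest fix; `shellescape` and `shelljoin` cover the cases where a single command string is unavoidable.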
## Rails 4 Configuration

When implementing the check for CVE-2018-3760, it was discovered that Brakeman was not handling the Rails 4 configuration format properly. Brakeman was not picking up any configuration options if this format was used:

```ruby
<AppName>.application.configure do
  #...
end
```

(changes)

## Default Encoding

Brakeman now sets the default external encoding to UTF-8 to avoid issues where the environment might set a different encoding.

(changes)

## Gem Versions

Brakeman can now read gem versions from `gemspec` files. This is common for Rails engines.

Additionally, Brakeman now understands versions which only specify major/minor versions (e.g. `~>4.0`).

The order of precedence is `Gemfile.lock` > `Gemfile` > `*.gemspec`.

(changes)

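As an added illustration of the precedence order above (this is a hypothetical reimplementation, not Brakeman's own gem-version code), the following resolves a gem's version from three constructed dependency files, stopping at the first source that mentions the gem, and uses `Gem::Version` so that a major.minor requirement such as `~> 3.0` compares correctly against a full `3.0.0`. The three file contents and the `at_least?` helper are assumptions made for the demo.

```ruby
require 'rubygems'

# Constructed sample files (not from a real project). The lock file pins exact
# versions; the Gemfile and gemspec carry requirements like '~> 3.0'.
GEMFILE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (5.2.2)
        actionpack (= 5.2.2)
      rack (2.0.6)
LOCK

GEMFILE = <<~GEMFILE
  source 'https://rubygems.org'
  gem 'rails', '~> 5.2'
  gem 'puma', '~> 3.0'
GEMFILE

GEMSPEC = <<~SPEC
  Gem::Specification.new do |s|
    s.name = 'my_engine'
    s.add_dependency 'rails', '~> 4.0'
    s.add_dependency 'sprockets', '~> 3.0'
  end
SPEC

# Only exact "name (x.y.z)" spec lines; "(= x.y.z)" dependency lines are skipped.
LOCK_RE    = /^\s+([\w-]+) \((\d+(?:\.\d+)*)\)$/
GEMFILE_RE = /^\s*gem\s+['"]([\w-]+)['"]\s*,\s*['"]([^'"]+)['"]/
GEMSPEC_RE = /add(?:_runtime)?_dependency\s+['"]([\w-]+)['"]\s*,\s*['"]([^'"]+)['"]/

# Resolve versions in precedence order: Gemfile.lock, then Gemfile, then
# gemspec. A later source only fills in gems the earlier ones did not mention.
def gem_versions(lock: GEMFILE_LOCK, gemfile: GEMFILE, gemspec: GEMSPEC)
  found = {}
  [[lock, LOCK_RE], [gemfile, GEMFILE_RE], [gemspec, GEMSPEC_RE]].each do |text, re|
    text.scan(re).each do |name, requirement|
      next if found.key?(name)
      # Keep just the numeric part; '~> 3.0' becomes '3.0', which Gem::Version
      # treats as equal to 3.0.0 when comparing.
      found[name] = Gem::Version.new(requirement[/\d+(?:\.\d+)*/])
    end
  end
  found
end

# true/false when the gem is known, nil when no source mentions it. A check
# that depends on a gem version (like the CVE check above) needs the nil case.
def at_least?(versions, name, minimum)
  version = versions[name]
  return nil unless version
  version >= Gem::Version.new(minimum)
end

if __FILE__ == $PROGRAM_NAME
  gem_versions.each { |name, version| puts "#{name} => #{version}" }
end
```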
## No Referrer in HTML Reports

Brakeman has unfortunately been setting `rel="no-referrer"` instead of `rel="noreferrer"` in HTML reports.

(changes)

## Thread-Safety in Call Index

In rare cases (heavy CPU load?), accessing the CallIndex when running checks caused thread-unsafe behavior. This would have been reflected in a Ruby error about modifying the index during iteration, although checks don't actually modify the CallIndex.

(changes)

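The Ruby error described above is the one MRI raises when a hash gains a key while it is being iterated. As an added illustration (not Brakeman's CallIndex and not its actual fix, which the notes do not detail), the following shows a lazily filled index that trips that error when a lookup happens inside an iteration, next to a variant that serializes writes with a `Mutex` and iterates over a snapshot of the keys so that concurrent readers never iterate the live hash. Both classes and the helper functions are constructed for the demo.

```ruby
# Toy index: the first lookup of a method name computes and caches its entry,
# so a read can also be a write. This mimics the hazard, not Brakeman's code.
class LazyIndex
  def initialize
    @calls = {}
  end

  def calls_for(method_name)
    @calls[method_name] ||= compute(method_name)
  end

  def each_method(&block)
    @calls.each_key(&block)
  end

  private

  def compute(method_name)
    ["#{method_name}_call"]
  end
end

# Same index with writes serialized and iteration done over a snapshot. A
# second thread calling calls_for while another iterates cannot mutate the
# hash that is being walked.
class SafeIndex < LazyIndex
  def initialize
    super
    @lock = Mutex.new
  end

  def calls_for(method_name)
    @lock.synchronize { super(method_name) }
  end

  def each_method(&block)
    snapshot = @lock.synchronize { @calls.keys }
    snapshot.each(&block)
  end
end

# Reproduces the failure deterministically in one thread: a lookup for an
# unseen method inside each_method adds a key mid-iteration.
def unsafe_iteration_error
  index = LazyIndex.new
  index.calls_for("system")
  index.each_method { |_m| index.calls_for("exec") }
  nil
rescue RuntimeError => e
  e.message
end

# Same access pattern against SafeIndex: the new key lands in the hash but the
# iteration walks the snapshot, so no error; a second pass sees both keys.
def safe_iteration_count
  index = SafeIndex.new
  index.calls_for("system")
  index.each_method { |_m| index.calls_for("exec") }
  count = 0
  index.each_method { |_m| count += 1 }
  count
end

if __FILE__ == $PROGRAM_NAME
  puts unsafe_iteration_error  # can't add a new key into hash during iteration
  puts safe_iteration_count    # 2
end
```

Building the index fully before any check runs removes the write path altogether, which is the cheaper fix when the index does not need to be lazy.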
## ERb Trim Mode

Brakeman has been accidentally setting the "trim mode" to the template file path (oops!) which silently (!) worked in tests. This only affects Rails 2.x.

This has been corrected and Ruby will now warn about incorrect trim modes.

(changes)

## Array Joins

This release fixes a `nil` error when attempting to concatenate arrays.

(changes)

## Render Paths

Template "render paths" now include which template was rendered.

This is reflected in the JSON report:

```json
"render_path": [
  {
    "type": "controller",
    "class": "HomeController",
    "method": "test_to_json",
    "line": 148,
    "file": "app/controllers/home_controller.rb",
    "rendered": {
      "name": "home/test_to_json",
      "file": "app/views/home/test_to_json.html.erb"
    }
  }
]
```

In the future this information may be used to improve other report formats as well.

(changes)

## Reduced Gem Size

The `brakeman` gem bundles all its dependencies, which makes the gem a bit big.

This change removes some of the unneeded files (such as tests) and reduces the file size by about a third.

(changes)

## Dead Code and Typos

A few bits of dead code and minor typos were found via Coverity and fixed.

## Warning Message Overhaul

Brakeman warning messages were previously just strings.

In order to introduce some formatting flexibility, Brakeman warning messages are now constructed as arrays of `Message` objects. These objects specify the type of the message string (e.g. "code" or "plain"). At report generation time, the messages can be converted to a particular format, such as HTML, plaintext, etc.

Along with this change, quite a bit of cleanup was performed on report generation in general.

These changes make it easier to produce consistent messages as well as potentially supporting translation in the future.

You may notice warning message text and/or formatting has changed as a result of these changes. Please report any issues.

(changes)

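To make the typed-message idea concrete, here is an added sketch (not Brakeman's actual `Message` class or report code) in which a warning is an array of typed fragments and the output format is chosen only when the report is rendered. One practical consequence shown here: because the renderer knows which fragments are code, it can HTML-escape them in the HTML report, so a hostile method name or string literal in scanned source cannot inject markup into the report. The `Message` struct, `render` function and the sample warning are assumptions made for this example.

```ruby
require 'cgi'

# A fragment of a warning: a type tag plus text. Formatting decisions are
# deferred to rendering time, so the same array feeds every report format.
Message = Struct.new(:type, :text) do
  def to_plain
    type == :code ? "`#{text}`" : text
  end

  def to_html
    escaped = CGI.escapeHTML(text)  # scanned source is untrusted input to the report
    type == :code ? "<code>#{escaped}</code>" : escaped
  end
end

def code(text)
  Message.new(:code, text)
end

def plain(text)
  Message.new(:plain, text)
end

# Constructed warning modelled on a command injection finding; the check
# supplies the offending call as a code fragment rather than interpolating it
# into a string.
def command_injection_message(call)
  [plain("Possible command injection in "), code(call)]
end

# Render a message array in the requested format. Adding a format (or a
# translation of the plain fragments) touches only this layer.
def render(messages, format)
  case format
  when :plain then messages.map(&:to_plain).join
  when :html  then messages.map(&:to_html).join
  else raise ArgumentError, "unknown report format: #{format.inspect}"
  end
end

if __FILE__ == $PROGRAM_NAME
  warning = command_injection_message('system("ls #{params[:dir]}")')
  puts render(warning, :plain)
  puts render(warning, :html)
end
```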
## Dependency Updates

Thanks to Jake Peterson, the Slim dependency has been updated to 4.0.1 to support newer syntax.

Note that Slim 4.x no longer supports Ruby 1.9.3. You may need to use the `brakeman-lib` gem or update your Ruby version.

(changes)

RubyParser has been updated to 3.12.0, which includes some added syntax support and is faster!

(changes)

## New License

Brakeman is now distributed under the Brakeman Public Use License which restricts commercial use of Brakeman.

It does not restrict use of Brakeman to scan your own code or your organization's code, regardless of whether that code is proprietary, commercial, free, open source, etc.

Feel free to message @presidentbeef if you have questions.

(changes)

## Checksums

The SHA256 sums for this release are:

```
d3204cfe9d26782954ee8805fd748d11e8f950d2c1aee7c806c1856f273ee3b9 brakeman-4.4.0.gem
88849f05b1c85756fee8974b8061383493714676187af3b94b6a7978a7e1e58d brakeman-lib-4.4.0.gem
0417c20b0b6dab00c5cf5e9341868dc5d8139bca463bf45fefa925cac286127e brakeman-min-4.4.0.gem
```

## Reporting Issues

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.