[ANN] Brakeman 2.0 Released: Static analysis security scanner for Rails apps

Brakeman 2.0 has been released! Some changes, especially to JSON
reports, may break external tools.

http://brakemanscanner.org

What it is

Brakeman finds potential vulnerabilities in Rails applications by
scanning the source code. No deployment or application stack required.

Brakeman searches for:

  • Cross-Site Scripting
  • SQL Injection
  • Command Injection
  • Mass Assignment
  • Cross-Site Request Forgery
  • Unprotected Redirects
  • Default Routes
  • Insufficient Format Validation
  • Dynamic Render Paths
  • Dangerous Evaluation
  • Unsafe File Access
  • Unsafe Session Settings
  • Potential Remote Code Execution
  • Symbol Creation Denial of Service
  • Version-specific Rails vulnerabilities
  • …and more!

How to use it

gem install brakeman

brakeman your_app_path

Changes since 1.9.5

  • Add --only-files option to specify files/paths to scan (Ian Ehlert)
  • Add Marshal/CSV deserialization check
  • Combine deserialization checks into single check
  • Avoid duplicate “Dangerous Send” and “Unsafe Reflection” warnings
  • Avoid duplicate results for Symbol DoS check
  • Medium confidence for mass assignment to attr_protected models
  • Remove “timestamp” key from JSON reports
  • Remove deprecated config file locations
  • Relative paths are used by default in JSON reports
  • --absolute-paths replaces --relative-paths
  • Only treat classes with names containing “Controller” like controllers
  • Better handling of classes nested inside controllers
  • Better handling of controller classes nested in classes/modules
  • Handle -> lambdas with no arguments
  • Handle explicit block argument destructuring
  • Skip Rails config options that are real objects
  • Detect Rails 3 JSON escape config option
  • Much better tracking of warning file names
  • Fix errors when using --separate-models (Noah Davis)
  • Fix fingerprint generation to actually use the file path
  • Fix text report console output in JRuby
  • Fix false positives on Model#id
  • Fix false positives on params.to_json
  • Fix model path guesses to use “models/” instead of “controllers/”
  • Clean up SQL CVE warning messages
  • Use exceptions instead of abort in brakeman lib
  • Update to Ruby2Ruby 2.0.5
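Because the JSON report changes in 2.0 (no top-level “timestamp” key, relative paths by default unless --absolute-paths is given) are the ones most likely to break external tooling, here is a small consumer of a 2.0-style report that copes with both, written for this announcement rather than taken from Brakeman itself. The report keys it reads ("scan_info", "warnings", "file", "line", "confidence", "warning_type") and the sample report embedded at the top are assumptions about the format and constructed data, not real scanner output; point it at a real report with `ruby check_report.rb brakeman.json` and adjust the keys if your version differs.

```ruby
require 'json'

# Constructed sample in the shape of a Brakeman 2.0 JSON report (not real scanner
# output). The key names are an assumption about the report format; the paths,
# fingerprints and messages are made up for this example.
SAMPLE_REPORT = <<~JSON
  {
    "scan_info": {
      "app_path": "/srv/your_app",
      "rails_version": "3.2.13",
      "security_warnings": 2,
      "brakeman_version": "2.0.0"
    },
    "warnings": [
      {
        "warning_type": "SQL Injection",
        "message": "Possible SQL injection",
        "file": "app/controllers/users_controller.rb",
        "line": 12,
        "confidence": "High",
        "fingerprint": "constructed-fingerprint-1"
      },
      {
        "warning_type": "Mass Assignment",
        "message": "Unprotected mass assignment",
        "file": "app/models/user.rb",
        "line": 3,
        "confidence": "Medium",
        "fingerprint": "constructed-fingerprint-2"
      }
    ],
    "ignored_warnings": [],
    "errors": []
  }
JSON

# Lower rank = more confident. Unknown labels rank last so they never trip the gate.
CONFIDENCE_RANK = { "High" => 0, "Medium" => 1, "Weak" => 2 }.freeze

# Parse the report and fail loudly on a shape we do not understand, rather than
# silently treating an unreadable report as "no warnings".
def parse_report(json_text)
  report = JSON.parse(json_text)
  %w[scan_info warnings].each do |key|
    raise ArgumentError, "report is missing #{key}" unless report.key?(key)
  end
  report
end

# Warnings whose confidence is at least min_confidence ("High", "Medium" or "Weak").
def warnings_at_least(report, min_confidence)
  threshold = CONFIDENCE_RANK.fetch(min_confidence)
  report["warnings"].select do |w|
    CONFIDENCE_RANK.fetch(w["confidence"], CONFIDENCE_RANK.size) <= threshold
  end
end

# 2.0 reports use paths relative to the app root by default, so resolve them
# against scan_info.app_path before opening files or linking to them. Reports
# produced with --absolute-paths already start with "/" and pass through unchanged.
def resolve_path(report, warning)
  path = warning["file"]
  return path if path.start_with?("/")
  File.join(report.dig("scan_info", "app_path"), path)
end

# Gate result: pass only when no warning at or above fail_on remains. Nothing here
# reads a top-level "timestamp" key, since 2.0 removed it.
def gate(report, fail_on: "Medium")
  flagged = warnings_at_least(report, fail_on)
  {
    pass: flagged.empty?,
    count: flagged.size,
    locations: flagged.map { |w| "#{resolve_path(report, w)}:#{w['line']} #{w['warning_type']}" }
  }
end

if __FILE__ == $PROGRAM_NAME
  json = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_REPORT
  result = gate(parse_report(json), fail_on: "Medium")
  puts result[:locations]
  puts(result[:pass] ? "OK: no warnings at Medium or above" : "FAIL: #{result[:count]} warning(s)")
end
```

The gate deliberately defaults to failing on Medium as well as High: the changelog above downgrades mass assignment to attr_protected models to Medium confidence, and a gate that only looks at High would stop seeing those.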