The latest Brakeman Pro is here!
Among many updates, this release adds a new rule to warn about XSS via unquoted attributes in ERB templates.
<p class=<%= @user_class %> >
Since Rails will not escape spaces, this code is vulnerable to injection if an attacker can control @user_class and insert a space.
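To make the unquoted-attribute problem concrete, here is an added example (not code from the Brakeman Pro post or product) that renders the vulnerable template beside its quoted form with plain ERB, using ERB::Util.html_escape as a stand-in for the escaping Rails applies to <%= %>. The templates, the sample value, and the small unquoted_attribute_outputs check that mimics the idea of the new rule are all constructed for this illustration.

```ruby
require "erb"

# Constructed templates, not from the Brakeman Pro page. Both render a
# user-controlled value into a class attribute; only the second quotes it.
# ERB::Util.html_escape escapes < > & " ' but leaves spaces alone, which is
# exactly what Rails' <%= %> does.
UNQUOTED_TEMPLATE = '<p class=<%= ERB::Util.html_escape(user_class) %> >hello</p>'
QUOTED_TEMPLATE   = '<p class="<%= ERB::Util.html_escape(user_class) %>">hello</p>'

# Render a template with a single local variable `user_class`.
def render_class(template, user_class)
  ERB.new(template).result_with_hash(user_class: user_class)
end

# Return the attribute names a browser would see on the first tag. An
# unquoted value ends at the next whitespace, a quoted one at the closing
# quote, mirroring how HTML attribute parsing works.
def attribute_names(html)
  tag = html[/<[^>]*>/] || ""
  tag.scan(/([\w-]+)=(?:"[^"]*"|'[^']*'|[^\s>]*)/).flatten
end

# Simplified stand-in for the check described in the post (not Brakeman's
# code): an ERB output tag sitting directly after `attr=` with no opening
# quote. Returns the 1-based line numbers that match.
UNQUOTED_OUTPUT = /[\w-]+=\s*<%=/
def unquoted_attribute_outputs(erb_source)
  erb_source.each_line.with_index(1)
            .select { |line, _| line.match?(UNQUOTED_OUTPUT) }
            .map { |_, n| n }
end

if __FILE__ == $0
  value = "red data-injected=1"   # constructed input: a space plus a second attribute
  unquoted = render_class(UNQUOTED_TEMPLATE, value)
  quoted   = render_class(QUOTED_TEMPLATE, value)
  puts unquoted                      # <p class=red data-injected=1 >hello</p>
  puts attribute_names(unquoted).inspect   # ["class", "data-injected"]
  puts quoted                        # <p class="red data-injected=1">hello</p>
  puts attribute_names(quoted).inspect     # ["class"]
  puts unquoted_attribute_outputs(UNQUOTED_TEMPLATE).inspect   # [1]
end
```

The escaped output is identical in both cases; what differs is where the browser decides the attribute ends. With quotes, even a value that tries to close the attribute early comes back as `&quot;` and stays inside class, so the fix is simply to quote every attribute that receives dynamic output.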
This release also expands the SSL verification rule to check if SSL verification is disabled with HTTParty, Excon, Faraday, RestClient, or Savon libraries.
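As an added illustration (not Brakeman Pro's rule or code), the snippet below lists the option each of the five libraries documents for switching off certificate verification, next to the default-safe call, and runs a deliberately simple line-based scan over them. The sample calls are constructed; the regular expressions are my own approximation and will miss settings spread across several lines or applied through library defaults, which is the kind of case a data-flow-aware tool exists to handle.

```ruby
# Constructed samples. Each pair shows the documented option that disables
# certificate verification and the equivalent call that keeps the default.
INSECURE_CALLS = <<~RUBY
  HTTParty.get(url, verify: false)
  Excon.new(url, ssl_verify_peer: false)
  Faraday.new(url, ssl: { verify: false })
  RestClient::Request.execute(method: :get, url: url, verify_ssl: false)
  Savon.client(wsdl: url, ssl_verify_mode: :none)
RUBY

SAFE_CALLS = <<~RUBY
  HTTParty.get(url)
  Excon.new(url)
  Faraday.new(url)
  RestClient::Request.execute(method: :get, url: url)
  Savon.client(wsdl: url)
RUBY

# Per-library patterns for "verification disabled". This is an illustrative
# approximation of the idea behind the rule, not the rule itself.
VERIFY_DISABLED = {
  "HTTParty"   => /\bverify:\s*false|:verify\s*=>\s*false/,
  "Excon"      => /\bssl_verify_peer:\s*false|:ssl_verify_peer\s*=>\s*false/,
  "Faraday"    => /\bssl:\s*\{[^}]*\bverify:\s*false/,
  "RestClient" => /\bverify_ssl:\s*false|OpenSSL::SSL::VERIFY_NONE/,
  "Savon"      => /\bssl_verify_mode:\s*:none/,
}.freeze

# Scan Ruby source line by line and report each library call that turns
# verification off. Requiring the library name on the same line keeps the
# generic `verify: false` pattern from being attributed to the wrong client.
def ssl_verification_findings(source)
  findings = []
  source.each_line.with_index(1) do |line, n|
    VERIFY_DISABLED.each do |library, pattern|
      next unless line.include?(library) && line.match?(pattern)
      findings << { line: n, library: library }
    end
  end
  findings
end

if __FILE__ == $0
  ssl_verification_findings(INSECURE_CALLS).each do |f|
    puts "line #{f[:line]}: #{f[:library]} SSL verification disabled"
  end
  puts "safe sample: #{ssl_verification_findings(SAFE_CALLS).size} findings"
end
```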
Among many other improvements, our Engine received a data flow analysis upgrade! Now case expressions will be handled similarly to if expressions. This should eliminate some false positives when case is used for whitelisting, and improve accuracy overall.
In Brakeman Pro Desktop, along with a couple bug fixes, warning descriptions will now update even if nothing else about the warning changes. That is good news, because this release also includes improved enhanced descriptions for SQL injection and unescaped outputs!
Brakeman Pro Desktop:
Brakeman Pro Engine:
brakeman-procommand (alias for
Brakeman Pro is a static analysis security tool for Ruby on Rails applications.
If you have not purchased Brakeman Pro yet, you can review pricing and purchase licenses directly from our site.
Need to try before buying? Take Brakeman Pro Desktop for a spin.
Please feel free to contact us with any questions!