Brakeman Pro 1.4.1 Released

Mar 24, 2017

The latest Brakeman Pro is here!

Among many updates, this release adds a new rule to warn about XSS via unquoted attributes in ERB templates.

For example:

<p class=<%= @user_class %> >

Since Rails will not escape spaces, this code is vulnerable to injection if an attacker can control @user_class and insert a space.
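The following is an added example, not code from the Brakeman Pro release or its rule implementation. It renders the unquoted template from the post beside its quoted fix with plain ERB, using CGI.escapeHTML as a stand-in for Rails' html_escape (both leave spaces alone), then tokenizes the rendered tag the way a browser would to show which attributes each form produces. The attribute tokenizer and the template check at the end are my own simplified versions, not Brakeman's rule, and the input value is constructed.

```ruby
require "erb"
require "cgi"

# Stand-in for Rails' html_escape: <, >, &, " and ' become entities, spaces do not.
def h(value)
  CGI.escapeHTML(value.to_s)
end

# Constructed templates: the unquoted form from the post, and the quoted fix.
UNQUOTED_TEMPLATE = '<p class=<%= h(user_class) %> >Hello</p>'
QUOTED_TEMPLATE   = '<p class="<%= h(user_class) %>">Hello</p>'

def render(template, user_class)
  ERB.new(template).result(binding)
end

# One HTML attribute: a name, optionally followed by a quoted or bare value.
# A bare value ends at the first whitespace, which is exactly what makes the
# unquoted form injectable.
ATTRIBUTE = /([\w-]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>]+))?/

# Attribute names a browser would see on the first tag of an HTML fragment
# (a simplified tokenizer, sufficient for the fragments rendered above).
def attribute_names(html)
  attrs = html[/<\w+\s+([^>]*)>/, 1]
  return [] unless attrs
  attrs.scan(ATTRIBUTE).map(&:first)
end

# Crude version of the new rule: an attribute whose value starts with an ERB
# output tag and no opening quote, e.g. class=<%= ... %>.
def unquoted_erb_attributes(template)
  template.scan(/([\w-]+)=\s*<%=/).flatten
end

if __FILE__ == $PROGRAM_NAME
  payload = "x data-injected=1"   # constructed: a space followed by an extra attribute
  puts render(UNQUOTED_TEMPLATE, payload)
  p attribute_names(render(UNQUOTED_TEMPLATE, payload))   # ["class", "data-injected"]
  puts render(QUOTED_TEMPLATE, payload)
  p attribute_names(render(QUOTED_TEMPLATE, payload))     # ["class"]
  p unquoted_erb_attributes(UNQUOTED_TEMPLATE)            # ["class"]
end
```

Escaping is identical in both renderings; only the quotes decide whether the space splits the value into a second attribute. Quoting the attribute is the fix, and a value containing a double quote is then neutralised by the escaping (`&quot;`) rather than closing the attribute.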

This release also expands the SSL verification rule to check if SSL verification is disabled with HTTParty, Excon, Faraday, RestClient, or Savon libraries.
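As an added illustration of what such a rule has to look for, not Brakeman's own implementation, the example below uses Ruby's Ripper to parse a constructed source sample and reports hash options or index assignments that turn certificate verification off. The option names are the documented ones for HTTParty, Faraday, Excon, RestClient and Savon, but the mapping and the checker are mine and cover only these literal forms (a value reaching the option through a variable would need the data flow analysis described later in the post).

```ruby
require "ripper"

# Option keys that switch certificate verification off in the libraries the post
# names. The list is mine (from each library's documented options), not Brakeman's rule:
#   HTTParty   verify: false            Faraday    ssl: { verify: false }
#   Excon      ssl_verify_peer: false   (or Excon.defaults[:ssl_verify_peer] = false)
#   RestClient verify_ssl: false / OpenSSL::SSL::VERIFY_NONE
#   Savon      ssl_verify_mode: :none
VERIFY_KEYS = %w[verify ssl_verify_peer verify_ssl ssl_verify_mode].freeze
OFF_VALUES  = %w[false none VERIFY_NONE].freeze

# Ripper scanner tokens look like [:@ident, "text", [line, col]].
def token?(node)
  node.is_a?(Array) && node[0].is_a?(Symbol) && node[0].to_s.start_with?("@")
end

# Every [text, line] token under a node, depth first; labels lose their trailing colon.
def tokens(node, acc = [])
  return acc unless node.is_a?(Array)
  if token?(node)
    acc << [node[1].to_s.chomp(":"), node[2][0]]
  else
    node.each { |child| tokens(child, acc) }
  end
  acc
end

# A hash pair or index assignment is flagged when its key is one of the verify
# options and its value is false / :none / VERIFY_NONE.
def disabled_verification(target, value)
  key = tokens(target).find { |text, _| VERIFY_KEYS.include?(text) }
  return nil unless key
  return nil if (tokens(value).map(&:first) & OFF_VALUES).empty?
  { key: key[0], line: key[1] }
end

def find_disabled_ssl_verification(source)
  tree = Ripper.sexp(source)
  raise ArgumentError, "source does not parse" unless tree
  findings = []
  visit = lambda do |node|
    return unless node.is_a?(Array)
    pair = node[0] == :assoc_new ||
           (node[0] == :assign && node[1].is_a?(Array) && node[1][0] == :aref_field)
    if pair
      found = disabled_verification(node[1], node[2])
      findings << found if found
    end
    node.each { |child| visit.call(child) }
  end
  visit.call(tree)
  findings
end

# Constructed sample source; line 6 is the secure counterpart and must not be reported.
SAMPLE = <<~RUBY
  HTTParty.get(url, verify: false)
  Faraday.new(url, ssl: { verify: false })
  Excon.defaults[:ssl_verify_peer] = false
  RestClient::Request.execute(method: :get, url: url, verify_ssl: OpenSSL::SSL::VERIFY_NONE)
  Savon.client(wsdl: wsdl, ssl_verify_mode: :none)
  Faraday.new(url, ssl: { verify: true })
RUBY

if __FILE__ == $PROGRAM_NAME
  find_disabled_ssl_verification(SAMPLE).each do |f|
    puts "line #{f[:line]}: #{f[:key]} disables SSL verification"
  end
end
```

Matching on token text rather than exact node shapes keeps the checker tolerant of the different ways a key can be written (`verify:`, `:verify =>`, an indexed assignment), which is why both the Faraday nested hash and the Excon default assignment are caught by the same code path.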

Among many other improvements, our Engine received a data flow analysis upgrade! Case expressions are now handled similarly to if expressions, with each branch analyzed separately. This should eliminate some false positives when case is used for whitelisting and improve accuracy overall.

In Brakeman Pro Desktop, along with a couple of bug fixes, warning descriptions will now update even if nothing else about the warning changes. That is good news, because this release also includes improved enhanced descriptions for SQL injection and unescaped outputs!

Full Changes

Brakeman Pro Desktop:

  • Better text wrapping in the info drawer
  • Fix right-click renaming of groups
  • Enable project menu options on manual project creation
  • Update warning descriptions in DB if they change in the Engine

Brakeman Pro Engine:

  • Added rule for unquoted attributes
  • Expanded rule for disabled SSL verification
  • Plain report format includes enhanced descriptions
  • Added brakeman-pro command (alias for brakeman)
  • Updated enhanced descriptions for SQLi, command injection, and XSS
  • Branch inside of case expressions
  • Check targetless SQL calls outside of known models
  • Fix issue with nested interpolation inside SQL strings
  • Add --exit-on-error option
  • Limit number of parsing threads to avoid too many open files
  • Identify as “pro” when displaying engine version
  • Only report CVE-2015-3227 when exact version is known
  • Print command line option errors without modification
  • Ignore GraphQL tags inside ERB templates
  • Handle recursive Concerns

Brakeman Pro is a static analysis security tool for Ruby on Rails applications.

Brakeman Pro can be used as a desktop application, as a Ruby gem, and as a Code Climate engine.

If you have not purchased Brakeman Pro yet, you can review pricing and purchase licenses directly from our site.

Need to try before buying? Take Brakeman Pro Desktop for a spin.

Please feel free to contact us with any questions!