Boris
@raidenz_gitlab
I tried brakeman -z3 and even though all high-confidence warnings are ignored [we have an ignore file], brakeman is returning a result code of '7'
err -w3
Justin Collins
@presidentbeef
@raidenz_gitlab 7 means errors were encountered during analysis. It's separate from warnings
if you want to ignore errors, you can use --no-exit-on-error
Justin Collins
@presidentbeef
I should say, if you don't want analysis errors to impact the return code, use that option. The errors will still be in the report.
Chris Thompson
@yegct_twitter
Morning, brakeman folks! A coworker just filed presidentbeef/brakeman#1387 and we'd be happy to provide more information if it would be useful. If you already think it'd be easy to fix and have pointers, we could attempt a fix. No promises (time commitments, no guarantee of ability, etc.), but we fully understand this is open-source software. Very happy to discuss further.
Justin Collins
@presidentbeef
Hi @yegct_twitter - yes, I saw. Haven't poked at it yet, but I'm guessing it's not easy to fix.
Chris Thompson
@yegct_twitter
Yeah. That's our guess, too. :(
Justin Collins
@presidentbeef
Brakeman 4.6.1 is out to correct a typo in the reverse tabnabbing warning message: https://brakemanscanner.org/blog/2019/07/24/brakeman-4-dot-6-dot-1-released
Maciej Mensfeld
@mensfeld
Hey @presidentbeef : CVE-2018-3760 is reported for sprockets 4.0.0 - is that correct?
Xabi
@xabi_twitter
Hi there!
Some problems here, but I'm not sure if this is a bug after upgrading to 4.7.0 from 4.6.1
config.middleware.use OliveBranch::Middleware,
                      inflection: "dash", dasherize: ->(string) { string.underscore },
                      content_type_check: ->(_content_type) { true },
                      exclude_params: lambda { |env|
                        env["PATH_INFO"].match(%r{^/api-internal}).nil?
                      },
                      exclude_response: lambda { |env|
                        env["PATH_INFO"].match(%r{^/api-internal}).nil?
                      }
== Errors ==

Error: Expected call or attrasgn or safe_call or safe_attrasgn but given s(:lambda) while processing *****/config/application.rb
Location: *****/.gem/ruby/2.6.3/gems/brakeman-4.7.0/lib/brakeman/processors/lib/rails3_config_processor.rb:37:in `process_iter'
Solved by replacing the one-line lambdas with block ones. Is that right? Is it a brakeman bug?
Xabi
@xabi_twitter
config.middleware.use OliveBranch::Middleware,
                      inflection: "dash",
                      dasherize: lambda { |string|
                        string.underscore
                      },
                      content_type_check: lambda { |_content_type|
                        true
                      },
                      exclude_params: lambda { |env|
                        env["PATH_INFO"].match(%r{^/api-internal}).nil?
                      },
                      exclude_response: lambda { |env|
                        env["PATH_INFO"].match(%r{^/api-internal}).nil?
                      }
Justin Collins
@presidentbeef
@xabi_twitter yes, it was addressed in presidentbeef/brakeman#1415
Justin Collins
@presidentbeef
I will probably do a bugfix release early next week
Xabi
@xabi_twitter
@presidentbeef thank you.
Justin Collins
@presidentbeef
Minor fixes, updated ruby_parser to latest
Justin Collins
@presidentbeef
New JUnit XML format, updated command injection check, ignore file sorting update, thread-safety fix, other bug fixes.
Justin Collins
@presidentbeef
Brakeman 4.8.1 released: https://brakemanscanner.org/blog/2020/04/06/brakeman-4-dot-8-dot-1-released
New warning for globally permitting all parameters for strong parameters; little bug fixes
Justin Collins
@presidentbeef
Two new checks and new --text-fields option
Chris Thompson
@yegct_twitter
@presidentbeef the webpage, https://brakemanscanner.org/, shows the changelog for 4.8.2. The hyperlink for CVE-2020-8159 has a typo at the beginning, an i.
It's ihttps instead of https. :)
Justin Collins
@presidentbeef
@yegct_twitter this is quite late... but thanks! Fixed!
Michael Hagar
@mehagar
Where can I find out why certain checks are optional? Are they just slow, or produce too many false positives? I would like to know more about why some are marked as optional.
Justin Collins
@presidentbeef
@mehagar They are noisier/produce more false positives.
Michael Hagar
@mehagar
Thanks! I'm confused because some of these optional checks have code that would produce a "high" or "medium" confidence level.
Michael Hagar
@mehagar
Nice, I appreciate the protected_attributes fix. This will reduce a lot of noise in a Rails 4.2 app we're developing.
Justin Collins
@presidentbeef
Brakeman 4.10.0 released: https://brakemanscanner.org/blog/2020/09/28/brakeman-4-dot-10-dot-0-released
Only change here is the new SARIF report format.
Joel Brewer
@joelbrewer
Quick question! I'm working on clearing out some Brakeman warnings on our application and I've run into several File Access warnings. In some instances, we were using the incoming filename as the filename on our end (not good), so I've started using hashes instead. However, I don't want to lose the file extension, but I haven't found a way to tack that on without Brakeman getting upset. Any recommendations?
Here's what Brakeman is mad at because uploaded_io is coming from params[:file]
Victor Azevedo
@victormazevedo
Hello, how are you? I have a question: is it possible, in the Code attribute of the output, to see all of the code including comments?
e.g. I have this line of code, system("ls #{options}") #foo, that returns Command Injection. In the output I can only see system("ls #{options}"), but I need to see the comment too. Is there a way to run brakeman so that comments are shown in the code lines, or does this not exist in Brakeman?
Thanks in advance!
Justin Collins
@presidentbeef
@victormazevedo Brakeman doesn't really store comment information. However, if you look at the HTML report, you can expand findings to show nearby code.

@joelbrewer Not sure what to suggest there, really. Do you have a list of allowed extensions? You may be able to remove the Brakeman warning by putting your code behind a condition like

if [".txt", ".pdf", ".png"].include? extension
  path = ...
end

It takes kind of specific code, but for something like the above, Brakeman will know that extension must be one of those values inside the if expression.

Thomas M. DuBuisson
@TomMD

@victormazevedo With muse (https://github.com/marketplace/muse-dev) what you ask is the default behavior. You make PRs, Muse runs Brakeman (among others) and posts new results as line comments so you see the line in the github PR stream. If you look in the console then brakeman results link to the github source view (but the source isn't inline in the console).

For command line behavior I think you're reduced to writing your own shell wrapper that will parse the file name from brakeman results and find the line of interest to then output. If you can assume jq is installed then this shouldn't be too heavy of a lift.

Justin Collins
@presidentbeef
Brakeman 4.10.1 was released Christmas Eve to fix some Ruby 3.0 incompatibilities: https://brakemanscanner.org/blog/2020/12/24/brakeman-4-dot-10-dot-1-released
and a couple other bugs. 4.10.1 was branched from 4.10, so there are still a number of pending changes which will be released in Brakeman 5.0
Andres Camilo Santana
@Niordsid
Good morning, I have a dumb question, but maybe you can help me. I'm implementing brakeman in a project, but a question has arisen that I have not been able to solve: can this gem be run on an internal gem that is used in the project? Is there any way to run brakeman on gems?
Justin Collins
@presidentbeef
@Niordsid can you clarify? You want to scan a gem? or you want to include scanning the gem as part of scanning the Rails application? (Brakeman doesn't scan dependencies normally)
Andres Camilo Santana
@Niordsid
@presidentbeef thanks for your answer. To answer your question, basically what I want is to scan a gem; is this possible? I've defined a pipeline in gitlab for this gem (an internal gem), where I want to run brakeman to analyze the code of the gem.
Justin Collins
@presidentbeef
@Niordsid yes, it's possible. You'll probably need to use the --force option. But there's no guarantee the results will be useful if it's not a Rails application. (This will improve a little in Brakeman 5.0 if I can ever get it released)
Justin Collins
@presidentbeef
Brakeman 5.0 is now released!! https://brakemanscanner.org/blog/2021/01/26/brakeman-5-dot-0-dot-0-released
The biggest change here is that Brakeman now scans (almost) all Ruby files in an application!
This will relieve a lot of confusion about why Brakeman doesn't "see" some files.
There are also two new checks, support for Sonarqube report format, and a bunch of other updates.