├── source ├── CNAME ├── _includes │ ├── footer.html │ ├── header.html │ ├── custom │ │ ├── footer.html │ │ ├── header.html │ │ ├── asides │ │ │ ├── about.html │ │ │ └── github.html │ │ ├── navigation.html │ │ └── head.html │ ├── asides │ │ ├── recent_posts.html │ │ ├── delicious.html │ │ └── pinboard.html │ ├── post │ │ ├── author.html │ │ ├── sharing.html │ │ ├── categories.html │ │ ├── date.html │ │ └── disqus_thread.html │ ├── google_plus_one.html │ ├── archive_post.html │ ├── twitter_sharing.html │ ├── google_analytics.html │ ├── navigation.html │ ├── article.html │ └── head.html ├── favicon.png ├── images │ ├── bm-I.png │ ├── bmp.png │ ├── rss.png │ ├── email.png │ ├── noise.png │ ├── search.png │ ├── code_bg.png │ ├── line-tile.png │ ├── users │ │ ├── hix.png │ │ ├── carousel.png │ │ ├── cigital.png │ │ ├── codacy.png │ │ ├── codedx.png │ │ ├── conviso.png │ │ ├── envato.png │ │ ├── github.png │ │ ├── lrdesign.png │ │ ├── lumosity.png │ │ ├── newrelic.png │ │ ├── nvisium.png │ │ ├── opencage.png │ │ ├── twitter.png │ │ ├── vinted.png │ │ ├── winnower.png │ │ ├── braintree.png │ │ ├── icicletech.png │ │ ├── pullreview.png │ │ ├── semaphore.png │ │ ├── threadfix.png │ │ ├── codeclimate.png │ │ ├── datacentred.png │ │ ├── translatefx.png │ │ └── blackhawknetwork.png │ ├── brakemanpro.png │ ├── logo_medium.png │ ├── dotted-border.png │ ├── brakeman_header.jpg │ ├── brakeman_logo_dark.png │ ├── brakeman_logo_small.png │ ├── expanded_call_chain.png │ ├── brakeman_text_report.png │ ├── brakeman_trend_graph.png │ ├── unexpanded_call_chain.png │ ├── user_input_highlight.png │ ├── brakeman_metal_sticker.jpg │ ├── jenkins │ │ ├── Jenkins-0-overview.png │ │ ├── Jenkins-1-build-step.png │ │ ├── Jenkins-2-execute-shell.png │ │ ├── Jenkins-5-status-result.png │ │ ├── Jenkins-6-status-change.png │ │ ├── Jenkins-0-install-plugin.png │ │ ├── Jenkins-3-post-build-step.png │ │ ├── Jenkins-4-select-brakeman.png │ │ ├── Jenkins-8-warnings-inline.png │ │ └── 
Jenkins-7-warnings-overview.png │ ├── Justin_LARuby_October_2010.jpeg │ └── brakeman_anniversary_sticker.png ├── video │ └── brakeman-intro.swf ├── javascripts │ ├── lib │ │ ├── .htaccess │ │ ├── everything.jsgz │ │ └── humane.js │ └── libs │ │ └── jXHR.js ├── docs │ ├── presentations │ │ ├── Brakeman-RailsConf2012.pdf │ │ ├── Brakeman and Jenkins - AppSecUSA 2011.pdf │ │ └── index.markdown │ ├── warning_types │ │ ├── evaluation │ │ │ └── index.markdown │ │ ├── dangerous_evaluation │ │ │ └── index.markdown │ │ ├── model_validation │ │ │ └── index.markdown │ │ ├── basic_auth │ │ │ └── index.markdown │ │ ├── dynamic_render_path │ │ │ └── index.markdown │ │ ├── dangerous_eval │ │ │ └── index.markdown │ │ ├── session_settings │ │ │ └── index.markdown │ │ ├── authentication_whitelist │ │ │ └── index.markdown │ │ ├── cross-site_scripting │ │ │ └── index.md │ │ ├── cross-site_scripting_to_json │ │ │ └── index.md │ │ ├── cross_site_request_forgery │ │ │ └── index.markdown │ │ ├── link_to │ │ │ └── index.markdown │ │ ├── divide_by_zero │ │ │ └── index.md │ │ ├── CVE-2011-0446 │ │ │ └── index.markdown │ │ ├── CVE-2010-3933 │ │ │ └── index.markdown │ │ ├── file_access │ │ │ └── index.markdown │ │ ├── remote_code_execution │ │ │ └── index.markdown │ │ ├── format_validation │ │ │ └── index.markdown │ │ ├── weak_hash │ │ │ └── index.md │ │ ├── link_to_href │ │ │ └── index.markdown │ │ ├── session_setting │ │ │ └── index.markdown │ │ ├── basic_authentication │ │ │ └── index.markdown │ │ ├── default_routes │ │ │ └── index.markdown │ │ ├── command_injection │ │ │ └── index.markdown │ │ ├── CVE-2011-3186 │ │ │ └── index.markdown │ │ ├── dynamic_render_paths │ │ │ └── index.markdown │ │ ├── unscoped_find │ │ │ └── index.markdown │ │ ├── remote_code_execution_yaml_load │ │ │ └── index.markdown │ │ ├── unsafe_deserialization │ │ │ └── index.markdown │ │ ├── information_disclosure │ │ │ └── index.markdown │ │ ├── cross-site_request_forgery │ │ │ └── index.markdown │ │ ├── authentication 
│ │ │ └── index.markdown │ │ ├── session_manipulation │ │ │ └── index.markdown │ │ ├── dangerous_send │ │ │ └── index.markdown │ │ ├── http_verb_confusion │ │ │ └── index.markdown │ │ ├── attribute_restriction │ │ │ └── index.markdown │ │ ├── content_tag │ │ │ └── index.markdown │ │ ├── denial_of_service │ │ │ └── index.markdown │ │ ├── sql_injection │ │ │ └── index.markdown │ │ ├── ssl_verification_bypass │ │ │ └── index.markdown │ │ ├── index.markdown │ │ ├── cross_site_scripting_to_json │ │ │ └── index.markdown │ │ ├── cross_site_scripting │ │ │ └── index.markdown │ │ ├── mass_assignment │ │ │ └── index.markdown │ │ └── redirect │ │ │ └── index.markdown │ ├── running │ │ └── index.markdown │ ├── confidence │ │ └── index.markdown │ ├── troubleshooting │ │ ├── index.markdown │ │ ├── hanging │ │ │ └── index.markdown │ │ └── parse_errors │ │ │ └── index.markdown │ ├── install │ │ └── index.markdown │ ├── video │ │ ├── intro │ │ │ └── index.markdown │ │ └── index.markdown │ ├── index.markdown │ ├── rake │ │ └── index.markdown │ ├── contributing │ │ ├── index.markdown │ │ └── adding_tests │ │ │ └── index.markdown │ ├── faq │ │ └── index.markdown │ └── reducing_false_positives │ │ └── index.markdown ├── blog │ └── archives │ │ └── index.html ├── _layouts │ ├── category_index.html │ ├── default.html │ ├── post.html │ └── page.html ├── 404.html ├── brakeman_pro │ └── index.markdown ├── contact │ └── index.markdown ├── _posts │ ├── 2011-11-18-brakeman-0-dot-9-1-released.markdown │ ├── 2012-03-22-brakeman-jenkins-plugin-0-dot-7-released.markdown │ ├── 2011-11-21-brakeman-0-dot-9-2-released.markdown │ ├── 2022-01-30-5-dot-2-dot-1-released.markdown │ ├── 2011-08-27-one-year-anniversary-and-a-website.markdown │ ├── 2012-01-26-brakeman-1-dot-2-2-released.markdown │ ├── 2011-10-20-brakeman-plugin-officially-available-for-jenkins.markdown │ ├── 2015-06-19-brakeman-3-dot-0-5-released.markdown │ ├── 2019-07-24-brakeman-4-dot-6-dot-1-released.markdown │ ├── 
2021-06-08-brakeman-5-dot-0-dot-4-released.markdown │ ├── 2016-02-24-brakeman-3-dot-2-1-released.markdown │ ├── 2017-12-18-brakeman-4-dot-1-1-released.markdown │ ├── 2011-11-16-brakeman-0-dot-9-0-released.markdown │ ├── 2013-12-12-brakeman-2-dot-3-1-released.markdown │ ├── 2017-03-24-brakeman-3-dot-6-1-released.markdown │ ├── 2014-03-22-brakeman-2-dot-4-3-released.markdown │ ├── 2023-07-17-brakeman-6-dot-0-dot-1-released.markdown │ ├── 2018-08-30-happy-8th-birthday.markdown │ ├── 2016-06-10-brakeman-3-dot-3-2-released.markdown │ ├── 2022-05-01-brakeman-5-dot-2-dot-3-released.markdown │ ├── 2011-10-25-brakeman-0-dot-8-3-released.markdown │ ├── 2014-07-02-brakeman-2-dot-6-1-released.markdown │ ├── 2011-12-21-brakeman-1-dot-1-released.markdown │ ├── 2011-12-05-brakeman-1-dot-0-release-candidate-available.markdown │ ├── 2012-01-13-brakeman-1-dot-2-released.markdown │ ├── 2018-06-28-brakeman-has-been-acquired-by-synopsys.markdown │ ├── 2011-11-04-brakeman-0-dot-8-4-released.markdown │ ├── 2014-02-19-brakeman-2-dot-4-1-released.markdown │ ├── 2020-09-28-brakeman-4-dot-10-dot-0-released.markdown │ ├── 2021-12-15-brakeman-5-dot-2-dot-0-released.markdown │ ├── 2015-12-22-brakeman-3-dot-1-4-released.markdown │ ├── 2012-02-25-brakeman-1-dot-4-0-released.markdown │ ├── 2020-04-06-brakeman-4-dot-8-dot-1-released.markdown │ ├── 2013-09-18-brakeman-2-dot-1-2-released-important-security-update.markdown │ ├── 2015-06-18-brakeman-3-dot-0-4-released.markdown │ ├── 2012-03-22-brakeman-1-dot-5-2-released-important-fixes.markdown │ ├── 2019-11-25-brakeman-4-dot-7-dot-2-released.markdown │ ├── 2012-03-05-brakeman-1-dot-5-1-released.markdown │ ├── 2016-08-12-brakeman-3-dot-3-4-released.markdown │ ├── 2022-04-06-brakeman-5-dot-2-dot-2-released.markdown │ ├── 2012-08-13-brakeman-1-dot-7-1-released.markdown │ ├── 2012-10-17-brakeman-1-dot-8-2-released.markdown │ └── 2021-10-28-brakeman-5-dot-1-dot-2-released.markdown ├── content_license │ └── index.markdown ├── index.html ├── Gemfile ├── 
_config.yml ├── Gemfile.lock └── brakeman_users │ └── index.markdown ├── .gitignore ├── deploy.sh └── README.markdown /source/CNAME: -------------------------------------------------------------------------------- 1 | brakemanscanner.org 2 | -------------------------------------------------------------------------------- /source/_includes/footer.html: -------------------------------------------------------------------------------- 1 | {% include custom/footer.html %} 2 | -------------------------------------------------------------------------------- /source/_includes/header.html: -------------------------------------------------------------------------------- 1 | {% include custom/header.html %} 2 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | brakeman_site 2 | generated_site 3 | _site/ 4 | .sass-cache 5 | -------------------------------------------------------------------------------- /source/favicon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/favicon.png -------------------------------------------------------------------------------- /source/images/bm-I.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/bm-I.png -------------------------------------------------------------------------------- /source/images/bmp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/bmp.png -------------------------------------------------------------------------------- /source/images/rss.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/rss.png -------------------------------------------------------------------------------- /source/images/email.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/email.png -------------------------------------------------------------------------------- /source/images/noise.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/noise.png -------------------------------------------------------------------------------- /source/images/search.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/search.png -------------------------------------------------------------------------------- /source/images/code_bg.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/code_bg.png -------------------------------------------------------------------------------- /source/images/line-tile.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/line-tile.png -------------------------------------------------------------------------------- /source/images/users/hix.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/users/hix.png -------------------------------------------------------------------------------- /source/images/brakemanpro.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/brakemanpro.png -------------------------------------------------------------------------------- /source/images/logo_medium.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/logo_medium.png -------------------------------------------------------------------------------- /source/images/dotted-border.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/dotted-border.png -------------------------------------------------------------------------------- /source/images/users/carousel.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/users/carousel.png -------------------------------------------------------------------------------- /source/images/users/cigital.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/users/cigital.png -------------------------------------------------------------------------------- /source/images/users/codacy.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/users/codacy.png -------------------------------------------------------------------------------- /source/images/users/codedx.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/users/codedx.png -------------------------------------------------------------------------------- /source/images/users/conviso.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/users/conviso.png -------------------------------------------------------------------------------- /source/images/users/envato.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/users/envato.png -------------------------------------------------------------------------------- /source/images/users/github.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/users/github.png -------------------------------------------------------------------------------- /source/images/users/lrdesign.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/users/lrdesign.png -------------------------------------------------------------------------------- /source/images/users/lumosity.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/users/lumosity.png -------------------------------------------------------------------------------- /source/images/users/newrelic.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/users/newrelic.png -------------------------------------------------------------------------------- /source/images/users/nvisium.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/users/nvisium.png 
-------------------------------------------------------------------------------- /source/images/users/opencage.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/users/opencage.png -------------------------------------------------------------------------------- /source/images/users/twitter.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/users/twitter.png -------------------------------------------------------------------------------- /source/images/users/vinted.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/users/vinted.png -------------------------------------------------------------------------------- /source/images/users/winnower.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/users/winnower.png -------------------------------------------------------------------------------- /source/video/brakeman-intro.swf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/video/brakeman-intro.swf -------------------------------------------------------------------------------- /source/images/brakeman_header.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/brakeman_header.jpg -------------------------------------------------------------------------------- /source/images/users/braintree.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/users/braintree.png -------------------------------------------------------------------------------- /source/images/users/icicletech.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/users/icicletech.png -------------------------------------------------------------------------------- /source/images/users/pullreview.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/users/pullreview.png -------------------------------------------------------------------------------- /source/images/users/semaphore.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/users/semaphore.png -------------------------------------------------------------------------------- /source/images/users/threadfix.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/users/threadfix.png -------------------------------------------------------------------------------- /source/images/brakeman_logo_dark.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/brakeman_logo_dark.png -------------------------------------------------------------------------------- /source/images/brakeman_logo_small.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/brakeman_logo_small.png 
-------------------------------------------------------------------------------- /source/images/expanded_call_chain.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/expanded_call_chain.png -------------------------------------------------------------------------------- /source/images/users/codeclimate.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/users/codeclimate.png -------------------------------------------------------------------------------- /source/images/users/datacentred.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/users/datacentred.png -------------------------------------------------------------------------------- /source/images/users/translatefx.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/users/translatefx.png -------------------------------------------------------------------------------- /source/images/brakeman_text_report.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/brakeman_text_report.png -------------------------------------------------------------------------------- /source/images/brakeman_trend_graph.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/brakeman_trend_graph.png -------------------------------------------------------------------------------- /source/images/unexpanded_call_chain.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/unexpanded_call_chain.png -------------------------------------------------------------------------------- /source/images/user_input_highlight.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/user_input_highlight.png -------------------------------------------------------------------------------- /source/javascripts/lib/.htaccess: -------------------------------------------------------------------------------- 1 | 2 | AddType "text/javascript;charset=UTF-8" .jsgz 3 | AddEncoding gzip .jsgz 4 | 5 | -------------------------------------------------------------------------------- /source/javascripts/lib/everything.jsgz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/javascripts/lib/everything.jsgz -------------------------------------------------------------------------------- /source/images/brakeman_metal_sticker.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/brakeman_metal_sticker.jpg -------------------------------------------------------------------------------- /source/images/users/blackhawknetwork.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/users/blackhawknetwork.png -------------------------------------------------------------------------------- /source/images/jenkins/Jenkins-0-overview.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/jenkins/Jenkins-0-overview.png -------------------------------------------------------------------------------- /source/images/Justin_LARuby_October_2010.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/Justin_LARuby_October_2010.jpeg -------------------------------------------------------------------------------- /source/images/brakeman_anniversary_sticker.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/brakeman_anniversary_sticker.png -------------------------------------------------------------------------------- /source/images/jenkins/Jenkins-1-build-step.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/jenkins/Jenkins-1-build-step.png -------------------------------------------------------------------------------- /source/images/jenkins/Jenkins-2-execute-shell.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/jenkins/Jenkins-2-execute-shell.png -------------------------------------------------------------------------------- /source/images/jenkins/Jenkins-5-status-result.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/jenkins/Jenkins-5-status-result.png -------------------------------------------------------------------------------- /source/images/jenkins/Jenkins-6-status-change.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/jenkins/Jenkins-6-status-change.png -------------------------------------------------------------------------------- /source/docs/presentations/Brakeman-RailsConf2012.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/docs/presentations/Brakeman-RailsConf2012.pdf -------------------------------------------------------------------------------- /source/images/jenkins/Jenkins-0-install-plugin.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/jenkins/Jenkins-0-install-plugin.png -------------------------------------------------------------------------------- /source/images/jenkins/Jenkins-3-post-build-step.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/jenkins/Jenkins-3-post-build-step.png -------------------------------------------------------------------------------- /source/images/jenkins/Jenkins-4-select-brakeman.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/jenkins/Jenkins-4-select-brakeman.png -------------------------------------------------------------------------------- /source/images/jenkins/Jenkins-8-warnings-inline.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/jenkins/Jenkins-8-warnings-inline.png -------------------------------------------------------------------------------- /source/images/jenkins/Jenkins-7-warnings-overview.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/images/jenkins/Jenkins-7-warnings-overview.png -------------------------------------------------------------------------------- /source/_includes/custom/footer.html: -------------------------------------------------------------------------------- 1 |

2 | Powered by Octopress | Content license 3 |

4 | -------------------------------------------------------------------------------- /source/docs/presentations/Brakeman and Jenkins - AppSecUSA 2011.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mattbrictson/brakeman-site/master/source/docs/presentations/Brakeman and Jenkins - AppSecUSA 2011.pdf -------------------------------------------------------------------------------- /source/_includes/custom/header.html: -------------------------------------------------------------------------------- 1 |
2 |

{{ site.title }}

3 | {% if site.subtitle %} 4 |

{{ site.subtitle }}

5 | {% endif %} 6 |
7 | -------------------------------------------------------------------------------- /source/_includes/custom/asides/about.html: -------------------------------------------------------------------------------- 1 |
2 |

3 |

Brakeman is a free vulnerability scanner specifically designed for Ruby on Rails applications. It statically analyzes Rails application code to find security issues at any stage of development.

4 |

Get started!

5 |
6 | -------------------------------------------------------------------------------- /source/_includes/asides/recent_posts.html: -------------------------------------------------------------------------------- 1 |
2 |

Recent Posts

3 | 10 |
11 | -------------------------------------------------------------------------------- /source/_includes/post/author.html: -------------------------------------------------------------------------------- 1 | {% if post.author %} 2 | {% assign author = post.author %} 3 | {% elsif page.author %} 4 | {% assign author = page.author %} 5 | {% else %} 6 | {% assign author = site.author %} 7 | {% endif %} 8 | {% if author %}Posted by {{ author }}{% endif %} 9 | -------------------------------------------------------------------------------- /source/docs/warning_types/evaluation/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Dangerous Evaluation" 4 | date: 2011-11-10 12:47 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | 13 | 14 | Content moved to [Dangerous Eval](dangerous_eval/). 15 | -------------------------------------------------------------------------------- /source/docs/warning_types/dangerous_evaluation/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Dangerous Evaluation" 4 | date: 2011-11-10 16:04 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | 13 | 14 | Content moved to [Dangerous Eval](dangerous_eval/). 15 | -------------------------------------------------------------------------------- /source/docs/warning_types/model_validation/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Format Validation" 4 | date: 2011-11-10 12:47 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | 13 | 14 | Content moved to [Format Validation](format_validation/). 
15 | -------------------------------------------------------------------------------- /source/_includes/asides/delicious.html: -------------------------------------------------------------------------------- 1 | {% if site.delicious_user %} 2 |
3 |

On Delicious

4 | 5 |

My Delicious Bookmarks »

6 |
7 | {% endif %} 8 | -------------------------------------------------------------------------------- /source/docs/warning_types/basic_auth/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Basic Authentication" 4 | date: 2011-11-10 12:47 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | 13 | 14 | Content moved to [Basic Authentication](basic_authentication/). 15 | -------------------------------------------------------------------------------- /source/docs/warning_types/dynamic_render_path/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Dynamic Render Path" 4 | date: 2011-11-10 12:47 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | 13 | 14 | Content has moved to [Dynamic Render Paths](dynamic_render_paths) 15 | -------------------------------------------------------------------------------- /source/_includes/post/sharing.html: -------------------------------------------------------------------------------- 1 |
2 | {% if site.twitter_tweet_button %} 3 | Tweet 4 | {% endif %} 5 | {% if site.google_plus_one %} 6 | 7 | {% endif %} 8 |
9 | -------------------------------------------------------------------------------- /source/_includes/google_plus_one.html: -------------------------------------------------------------------------------- 1 | {% if site.google_plus_one %} 2 | 9 | {% endif %} 10 | -------------------------------------------------------------------------------- /source/_includes/post/categories.html: -------------------------------------------------------------------------------- 1 | {% capture category %}{% if post %}{{ post.categories | category_links | size }}{% else %}{{ page.categories | category_links | size }}{% endif %}{% endcapture %} 2 | {% unless category == '0' %} 3 | 4 | {% if post %} 5 | {{ post.categories | category_links }} 6 | {% else %} 7 | {{ page.categories | category_links }} 8 | {% endif %} 9 | 10 | {% endunless %} 11 | -------------------------------------------------------------------------------- /source/docs/warning_types/dangerous_eval/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Dangerous Evaluation" 4 | date: 2011-11-10 12:47 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | User input in an `eval` statement is VERY dangerous, so this will always raise a warning. Brakeman looks for calls to `eval`, `instance_eval`, `class_eval`, and `module_eval`. 11 | 12 | --- 13 | Back to [Warning Types](/docs/warning_types) 14 | -------------------------------------------------------------------------------- /source/_includes/custom/navigation.html: -------------------------------------------------------------------------------- 1 | 9 | -------------------------------------------------------------------------------- /source/blog/archives/index.html: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: Blog Archive 4 | footer: false 5 | --- 6 | 7 |
8 | {% for post in site.posts %} 9 | {% capture this_year %}{{ post.date | date: "%Y" }}{% endcapture %} 10 | {% unless year == this_year %} 11 | {% assign year = this_year %} 12 |

{{ year }}

13 | {% endunless %} 14 |
15 | {% include archive_post.html %} 16 |
17 | {% endfor %} 18 |
19 | -------------------------------------------------------------------------------- /source/_layouts/category_index.html: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | footer: false 4 | --- 5 | 6 |
7 | {% for post in site.categories[page.category] %} 8 | {% capture this_year %}{{ post.date | date: "%Y" }}{% endcapture %} 9 | {% unless year == this_year %} 10 | {% assign year = this_year %} 11 |

{{ year }}

12 | {% endunless %} 13 |
14 | {% include archive_post.html %} 15 |
16 | {% endfor %} 17 |
18 | -------------------------------------------------------------------------------- /source/docs/warning_types/session_settings/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Session Settings" 4 | date: 2011-11-10 16:15 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | 13 | 14 | Content has moved to [Session Setting](/docs/warning_types/session_setting/) 15 | 16 | --- 17 | Back to [Warning Types](/docs/warning_types) 18 | 19 | -------------------------------------------------------------------------------- /source/_includes/archive_post.html: -------------------------------------------------------------------------------- 1 | {% capture category %}{{ post.categories | size }}{% endcapture %} 2 |

{{post.title}}

3 | 4 | {% if category != '0' %} 5 | 8 | {% endif %} 9 | -------------------------------------------------------------------------------- /source/docs/warning_types/authentication_whitelist/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Authentication Whitelist" 4 | date: 2013-03-01 11:33 5 | comments: true 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | When skipping `before_filter`s with security implications, a "whitelist" approach using `only` should be used instead of `except`. This ensures actions are protected by default, and unprotected only by exception. 11 | 12 | --- 13 | Back to [Warning Types](/docs/warning_types) 14 | -------------------------------------------------------------------------------- /source/docs/warning_types/cross-site_scripting/index.md: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Cross-Site Scripting" 4 | date: 2017-09-27 12:15 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | 13 | 14 | Content has moved to [Cross-Site Scripting](/docs/warning_types/cross_site_scripting/) 15 | 16 | --- 17 | Back to [Warning Types](/docs/warning_types) 18 | 19 | -------------------------------------------------------------------------------- /source/_includes/twitter_sharing.html: -------------------------------------------------------------------------------- 1 | {% if site.twitter_follow_button or site.twitter_tweet_button %} 2 | 11 | {% endif %} 12 | -------------------------------------------------------------------------------- /source/404.html: -------------------------------------------------------------------------------- 1 | --- 2 | layout: default 3 | --- 4 | 5 | 18 | 19 |
20 |

404

21 | 22 |

Page not found :(

23 |

The requested page could not be found.

24 |
25 | -------------------------------------------------------------------------------- /source/docs/warning_types/cross-site_scripting_to_json/index.md: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Cross-Site Scripting" 4 | date: 2017-09-27 12:15 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | 13 | 14 | Content has moved to [Cross-Site Scripting](/docs/warning_types/cross_site_scripting_to_json/) 15 | 16 | --- 17 | Back to [Warning Types](/docs/warning_types) 18 | 19 | -------------------------------------------------------------------------------- /source/brakeman_pro/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Support & Pro Version" 4 | date: 2015-11-21 17:58 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | For regular technical support for Brakeman, please [file an issue on GitHub](https://github.com/presidentbeef/brakeman/wiki/How-to-Report-a-Brakeman-Issue). 11 | 12 | ### Brakeman Pro 13 | 14 | [Brakeman Pro has been acquired by Synopsys](https://brakemanpro.com/2018/06/28/brakeman-pro-acquired-by-synopsys) and is no longer available for purchase. 
15 | -------------------------------------------------------------------------------- /source/docs/warning_types/cross_site_request_forgery/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Cross-Site Request Forgery" 4 | date: 2011-11-10 16:15 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | 13 | 14 | Content has moved to [Cross-Site Request Forgery](/docs/warning_types/cross-site_request_forgery/) 15 | 16 | --- 17 | Back to [Warning Types](/docs/warning_types) 18 | 19 | -------------------------------------------------------------------------------- /source/docs/warning_types/link_to/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Cross Site Scripting: link\_to" 4 | date: 2012-07-11 11:36 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | In the 2.x versions of Rails, `link_to` would not escape the body of the link (its first argument). 11 | 12 | For example, this will pop up an alert box: 13 | 14 | link_to "", "http://google.com" 15 | 16 | Brakeman warns on cases where the first parameter contains user input. 
17 | 18 | --- 19 | Back to [Warning Types](/docs/warning_types) 20 | -------------------------------------------------------------------------------- /source/_includes/post/date.html: -------------------------------------------------------------------------------- 1 | {% capture date %}{{ page.date }}{{ post.date }}{% endcapture %} 2 | {% capture has_date %}{{ date | size }}{% endcapture %} 3 | {% capture updated %}{{ page.updated }}{{ post.updated }}{% endcapture %} 4 | {% capture was_updated %}{{ updated | size }}{% endcapture %} 5 | {% if has_date != '0' %} 6 | 7 | {% endif %} 8 | {% if was_updated != '0' %} 9 | 10 | {% endif %} 11 | -------------------------------------------------------------------------------- /source/_layouts/default.html: -------------------------------------------------------------------------------- 1 | {% capture root_url %}{{ site.root | strip_slash }}{% endcapture %} 2 | {% include head.html %} 3 | 4 |
{% include header.html %}
5 | 6 |
7 |
8 | {{ content | expand_urls: root_url | backtick_codeblock | smart_quotes }} 9 |
10 |
11 | 12 | 13 | 14 | -------------------------------------------------------------------------------- /source/docs/warning_types/divide_by_zero/index.md: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Divide By Zero" 4 | comments: false 5 | sharing: true 6 | footer: true 7 | --- 8 | 9 | Integer division by zero (`0`) in Ruby results in a `ZeroDivisionError` exception. 10 | 11 | While not strictly a security issue, if an attacker can trigger a large number of exceptions it can harm site availability. 12 | 13 | Brakeman warns when it finds potential division by zero with integers. Dividing a float by zero or `0.0` in Ruby results in `Infinity`, not an exception. 14 | 15 | --- 16 | Back to [Warning Types](/docs/warning_types) 17 | -------------------------------------------------------------------------------- /source/contact/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Contact" 4 | date: 2012-01-20 12:33 5 | comments: false 6 | sharing: false 7 | footer: true 8 | --- 9 | 10 | ### GitHub Issues 11 | 12 | For any issues, bugs, or problems, please consider filing an [issue](https://github.com/presidentbeef/brakeman/issues) on GitHub. 13 | 14 | ### Discussions 15 | 16 | For discussion and general questions, join in on [GitHub Discussions](https://github.com/presidentbeef/brakeman/discussions/)! 17 | 18 | ### Twitter 19 | 20 | Follow Brakeman on Twitter [@Brakeman](http://twitter.com/brakeman) for news and announcements. 
21 | -------------------------------------------------------------------------------- /source/docs/warning_types/CVE-2011-0446/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Mail Link (CVE-2011-0446)" 4 | date: 2012-06-19 16:55 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | Certain versions of Rails were vulnerable to a cross-site scripting vulnerability in mail\_to. 11 | 12 | Versions of Rails after 2.3.10 or 3.0.3 are not affected. Updating or removing the mail\_to links is advised. 13 | 14 | For more details see [CVE-2011-0446](http://groups.google.com/group/rubyonrails-security/browse_thread/thread/f02a48ede8315f81). 15 | 16 | --- 17 | Back to [Warning Types](/docs/warning_types) 18 | -------------------------------------------------------------------------------- /source/docs/warning_types/CVE-2010-3933/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Nested Attributes (CVE-2010-3933)" 4 | date: 2012-06-19 16:59 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | Rails 2.3.9 and 3.0.0 are vulnerable to an attack on nested attributes wherein a malicious user could alter data in any record in the system. 11 | 12 | It is recommended to upgrade to at least 2.3.10 or 3.0.1. 13 | 14 | For more details see [CVE-2010-3933](http://groups.google.com/group/rubyonrails-security/browse_thread/thread/f9f913d328dafe0c). 
15 | 16 | --- 17 | Back to [Warning Types](/docs/warning_types) 18 | -------------------------------------------------------------------------------- /source/docs/warning_types/file_access/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "File Access" 4 | date: 2011-11-10 16:06 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | Using user input when accessing files (local or remote) will raise a warning in Brakeman. 11 | 12 | For example, 13 | 14 | File.open("/tmp/#{cookie[:file]}") 15 | 16 | will produce a warning like 17 | 18 | Cookie value used in file name near line 4: File.open("/tmp/#{cookie[:file]}") 19 | 20 | This type of vulnerability can be used to access arbitrary files on a server (including `/etc/passwd`). 21 | 22 | --- 23 | Back to [Warning Types](/docs/warning_types) 24 | -------------------------------------------------------------------------------- /source/docs/warning_types/remote_code_execution/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Remote Code Execution" 4 | date: 2013-03-01 11:22 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | Brakeman reports on several cases of remote code execution, in which a user is able to control and execute code in ways unintended by application authors. 11 | 12 | The obvious form of this is the use of `eval` with user input. 13 | 14 | However, Brakeman also reports on dangerous uses of `send`, `constantize`, and other methods which allow creation of arbitrary objects or calling of arbitrary methods. 
15 | 16 | --- 17 | Back to [Warning Types](/docs/warning_types) 18 | -------------------------------------------------------------------------------- /source/docs/warning_types/format_validation/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Format Validation" 4 | date: 2011-11-10 12:44 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | Calls to `validates_format_of ..., :with => //` which do not use `\A` and `\z` as anchors will cause this warning. Using `^` and `$` is not sufficient, as in Ruby they only match the start and end of a line, not of the whole string. This allows an attacker to put whatever malicious input they would like before or after a new line character. 11 | 12 | See [the Ruby Security Guide](http://guides.rubyonrails.org/security.html#regular-expressions) for details. 13 | 14 | --- 15 | Back to [Warning Types](/docs/warning_types) 16 | -------------------------------------------------------------------------------- /source/docs/warning_types/weak_hash/index.md: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Weak Hash" 4 | comments: false 5 | sharing: true 6 | footer: true 7 | --- 8 | 9 | Brakeman reports a "Weak Hash" warning when it finds uses of hashing algorithms that should not be used for security-sensitive contexts 10 | such as hashing passwords or generating signatures. 11 | 12 | Currently, Brakeman warns about the use of SHA1 and MD5, which should not be used for anything outside of interacting with Git. 13 | 14 | The confidence level of a "Weak Hash" warning is based on whether the value being hashed looks like user-controlled input or a password. 
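15 | 16 | --- 17 | Back to [Warning Types](/docs/warning_types) 18 | -------------------------------------------------------------------------------- /deploy.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Build the Jekyll site from ./source and publish the generated output to the
# gh-pages branch of the presidentbeef/brakeman repository.
#
# Runs from the repository root. Needs bundler, git and SSH access to the
# GitHub remote. Every step aborts the script on failure except the cleanup
# `find`, whose expected non-zero exit is handled explicitly below.
set -e

echo "- Building site"
cd source
bundle install
bundle exec jekyll build --destination ../generated_site
cd ..

echo " - Cloning Brakeman repo"
# Always start from a fresh checkout so stale files never survive.
rm -rf brakeman_site
git clone --single-branch --branch gh-pages git@github.com:presidentbeef/brakeman.git brakeman_site
cd brakeman_site
git pull
cd ..

echo " - Cleaning repo"
# Delete the previous site but keep dot-paths (the .git directory in
# particular). find cannot remove a directory whose only remaining entries are
# dot-paths -- the checkout root always is one -- and exits non-zero for it, so
# only that status is ignored; the copy below stays under `set -e`, because a
# failed copy followed by a commit would publish an emptied site.
find ./brakeman_site/ -not -path '*/\.*' -delete || true
cp -rf generated_site/* brakeman_site/
rm -rf generated_site

echo "- Pushing new changes"
cd ./brakeman_site
git add .
git commit -m "Site updated at $(date)"
git push origin gh-pages
-------------------------------------------------------------------------------- /source/_includes/custom/asides/github.html: -------------------------------------------------------------------------------- 1 |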
2 | 16 |
17 | 18 |
19 | -------------------------------------------------------------------------------- /source/_posts/2011-11-18-brakeman-0-dot-9-1-released.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "Brakeman 0.9.1 Released" 4 | date: 2011-11-18 10:41 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title 8 | --- 9 | 10 | [A new vulnerability was disclosed](http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5) yesterday in the Rails [translate helper](http://api.rubyonrails.org/classes/ActionView/Helpers/TranslationHelper.html#method-i-translate). 11 | 12 | This vulnerability affects Rails 2.3.x when using the rails_xss plugin, Rails 3.0 - 3.0.10, and Rails 3.1 - 3.1.1. 13 | 14 | The only change in the 0.9.1 release is a check for this new vulnerability. 15 | -------------------------------------------------------------------------------- /source/_posts/2012-03-22-brakeman-jenkins-plugin-0-dot-7-released.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "Brakeman Jenkins Plugin 0.7 Released" 4 | date: 2012-03-22 13:27 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title 8 | --- 9 | 10 | The [Jenkins](http://jenkins-ci.org)/[Hudson](http://hudson-ci.org) plugin which tracks, displays, and alerts on Brakeman warnings has been updated to work with the latest static analysis core plugin. In particular, this means warning thresholds for new warnings will no longer disappear. 11 | 12 | See [here](https://wiki.jenkins-ci.org/display/JENKINS/Brakeman+Plugin) for more information about the plugin. 13 | 14 | Thanks to Nick Green for fixing this! 
15 | -------------------------------------------------------------------------------- /source/_includes/google_analytics.html: -------------------------------------------------------------------------------- 1 | {% if site.google_analytics_tracking_id %} 2 | 3 | 14 | {% endif %} 15 | -------------------------------------------------------------------------------- /source/content_license/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Site Content License" 4 | date: 2012-12-03 09:48 5 | comments: false 6 | sharing: false 7 | footer: true 8 | --- 9 | 10 | Creative Commons License 11 | 12 | This site is licensed under a [Creative Commons Attribution 3.0 Unported License](http://creativecommons.org/licenses/by/3.0/). This means you may copy and reuse the content of this site as long as it is clearly attributed to this source (http://brakemanscanner.org). 13 | 14 | This license does _not_ extend to the Brakeman "lantern" logo. 15 | -------------------------------------------------------------------------------- /source/_includes/navigation.html: -------------------------------------------------------------------------------- 1 | 7 |
8 |
9 | 10 | 11 |
12 |
13 | {% include custom/navigation.html %} 14 | -------------------------------------------------------------------------------- /source/docs/running/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Running Brakeman" 4 | date: 2011-08-27 08:08 5 | comments: false 6 | sharing: false 7 | footer: true 8 | --- 9 | 10 | The simplest way to get started with Brakeman is to just run it with no options in the root directory of your Rails application: 11 | 12 | cd your_rails_app/ 13 | brakeman 14 | 15 | This will scan the application in the current directory and output a report to the command line. 16 | 17 | Alternatively, you can supply a path as an option to Brakeman: 18 | 19 | brakeman your_rails_app 20 | 21 | Or, more explicitly: 22 | 23 | brakeman -p your_rails_app 24 | 25 | --- 26 | [Brakeman Options](/docs/options) 27 | 28 | [More documentation](/docs) 29 | -------------------------------------------------------------------------------- /source/docs/warning_types/link_to_href/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Cross Site Scripting: link\_to HREF" 4 | date: 2012-07-11 11:36 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | Even though Rails will escape the link provided to `link_to`, escaping does not make values starting with "javascript:" or "data:" safe; they remain dangerous. 11 | 12 | Brakeman will warn if user values are used to provide the HREF value in `link_to` or if they are interpolated at the beginning of a string. 13 | 14 | The `--url-safe-methods` option can be used to specify methods which make URLs safe. 15 | 16 | See [here](https://github.com/presidentbeef/brakeman/pull/45) for more details. 
17 | 18 | --- 19 | Back to [Warning Types](/docs/warning_types) 20 | -------------------------------------------------------------------------------- /README.markdown: -------------------------------------------------------------------------------- 1 | # Brakeman Site 2 | 3 | This is the code for building https://brakemanscanner.org 4 | 5 | ## Development 6 | 7 | The site is built using [Jekyll](https://jekyllrb.com/). 8 | 9 | Changes to the site content should be made in `source/`. Markdown is preferred. 10 | 11 | To build/test: 12 | 13 | cd source 14 | bundle install 15 | jekyll serve 16 | 17 | ## License 18 | 19 | Creative Commons License
The text content of the site is licensed under a Creative Commons Attribution 3.0 Unported License. 20 | -------------------------------------------------------------------------------- /source/_includes/post/disqus_thread.html: -------------------------------------------------------------------------------- 1 |
2 | 13 | 14 | -------------------------------------------------------------------------------- /source/docs/warning_types/session_setting/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Session Settings" 4 | date: 2011-11-10 16:15 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | ### HTTP Only 11 | 12 | It is recommended that session cookies be set to "http-only". This helps prevent theft of cookies via cross-site scripting. 13 | 14 | ### Secret Length 15 | 16 | Brakeman will warn if the key length for the session cookies is less than 30 characters. 17 | 18 | ### Version control inclusion 19 | 20 | Brakeman will warn if `config/initializers/secret_token.rb` is included in version control. It is recommended that `secret_token.rb` be excluded from version control and listed in `.gitignore`. 21 | 22 | --- 23 | Back to [Warning Types](/docs/warning_types) 24 | 25 | -------------------------------------------------------------------------------- /source/docs/confidence/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Confidence Levels" 4 | date: 2011-08-27 08:18 5 | comments: false 6 | sharing: false 7 | footer: true 8 | --- 9 | 10 | Brakeman assigns each warning a confidence level. This rating is intended to indicate how certain Brakeman is that the given warning is a real problem. 11 | 12 | The following guidelines are used: 13 | 14 | * High - Either this is a simple warning or user input is very likely being used in unsafe ways. 15 | * Medium - This generally indicates an unsafe use of a variable, but the variable may or may not be user input. 16 | * Weak - Typically means user input was indirectly used in a potentially unsafe manner. 17 | 18 | However, Brakeman can easily guess wrong, so it is best to read through all warnings and assess their importance manually. 
19 | -------------------------------------------------------------------------------- /source/docs/warning_types/basic_authentication/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Basic Authentication" 4 | date: 2011-11-10 12:52 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | In Rails 3.1, a new feature was added to simplify basic authentication. 11 | 12 | The example provided in the official [Rails Guide](http://guides.rubyonrails.org/getting_started.html) looks like this: 13 | 14 | class PostsController < ApplicationController 15 | 16 | http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index 17 | 18 | #... 19 | 20 | end 21 | 22 | This warning will be raised if `http_basic_authenticate_with` is used and the password is found to be a string (i.e., stored somewhere in the code). 23 | 24 | --- 25 | Back to [Warning Types](/docs/warning_types) 26 | -------------------------------------------------------------------------------- /source/docs/warning_types/default_routes/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Default Routes" 4 | date: 2011-11-10 12:40 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | The general default routes warning means there is a call to 11 | 12 | #Rails 2.x 13 | map.connect ":controller/:action/:id" 14 | 15 | or 16 | 17 | Rails 3.x 18 | match ':controller(/:action(/:id(.:format)))' 19 | 20 | in `config/routes.rb`. This allows any public method on any controller to be called as an action. 21 | 22 | If this warning is reported for a particular controller, it means there is a route to that controller containing `:action`. 23 | 24 | Default routes can be dangerous if methods are made public which are not intended to be used as URLs or actions. 
25 | 26 | --- 27 | Back to [Warning Types](/docs/warning_types) 28 | -------------------------------------------------------------------------------- /source/_posts/2011-11-21-brakeman-0-dot-9-2-released.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "Brakeman 0.9.2 Released" 4 | date: 2011-11-21 17:12 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title 8 | --- 9 | 10 | Changes: 11 | 12 | * Fix Rails 3 configuration parsing 13 | * Check both t() and translate() for cross-site scripting bug 14 | 15 | Just a small release to get the Rails 3 config fix out. 16 | 17 | ### Rails 3 Configuration Parsing 18 | 19 | There was an issue that would cause Brakeman to crash on certain configurations. This has been fixed. 20 | 21 | ### Look for t() 22 | 23 | A call to either `translate` or its shorter alias `t` will cause the warning about the cross-site scripting bug in them to be reported at high confidence. If neither of these methods is found in the application, the confidence is set to medium. 24 | -------------------------------------------------------------------------------- /source/docs/troubleshooting/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Troubleshooting" 4 | date: 2012-06-22 09:34 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | Rails applications tend to be complex and processing all possible scenarios is nearly impossible. Brakeman is built with reliability in mind and always attempts to at least generate a report. Unfortunately, that can sometimes hide problems. 11 | 12 | Hopefully the information on this page can help when things go awry. Remember, you can always [open an issue](https://github.com/presidentbeef/brakeman/issues) or ask on [Gitter](https://gitter.im/presidentbeef/brakeman) to get help. 
13 | 14 | ### Problems 15 | 16 | * [Parsing Errors](/docs/troubleshooting/parse_errors) 17 | * [Brakeman "Hangs"](/docs/troubleshooting/hanging) 18 | 19 | --- 20 | 21 | [More documentation](/docs) 22 | -------------------------------------------------------------------------------- /source/_posts/2022-01-30-5-dot-2-dot-1-released.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "Brakeman 5.2.1 Released" 4 | date: 2022-01-30 11:30 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title 8 | --- 9 | 10 | Oops! Minor emergency fix release. 11 | 12 | _Changes since 5.2.0:_ 13 | 14 | * Add warning codes for EOL Ruby and Rails check 15 | 16 | ### Reporting Issues 17 | 18 | Thank you to everyone who reported bugs and contributed to this release! 19 | 20 | Please report any [issues](https://github.com/presidentbeef/brakeman/issues) with this release. Take a look at [this guide](https://github.com/presidentbeef/brakeman/wiki/How-to-Report-a-Brakeman-Issue) to reporting Brakeman problems. 21 | 22 | Follow [@brakeman](https://twitter.com/brakeman) on Twitter and hang out [on Gitter](https://gitter.im/presidentbeef/brakeman) for questions and discussion. 23 | -------------------------------------------------------------------------------- /source/docs/warning_types/command_injection/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Command Injection" 4 | date: 2011-11-09 14:33 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | Injection is #1 on the 2010 [OWASP Top Ten](https://www.owasp.org/index.php/Top_10_2010-A1) web security risks. Command injection occurs when shell commands unsafely include user-manipulatable values. 
11 | 12 | There are many ways to run commands in Ruby: 13 | 14 | `ls #{params[:file]}` 15 | 16 | system("ls #{params[:dir]}") 17 | 18 | exec("md5sum #{params[:input]}") 19 | 20 | Brakeman will warn on any method like these that uses user input or unsafely interpolates variables. 21 | 22 | See [the Ruby Security Guide](http://guides.rubyonrails.org/security.html#command-line-injection) for details. 23 | 24 | --- 25 | Back to [Warning Types](/docs/warning_types) 26 | 27 | -------------------------------------------------------------------------------- /source/_includes/asides/pinboard.html: -------------------------------------------------------------------------------- 1 | {% if site.pinboard_user %} 2 |
3 |

My Pinboard

4 | 5 |

My Pinboard Bookmarks »

6 |
7 | 19 | {% endif %} 20 | -------------------------------------------------------------------------------- /source/docs/install/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Installing Brakeman" 4 | date: 2011-08-26 23:18 5 | comments: false 6 | sharing: false 7 | footer: true 8 | --- 9 | 10 | ### gem install 11 | 12 | Brakeman is best installed via [RubyGems](http://rubygems.org/): 13 | 14 | gem install brakeman 15 | 16 | This will provide the `brakeman` executable. 17 | 18 | ### bundler 19 | 20 | Brakeman can be added to a Gemfile: 21 | 22 | gem "brakeman" 23 | 24 | It is recommended to _always_ use the latest version of Brakeman. 25 | 26 | ### git clone 27 | 28 | If you must have the latest and greatest, then you can build the gem yourself: 29 | 30 | git clone git://github.com/presidentbeef/brakeman.git 31 | cd brakeman 32 | gem build brakeman.gemspec 33 | gem install brakeman-*.gem 34 | 35 | --- 36 | [Running Brakeman](/docs/running) 37 | 38 | [More documentation](/docs) 39 | -------------------------------------------------------------------------------- /source/docs/warning_types/CVE-2011-3186/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Response Splitting (CVE-2011-3186)" 4 | date: 2012-06-19 17:02 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | Response splitting is a simple attack that can be used as part of a larger exploit chain. A malicious user sends data that causes the HTTP response header to include unintended newline characters which are interpreted as the end of the header. The attacker may then forge their own response body and an entirely false HTTP response, essentially hijacking the entire page load. 11 | 12 | Versions of Rails 2 prior to 2.3.13 were vulnerable to this type of attack. The Rails 3 branch is not affected. 
13 | 14 | For more details see [CVE-2011-3186](http://groups.google.com/group/rubyonrails-security/browse_thread/thread/6ffc93bde0298768). 15 | 16 | --- 17 | Back to [Warning Types](/docs/warning_types) 18 | -------------------------------------------------------------------------------- /source/docs/warning_types/dynamic_render_paths/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Dynamic Render Path" 4 | date: 2011-11-10 12:47 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | When a call to `render` uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted. The issue may be worse if those templates execute code or modify the database. 11 | 12 | This warning is shown whenever the path to be rendered is not a static string or symbol. 13 | 14 | These warnings are often false positives, however, because it can be difficult to manipulate Rails' assumptions about paths to perform malicious behavior. Reports of dynamic render paths should be checked carefully to see if they can actually be manipulated maliciously by the user. 15 | 16 | --- 17 | Back to [Warning Types](/docs/warning_types) 18 | -------------------------------------------------------------------------------- /source/docs/warning_types/unscoped_find/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Unscoped Find" 4 | date: 2014-10-14 08:48 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | Unscoped `find` (and related methods) are a form of [Direct Object Reference](https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References). Models which belong to another model should typically be accessed via a scoped query. 
11 | 12 | For example, if an `Account` belongs to a `User`, then this may be an unsafe unscoped find: 13 | 14 | Account.find(params[:id]) 15 | 16 | Depending on the action, this could allow an attacker to access any account they wish. 17 | 18 | Instead, it should be scoped to the currently logged-in user: 19 | 20 | current_user = User.find(session[:user_id]) 21 | current_user.accounts.find(params[:id]) 22 | 23 | --- 24 | 25 | Back to [Warning Types](/docs/warning_types) 26 | -------------------------------------------------------------------------------- /source/_includes/article.html: -------------------------------------------------------------------------------- 1 | {% unless page.no_header %} 2 |
3 | 4 | {% if index %} 5 |

{{ post.title | titlecase }}

6 | {% else %} 7 |

{{ page.title | titlecase }}

8 | {% endif %} 9 | {% unless page.meta == false %} 10 |

{% include post/date.html %}

11 | {% endunless %} 12 |
13 | {% endunless %} 14 | {% if index %} 15 |
{{ content | excerpt }}
16 | {% capture excerpted %}{{ content | has_excerpt }}{% endcapture %} 17 | {% if excerpted == 'true' %} 18 | 21 | {% endif %} 22 | {% else %} 23 |
{{ content }}
24 | {% endif %} 25 | -------------------------------------------------------------------------------- /source/_layouts/post.html: -------------------------------------------------------------------------------- 1 | --- 2 | layout: default 3 | single: true 4 | --- 5 | 6 |
7 |
8 | {% include article.html %} 9 |
10 |

11 | {% include post/author.html %} 12 | {% include post/date.html %} 13 | {% include post/categories.html %} 14 |

15 | {% unless page.sharing == false %} 16 | {% include post/sharing.html %} 17 | {% endunless %} 18 |
19 |
20 | {% if site.disqus_short_name and page.comments != false %} 21 |
22 |

Comments

23 |
{% include post/disqus_thread.html %}
24 |
25 | {% endif %} 26 |
27 | {% unless page.sidebar == false %} 28 | 33 | {% endunless %} 34 | -------------------------------------------------------------------------------- /source/docs/warning_types/remote_code_execution_yaml_load/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Remote Code Execution in YAML.Load" 4 | date: 2013-01-18 17:08 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | As seen in [CVE-2013-0156](https://groups.google.com/d/topic/rubyonrails-security/61bkgvnSGTQ/discussion), calling `YAML.load` with user input can lead to remote execution of arbitrary code. (To see a real point-and-fire exploit, see the [Metasploit payload](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb)). While upgrading Rails, disabling XML parsing, or disabling YAML types in XML request parsing will fix the Rails vulnerability, manually passing user input to `YAML.load` remains unsafe. 11 | 12 | For example: 13 | 14 | #Do not do this! 15 | YAML.load(params[:file]) 16 | 17 | --- 18 | 19 | Back to [Warning Types](/docs/warning_types) 20 | -------------------------------------------------------------------------------- /source/docs/warning_types/unsafe_deserialization/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Unsafe Deserialization" 4 | date: 2013-05-17 14:37 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | Objects in Ruby may be serialized to strings. The main method for doing so is the built-in `Marshal` class. The `YAML`, `JSON`, and `CSV` libraries also have methods for dumping Ruby objects into strings, and then creating objects from those strings. 
11 | 12 | Deserialization of arbitrary objects can lead to [remote code execution](/docs/warning_types/remote_code_execution), as was demonstrated with [CVE-2013-0156](https://groups.google.com/d/msg/rubyonrails-security/61bkgvnSGTQ/nehwjA8tQ8EJ). 13 | 14 | Brakeman warns when loading user input with `Marshal`, `YAML`, or `CSV`. `JSON` is covered by the checks for [CVE-2013-0333](https://groups.google.com/d/msg/rubyonrails-security/1h2DR63ViGo/GOUVafeaF1IJ) 15 | 16 | --- 17 | Back to [Warning Types](/docs/warning_types) 18 | -------------------------------------------------------------------------------- /source/docs/warning_types/information_disclosure/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Information Disclosure" 4 | date: 2013-10-17 14:37 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | Also known as [information leakage](https://www.owasp.org/index.php/Information_Leakage) or [information exposure](http://cwe.mitre.org/data/definitions/200.html), this vulnerability refers to system or internal information (such as debugging output, stack traces, error messages, etc.) which is displayed to an end user. 11 | 12 | For example, Rails provides detailed exception reports by default in the development environment, but it is turned off by default in production: 13 | 14 | # Full error reports are disabled 15 | config.consider_all_requests_local = false 16 | 17 | Brakeman warns if this setting is `true` in production or there is a `show_detailed_exceptions?` method in a controller which does not return `false`. 
18 | 19 | --- 20 | Back to [Warning Types](/docs/warning_types) 21 | -------------------------------------------------------------------------------- /source/docs/warning_types/cross-site_request_forgery/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Cross Site Request Forgery" 4 | date: 2011-11-10 12:24 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | Cross-site request forgery is #5 on the [OWASP Top Ten](https://www.owasp.org/index.php/Top_10_2010-A5). CSRF allows an attacker to perform actions on a website as if they are an authenticated user. 11 | 12 | This warning is raised when no call to `protect_from_forgery` is found in `ApplicationController`. This method prevents CSRF. 13 | 14 | For Rails 4 applications, it is recommended that you use `protect_from_forgery :with => :exception`. This code is inserted into newly generated applications. The default is to `nil` out the session object, which has been a source of many CSRF bypasses due to session memoization. 15 | 16 | See [the Ruby Security Guide](http://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf) for details. 17 | 18 | --- 19 | Back to [Warning Types](/docs/warning_types) 20 | -------------------------------------------------------------------------------- /source/_layouts/page.html: -------------------------------------------------------------------------------- 1 | --- 2 | layout: default 3 | --- 4 | 5 |
6 |
7 | {% if page.title %} 8 |
9 |

{{ page.title | titlecase }}

10 |
11 | {% endif %} 12 | {{ content }} 13 | {% unless page.footer == false %} 14 |
15 | {% if page.date or page.author %}

16 | {% if page.author %}{% include post/author.html %}{% endif %} 17 | {% if page.categories %}{% include post/categories.html %}{% endif %} 18 |

{% endif %} 19 |
20 | {% endunless %} 21 |
22 | {% if site.disqus_short_name and page.comments == true %} 23 |
24 |

Comments

25 |
{% include post/disqus_thread.html %}
26 |
27 | {% endif %} 28 |
29 | {% unless page.sidebar == false %} 30 | 35 | {% endunless %} 36 | -------------------------------------------------------------------------------- /source/_includes/custom/head.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /source/index.html: -------------------------------------------------------------------------------- 1 | --- 2 | layout: default 3 | --- 4 | 5 |
6 | {% assign index = true %} 7 | {% for post in paginator.posts %} 8 | {% assign content = post.content %} 9 |
10 | {% include article.html %} 11 |
12 | {% endfor %} 13 | 18 | {% if site.disqus_short_name %} 19 | 28 | {% endif %} 29 |
30 | 35 | -------------------------------------------------------------------------------- /source/docs/presentations/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Presentations" 4 | date: 2011-12-05 10:40 5 | comments: false 6 | sharing: false 7 | footer: true 8 | --- 9 | 10 | OWASP NoVa 2013 - [Brakeman - Static Analysis Security Tool for Rails](https://docs.google.com/presentation/d/1Iu_fVWVSuD_37lR-17xBVsrCWiryodTwWbU070xpN88/pub?start=false&loop=false&delayms=3000) 11 | 12 | RailsConf 2012 - [Keeping Rails Applications on Track with Brakeman](/docs/presentations/Brakeman-RailsConf2012.pdf) (PDF) 13 | 14 | AppSec USA 2011 - [Brakeman and Jenkins](/docs/presentations/Brakeman%20and%20Jenkins%20-%20AppSecUSA%202011.pdf) (PDF) 15 | 16 | OWASP LA, June 2011 - [Automated Detection of Security Vulnerabilities in Ruby on Rails Applications](http://cs.ucla.edu/~collins/documents/Justin_Collins-OWASPLA-Brakeman.pdf) (PDF) 17 | 18 | LA Ruby Meetup, October 2010 - [Brakeman - Vulnerability Scanner for Ruby on Rails](http://cs.ucla.edu/~collins/documents/Justin_Collins-Brakeman-10-14-10.pdf) (PDF) 19 | 20 | --- 21 | 22 | [Videos](/docs/video) 23 | 24 | [More documentation](/docs) 25 | -------------------------------------------------------------------------------- /source/docs/video/intro/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Starting off with Brakeman" 4 | date: 2011-12-22 12:24 5 | comments: true 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 |
11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 |
19 | 20 | 21 | 22 | This video shows how easy it is to get started with Brakeman by demonstrating its use on a brand-new Rails application. 23 | 24 | --- 25 | [More Videos](/docs/video) 26 | 27 | 28 | [Other documentation](/docs) 29 | -------------------------------------------------------------------------------- /source/_posts/2011-08-27-one-year-anniversary-and-a-website.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "One Year Anniversary" 4 | date: 2011-08-27 01:00 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title 8 | --- 9 | 10 | One year ago, Brakeman 0.0.1 was released as a gem. Then it was promptly yanked and replaced with [Brakeman 0.0.2](http://rubygems.org/gems/brakeman/versions/0.0.2). 11 | 12 | In celebration of this grand anniversary, there have been several new releases today. 13 | 14 | The first is [Brakeman 0.7.2](http://rubygems.org/gems/brakeman/versions/0.7.2), a minor release adding CVE numbers for the [latest vulnerabilities](http://groups.google.com/group/rubyonrails-security/browse_thread/thread/f878a33159ac9967) and fixing how nested params/cookie accesses are handled (e.g., `params[:user][:name]` is now considered a direct use of a parameter). 15 | 16 | Next up, Brakeman has its own Twitter feed [@BrakemanScanner](https://twitter.com/brakemanscanner). 17 | 18 | Lastly, there is this new website. Look forward to tutorials and more in-depth information about how to use Brakeman effectively. 
19 | -------------------------------------------------------------------------------- /source/docs/warning_types/authentication/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Authentication" 4 | date: 2016-06-29 16:15 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | "Authentication" is the act of verifying that a user or client is who they say they are. 11 | 12 | Right now, the only Brakeman warning in the authentication category is regarding hardcoded passwords. 13 | Brakeman will warn about constants with literal string values that appear to be passwords. 14 | 15 | Hardcoded passwords are security issues since they imply a single password and that password is stored in the source code. 16 | Typically source code is available to a wide number of people inside an organization, and there have been many instances of source 17 | code leaking to the public. Passwords and secrets should be stored in a separate, secure location to limit access. 18 | 19 | Additionally, it is recommended not to use a single password for accessing sensitive information. 20 | Each user should have their own password to make it easier to audit and revoke access. 
21 | 22 | --- 23 | Back to [Warning Types](/docs/warning_types) 24 | -------------------------------------------------------------------------------- /source/_posts/2012-01-26-brakeman-1-dot-2-2-released.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "Brakeman 1.2.2 Released" 4 | date: 2012-01-26 13:58 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title 8 | --- 9 | 10 | *Changes since 1.2.1:* 11 | 12 | * --no-progress works again 13 | * Make CheckLinkTo a separate check 14 | * Don't fail on unknown options to resource(s) 15 | * Handle empty resource(s) blocks 16 | * Add RescanReport#existing_warnings 17 | 18 | ### No Progress Option 19 | 20 | The last release broke the `--no-progress` option for hiding the `1/100 files processed` type messages. Now it works again! 21 | 22 | ### Separate Check for link_to 23 | 24 | For no great reason, `CheckLinkTo` was bundled with `CheckCrossSiteScripting`. It has now been moved out to a separate file, allowing it to be treated as a regular check. This means it can be explicitly skipped using `-x CheckLinkTo` (if desired). 25 | 26 | ### Better Rails 2 Route Handling 27 | 28 | Brakeman was raising an exception if a hash option to `resource` or `resources` did not match a set of known options. Now it will only warn instead of aborting route processing. 
29 | -------------------------------------------------------------------------------- /source/_posts/2011-10-20-brakeman-plugin-officially-available-for-jenkins.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "Brakeman Plugin 'Officially' Available for Jenkins" 4 | date: 2011-10-21 11:54 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title 8 | --- 9 | 10 | While a Brakeman plugin for the [Jenkins](http://jenkins-ci.org)/[Hudson](http://hudson-ci.org) continuous integration tool has been available since January, thanks to [some prodding](https://github.com/presidentbeef/brakeman-jenkins-plugin/issues/1) the plugin is now available through the official Jenkins plugin manager. 11 | 12 | ![Example Plugin Graph](/images/brakeman_trend_graph.png "Example Plugin Graph") 13 | 14 | Installation of the plugin is no longer an arduous manual process. Just go to `Manage Jenkins -> Manage Plugins -> Available` and search for "Brakeman". Check the box and then click the "Install" button down at the bottom of the page. 15 | 16 | Some more information about the plugin can be found on the [Jenkins wiki](https://wiki.jenkins-ci.org/display/JENKINS/Brakeman+Plugin). 17 | 18 | See the [instructions](docs/jenkins/setup) for how to set up a job to use the Brakeman plugin. 19 | -------------------------------------------------------------------------------- /source/docs/warning_types/session_manipulation/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Session Manipulation" 4 | date: 2015-12-28 07:43 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | Session manipulation can occur when an application allows user-input in session keys. 11 | Since sessions are typically considered a source of truth (e.g. 
to check the logged-in user or to match CSRF tokens), 12 | allowing an attacker to manipulate the session may lead to unintended behavior. 13 | 14 | For example: 15 | 16 | user_id = session[params[:name]] 17 | current_user = User.find(user_id) 18 | 19 | In this scenario, the attacker can point the `name` parameter to some other session value (for example, `_csrf_token`) that will be interpreted 20 | as a user ID. If the ID matches an existing account, the attacker will now have access to that account. 21 | 22 | To prevent this type of session manipulation, avoid using user-supplied input as session keys. 23 | 24 | ([See here for a tiny, self-contained challenge demonstrating this issue](https://gist.github.com/joernchen/9dfa57017b4732c04bcc).) 25 | 26 | --- 27 | 28 | Back to [Warning Types](/docs/warning_types) 29 | -------------------------------------------------------------------------------- /source/docs/warning_types/dangerous_send/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Dangerous Send" 4 | date: 2012-06-19 16:49 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | Using unfiltered user data to select a Class or Method to be dynamically sent is dangerous. 11 | 12 | It is much safer to whitelist the desired target or method. 13 | 14 | Unsafe use of method: 15 | 16 | method = params[:method] 17 | @result = User.send(method.to_sym) 18 | 19 | Safe: 20 | 21 | method = params[:method] == 1 ? :method_a : :method_b 22 | @result = User.send(method, *args) 23 | 24 | Unsafe use of target: 25 | 26 | table = params[:table] 27 | model = table.classify.constantize 28 | @result = model.send(:method) 29 | 30 | Safe: 31 | 32 | target = params[:target] == 1 ? Account : User 33 | @result = target.send(:method, *args) 34 | 35 | Including user data in the arguments passed to an Object#send is safe, as long as the method can properly handle potentially bad data. 
36 | 37 | Safe: 38 | 39 | args = params["args"] || [] 40 | @result = User.send(:method, *args) 41 | 42 | 43 | --- 44 | Back to [Warning Types](/docs/warning_types) 45 | -------------------------------------------------------------------------------- /source/docs/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Documentation" 4 | date: 2011-08-26 23:30 5 | comments: false 6 | sharing: false 7 | footer: true 8 | --- 9 | 10 | New to Brakeman? See our [quickstart guide](/docs/quickstart)! 11 | 12 | ## Getting Started 13 | 14 | * [Introduction]({{ root_url }}/docs/introduction) 15 | * [Installation]({{ root_url }}/docs/install) 16 | * [Running Brakeman]({{ root_url }}/docs/running) 17 | * [Brakeman Options]({{ root_url }}/docs/options) 18 | 19 | ## Next Steps 20 | 21 | * [Confidence Levels]({{ root_url }}/docs/confidence) 22 | * [Warning Types]({{ root_url }}/docs/warning_types) 23 | * [Reducing False Positives](/docs/reducing_false_positives) 24 | * [Ignoring False Positives](/docs/ignoring_false_positives) 25 | * [Using Brakeman as a Library](/docs/brakeman_as_a_library) 26 | * [Brakeman and Rake](/docs/rake) 27 | 28 | ## More Information 29 | 30 | * [Video](/docs/video) 31 | * [Presentations](/docs/presentations) 32 | * [FAQ]({{ root_url }}/docs/faq) 33 | * [Troubleshooting](/docs/troubleshooting) 34 | * [Testing Brakeman](/docs/testing_brakeman) 35 | * [Contributing](/docs/contributing) 36 | 37 | ## Continuous Integration 38 | 39 | * [Brakeman with Jenkins]({{ root_url }}/docs/jenkins) 40 | 41 | -------------------------------------------------------------------------------- /source/Gemfile: -------------------------------------------------------------------------------- 1 | source "https://rubygems.org" 2 | 3 | ruby "3.2.0" 4 | 5 | # Hello! This is where you manage which Jekyll version is used to run. 
6 | # When you want to use a different version, change it below, save the 7 | # file and run `bundle install`. Run Jekyll with `bundle exec`, like so: 8 | # 9 | # bundle exec jekyll serve 10 | # 11 | # This will help ensure the proper Jekyll version is running. 12 | # Happy Jekylling! 13 | gem "jekyll", "~> 3.9" 14 | 15 | # This is the default theme for new Jekyll sites. You may change this to anything you like. 16 | gem "minima", "~> 2.0" 17 | 18 | # If you want to use GitHub Pages, remove the "gem "jekyll"" above and 19 | # uncomment the line below. To upgrade, run `bundle update github-pages`. 20 | # gem "github-pages", group: :jekyll_plugins 21 | 22 | # If you have any plugins, put them here! 23 | group :jekyll_plugins do 24 | gem "jekyll-feed", "~> 0.6" 25 | gem "jekyll-paginate" 26 | end 27 | 28 | gem "kramdown-parser-gfm" 29 | 30 | # Windows does not include zoneinfo files, so bundle the tzinfo-data gem 31 | gem "tzinfo-data", platforms: [:mingw, :mswin, :x64_mingw, :jruby] 32 | 33 | # Performance-booster for watching directories on Windows 34 | gem "wdm", "~> 0.1.0" if Gem.win_platform? 35 | 36 | -------------------------------------------------------------------------------- /source/docs/rake/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Brakeman with Rake" 4 | date: 2012-01-14 17:48 5 | comments: false 6 | sharing: false 7 | footer: true 8 | --- 9 | 10 | **Running Brakeman via Rake is discouraged because it loads the entire Rails application.** This is unnecessary and can cause strange behavior. 11 | 12 | ### Example 13 | 14 | Here is a simple Rake task to run Brakeman. It can be added to your `Rakefile` or in the `tasks/` directory. 
15 | 16 | namespace :brakeman do 17 | 18 | desc "Run Brakeman" 19 | task :run, :output_files do |t, args| 20 | require 'brakeman' 21 | 22 | files = args[:output_files].split(' ') if args[:output_files] 23 | Brakeman.run :app_path => ".", :output_files => files, :print_report => true 24 | end 25 | end 26 | 27 | This task will run Brakeman with no options. If given an output file, it will save the report in that file. Otherwise, it will print the report out to the console. 28 | 29 | To use this task: 30 | 31 | rake brakeman:run 32 | 33 | or 34 | 35 | rake brakeman:run[report.html] 36 | 37 | This task can easily be customized. See [Brakeman as a Library](/docs/brakeman_as_a_library) for more information. 38 | 39 | --- 40 | 41 | [More documentation](/docs) 42 | -------------------------------------------------------------------------------- /source/_posts/2015-06-19-brakeman-3-dot-0-5-released.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "Brakeman 3.0.5 Released" 4 | date: 2015-06-19 18:09 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title 8 | --- 9 | 10 | And this is why you don't rush out releases. 11 | 12 | *Changes since 3.0.4*: 13 | 14 | * Fix check for CVE-2015-3227 ([#667](https://github.com/presidentbeef/brakeman/issues/667)) 15 | 16 | ### Fix CVE-2015-3227 Check 17 | 18 | Includes information that Rails 3.2.22 is the fix version for anything before Rails 4.0. Fixes warning message when exact Rails version cannot be determined. Fixes link URL to point to the CVE announcement. 
19 | 20 | ([changes](https://github.com/presidentbeef/brakeman/pull/668)) 21 | 22 | ### SHAs 23 | 24 | The SHA1 sums for this release are 25 | 26 | b78e11b745128ed7f9acd5d0c4f5e0e3a81f4d07 brakeman-min-3.0.5.gem 27 | c62cc782595d4995aa385b6bd96c2485ac932077 brakeman-3.0.5.gem 28 | 29 | ### Reporting Issues 30 | 31 | Please report any [issues](https://github.com/presidentbeef/brakeman/issues) with this release! Take a look at [this guide](https://github.com/presidentbeef/brakeman/wiki/How-to-Report-a-Brakeman-Issue) to reporting Brakeman problems. 32 | 33 | Also consider following [@brakeman](https://twitter.com/brakeman) on Twitter and joining the [mailing list](http://brakemanscanner.org/contact/). 34 | 35 | -------------------------------------------------------------------------------- /source/_posts/2019-07-24-brakeman-4-dot-6-dot-1-released.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "Brakeman 4.6.1 Released" 4 | date: 2019-07-24 09:14 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title 8 | --- 9 | 10 | This release corrects a typo in the reverse tabnabbing warning message. 11 | 12 | _Changes since 4.6.0:_ 13 | 14 | * Fix Reverse Tabnabbing warning message ([Steffen Schildknecht](https://github.com/stsc3000) / [Jörg Schiller](https://github.com/joergschiller)) 15 | 16 | ### Checksums 17 | 18 | The SHA256 sums for this release are: 19 | 20 | 6e31f8c8dbdea7b198c591d44b73aee067cca5612db191fe04d8d8c2a8eb9011 brakeman-4.6.1.gem 21 | 6879d5175e5f20bf5ac1bd20dad0ef9a1e4c72d9774114d752b19c7e7d7d69fc brakeman-lib-4.6.1.gem 22 | 72a0ef7b91b11bea925b365645096a186ec3929024066792957006c46355560e brakeman-min-4.6.1.gem 23 | 24 | ### Reporting Issues 25 | 26 | Thank you to everyone who reported bugs and contributed to this release! 27 | 28 | Please report any [issues](https://github.com/presidentbeef/brakeman/issues) with this release. 
Take a look at [this guide](https://github.com/presidentbeef/brakeman/wiki/How-to-Report-a-Brakeman-Issue) to reporting Brakeman problems. 29 | 30 | Follow [@brakeman](https://twitter.com/brakeman) on Twitter and hang out [on Gitter](https://gitter.im/presidentbeef/brakeman) for questions and discussion. 31 | 32 | -------------------------------------------------------------------------------- /source/_posts/2021-06-08-brakeman-5-dot-0-dot-4-released.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "Brakeman 5.0.4 Released" 4 | date: 2021-06-08 10:50 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title 8 | --- 9 | 10 | This is a tiny bugfix release! 11 | 12 | _What happened to 5.0.2 and 5.0.3??_ 13 | 14 | They were messed up. Sorry. Don't use them. 15 | 16 | _Changes since 5.0.1:_ 17 | 18 | * Fix Loofah version check ([#1603](https://github.com/presidentbeef/brakeman/issues/1603)) 19 | 20 | ### Checksums 21 | 22 | The SHA256 sums for this release are: 23 | 24 | 4d1af5c3e65a0c2319396a796bd9a587a13317faff92bd09b74c44ba70aef8b3 brakeman-5.0.4.gem 25 | 6b529ae8f1e16aed711759c3b52fc01c60befeb896042de02aaa5aabf5c24cb5 brakeman-lib-5.0.4.gem 26 | 5a402076af48fc526211212d70a751c80c27cae535077c1c7a63dadc314efe97 brakeman-min-5.0.4.gem 27 | 28 | ### Reporting Issues 29 | 30 | Thank you to everyone who reported bugs and contributed to this release! 31 | 32 | Please report any [issues](https://github.com/presidentbeef/brakeman/issues) with this release. Take a look at [this guide](https://github.com/presidentbeef/brakeman/wiki/How-to-Report-a-Brakeman-Issue) to reporting Brakeman problems. 33 | 34 | Follow [@brakeman](https://twitter.com/brakeman) on Twitter and hang out [on Gitter](https://gitter.im/presidentbeef/brakeman) for questions and discussion. 
35 | -------------------------------------------------------------------------------- /source/docs/warning_types/http_verb_confusion/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "HTTP Verb Confusion" 4 | date: 2020-10-23 15:21 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | Ruby on Rails treats `HEAD` requests just like `GET` requests, except it drops the 11 | response body and does not return it to the client _and_ `request.get?` returns `false`. 12 | 13 | If code is assuming a request is either a `GET` or a `POST` and uses `request.get?` to check, 14 | then a `HEAD` request will be treated like a `POST` instead of a `GET`. 15 | This may trigger the wrong logic or allow a request to bypass CSRF protection 16 | (since `GET`/`HEAD` requests are not protected). 17 | 18 | [This post explains a vulnerability in GitHub](https://blog.teddykatz.com/2019/11/05/github-oauth-bypass.html) 19 | arising from this confusion. 20 | 21 | To avoid introducing a vulnerabilty with `request.get?`, 22 | either use completely separate routes and actions for `GET` vs `POST` (preferred!): 23 | 24 | ```ruby 25 | get '/some/path', to: 'my_controller#some_action' 26 | post '/some/path', to: 'my_controller#a_different_action' 27 | ``` 28 | 29 | 30 | or else check `request.post?` explicitly: 31 | 32 | ```ruby 33 | if request.get? 34 | # do something 35 | elsif request.post? 
36 | # do something else 37 | end 38 | ``` 39 | 40 | 41 | --- 42 | Back to [Warning Types](/docs/warning_types) 43 | -------------------------------------------------------------------------------- /source/_posts/2016-02-24-brakeman-3-dot-2-1-released.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "Brakeman 3.2.1 Released" 4 | date: 2016-02-24 21:36 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title 8 | --- 9 | 10 | _Changes since 3.2.0_: 11 | 12 | * Remove `multi_json` dependency from `bin/brakeman` 13 | 14 | As pointed out by [Benjamin Fleischer](https://github.com/bf4), there was a lingering use of `multi_json` in `bin/brakeman`. This only caused a problem when using the `--compare` option. 15 | 16 | ([changes](https://github.com/presidentbeef/brakeman/pull/831)) 17 | 18 | ### SHAs 19 | 20 | The SHA256 sums for this release are 21 | 22 | 4a7e7a6e9ad9fed22f727fb8d471de145f55d97465b4dfb4935e3e8379667425 brakeman-min-3.2.1.gem 23 | 901202b04b1cae0a781b5a6bae2db3eecd35e9f0a044fbfaa31cac63ab636449 brakeman-3.2.1.gem 24 | 25 | ### Reporting Issues 26 | 27 | Please report any [issues](https://github.com/presidentbeef/brakeman/issues) with this release! Take a look at [this guide](https://github.com/presidentbeef/brakeman/wiki/How-to-Report-a-Brakeman-Issue) to reporting Brakeman problems. 28 | 29 | Also consider following [@brakeman](https://twitter.com/brakeman) on Twitter and hanging out [on Gitter](https://gitter.im/presidentbeef/brakeman) for questions and discussion. Please note the mailing list is no longer in use and has apparently not been delivering mail for some time. 
30 | -------------------------------------------------------------------------------- /source/_posts/2017-12-18-brakeman-4-dot-1-1-released.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "Brakeman 4.1.1 Released" 4 | date: 2017-12-18 23:16 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title 8 | --- 9 | 10 | Just a small fix-up release! 11 | 12 | _Changes since 4.1.0_: 13 | 14 | * Remove check for use of `permit` with `*_id` keys 15 | * Avoid duplicate warnings about permitted attributes 16 | * Avoid duplicate warnings about division by zero 17 | 18 | ### Checksums 19 | 20 | The SHA256 sums for this release are: 21 | 22 | 7b65d6694b488aaa09e147f5a39d7e544385a11ec52ae93058b04b17999925b6 brakeman-4.1.1.gem 23 | ffb525462d391f9a7f85b9b1ebbf7b165d03cd2eaed7093c3f1b4fdb135947e2 brakeman-lib-4.1.1.gem 24 | b50a7b19d56a7606cd3a625611f8e720d47da8a57d126e7dcf443714cec98194 brakeman-min-4.1.1.gem 25 | 26 | ### Reporting Issues 27 | 28 | Thank you to everyone who reported bugs and contributed to this release. 29 | 30 | Please report any [issues](https://github.com/presidentbeef/brakeman/issues) with this release! Take a look at [this guide](https://github.com/presidentbeef/brakeman/wiki/How-to-Report-a-Brakeman-Issue) to reporting Brakeman problems. 31 | 32 | Follow [@brakeman](https://twitter.com/brakeman) on Twitter and hang out [on Gitter](https://gitter.im/presidentbeef/brakeman) for questions and discussion. 33 | 34 | If you find Brakeman valuable and want to support its development (and get more features!), check out [Brakeman Pro](https://brakemanpro.com/). 
35 | -------------------------------------------------------------------------------- /source/_includes/head.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | {{site.title}}{% if page.title %}: {{page.title}}{% endif %} 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | {% include google_analytics.html %} 24 | {% include twitter_sharing.html %} 25 | {% include custom/head.html %} 26 | 27 | -------------------------------------------------------------------------------- /source/_posts/2011-11-16-brakeman-0-dot-9-0-released.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "Brakeman 0.9.0 Released" 4 | date: 2011-11-16 16:23 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title 8 | --- 9 | 10 | Changes: 11 | 12 | * Process Rails 3 configuration files 13 | * Check for config.active_record.whitelist_attributes = true 14 | * Always produce a warning for without_protection => true 15 | * Fix CSV output 16 | 17 | This is just a small release on the way to 1.0. 18 | 19 | ### Rails 3 Configs 20 | 21 | Configurations in `config/application` and `config/environments/production.rb` will now be parsed. 22 | 23 | ### Check for Disabled Mass Assignment 24 | 25 | A new option was added in Rails 3.1 to globally disable mass assignment using `config.active_record.whitelist_attributes = true`. Brakeman will now turn off mass assignment warnings if this configuration setting is detected. 26 | 27 | ### Always Warn on without_protection 28 | 29 | Rails 3.1 adds a way to bypass attribute protection when doing mass assignment. 30 | 31 | For example: 32 | 33 | User.new(params, :without_protection => true) 34 | 35 | Brakeman will now _always_ warn when `without_protection` is used, even if mass assignment is disabled or attributes are protected on that model. 
36 | 37 | ### Fix CSV Output 38 | 39 | Brakeman reports using the CSV format should work once again. 40 | 41 | There is a bug in Ruport when using Ruby 1.9.2 and CSV output. A temporary patch has been added until this is resolved. 42 | -------------------------------------------------------------------------------- /source/docs/warning_types/attribute_restriction/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Attribute Restriction" 4 | date: 2011-11-10 12:46 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | This warning type only applies to Ruby on Rails applications which are not using [strong parameters](https://guides.rubyonrails.org/action_controller_overview.html#strong-parameters). 11 | 12 | Note that disabling mass assignment globally will suppress these warnings. 13 | 14 | #### Missing Protection 15 | 16 | This warning comes up if a model does not limit what attributes can be set through [mass assignment](https://guides.rubyonrails.org/v3.2.9/security.html#mass-assignment). 17 | 18 | In particular, this check looks for `attr_accessible` inside model definitions. If it is not found, this warning will be issued. 19 | 20 | #### Use of Blacklist 21 | 22 | Brakeman also warns on use of `attr_protected` - especially since it was found to be [vulnerable to bypass](https://groups.google.com/d/topic/rubyonrails-security/AFBKNY7VSH8/discussion). Warnings for mass assignment on models using `attr_protected` will be reported, but at a lower confidence level. 23 | 24 | #### Suggested Remediation 25 | 26 | For newer Ruby on Rails applications, query parameters should be whitelisted before use via strong parameters. 27 | 28 | For older Ruby on Rails applications, each model should use `attr_accessible` to carefully whitelist which attributes may be set via mass assignment, if any. 
29 | 30 | --- 31 | 32 | Back to [Warning Types](/docs/warning_types) 33 | -------------------------------------------------------------------------------- /source/docs/warning_types/content_tag/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Cross Site Scripting (Content Tag)" 4 | date: 2012-09-04 12:44 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | Cross site scripting (or XSS) is #2 on the 2010 [OWASP Top Ten](https://www.owasp.org/index.php/Top_10_2010-A2) web security risks and it pops up nearly everywhere. XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject Javascript or HTML into the page. 11 | 12 | [content\_tag](http://apidock.com/rails/ActionView/Helpers/TagHelper/content_tag) is a view helper which generates an HTML tag with some content: 13 | 14 | >> content_tag :p, "Hi!" 15 | => "

<p>Hi!</p>

" 16 | 17 | In Rails 2, this content is unescaped (although attribute values are escaped): 18 | 19 | >> content_tag :p, "" 20 | => "

" 21 | 22 | In Rails 3, the content is escaped. However, only the *content* and the tag attribute *values* are escaped. The tag and attribute names are never escaped in Rails 2 or 3. 23 | 24 | This is more dangerous than a typical method call because `content_tag` marks its output as "HTML safe", meaning the `rails_xss` plugin and Rails 3 auto-escaping will not escape its output. Due to this, `content_tag` should be used carefully if user input is provided as an argument. 25 | 26 | Note that while `content_tag` does have an `escape` parameter, this only applies to tag attribute *values* and is true by default. 27 | 28 | --- 29 | Back to [Warning Types](/docs/warning_types) 30 | 31 | -------------------------------------------------------------------------------- /source/docs/troubleshooting/hanging/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Brakeman Hangs" 4 | date: 2012-06-22 09:34 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | Sometimes Brakeman appears to "hang" while processing. Memory usage typically climbs until it has exhausted all resources. 11 | 12 | The steps below should help pinpoint the problem. 13 | 14 | ### Run in Debug Mode 15 | 16 | Run Brakeman with the `-d` option which will output the name of each file as it is processed. 17 | 18 | This usually pinpoints a single file which is causing the problem. In rare cases, Brakeman might be looping between two files. 19 | 20 | Additionally, the `-d` option will cause Brakeman to output a stack trace when the process is stopped with an interrupt (e.g., pressing Ctrl-c). 21 | 22 | ### Run in 'Fast' Mode 23 | 24 | Run Brakeman with the `--fast` option to turn off some features which have historically had some problems. 25 | 26 | In particular, if Brakeman appears to hang while processing "data flow", this may be an issue with how branching in `if` statements is handled. 
27 | 28 | ### Skip Problem Files 29 | 30 | Run Brakeman with `--skip-files` and skip the file(s) which are suspected of causing the hang. 31 | 32 | If this works, then the problem is definitely narrowed down to those file(s). 33 | 34 | ### Report an Issue 35 | 36 | Please file [an issue](https://github.com/presidentbeef/brakeman/issues) so the problem can be fixed. Include a stack trace and, if possible, the contents of the file. The file can also be shared privately. 37 | 38 | --- 39 | 40 | [Other Problems](/docs/troubleshooting) 41 | -------------------------------------------------------------------------------- /source/docs/troubleshooting/parse_errors/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Parsing Errors" 4 | date: 2012-06-22 09:34 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | Brakeman relies on [ruby\_parser](https://github.com/seattlerb/ruby_parser) for parsing Ruby code. 11 | 12 | The steps below should help narrow down the source of the problem. 13 | 14 | ### Check Ruby Syntax 15 | 16 | If the file is a Ruby file, then the syntax can be checked directly. 17 | 18 | Run `ruby -c` against the file that caused the error to check the syntax of the file using the Ruby interpreter. 19 | 20 | Run `ruby_parse` against the file that caused the error to check the syntax of the file using ruby\_parser. 21 | 22 | ### Check ERB Output 23 | 24 | If the file is an ERB template, then the output of `erb` or `erubis` must be checked. 25 | 26 | Run `erubis -x file_name.html.erb | ruby -c` to check using Erubis. 27 | 28 | _Important:_ Rails uses a slightly modified version of ERB, so the output from these tools is not exactly the same as what Rails sees. Brakeman attempts to emulate the Rails version. 29 | 30 | ### Check Haml Output 31 | 32 | If the file is a Haml template, then the output of `haml` needs to be checked. 
33 | 34 | Run `haml -e --debug file_name.html.haml` to check the output. Note that this will attempt to execute the code, which will likely fail. However, it will also indicate syntax problems. 35 | 36 | ### File an Issue 37 | 38 | Please file [an issue](https://github.com/presidentbeef/brakeman/issues/new?template=parsing-error.md) with an example of the syntax which fails to parse. 39 | 40 | --- 41 | 42 | [Other Problems](/docs/troubleshooting) 43 | -------------------------------------------------------------------------------- /source/_config.yml: -------------------------------------------------------------------------------- 1 | # Welcome to Jekyll! 2 | # 3 | # This config file is meant for settings that affect your whole blog, values 4 | # which you are expected to set up once and rarely edit after that. If you find 5 | # yourself editing this file very often, consider using Jekyll's data files 6 | # feature for the data you need to update frequently. 7 | # 8 | # For technical reasons, this file is *NOT* reloaded automatically when you use 9 | # 'bundle exec jekyll serve'. If you change this file, please restart the server process. 10 | 11 | # Site settings 12 | # These are used to personalize your new site. If you look in the HTML files, 13 | # you will see them accessed via {{ site.title }}, {{ site.email }}, and so on. 14 | # You can create any custom variable you would like, and they will be accessible 15 | # in the templates via {{ site.myvariable }}. 16 | title: Brakeman 17 | subtitle: Ruby on Rails Static Analysis Security Tool 18 | baseurl: "" # the subpath of your site, e.g. /blog 19 | url: "https://brakemanscanner.org" # the base hostname & protocol for your site, e.g. 
http://example.com 20 | 21 | # Build settings 22 | markdown: kramdown 23 | theme: minima 24 | plugins: 25 | - jekyll-feed 26 | - jekyll-paginate 27 | subscribe_rss: feed.xml 28 | 29 | paginate: 5 30 | paginate_path: "/blog/page/:num/" 31 | recent_posts: 5 # Posts in the sidebar Recent Posts section 32 | 33 | # Exclude from processing. 34 | # The following items will not be processed, by default. Create a custom list 35 | # to override the default setting. 36 | # exclude: 37 | # - Gemfile 38 | # - Gemfile.lock 39 | # - node_modules 40 | # - vendor/bundle/ 41 | # - vendor/cache/ 42 | # - vendor/gems/ 43 | # - vendor/ruby/ 44 | -------------------------------------------------------------------------------- /source/docs/video/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Video Documentation" 4 | date: 2011-12-22 12:24 5 | comments: false 6 | sharing: false 7 | footer: true 8 | --- 9 | 10 | 11 | 12 | [Brakeman Lightning Talk at RailsConf 2016](https://youtu.be/DHHHnPwSY5I?t=55m6s) 13 | 14 | 15 | 16 | [Using Brakeman and Automation in Practice in the SDLC and Stuff - Netflix 2014](https://www.youtube.com/embed/kda8RZ5NIlM?start=2603) 17 | 18 | 19 | 20 | [Keeping Rails on Track with Brakeman - RailsConf 2012](http://confreaks.com/videos/890-railsconf2012-keeping-rails-applications-on-track-with-brakeman) 21 | 22 | 23 | 24 | [Tech Talk at AT&T Interactive](https://www.youtube.com/watch?v=2MzrnBiNgZ4) 25 | 26 | 27 | 28 | [Guard Brakeman](https://www.youtube.com/watch?v=CMgYcr9_ONs) 29 | 30 | 31 | 32 | [AppSec USA 2011 Presentation](https://vimeo.com/32696936) 33 | 34 | --- 35 | 36 | [More documentation](/docs) 37 | -------------------------------------------------------------------------------- /source/_posts/2013-12-12-brakeman-2-dot-3-1-released.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "Brakeman 
2.3.1 Released" 4 | date: 2013-12-12 23:24 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title 8 | --- 9 | 10 | Two minor bugs were fixed in this release. Please see the [2.3.0 release post](http://brakemanscanner.org/blog/2013/12/11/brakeman-2-dot-3-0-released/) if you are upgrading from an earlier version. 11 | 12 | ([changes](https://github.com/presidentbeef/brakeman/pull/415)) 13 | 14 | _Changes since 2.3.0_: 15 | 16 | * Fix check for CVE-2013-4491 (i18n XSS) to detect workaround 17 | * Fix link for CVE-2013-6415 (number_to_currency) 18 | 19 | ### i18n XSS Workaround 20 | 21 | Brakeman 2.3.0 included a check for the [official i18n XSS workaround](https://groups.google.com/d/msg/ruby-security-ann/pLrh6DUw998/bLFEyIO4k_EJ), but it was commented out during testing and unfortunately left that way. 22 | 23 | ### CVE-2013-6415 Link 24 | 25 | The link provided for [CVE-2013-6415](https://groups.google.com/d/msg/ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ) in Brakeman 2.3.0 was copy-pasted from an older check. This has been fixed. 26 | 27 | ### SHAs 28 | 29 | The SHA sums for this release are 30 | 31 | 469b209a4c72f5a1133d696575caeee1675837e7 brakeman-2.3.1.gem 32 | 827e1cdefba543f59ed5070aaa3f587d8c7d9513 brakeman-min-2.3.1.gem 33 | 34 | ### Reporting Issues 35 | 36 | Please report any [issues](https://github.com/presidentbeef/brakeman/issues) with this release! Take a look at [this guide](https://github.com/presidentbeef/brakeman/wiki/How-to-Report-a-Brakeman-Issue) to reporting Brakeman problems. 37 | 38 | Also consider joining the [mailing list](http://brakemanscanner.org/contact/) or following [@brakeman](https://twitter.com/brakeman) on Twitter. 
39 | -------------------------------------------------------------------------------- /source/docs/warning_types/denial_of_service/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Denial of Service" 4 | date: 2013-05-16 12:47 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | Denial of Service (DoS) is any attack which causes a service to become unavailable for legitimate clients. 11 | 12 | Denial of Service can be caused by consuming large amounts of network, memory, or CPU resources. 13 | 14 | ### Regex DoS 15 | 16 | If an attacker can control the content of a regular expression, they may be able to construct a regular expression that requires exponential time to run. 17 | 18 | Brakeman will warn about dynamic regular expressions that inject user-supplied values. 19 | 20 | For example: 21 | 22 | some.values.any? { |v| v.match /#{params[:query]}/ } 23 | 24 | More information: 25 | 26 | * [ReDoS](https://en.wikipedia.org/wiki/ReDoS) 27 | * [Catastrophic Backtracking](https://www.regular-expressions.info/catastrophic.html) 28 | * [Regular Expression Matching Can Be Simple And Fast](https://swtch.com/~rsc/regexp/regexp1.html) 29 | 30 | ### Symbol DoS 31 | 32 | [Prior to Ruby 2.2](https://www.ruby-lang.org/en/news/2014/12/25/ruby-2-2-0-released/), Symbols were not garbage collected. Creation of large numbers of Symbols could lead to a server running out of memory. 33 | 34 | If the application appears to be using an older version of Ruby, Brakeman checks for code where user input is converted to a Symbol. When this is not restricted, an attacker could create an unlimited number of Symbols. 35 | 36 | Note: This is an optional check which can be enabled with `--enable SymbolDoS` or `--run-all-checks`. 
37 | 38 | --- 39 | 40 | [More Information](https://owasp.org/www-community/attacks/Denial_of_Service) 41 | 42 | Back to [Warning Types](/docs/warning_types) 43 | -------------------------------------------------------------------------------- /source/_posts/2017-03-24-brakeman-3-dot-6-1-released.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "Brakeman 3.6.1 Released" 4 | date: 2017-03-24 13:15 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title 8 | --- 9 | 10 | This is a small bug fix release to fix an issue when using `--compare`. 11 | 12 | *Changes since 3.6.0*: 13 | 14 | * * Fix error when using `--compare` ([Sean Gransee](https://github.com/seangransee)) 15 | 16 | ### Error With Compare 17 | 18 | Although comparison scans using `--compare` would complete successfully, an exception was being thrown afterwards. 19 | 20 | Thanks to [Anthony Lamorte](https://github.com/anthlam) for reporting and [Sean Gransee](https://github.com/seangransee) for the fix! 21 | 22 | ([changes](https://github.com/presidentbeef/brakeman/pull/1024)) 23 | 24 | ### Checksums 25 | 26 | The SHA256 sums for this release are: 27 | 28 | 3c10b2a9fd8b7b3baab956e6fcc2c7780768f1905433297e8dd940591f1bbb3b brakeman-3.6.1.gem 29 | 98f6bd7531e0e3fbe273b9d185446bd28602176a392d5df8f9c52c36460afdaa brakeman-lib-3.6.1.gem 30 | 44342c843867fce585f6fef09cd093a0544510adfeec15217efe44c6120e3192 brakeman-min-3.6.1.gem 31 | 32 | ### Reporting Issues 33 | 34 | Thank you to everyone who reported bugs and contributed to this release. 35 | 36 | Please report any [issues](https://github.com/presidentbeef/brakeman/issues) with this release! Take a look at [this guide](https://github.com/presidentbeef/brakeman/wiki/How-to-Report-a-Brakeman-Issue) to reporting Brakeman problems. 
37 | 38 | Follow [@brakeman](https://twitter.com/brakeman) on Twitter and hang out [on Gitter](https://gitter.im/presidentbeef/brakeman) for questions and discussion. 39 | 40 | If you find Brakeman valuable and want to support its development, check out [Brakeman Pro](https://brakemanpro.com/). 41 | -------------------------------------------------------------------------------- /source/_posts/2014-03-22-brakeman-2-dot-4-3-released.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "Brakeman 2.4.3 Released" 4 | date: 2014-03-22 17:49 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title 8 | --- 9 | 10 | A new gem version has been released because the 2.4.2 gem was not signed. No other changes were introduced. 11 | 12 | ### Signed Gems 13 | 14 | As a reminder, the Brakeman gems are (supposed to be) signed and can be verified with [this certificate](https://github.com/presidentbeef/brakeman/blob/master/brakeman-public_cert.pem). 15 | 16 | To verify on installation: 17 | 18 | gem cert --add <(curl -Ls https://raw.github.com/presidentbeef/brakeman/master/brakeman-public_cert.pem) 19 | gem install brakeman -P MediumSecurity 20 | 21 | "HighSecurity" requires all dependencies to be signed as well, which is unlikely. 22 | 23 | There is some weirdness around `-P MediumSecurity` currently. The simplest solution seems to be: 24 | 25 | gem install brakeman # Install Brakeman and all dependencies 26 | gem uninstall brakeman # Remove the Brakeman gem 27 | gem install brakeman -P MediumSecurity # Install Brakeman gem and check signature 28 | 29 | ### SHAs 30 | 31 | The SHA1 sums for this release are 32 | 33 | 16b4890fa8ee6bad1d429a12bf3f0cb8e76cb2d8 brakeman-2.4.3.gem 34 | be5743d77140e64b75eefc53f8697f767ab370d9 brakeman-min-2.4.3.gem 35 | 36 | ### Reporting Issues 37 | 38 | Please report any [issues](https://github.com/presidentbeef/brakeman/issues) with this release! 
Take a look at [this guide](https://github.com/presidentbeef/brakeman/wiki/How-to-Report-a-Brakeman-Issue) to reporting Brakeman problems. 39 | 40 | Also consider following [@brakeman](https://twitter.com/brakeman) on Twitter and joining the [mailing list](http://brakemanscanner.org/contact/). 41 | -------------------------------------------------------------------------------- /source/_posts/2023-07-17-brakeman-6-dot-0-dot-1-released.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "Brakeman 6.0.1 Released" 4 | date: 2023-07-20 13:30 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title 8 | --- 9 | 10 | Very tiny release this time! 11 | 12 | _Changes since 6.0.0:_ 13 | 14 | * Accept strings for `load_defaults` version ([#1784](https://github.com/presidentbeef/brakeman/issues/1784)) 15 | * Bundle latest `ruby_parser` 16 | 17 | ### Strings for `load_defaults` 18 | 19 | While the default for Rails generators and documentation is to use floats for versions, e.g. `load_defaults 6.1`, internally it uses strings. It appears quite a few apps also use strings. 20 | 21 | Now Brakeman supports and uses strings. 22 | 23 | ([changes](https://github.com/presidentbeef/brakeman/pull/1785)) 24 | 25 | ### Latest RubyParser 26 | 27 | Bundled with `ruby_parser` 3.20.3, which includes additional support for Ruby 3.2 syntax. 28 | 29 | ### Checksums 30 | 31 | The SHA256 sums for this release are: 32 | 33 | 39641c63bc247bbdf993a349de90a13e146c464c872191f2adc12555bde591be brakeman-6.0.1.gem 34 | e029fbd43c97bbb9c084fa4f0e13ee259bf193b79d66ba7ef94fa9496bab62cd brakeman-lib-6.0.1.gem 35 | ef2ff1234ba2a9e7216a0a047b9df0def8c3b8d162d29853c907238901353a54 brakeman-min-6.0.1.gem 36 | 37 | ### Reporting Issues 38 | 39 | Thank you to everyone who reported bugs and contributed to this release! 
40 | 41 | Please report any [issues](https://github.com/presidentbeef/brakeman/issues) with this release. Take a look at [this guide](https://github.com/presidentbeef/brakeman/wiki/How-to-Report-a-Brakeman-Issue) to reporting Brakeman problems. 42 | 43 | Follow [@brakeman](https://twitter.com/brakeman) on Twitter and hang out [on Github](https://github.com/presidentbeef/brakeman/discussions) for questions and discussion. 44 | -------------------------------------------------------------------------------- /source/docs/warning_types/sql_injection/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "SQL Injection" 4 | date: 2011-11-09 14:12 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | Injection is #1 on the 2010 [OWASP Top Ten](https://www.owasp.org/index.php/Top_10_2010-A1) web security risks. SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query. This can lead to data leaks, data loss, elevation of privilege, and other unpleasant outcomes. 11 | 12 | Brakeman focuses on ActiveRecord methods dealing with building SQL statements. 
13 | 14 | A basic (Rails 2.x) example looks like this: 15 | 16 | User.first(:conditions => "username = '#{params[:username]}'") 17 | 18 | Brakeman would produce a warning like this: 19 | 20 | Possible SQL injection near line 30: User.first(:conditions => ("username = '#{params[:username]}'")) 21 | 22 | The safe way to do this query is to use a parameterized query: 23 | 24 | User.first(:conditions => ["username = ?", params[:username]]) 25 | 26 | Brakeman also understands the new Rails 3.x way of doing things (and local variables and concatenation): 27 | 28 | username = params[:user][:name].downcase 29 | password = params[:user][:password] 30 | 31 | User.first.where("username = '" + username + "' AND password = '" + password + "'") 32 | 33 | This results in this kind of warning: 34 | 35 | Possible SQL injection near line 37: 36 | User.first.where((((("username = '" + params[:user][:name].downcase) + "' AND password = '") + params[:user][:password]) + "'")) 37 | 38 | See [the Ruby Security Guide](http://guides.rubyonrails.org/security.html#sql-injection) for more information and [Rails-SQLi.org](http://rails-sqli.org) for many examples of SQL injection in Rails. 39 | 40 | --- 41 | Back to [Warning Types](/docs/warning_types) 42 | -------------------------------------------------------------------------------- /source/_posts/2018-08-30-happy-8th-birthday.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "Happy 8th Birthday, Brakeman!" 4 | date: 2018-08-30 09:37 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title/index.html 8 | --- 9 | 10 | In celebration of Brakeman's 8th birthday this week, we'd like to share an update to keep you apprised of what we’ve been up to since our acquisition by Synopsys in June of this year. 11 | 12 | Stemming from the acquisition, Synopsys welcomed Justin Collins of the original Brakeman core team. 
He is working closely with the Synopsys Static Analysis division to integrate the Brakeman Pro Engine into the Coverity proprietary product offering. This is an exciting opportunity to build Ruby on Rails support into an enterprise-class engine that is [quickly emerging as a leader](https://www.synopsys.com/software-integrity/resources/analyst-reports/2018-gartner-magic-quadrant.html) in static application security testing. 13 | 14 | As for the Brakeman project, we'd like to assure you that Synopsys is committed to the continued success of the project. 15 | 16 | Synopsys has a rich history of working with the open source community through [Coverity Scan](https://scan.coverity.com/), providing testing as a free service to support building quality and security into the open source software (OSS) development process. To-date since its inception in 2006, Coverity Scan has provided scanning support to over 4,600 open source projects. The December 2017 acquisition of Black Duck Software is another testament to Synopsys’ dedication to securing the growing use of open source. 17 | 18 | Rest easy knowing that Brakeman will continue to be maintained by the same team. Code will remain available on [GitHub](https://github.com/presidentbeef/brakeman), and Ruby gems will continue being distributed via [RubyGems.org](https://rubygems.org/gems/brakeman). 19 | -------------------------------------------------------------------------------- /source/docs/warning_types/ssl_verification_bypass/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "SSL Verification Bypass" 4 | date: 2014-01-06 17:27 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | Simply using SSL isn't enough to ensure the data you are sending is secure. Man in the middle (MITM) attacks are well known and widely used. 
In some cases, these attacks rely on the client to establish a connection that doesn't check the validity of the SSL certificate presented by the server. In this case, the attacker can present their own certificate and act as a man in the middle. 11 | 12 | In Ruby, this happens when the OpenSSL verification mode is set to `VERIFY_NONE`: 13 | 14 | require "net/https" 15 | require "uri" 16 | 17 | uri = URI.parse("https://ssl-site.com/") 18 | http = Net::HTTP.new(uri.host, uri.port) 19 | http.use_ssl = true 20 | http.verify_mode = OpenSSL::SSL::VERIFY_NONE 21 | 22 | request = Net::HTTP::Get.new(uri.request_uri) 23 | 24 | response = http.request(request) 25 | 26 | In this case, if an invalid certificate was presented, no verification would occur, providing an opportunity for attack. When successful, the data transmitted (cookies, request parameters, POST bodies, etc.) would all be able to be intercepted by the MITM. 27 | 28 | Brakeman would produce a warning like this: 29 | 30 | SSL certificate verification was bypassed near line 24: http.verify_mode = OpenSSL::SSL::VERIFY_NONE 31 | 32 | To ensure that SSL verification happens, use the following mode: 33 | 34 | http.verify_mode = OpenSSL::SSL::VERIFY_PEER 35 | 36 | If the server certificate is invalid, or `context.ca_file` is not set when verifying peers, an `OpenSSL::SSL::SSLError` will be raised. 37 | 38 | For more information on the impact of this issue, see the paper [The Most Dangerous Code in the World](https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf). 
39 | 40 | --- 41 | Back to [Warning Types](/docs/warning_types) 42 | -------------------------------------------------------------------------------- /source/_posts/2016-06-10-brakeman-3-dot-3-2-released.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "Brakeman 3.3.2 Released" 4 | date: 2016-06-10 08:49 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title 8 | --- 9 | 10 | This is a bug fix release. 11 | 12 | *Changes since 3.3.2*: 13 | 14 | * Fix performance regression in global constant tracking 15 | 16 | Brakeman 3.3.0 introduced a new feature to track constant values across the application. This helped reduce false positives, for example when checking a value against a constant array of values. However, the lookup of constant values was very slow for moderate to large numbers of constants. In some test cases it added up to a minute of scan time. This has been resolved along with some changes to how dynamic constant names are handled. 17 | 18 | Additionally, the `--faster` option will turn off global constant tracking entirely. 19 | 20 | ([changes](https://github.com/presidentbeef/brakeman/pull/891)) 21 | 22 | ### SHAs 23 | 24 | The SHA256 sums for this release are 25 | 26 | 58bb2179de2bd479d32dc2d2018e40caf478916e283ea88089fe0bcb30a55e6c brakeman-3.3.2.gem 27 | 4f72ff02a163d78244554c4a26ea35e88d76dd6b60c3d21573db8518abcba6fc brakeman-min-3.3.2.gem 28 | c0beeabe95aa693a5273bd48922028f48a190940b18c795813bd0f96068452b4 brakeman-lib-3.3.2.gem 29 | 30 | ### Reporting Issues 31 | 32 | Thank you to the reporters of the performance issue in the 3.3.0 release. 33 | 34 | Please report any [issues](https://github.com/presidentbeef/brakeman/issues) with this release! Take a look at [this guide](https://github.com/presidentbeef/brakeman/wiki/How-to-Report-a-Brakeman-Issue) to reporting Brakeman problems. 
35 | 36 | Also consider following [@brakeman](https://twitter.com/brakeman) on Twitter and hanging out [on Gitter](https://gitter.im/presidentbeef/brakeman) for questions and discussion. 37 | 38 | For commercial support, please consider [Brakeman Pro](https://brakemanpro.com/). 39 | -------------------------------------------------------------------------------- /source/_posts/2022-05-01-brakeman-5-dot-2-dot-3-released.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "Brakeman 5.2.3 Released" 4 | date: 2022-05-01 08:30 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title 8 | --- 9 | 10 | _Changes since 5.2.2:_ 11 | 12 | * Fix error with hash shorthand syntax ([#1700](https://github.com/presidentbeef/brakeman/issues/1700)) 13 | * Match order of interactive options with help message ([Rory O'kane](https://github.com/roryokane)) 14 | 15 | ### Hash Shorthand Syntax 16 | 17 | Parsing shorthand hash syntax like this was added with RubyParser 3.19: 18 | 19 | ```ruby 20 | thing = 1 21 | 22 | blah(thing:) 23 | ``` 24 | 25 | but Brakeman needed to handle it properly, too. 26 | 27 | ([changes](https://github.com/presidentbeef/brakeman/pull/1701)) 28 | 29 | ### Interactive Options 30 | 31 | [Rory O'kane](https://github.com/roryokane) updated the ordering of options in the help message for interactive ignore so 32 | the help message matches the order of the options in the prompt! 
33 | 34 | ([changes](https://github.com/presidentbeef/brakeman/pull/1702)) 35 | 36 | ### Checksums 37 | 38 | The SHA256 sums for this release are: 39 | 40 | 5b6efb6a1e5c2b79063553647638e17239d2d2f4d50561230c8b0acaae4728d4 brakeman-5.2.3.gem 41 | 3104abc8ac2b6558d9610ede40f4cac2ebc7ae45569876b8e5907b7422c4e3af brakeman-lib-5.2.3.gem 42 | 10d743c930c03ed1d2bea021ade8fac10f1229d02b8f65bf2214f7f09ec7a0ff brakeman-min-5.2.3.gem 43 | 44 | ### Reporting Issues 45 | 46 | Thank you to everyone who reported bugs and contributed to this release! 47 | 48 | Please report any [issues](https://github.com/presidentbeef/brakeman/issues) with this release. Take a look at [this guide](https://github.com/presidentbeef/brakeman/wiki/How-to-Report-a-Brakeman-Issue) to reporting Brakeman problems. 49 | 50 | Follow [@brakeman](https://twitter.com/brakeman) on Twitter and hang out [on Gitter](https://gitter.im/presidentbeef/brakeman) for questions and discussion. 51 | -------------------------------------------------------------------------------- /source/docs/contributing/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Contributing to Brakeman" 4 | date: 2011-11-28 16:29 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | The simplest way to contribute to the improvement of Brakeman is to run it against your own applications and then report any issues [here](http://github.com/presidentbeef/brakeman/issues). 11 | 12 | Suggestions are welcome, too! 13 | 14 | ### Testing on Different Platforms 15 | 16 | Brakeman should work on most platforms without a problem. It is typically tested against MRI 1.8.7 and 1.9.3, so any problems outside those two should definitely be [reported](http://github.com/presidentbeef/brakeman/issues). 
17 | 18 | ### Contributing Features 19 | 20 | New feature implementations should be submitted as a pull request on [GitHub](https://github.com/presidentbeef/brakeman). 21 | 22 | ### Contributing Documentation 23 | 24 | Documentation patches can be submitted as pull requests to the [brakeman-site](https://github.com/presidentbeef/brakeman-site) repository. 25 | 26 | ### False Negatives and False Positives 27 | 28 | If you have code that raises warnings when it shouldn't, or does not raise warnings when it should, please consider reporting them with code which reproduces the problem. 29 | 30 | See [here](/docs/contributing/adding_tests) for how to add tests to demonstrate these issues. 31 | 32 | ### Creating New Checks 33 | 34 | Each check that Brakeman runs is a separate class contained in `lib/brakeman/checks/check_*.rb`. Some of these are very simple. For example, see the [StripTags](https://github.com/presidentbeef/brakeman/blob/master/lib/brakeman/checks/check_strip_tags.rb) check. 35 | 36 | New checks can be added simply by writing a new check and placing it in that directory. For best results, subclass from `BaseCheck` and follow the naming convention of starting the class name with `Check`. 37 | 38 | 39 | ### Reporting Success 40 | 41 | If you are happily using Brakeman, consider sending a tweet to [@Brakeman](http://twitter.com/#!/brakeman). 
42 | -------------------------------------------------------------------------------- /source/_posts/2011-10-25-brakeman-0-dot-8-3-released.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "Brakeman 0.8.3 Released" 4 | date: 2011-10-25 10:00 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title 8 | --- 9 | 10 | Changes for 0.8.3: 11 | 12 | * Respect -w flag in .tabs format ([tw-ngreen](https://github.com/tw-ngreen)) 13 | * Escape HTML output of error messages 14 | * Add --skip-libs option 15 | 16 | Changes since 0.8.0: 17 | 18 | * Run checks in parallel threads by default 19 | * Fix compatibility with ruby_parser 2.3.1 20 | * Add option to assume all controller methods are actions 21 | * Recover from errors when parsing routes 22 | 23 | ### Fix for .tabs Format 24 | 25 | Brakeman will now pay attention to the `-w` flag (setting minimum confidence levels) when using the `.tabs` format. 26 | 27 | ### Escape Error Messages in HTML 28 | 29 | Error message will now be escaped in the HTML output so they do not mess up the formatting. 30 | 31 | ### --skip-libs Option 32 | 33 | The `--skip-libs` option will cause Brakeman to not process the files in the `lib` directory. At the moment, the results from this directory are only used in a couple places, so it is unlikely that skipping them will cause any problems. 34 | 35 | ### Parallel Checks 36 | 37 | Checks are now run in separate threads by default. Thus far, there does not seem to be a big difference between using threads and the sequential approach. To turn off threads, use the `-n` option. 38 | 39 | ### ruby_parser Compatibility 40 | 41 | This is a stop-gap measure until [ruby_parser](https://github.com/seattlerb/ruby_parser) supports Ruby 1.9, which is getting closer to reality. 42 | 43 | ### Route Processing 44 | 45 | Brakeman will no longer crash if there are problems parsing `routes.rb`. 
Instead, it will assume all public methods on controllers are actions. The `-a` option will also turn this behavior on. 46 | 47 | Rails 3.1 route parsing is still a work in progress, so this should at least allow analysis of 3.1 apps, even if it means slightly reduced accuracy. 48 | -------------------------------------------------------------------------------- /source/_posts/2014-07-02-brakeman-2-dot-6-1-released.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "Brakeman 2.6.1 Released" 4 | date: 2014-07-02 12:30 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title 8 | --- 9 | 10 | This is a tiny release in response to today's CVEs. 11 | 12 | *Changes since 2.6.0*: 13 | 14 | * Add check for CVE-2014-3482 and CVE-2014-3483 15 | * Add support for keyword arguments in blocks ([#511](https://github.com/presidentbeef/brakeman/issues/511)) 16 | * Remove unused warning codes ([Bill Fischer](https://github.com/bfish510)) 17 | 18 | ### Check for PostgreSQL Injection CVEs 19 | 20 | [CVE-2014-3482 and CVE-2014-3483](https://groups.google.com/forum/#!msg/rubyonrails-security/wDxePLJGZdI/WP7EasCJTA4J) are SQL injection issues when using the PostgreSQL backend with bitstring and range data types. Brakeman will warn about affected versions of Rails which include the "pg" gem in the Gemfile. 21 | 22 | ([changes](https://github.com/presidentbeef/brakeman/pull/515)) 23 | 24 | ### Support Keyword Arguments to Blocks 25 | 26 | Brakeman now handles keyword arguments to blocks as local variables in the block scope instead of throwing an error. 27 | 28 | ([changes](https://github.com/presidentbeef/brakeman/pull/513)) 29 | 30 | ### Removal of Warning Codes 31 | 32 | Warning codes for `CVE_2013_6415` and `CVE_2013_6415_call` have been removed, as they are unused. This should not affect anyone. 
33 | 34 | ([changes](https://github.com/presidentbeef/brakeman/pull/514)) 35 | 36 | ### SHAs 37 | 38 | The SHA1 sums for this release are 39 | 40 | 5b7b5572efe769cfa38178e94952be05670e6fd4 brakeman-2.6.1.gem 41 | fecdb07a5e1a83af02843fbd554472f980e04f91 brakeman-min-2.6.1.gem 42 | 43 | ### Reporting Issues 44 | 45 | Please report any [issues](https://github.com/presidentbeef/brakeman/issues) with this release! Take a look at [this guide](https://github.com/presidentbeef/brakeman/wiki/How-to-Report-a-Brakeman-Issue) to reporting Brakeman problems. 46 | 47 | Also consider following [@brakeman](https://twitter.com/brakeman) on Twitter and joining the [mailing list](http://brakemanscanner.org/contact/). 48 | -------------------------------------------------------------------------------- /source/Gemfile.lock: -------------------------------------------------------------------------------- 1 | GEM 2 | remote: https://rubygems.org/ 3 | specs: 4 | addressable (2.8.1) 5 | public_suffix (>= 2.0.2, < 6.0) 6 | colorator (1.1.0) 7 | concurrent-ruby (1.2.2) 8 | em-websocket (0.5.3) 9 | eventmachine (>= 0.12.9) 10 | http_parser.rb (~> 0) 11 | eventmachine (1.2.7) 12 | ffi (1.15.5) 13 | forwardable-extended (2.6.0) 14 | http_parser.rb (0.8.0) 15 | i18n (1.12.0) 16 | concurrent-ruby (~> 1.0) 17 | jekyll (3.9.3) 18 | addressable (~> 2.4) 19 | colorator (~> 1.0) 20 | em-websocket (~> 0.5) 21 | i18n (>= 0.7, < 2) 22 | jekyll-sass-converter (~> 1.0) 23 | jekyll-watch (~> 2.0) 24 | kramdown (>= 1.17, < 3) 25 | liquid (~> 4.0) 26 | mercenary (~> 0.3.3) 27 | pathutil (~> 0.9) 28 | rouge (>= 1.7, < 4) 29 | safe_yaml (~> 1.0) 30 | jekyll-feed (0.11.0) 31 | jekyll (~> 3.3) 32 | jekyll-paginate (1.1.0) 33 | jekyll-sass-converter (1.5.2) 34 | sass (~> 3.4) 35 | jekyll-seo-tag (2.5.0) 36 | jekyll (~> 3.3) 37 | jekyll-watch (2.2.1) 38 | listen (~> 3.0) 39 | kramdown (2.4.0) 40 | rexml 41 | kramdown-parser-gfm (1.1.0) 42 | kramdown (~> 2.0) 43 | liquid (4.0.4) 44 | listen (3.8.0) 45 | rb-fsevent 
(~> 0.10, >= 0.10.3) 46 | rb-inotify (~> 0.9, >= 0.9.10) 47 | mercenary (0.3.6) 48 | minima (2.5.0) 49 | jekyll (~> 3.5) 50 | jekyll-feed (~> 0.9) 51 | jekyll-seo-tag (~> 2.1) 52 | pathutil (0.16.2) 53 | forwardable-extended (~> 2.6) 54 | public_suffix (5.0.1) 55 | rb-fsevent (0.11.2) 56 | rb-inotify (0.10.1) 57 | ffi (~> 1.0) 58 | rexml (3.2.5) 59 | rouge (3.30.0) 60 | safe_yaml (1.0.5) 61 | sass (3.7.4) 62 | sass-listen (~> 4.0.0) 63 | sass-listen (4.0.0) 64 | rb-fsevent (~> 0.9, >= 0.9.4) 65 | rb-inotify (~> 0.9, >= 0.9.7) 66 | 67 | PLATFORMS 68 | ruby 69 | 70 | DEPENDENCIES 71 | jekyll (~> 3.9) 72 | jekyll-feed (~> 0.6) 73 | jekyll-paginate 74 | kramdown-parser-gfm 75 | minima (~> 2.0) 76 | tzinfo-data 77 | 78 | RUBY VERSION 79 | ruby 3.2.0p0 80 | 81 | BUNDLED WITH 82 | 2.4.7 83 | -------------------------------------------------------------------------------- /source/docs/warning_types/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Warning Types" 4 | date: 2011-08-27 08:25 5 | comments: false 6 | sharing: false 7 | footer: true 8 | --- 9 | 10 | Read more about the different warnings Brakeman reports: 11 | 12 | * [Attribute Restriction](/docs/warning_types/attribute_restriction) 13 | * [Authentication](/docs/warning_types/authentication) 14 | * [Basic Authentication](/docs/warning_types/basic_authentication) 15 | * [Command Injection](/docs/warning_types/command_injection) 16 | * [Cross-Site Request Forgery](/docs/warning_types/cross-site_request_forgery) 17 | * [Cross Site Scripting](/docs/warning_types/cross_site_scripting) 18 | * [Cross Site Scripting (Content Tag)](/docs/warning_types/content_tag) 19 | * [Cross Site Scripting (JSON)](/docs/warning_types/cross_site_scripting_to_json) 20 | * [Dangerous Evaluation](/docs/warning_types/dangerous_evaluation) 21 | * [Dangerous Send](/docs/warning_types/dangerous_send) 22 | * [Default Routes](/docs/warning_types/default_routes) 
23 | * [Denial of Service](/docs/warning_types/denial_of_service) 24 | * [Divide By Zero](/docs/warning_types/divide_by_zero) 25 | * [Dynamic Render Paths](/docs/warning_types/dynamic_render_paths) 26 | * [File Access](/docs/warning_types/file_access) 27 | * [Format Validation](/docs/warning_types/format_validation) 28 | * [Information Disclosure](/docs/warning_types/information_disclosure) 29 | * [Mail Link](/docs/warning_types/CVE-2011-0446) 30 | * [Mass Assignment](/docs/warning_types/mass_assignment) 31 | * [Remote Code Execution](/docs/warning_types/remote_code_execution) 32 | * [Remote Execution in YAML.load](/docs/warning_types/remote_code_execution_yaml_load) 33 | * [Session Manipulation](/docs/warning_types/session_manipulation) 34 | * [Session Settings](/docs/warning_types/session_setting) 35 | * [SQL Injection](/docs/warning_types/sql_injection) 36 | * [SSL Verification Bypass](/docs/warning_types/ssl_verification_bypass) 37 | * [Unsafe Deserialization](/docs/warning_types/unsafe_deserialization) 38 | * [Unscoped Find](/docs/warning_types/unscoped_find) 39 | * [Unsafe Redirects](/docs/warning_types/redirect) 40 | * [Weak Hash](/docs/warning_types/weak_hash) 41 | 42 | --- 43 | [More Documentation](/docs) 44 | -------------------------------------------------------------------------------- /source/_posts/2011-12-21-brakeman-1-dot-1-released.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "Brakeman 1.1 Released" 4 | date: 2011-12-21 19:12 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title 8 | --- 9 | 10 | This was supposed to be a 1.0.1 release, but quite a bit of code changed. 
11 | 12 | Changes since 1.0: 13 | 14 | * Relax required versions for dependencies (this is for Bundler users) 15 | * Performance improvements for source processing 16 | * Better progress reporting 17 | * Handle basic operators like << + - * / 18 | * Rescue more errors to prevent Brakeman from completely bailing out 19 | * Compatibility with newer Haml versions 20 | * Fix some 1.9 warnings 21 | 22 | ### Relax Dependencies 23 | 24 | The version dependencies for Brakeman have been relaxed somewhat, so it should work fine if included in a Rails 3 Gemfile. Unfortunately, this makes it a little harder to be sure it will work with all setups. Please report any problems! 25 | 26 | ### Performance Improvements 27 | 28 | The 1.0 release reduced the time taken for running the vulnerability checks, but (unrelatedly) the time for processing the source code increased. 29 | 30 | This release makes some improvements that should improve scan times. If it takes an intolerable amount of time for scans (more than 5-10 minutes), try using the `--faster` option. This will possibly report fewer vulnerabilities, but should be much faster. 31 | 32 | ### Progress Reporting 33 | 34 | Brakeman will now provide better feedback about its progress while processing applications. For even more output, use the `--debug` option. 35 | 36 | ### Handle More Operators 37 | 38 | See [here](https://github.com/presidentbeef/brakeman/wiki/Using-Brakeman::AliasProcessor) for the kinds of simple processing Brakeman can do. 39 | 40 | ### Rescue More Errors 41 | 42 | Brakeman does its best to never completely abort execution and tries to always provide an analysis of whatever it can manage. This release rescues exceptions that may occur while processing configurations and Gemfiles. 43 | 44 | ### Problems 45 | 46 | If you run into any problems, don't hesitate to send a tweet to [@Brakemanscanner](http://twitter.com/brakemanscanner) or [file an issue](https://github.com/presidentbeef/brakeman/issues) on GitHub! 
47 | -------------------------------------------------------------------------------- /source/_posts/2011-12-05-brakeman-1-dot-0-release-candidate-available.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "Brakeman 1.0 Release Candidate Available" 4 | date: 2011-12-05 14:04 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title 8 | --- 9 | 10 | Because there have been some major changes since 0.9.2, I have released a release candidate just in case there are problems. Please try it out and report any issues! 11 | 12 | gem install brakeman --pre 13 | 14 | **Changes:** 15 | 16 | * Brakeman can now be used as a library 17 | * Faster call search 18 | * Add option to return error code if warnings are found (tw-ngreen) 19 | * Allow truncated messages to be expanded in HTML 20 | * Keep expanded context in HTML output 21 | * Fix summary when using warning thresholds 22 | * Better support for Rails 3 routes 23 | * Reduce SQL injection duplicate warnings 24 | * Lower confidence on mass assignment with no user input 25 | * Ignore mass assignment using all literal arguments 26 | 27 | ### Brakeman as a Library 28 | 29 | After some re-factoring, Brakeman can now be used as a library. 30 | 31 | require 'brakeman' 32 | 33 | Brakeman.run :app_path => 'my_app' 34 | 35 | ### Faster Call Search 36 | 37 | Searching for calls, like many of the checks do, is significantly faster now. Any scans that spend the majority of the time running checks should be much quicker. 38 | 39 | ### Option to Return Error Code 40 | 41 | `--exit-on-warn` will cause Brakeman to exit with an error code if any warnings are found. 42 | 43 | ### Fix Context in HTML Report 44 | 45 | Truncated messages with no context are now able to be expanded when clicked. 46 | 47 | Expanded context should remain visible in the browser, instead of sometimes scrolling out of view. 
48 | 49 | ### Fix Report Summary 50 | 51 | The summary in reports with warnings below the specified threshold will now only show the number of warnings in the actual report. 52 | 53 | ### Reduce Duplicate SQL Warnings 54 | 55 | There should be fewer duplicate SQL injection warnings now. 56 | 57 | ## 1.0 Release 58 | 59 | Next up is fixing Rubinius support, making Brakeman more useful as a library, and improving Rails 3 route processing. 60 | 61 | If all is well, the 1.0 release will be ready in a couple days! Report bugs if you got 'em! 62 | -------------------------------------------------------------------------------- /source/_posts/2012-01-13-brakeman-1-dot-2-released.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "Brakeman 1.2 Released" 4 | date: 2012-01-13 22:00 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title 8 | --- 9 | 10 | First Brakeman release of 2012! 11 | 12 | _Changes since 1.1:_ 13 | 14 | * Speed improvements for CheckExecute and CheckRender 15 | * Check `named_scope` and `scope` for SQL injection 16 | * Add `--rake` option to create rake task to run Brakeman 17 | * Add `--summary` option to only output summary 18 | * Add experimental support for rescanning a subset of files 19 | * Fix a problem with Rails 3 routes 20 | 21 | Besides those, there has also been quite a bit of code improvement internally. 22 | 23 | ### Speed Improvements 24 | 25 | The checks for command injection and dynamic render paths should be considerably faster now. 26 | 27 | ### More SQL Injection Checks 28 | 29 | Thanks to [a5sk4s](https://github.com/presidentbeef/brakeman/issues/30) for pointing out that Brakeman was not checking `named_scope` for SQL injection. This has been rectified. For Rails 3.1 and up, `scope` will be checked. 30 | 31 | Also, it seems common to use `Model.table_name` inside SQL statements. This will no longer raise a warning. 
32 | 33 | ### Brakeman Rake Task 34 | 35 | The `--rake` option can now be used to install a Rake task for running Brakeman. The task will be copied to `lib/tasks/brakeman.rake`. 36 | 37 | To use, run this from the root of the Rails app: 38 | 39 | brakeman --rake 40 | 41 | Then, to run Brakeman: 42 | 43 | rake brakeman:run 44 | 45 | Naturally, this requires Rake to be installed. 46 | 47 | To output to a specific file: 48 | 49 | rake brakeman:run["report.html"] 50 | 51 | More actions may be added in the future. 52 | 53 | ### Summary Option 54 | 55 | Sometimes the specifics of a scan are not needed. The `--summary` option will limit the report output to just the summary section. 56 | 57 | ### Rescan for Subset of Files 58 | 59 | This release adds experimental support for rescanning a subset of paths in a Rails application. Please see this [example](https://gist.github.com/1563286). 60 | 61 | ### Issues 62 | 63 | Please report _any_ problems or questions on [GitHub](https://github.com/presidentbeef/brakeman/issues) or send a tweet to [@Brakeman](https://twitter.com/#!/brakemanscanner)! 64 | -------------------------------------------------------------------------------- /source/javascripts/lib/humane.js: -------------------------------------------------------------------------------- 1 | /* 2 | * Javascript Humane Dates 3 | * Copyright (c) 2008 Dean Landolt (deanlandolt.com) 4 | * Re-write by Zach Leatherman (zachleat.com) 5 | * 6 | * Adopted from the John Resig's pretty.js 7 | * at http://ejohn.org/blog/javascript-pretty-date 8 | * and henrah's proposed modification 9 | * at http://ejohn.org/blog/javascript-pretty-date/#comment-297458 10 | * 11 | * Licensed under the MIT license. 
*/

/**
 * Turn a date string into a relative, human-readable phrase such as
 * "3 minutes ago", "1 week" (for a future date) or "2 centuries ago".
 *
 * @param {string} date_str  date text; dashes become slashes and the ISO
 *                           "T"/"Z" markers become spaces before parsing.
 * @returns {string} the relative phrase, or `date_str` itself unchanged
 *                   when it cannot be parsed into a Date.
 */
function humane_date(date_str){
	// Each entry is [upper bound in seconds, label, divisor]. Two-element
	// entries are returned as their label; three-element entries become
	// "<rounded elapsed / divisor> <label>".
	var thresholds = [
		[60, 'Just Now'],
		[90, '1 minute'],                 // 60*1.5
		[3600, 'minutes', 60],            // 60*60, 60
		[5400, '1 hour'],                 // 60*60*1.5
		[86400, 'hours', 3600],           // 60*60*24, 60*60
		[129600, '1 day'],                // 60*60*24*1.5
		[604800, 'days', 86400],          // 60*60*24*7, 60*60*24
		[907200, '1 week'],               // 60*60*24*7*1.5
		[2628000, 'weeks', 604800],       // 60*60*24*(365/12), 60*60*24*7
		[3942000, '1 month'],             // 60*60*24*(365/12)*1.5
		[31536000, 'months', 2628000],    // 60*60*24*365, 60*60*24*(365/12)
		[47304000, '1 year'],             // 60*60*24*365*1.5
		[3153600000, 'years', 31536000],  // 60*60*24*365*100, 60*60*24*365
		[4730400000, '1 century']         // 60*60*24*365*100*1.5
	];

	// Normalise the input so the Date constructor will accept it.
	var normalised = ('' + date_str).replace(/-/g, "/").replace(/[TZ]/g, " ");
	var now = new Date();
	// Elapsed seconds; the timezone-offset term compensates for the parsed
	// value being read as local time. Unparseable input yields NaN here.
	var elapsed = (now - new Date(normalised) + now.getTimezoneOffset() * 60000) / 1000;
	var suffix = ' ago';

	// Future dates are reported as a bare span, without the " ago" suffix.
	if (elapsed < 0) {
		elapsed = -elapsed;
		suffix = '';
	}

	for (var idx = 0; idx < thresholds.length; idx++) {
		var entry = thresholds[idx];
		if (elapsed >= entry[0]) {
			continue;
		}
		// The first bucket ("Just Now") never carries the suffix.
		var tail = idx > 0 ? suffix : '';
		if (entry.length === 2) {
			return entry[1] + tail;
		}
		return Math.round(elapsed / entry[2]) + ' ' + entry[1] + tail;
	}

	// Beyond the last bucket: count whole centuries.
	if (elapsed > 4730400000) {
		return Math.round(elapsed / 4730400000) + ' centuries' + suffix;
	}

	// Reached only when `elapsed` is NaN (input did not parse): echo the input.
	return date_str;
}

if (typeof jQuery != 'undefined') {
	// jQuery plugin: replace each matched element's text with the humanised
	// form of its `title` attribute. Uses .text(), never .html(), so the
	// attribute value is inserted as plain text and is not parsed as markup.
	jQuery.fn.humane_dates = function () {
		return this.each(function () {
			var pretty = humane_date(this.title);
			var el = jQuery(this);
			// Skip the DOM write when the text is already up to date.
			if (pretty && el.text() != pretty) {
				el.text(pretty);
			}
		});
	};
}
-------------------------------------------------------------------------------- /source/_posts/2018-06-28-brakeman-has-been-acquired-by-synopsys.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "Brakeman Has Been Acquired by Synopsys" 4 | date: 2018-06-28 13:37 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title/index.html 8 | --- 9 | 10 | We are excited to announce [Brakeman Pro](https://brakemanpro.com) has been acquired by Synopsys. 11 | 12 | Started in 2014, Brakeman Pro has been a partnership between [Justin Collins](https://twitter.com/presidentbeef), [Neil Matatall](https://twitter.com/ndm), [Jim Manico](https://twitter.com/manicode), and [Adam Korman](https://twitter.com/adamkorman). Although it’s been an unconventional journey, we are all grateful to have traveled it together. Sincere thanks to the many folks who supported, promoted, and encouraged us along the way. 13 | 14 | Justin Collins will be joining Synopsys to help integrate the Brakeman Pro Engine into their static application security testing (SAST) offerings, as well as continuing to develop and support the Brakeman OSS project. This is an exciting opportunity to focus on improving and expanding SAST for the Ruby community. 15 | 16 | ### Brakeman OSS 17 | 18 | This Brakeman OSS project is part of the acquisition, and Synopsys now owns the copyright previously held by Brakeman, Inc. 
19 | 20 | The project going forward and any future contributions will be made available under the [Creative Commons Attribution-NonCommercial-ShareAlike 4.0 Public License](https://creativecommons.org/licenses/by-nc-sa/4.0/). For most users who are using Brakeman for internal purposes or assessments, nothing will change. Brakeman OSS will continue to be maintained by the same folks, free, and open source. Code will remain available on [GitHub](https://github.com/presidentbeef/brakeman), and Ruby gems will be distributed from [RubyGems.org](https://rubygems.org/gems/brakeman). 21 | 22 | However, under the new license, it is no longer possible to use Brakeman OSS for the development of a commercial product or online service or to resell Brakeman OSS as a service. Companies wishing to do either will require a commercial agreement with Synopsys. Please see [here](https://github.com/presidentbeef/brakeman/pull/1238#issuecomment-401448976) for more details. 23 | 24 | ### Thank You 25 | 26 | Thank you again to our customers, friends, and family who supported us in making the web a little bit safer! 27 | -------------------------------------------------------------------------------- /source/_posts/2011-11-04-brakeman-0-dot-8-4-released.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "Brakeman 0.8.4 Released" 4 | date: 2011-11-04 14:58 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title 8 | --- 9 | 10 | Changes: 11 | 12 | * Option for separate attr_accessible warnings 13 | * Option to set CSS file for HTML output 14 | * Add file names for version-specific warnings 15 | * Add line number for default routes in a controller 16 | * Fix hash_insert() 17 | * Remove use of Queue from threaded checks 18 | 19 | 20 | ### Separate attr_accessible Warnings 21 | 22 | The current default is to roll all controllers lacking `attr_accessible` into a single warning. 
This is convenient when manually looking at HTML or text output, but for Jenkins/Hudson it is better to have each be a separate warning. That way it is easier to track new and fixed warnings. 23 | 24 | To turn on this behavior, use `--separate-models`. 25 | 26 | ### Custom CSS for HTML Output 27 | 28 | Use the `--css-file` option to set a custom CSS file for styling HTML output. This file is copied directly into the report. 29 | 30 | ### File Names for Version-Specific Warnings 31 | 32 | Previously, there would be no file name associated with warnings about certain versions of Rails. This caused the warnings to not show up in the Jenkins/Hudson plugin. Now either `Gemfile` or `config/environment.rb` will be used as the file name for warnings based on the detected Rails version. 33 | 34 | ### Line Number for Default Routes 35 | 36 | When default routes were detected for specific controllers, there will now be a line number (from `routes.rb`) associated with the warning. 37 | 38 | ### hash_insert() Fixed 39 | 40 | `hash_insert` was broken and would cause some spurious warnings. For example, sometimes `only_path => true` would be set in `params`, but Brakeman would mess up the `params` hash and a redirect warning would still be created. 41 | 42 | ### Threaded Checks No Longer Use Queue 43 | 44 | When using threaded checks, the resulting warnings were stored in a thread-safe Queue. This has been removed, and the resulting value from each thread will be used instead. This should avoid some (small) locking overhead and is just simpler. 45 | 46 | ### "Like" Brakeman on Ruby Toolbox 47 | 48 | Please consider 'liking' Brakeman on the [Ruby Toolbox](https://www.ruby-toolbox.com/projects/brakeman)! 
49 | -------------------------------------------------------------------------------- /source/_posts/2014-02-19-brakeman-2-dot-4-1-released.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "Brakeman 2.4.1 Released" 4 | date: 2014-02-19 10:53 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title 8 | --- 9 | 10 | This release only adds checks for the latest CVEs, no other changes. 11 | 12 | *Changes since 2.4.0*: 13 | 14 | * Add check for CVE-2014-0080 15 | * Add check for CVE-2014-0081, replaces CVE-2013-6415 16 | * Add check for CVE-2014-0082 17 | 18 | ### CVE-2014-0080 19 | 20 | [CVE-2014-0080](https://groups.google.com/d/msg/rubyonrails-security/Wu96YkTUR6s/pPLBMZrlwvYJ) is a SQL injection issue that only affects applications using PostgreSQL with Rails 4.x. If Brakeman detects the `pg` gem and an affected version, it will warn about this CVE. 21 | 22 | ([changes](https://github.com/presidentbeef/brakeman/pull/447)) 23 | 24 | ### CVE-2014-0081 25 | 26 | [CVE-2014-0081](https://groups.google.com/d/msg/rubyonrails-security/tfp6gZCtzr4/j8LUHmu7fIEJ) is a vulnerability in `number_to_currency`, `number_to_percentage`, and `number_to_human`. Values passed in as options may not be properly escaped. It affects all previous versions of Rails. 27 | 28 | Brakeman will warn on unsafe uses of these methods. If no unsafe calls are found, it will generate a generic medium confidence warning. 29 | 30 | Warnings for CVE-2014-0081 replace warnings for CVE-2013-6415, which was about just `number_to_currency`. 31 | 32 | ([changes](https://github.com/presidentbeef/brakeman/pull/448)) 33 | 34 | ### CVE-2014-0082 35 | 36 | [CVE-2014-0082](https://groups.google.com/d/msg/rubyonrails-security/LMxO_3_eCuc/ozGBEhKaJbIJ) is a potential symbol denial of service problem when handling `render :text` in Rails 3.x. 
37 | 38 | Brakeman will only warn about this CVE if it detects use of `render :text` in affected versions. 39 | 40 | ([changes](https://github.com/presidentbeef/brakeman/pull/449)) 41 | 42 | ### SHAs 43 | 44 | The SHA1 sums for this release are 45 | 46 | e9fb5439d5a322b4a9c9611d75d994e7df83d4d2 brakeman-2.4.1.gem 47 | b84ad90a7ec9b6e6bbce8fc69c50d1d8b3214d0f brakeman-min-2.4.1.gem 48 | 49 | ### Reporting Issues 50 | 51 | Please report any [issues](https://github.com/presidentbeef/brakeman/issues) with this release! Take a look at [this guide](https://github.com/presidentbeef/brakeman/wiki/How-to-Report-a-Brakeman-Issue) to reporting Brakeman problems. 52 | 53 | Also consider following [@brakeman](https://twitter.com/brakeman) on Twitter or joining the [mailing list](http://brakemanscanner.org/contact/). 54 | 55 | -------------------------------------------------------------------------------- /source/docs/warning_types/cross_site_scripting_to_json/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Cross Site Scripting (JSON)" 4 | date: 2012-08-29 18:09 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | Cross site scripting (or XSS) is #2 on the 2010 [OWASP Top Ten](https://www.owasp.org/index.php/Top_10_2010-A2) web security risks and it pops up nearly everywhere. 11 | 12 | XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject Javascript or HTML into the page. Calls to `Hash#to_json` can be used to trigger XSS. Brakeman will check to see if there are any calls to `Hash#to_json` with `ActiveSupport#escape_html_entities_in_json` set to false (or if you are running Rails < 2.1.0 which did not have this functionality). 13 | 14 | `ActiveSupport#escape_html_entities_in_json` was introduced in the "new\_rails\_defaults" initializer in Rails 2.1.0 which is set to `false` by default. 
In Rails 3.0.0, `true` became the default setting. Setting this value to `true` will automatically escape '<', '>', '&' which are commonly used to break out of code generated by a to\_json call. 15 | 16 | See [ActiveSupport#escape\_html\_entities\_in\_json](http://rubydoc.info/docs/rails/ActiveSupport/JSON/Encoding.escape_html_entities_in_json=) for more details. 17 | 18 | ### Exploiting to\_json 19 | 20 | Consider the following snippet of Rails 2.x ERB: 21 | 22 | # controller 23 | @attrs = {:email => 'some@email.com 29 | 30 | Which generates the following html: 31 | 32 | 35 | 36 | While the generated Javascript appears valid, the browser parses the script tags first, so it sees something like this: 37 | 38 | 41 | 44 | 45 | The attribute assignment causes a Javascript error, but the alert triggers just fine! 46 | 47 | With `escape_html_entities_in_json = true`, you will receive the following innocuous output: 48 | 49 | 52 | 53 | --- 54 | Back to [Warning Types](/docs/warning_types) 55 | 56 | -------------------------------------------------------------------------------- /source/_posts/2020-09-28-brakeman-4-dot-10-dot-0-released.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "Brakeman 4.10.0 Released" 4 | date: 2020-09-28 12:30 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title 8 | --- 9 | 10 | This release introduces a new report format! 11 | 12 | _Changes since 4.9.1:_ 13 | 14 | * Add SARIF report format ([Steve Winton](https://github.com/swinton)) 15 | 16 | ### SARIF Report Format 17 | 18 | [Steve Winton](https://github.com/swinton) from GitHub has contributed support for [Static Analysis Results Interchange Format (SARIF)](https://sarifweb.azurewebsites.net/). 
19 | This is a standard format for static analysis tools and can be consumed by some report viewers, such as [this one for Visual Studio Code](https://github.com/Microsoft/sarif-vscode-extension/). 20 | 21 | To output a SARIF report, use `-f sarif` or a file name like `-o report.sarif`. 22 | 23 | ([changes](https://github.com/presidentbeef/brakeman/pull/1500)) 24 | 25 | ### Previewing Brakeman 5.0 26 | 27 | _What is planned for Brakeman 5.0?_ 28 | 29 | The big change coming in 5.0 is scanning _way_ more files. Currently, Brakeman scans specific directories in `app/`, `config/`, `lib/`, and `engines/`. 30 | It also only looks for files in particular places - e.g. views will be somewhere in `app/**/views`. 31 | 32 | In 5.0, Brakeman will scan (almost) all files in the project directory with `.rb` or template-related extensions. 33 | This will dramatically increase the scope of Brakeman scans, which is better coverage but at the cost of more false positives and slower scans. 34 | 35 | Also expected in Brakeman 5.0 is a bump of minimum Ruby version to 2.4.0 (which is already EOL). 36 | 37 | ### Checksums 38 | 39 | The SHA256 sums for this release are: 40 | 41 | 7bef7df71137d06be5fc3325ead57f8ce35be7691bf6dd389228461d731b79dd brakeman-4.10.0.gem 42 | 698b8eb02cdea7a6e407192c261c61d8fc6cd24d590a1b388defc9de17966119 brakeman-lib-4.10.0.gem 43 | 64bb565ee84b9a9646985e456db1125ff9fb884ca83de6ba6fbc2c63bdbc8de9 brakeman-min-4.10.0.gem 44 | 45 | ### Reporting Issues 46 | 47 | Thank you to everyone who reported bugs and contributed to this release! 48 | 49 | Please report any [issues](https://github.com/presidentbeef/brakeman/issues) with this release. Take a look at [this guide](https://github.com/presidentbeef/brakeman/wiki/How-to-Report-a-Brakeman-Issue) to reporting Brakeman problems. 50 | 51 | Follow [@brakeman](https://twitter.com/brakeman) on Twitter and hang out [on Gitter](https://gitter.im/presidentbeef/brakeman) for questions and discussion. 
52 | 53 | -------------------------------------------------------------------------------- /source/_posts/2021-12-15-brakeman-5-dot-2-dot-0-released.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "Brakeman 5.2.0 Released" 4 | date: 2021-12-15 11:30 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title 8 | --- 9 | 10 | _Changes since 5.1.2:_ 11 | 12 | * Initial Rails 7 support ([#1653](https://github.com/presidentbeef/brakeman/issues/1653)) 13 | * Add new checks for unsupported Ruby and Rails version 14 | * Fix issue with calls to `foo.root` in routes ([#1640](https://github.com/presidentbeef/brakeman/issues/1640)) 15 | * Ignore `I18n.locale` in SQL queries ([#1597](https://github.com/presidentbeef/brakeman/issues/1597)) 16 | * Do not treat `sanitize_sql_like` as safe 17 | * Bundled version of `ruby_parser` updated to 3.18.1 18 | * Require Ruby 2.5.0+ ([#1649](https://github.com/presidentbeef/brakeman/issues/1649)) 19 | 20 | ### Initial Rails 7 Support 21 | 22 | Nothing special here, but the `-7` option is available and Brakeman won't think a Rails 7 app is a Rails 2 app. 23 | 24 | ([changes](https://github.com/presidentbeef/brakeman/pull/1654)) 25 | 26 | ### New Checks for Unmaintained Software 27 | 28 | Brakeman will now warn about use of Ruby or Rails versions which are no longer maintained. 29 | 30 | Unlike other warnings, these new checks have a time component and _will_ change as the end-of-life dates approach: 31 | 32 | * 60 days until EOL: Low warning 33 | * 30 days until EOL: Medium warning 34 | * EOL+: High warning 35 | 36 | ([changes](https://github.com/presidentbeef/brakeman/pull/1660)) 37 | 38 | ### Bug Fix in Routes 39 | 40 | Calls to `something.root` will no longer cause Brakeman to freak out. 
41 | 42 | ([changes](https://github.com/presidentbeef/brakeman/pull/1655)) 43 | 44 | ### SQL Injection Updates 45 | 46 | `I18n.locale` is ignored in SQL queries. 47 | 48 | ([changes](https://github.com/presidentbeef/brakeman/pull/1658)) 49 | 50 | `sanitize_sql_like` is no longer treated as "safe". It only escapes `LIKE`-specific characters such as `%` but does not prevent SQL injection. 51 | 52 | ([changes](https://github.com/presidentbeef/brakeman/pull/1657)) 53 | 54 | ### Reporting Issues 55 | 56 | Thank you to everyone who reported bugs and contributed to this release! 57 | 58 | Please report any [issues](https://github.com/presidentbeef/brakeman/issues) with this release. Take a look at [this guide](https://github.com/presidentbeef/brakeman/wiki/How-to-Report-a-Brakeman-Issue) to reporting Brakeman problems. 59 | 60 | Follow [@brakeman](https://twitter.com/brakeman) on Twitter and hang out [on Gitter](https://gitter.im/presidentbeef/brakeman) for questions and discussion. 61 | -------------------------------------------------------------------------------- /source/_posts/2015-12-22-brakeman-3-dot-1-4-released.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "Brakeman 3.1.4 Released" 4 | date: 2015-12-22 10:41 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title 8 | --- 9 | 10 | Brakeman Pi! 
11 | 12 | _Changes since 3.1.3_: 13 | 14 | * Emit Brakeman's native fingerprints for Code Climate engine ([Noah Davis](https://github.com/noahd1)) 15 | * Ignore `secrets.yml` if in .gitignore ([#777](https://github.com/presidentbeef/brakeman/issues/777)) 16 | * Work around `safe_yaml` error ([#778](https://github.com/presidentbeef/brakeman/issues/778)) 17 | * Increase test coverage for option parsing ([Zander Mackie](https://github.com/Zanadar)) 18 | * Clean up Ruby warnings ([Andy Waite](https://github.com/andyw8)) 19 | 20 | ### Code Climate Fingerprints 21 | 22 | The output format for Code Climate has been updated to include warning fingerprints as generated by Brakeman. 23 | 24 | ### Ignored secrets.yml 25 | 26 | If `secrets.yml` is ignored via `.gitignore`, Brakeman will ignore it, too. 27 | 28 | ([changes](https://github.com/presidentbeef/brakeman/pull/781)) 29 | 30 | ### Safe YAML Error 31 | 32 | For some people, in some cases, `date` is not loaded prior to loading `safe_yaml`. This release ensures `date` is loaded before using SafeYAML and only loads `safe_yaml` on demand. 33 | 34 | ([changes](https://github.com/presidentbeef/brakeman/pull/782)) 35 | 36 | ### Test Coverage and Warning Cleanup 37 | 38 | Thanks to Zander Mackie for improving test coverage (up to 91.24%) by writing tests for the command line options and thanks to Andy Waite for cleaning up various Ruby warnings. 39 | 40 | ([test changes](https://github.com/presidentbeef/brakeman/pull/780), [warning fixes](https://github.com/presidentbeef/brakeman/pull/784)) 41 | 42 | ### SHAs 43 | 44 | The SHA256 sums for this release are 45 | 46 | d53103d40a7ddf6ee2737770ecd0353b945a757d0fab6c50cde1eefba31f6197 brakeman-3.1.4.gem 47 | a67d7c96090bc3b8193cf3b5db7af62ce719b9277d1b818ec6e9f96a52ad0caa brakeman-min-3.1.4.gem 48 | 49 | ### Reporting Issues 50 | 51 | Thank you to everyone who reported bugs and contributed improvements in this release. 
52 | 53 | Please report any [issues](https://github.com/presidentbeef/brakeman/issues) with this release! Take a look at [this guide](https://github.com/presidentbeef/brakeman/wiki/How-to-Report-a-Brakeman-Issue) to reporting Brakeman problems. 54 | 55 | Also consider following [@brakeman](https://twitter.com/brakeman) on Twitter, joining the [mailing list](http://brakemanscanner.org/contact/), or hanging out [on Gitter](https://gitter.im/presidentbeef/brakeman). 56 | -------------------------------------------------------------------------------- /source/_posts/2012-02-25-brakeman-1-dot-4-0-released.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "Brakeman 1.4.0 Released" 4 | date: 2012-02-25 09:57 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title 8 | --- 9 | 10 | This is not a big release, but it does add a new check. Also, processing for ERB templates with the `rails_xss` plugin has changed, so there is the possibility that line numbers for reported warnings will shift. 11 | 12 | _Changes since 1.3.0:_ 13 | 14 | * Add check for user input in link_to href parameter 15 | * Match ERB processing to rails_xss plugin when plugin used 16 | * Add Brakeman::Report#to_json, Brakeman::Warning#to_json 17 | * Warnings below minimum confidence are dropped completely 18 | * Brakeman.run will now always return a Tracker 19 | 20 | 21 | ### New Check for link_to 22 | 23 | [Neil Matatall](https://github.com/oreoshake) has contributed a new check for the href parameter in `link_to`. Even if HTML escaped, some values can be dangerous, so this check will warn for user input in that parameter. See [here](https://github.com/presidentbeef/brakeman/pull/45) for more details. 24 | 25 | The `--url-safe-methods` option can be used to specify escaping methods which are safe for urls. 
26 | 27 | ### ERB and rails_xss 28 | 29 | The `rails_xss` plugin has some fixes for how Erbuis handles certain input. Brakeman now matches those changes, which fixes some parsing errors. 30 | 31 | ### Internal Changes 32 | 33 | There have been some changes which only impact those working with Brakeman as a library. 34 | 35 | First, there is now json output for reports. This actually should be an output format option, but I did not realize it until writing this post. The next release will include this, though! 36 | 37 | The way Brakeman handles the `--confidence-level` option has also changed. In the past, warnings would be filtered when output in a report. This meant, for example, that `tracker.checks.all_warnings` would still return warnings below the specified confidence level. It also caused problems because there were many places in the code where the warnings needed to be filtered. With this release, warnings below the confidence level will be dropped as soon as they are found and will not need to be filtered at any later point. 38 | 39 | Lastly, `Brakeman.run` would return `false` if `--exit-on-warn` was set, and a `Tracker` object otherwise. This has changed. `Brakeman.run` will now always return a `Tracker` object and the logic for `--exit-on-warn` was pushed out to the Brakeman executable. 40 | 41 | ### Report Issues 42 | 43 | As usual, please [report any issues](https://github.com/presidentbeef/brakeman/issues). 44 | -------------------------------------------------------------------------------- /source/docs/warning_types/cross_site_scripting/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Cross Site Scripting" 4 | date: 2011-11-09 13:34 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | Cross site scripting (or XSS) is #2 on the 2010 [OWASP Top Ten](https://www.owasp.org/index.php/Top_10_2010-A2) web security risks and it pops up nearly everywhere. 
11 | 12 | XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject Javascript or HTML into the page. 13 | 14 | In Rails 2.x, values need to be explicitly escaped (e.g., by using the `h` method). In Rails 3.x and newer, auto-escaping in views is enabled by default. However, one can still bypass it with the `raw` method or by calling `html_safe` on a string, so these call sites deserve the same scrutiny as unescaped output. 15 | 16 | See [the Rails Security Guide](http://guides.rubyonrails.org/security.html#cross-site-scripting-xss) for more details. 17 | 18 | ### Query Parameters and Cookies 19 | 20 | Rails 2.x example in ERB: 21 | 22 | <%= params[:query] %> 23 | 24 | Brakeman looks for several situations that can allow XSS. The simplest is like the example above: a value from the `params` or `cookies` is being directly output to a view. In such cases, it will issue a warning like: 25 | 26 | Unescaped parameter value near line 3: params[:query] 27 | 28 | By default, Brakeman will also warn when a parameter or cookie value is used as an argument to a method, the result of which is output unescaped to a view. 29 | 30 | For example: 31 | 32 | <%= some_method(cookies[:oreo]) %> 33 | 34 | This raises a warning like: 35 | 36 | Unescaped cookie value near line 5: some_method(cookies[:oreo]) 37 | 38 | However, the confidence level for this warning will be weak, because the cookie value is not output directly; whether it is dangerous depends on what `some_method` does with it. 39 | 40 | Some methods are known to Brakeman to either be dangerous (`link_to` is one) or safe (`escape_once`). Users can specify safe methods using the `--safe-methods` option. Alternatively, Brakeman can be set to _only_ warn when values are used directly with the `--report-direct` option. 41 | 42 | ### Model Attributes 43 | 44 | Because (many) models come from database values, Brakeman mistrusts them by default. 
45 | 46 | For example, if `@user` is an instance of a model set in an action like 47 | 48 | def set_user 49 | @user = User.first 50 | end 51 | 52 | and there is a view with 53 | 54 | <%= @user.name %> 55 | 56 | Brakeman will raise a warning like 57 | 58 | Unescaped model attribute near line 3: User.first.name 59 | 60 | If you trust all your data (although you probably shouldn't), this can be disabled with `--ignore-model-output`. 61 | 62 | --- 63 | Back to [Warning Types](/docs/warning_types) 64 | 65 | -------------------------------------------------------------------------------- /source/docs/warning_types/mass_assignment/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Mass Assignment" 4 | date: 2011-11-09 14:37 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | Mass assignment is a feature of Rails which allows an application to create a record from the values of a hash. 11 | 12 | Example: 13 | 14 | User.new(params[:user]) 15 | 16 | Unfortunately, if there is a user field called `admin` which controls administrator access, now any user can make themselves an administrator with a query like 17 | 18 | ?user[admin]=true 19 | 20 | ### Rails With Strong Parameters 21 | 22 | In Rails 4 and newer, protection for mass assignment is on by default. 23 | 24 | Query parameters must be explicitly whitelisted via `permit` in order to be used in mass assignment: 25 | 26 | User.new(params.permit(:name, :password)) 27 | 28 | Care should be taken to only whitelist values that are safe for a user (or attacker) to set. Foreign keys such as `account_id` are likely unsafe, allowing an attacker to manipulate records belonging to other accounts. 29 | 30 | Brakeman will warn on potentially dangerous attributes that are whitelisted. 31 | 32 | Brakeman will also warn about uses of `params.permit!`, since that allows everything. 
33 | 34 | 35 | ### Rails Without Strong Parameters 36 | 37 | In older versions of Rails, `attr_accessible` and `attr_protected` can be used to limit mass assignment. 38 | However, Brakeman will warn unless `attr_accessible` is used, or mass assignment is completely disabled. 39 | 40 | There are two different mass assignment warnings which can arise. The first is when mass assignment actually occurs, such as the example above. This results in a warning like 41 | 42 | Unprotected mass assignment near line 61: User.new(params[:user]) 43 | 44 | The other warning is raised whenever a model is found which does not use `attr_accessible`. This produces generic warnings like 45 | 46 | Mass assignment is not restricted using attr_accessible 47 | 48 | with a list of affected models. 49 | 50 | In Rails 3.1 and newer, mass assignment can easily be disabled: 51 | 52 | config.active_record.whitelist_attributes = true 53 | 54 | Unfortunately, it can also easily be bypassed: 55 | 56 | User.new(params[:user], :without_protection => true) 57 | 58 | Brakeman will warn on uses of `without_protection`. 59 | 60 | ### More Information 61 | 62 | [Strong Parameters in Rails Security Guide](http://edgeguides.rubyonrails.org/action_controller_overview.html#strong-parameters) 63 | [Mass Assignment in Rails Security Guide](http://guides.rubyonrails.org/v3.2.8/security.html#mass-assignment) 64 | 65 | --- 66 | 67 | Back to [Warning Types](/docs/warning_types) 68 | -------------------------------------------------------------------------------- /source/_posts/2020-04-06-brakeman-4-dot-8-dot-1-released.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "Brakeman 4.8.1 Released" 4 | date: 2020-04-06 10:00 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title 8 | --- 9 | 10 | Just a little bug fix release. 11 | 12 | _Changes since 4.8.0:_ 13 | 14 | * Warn about global(!) 
mass assignment 15 | * Check SQL query strings using `String#strip` or `String#squish` ([#1469](https://github.com/presidentbeef/brakeman/issues/1469)) 16 | * Handle non-symbol keys in `locals` hash for `render` ([#1465](https://github.com/presidentbeef/brakeman/issues/1465)) 17 | * Index calls in render arguments ([#1459](https://github.com/presidentbeef/brakeman/issues/1459)) 18 | 19 | ### Global Mass Assignment 20 | 21 | Strong parameters can be disabled with: 22 | 23 | ```ruby 24 | ActionController::Parameters.permit_all_parameters = true 25 | ``` 26 | 27 | Brakeman will now warn about this (very rare) configuration, since it re-enables mass assignment of every request parameter application-wide and silently undoes any `permit` calls in controllers. 28 | 29 | ([changes](https://github.com/presidentbeef/brakeman/pull/1464)) 30 | 31 | ### Squished and Stripped SQL 32 | 33 | Brakeman will now check string targets of `squish` or `strip`. Previously these calls hid the interpolated string from the SQL injection check; whitespace normalization does nothing to make `user_input` safe. 34 | 35 | For example: 36 | 37 | ```ruby 38 | ActiveRecord::Base.connection.execute "SELECT * FROM #{user_input}".squish 39 | ``` 40 | 41 | ([changes](https://github.com/presidentbeef/brakeman/pull/1470)) 42 | 43 | ### Non-Symbol Keys in Locals Hash 44 | 45 | Using a value other than symbol literals as keys in the `locals` hash for `render` will no longer cause an error. 46 | 47 | ([changes](https://github.com/presidentbeef/brakeman/pull/1468)) 48 | 49 | ### Render Arguments 50 | 51 | Calls made as arguments to `render` will be indexed and checked for all vulnerability types, like every other method call. 52 | 53 | ([changes](https://github.com/presidentbeef/brakeman/pull/1460)) 54 | 55 | ### Checksums 56 | 57 | The SHA256 sums for this release are: 58 | 59 | 5f3cc763fce471434adc33aa251298fa24ea2a1c01ef2549aec55be4b5b14d46 brakeman-4.8.1.gem 60 | c4a95b450fb7ec2440e68640a0821e3a6b62ea34f665e78264ba0b332e98e5df brakeman-lib-4.8.1.gem 61 | ada41dbfc3a436c062cd44161893249654caf43296801599303952f6261f2e5e brakeman-min-4.8.1.gem 62 | 63 | ### Reporting Issues 64 | 65 | Thank you to everyone who reported bugs and contributed to this release! 
66 | 67 | Please report any [issues](https://github.com/presidentbeef/brakeman/issues) with this release. Take a look at [this guide](https://github.com/presidentbeef/brakeman/wiki/How-to-Report-a-Brakeman-Issue) to reporting Brakeman problems. 68 | 69 | Follow [@brakeman](https://twitter.com/brakeman) on Twitter and hang out [on Gitter](https://gitter.im/presidentbeef/brakeman) for questions and discussion. 70 | 71 | -------------------------------------------------------------------------------- /source/docs/warning_types/redirect/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Redirect" 4 | date: 2011-11-09 15:21 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | Unvalidated redirects and forwards are #10 on the [OWASP Top Ten](https://www.owasp.org/index.php/Top_10_2010-A10). 11 | 12 | Redirects which rely on user-supplied values can be used to "spoof" websites or hide malicious links in otherwise harmless-looking URLs. They can also allow access to restricted areas of a site if the destination is not validated. 13 | 14 | 15 | Brakeman will raise warnings whenever `redirect_to` appears to be used with a user-supplied value that may allow them to change the `:host` option. 16 | 17 | For example, 18 | 19 | redirect_to params.merge(:action => :home) 20 | 21 | will create a warning like 22 | 23 | Possible unprotected redirect near line 46: redirect_to(params) 24 | 25 | This is because `params` could contain `:host => 'evilsite.com'` which would redirect away from your site and to a malicious site. 26 | 27 | If the first argument to `redirect_to` is a hash, then adding `:only_path => true` will limit the redirect to the current host. Another option is to specify the host explicitly. 
28 | 29 | redirect_to params.merge(:only_path => true) 30 | 31 | redirect_to params.merge(:host => 'myhost.com') 32 | 33 | If the first argument is a string, then it is possible to parse the string and extract the path: 34 | 35 | redirect_to URI.parse(some_url).path 36 | 37 | Note that `URI.parse` raises `URI::InvalidURIError` on malformed input and that `.path` discards any query string, so rescue the error and fall back to a safe default rather than letting user input turn into a 500. 38 | **If the URL does not contain a protocol (e.g., `http://`), then you will probably get unexpected results, as `redirect_to` will prepend the current host name and a protocol.** 39 | 40 | ### Rails 7 Updates 41 | 42 | If `config.action_controller.raise_on_open_redirects` is `true` (default for _new_ Rails 7.0 applications), then Rails will not allow redirecting to a domain that differs from the request. 43 | 44 | Even if the configuration setting is not `true`, the protection can be applied by setting `allow_other_host: false` explicitly: 45 | 46 | redirect_to params[:url], allow_other_host: false 47 | 48 | The code above will raise an exception if `params[:url]` does not match the current domain. 49 | 50 | Brakeman will warn about calls where `allow_other_host` is set to `true`, since that explicitly opts the call out of the open-redirect protection. 51 | 52 | To coerce the URL to be "safe", use [`url_from`](https://api.rubyonrails.org/v7.0/classes/ActionController/Redirecting.html#method-i-url_from): 53 | 54 | redirect_to url_from(params[:url]) 55 | 56 | If the URL does not match the current domain, then `url_from` returns `nil`. 
The recommended pattern is to provide a fallback: 56 | 57 | redirect_to url_from(params[:url]) || some_safe_default_url 58 | 59 | --- 60 | Back to [Warning Types](/docs/warning_types) 61 | -------------------------------------------------------------------------------- /source/_posts/2013-09-18-brakeman-2-dot-1-2-released-important-security-update.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "Brakeman 2.1.2 Released - Important Security Update" 4 | date: 2013-09-18 01:38 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title 8 | --- 9 | 10 | *Important*: Contrary to the "Brakeman Philosophy," there is one situation in which Brakeman attempts to load files from an application. This is a security risk since the code in the files would be executed (typical `require` behavior). Note that this is only a real problem if running Brakeman against code outside one's control. Since most users are scanning their own code, this should not be a concern for the majority of Brakeman users. 11 | 12 | *Changes since 2.1.1:* 13 | 14 | * Do not attempt to load custom Haml filters 15 | * Do not warn about `to_json` XSS in Rails 4 16 | * Remove fuzzy matching on dangerous `attr_accessible` values 17 | * Add --table-width option to set width of text reports ([ssendev](https://github.com/ssendev)) 18 | 19 | ### Custom Haml Filters 20 | 21 | Brakeman no longer attempts to load custom Haml filters. This was a hack (from nearly three years ago) to help compile some Haml templates. It was recently noted that this introduces a security risk when scanning untrusted code. 22 | 23 | For now, custom Haml filters will cause a Brakeman error and the Haml templates using them will not be scanned. 
24 | 25 | ([changes](https://github.com/presidentbeef/brakeman/commit/8a6ae98df3039bf5f3d7cc0852efb1006362f143#L1L3)) 26 | 27 | ### JSON Output in Rails 4 28 | 29 | As of Rails 4, the output of `to_json` is now safe by default. Brakeman should no longer warn about cross-site scripting with `to_json` in Rails 4 applications. 30 | 31 | ([changes](https://github.com/presidentbeef/brakeman/pull/392)) 32 | 33 | ### Less Fuzzy Mass Assignment 34 | 35 | Brakeman no longer uses fuzzy matching for potentially dangerous model attributes allowed for mass assignment, such as any value containing `admin`. 36 | 37 | ([changes](https://github.com/presidentbeef/brakeman/pull/390)) 38 | 39 | ### Text Report Width Option 40 | 41 | The width of text reports can now be controlled with the `--table-width` option. For example, this can be useful when capturing text output to a file. 42 | 43 | ([changes](https://github.com/presidentbeef/brakeman/pull/387)) 44 | 45 | ### Reporting Issues 46 | 47 | Please report any [issues](https://github.com/presidentbeef/brakeman/issues) with this release! Take a look at [this guide](https://github.com/presidentbeef/brakeman/wiki/How-to-Report-a-Brakeman-Issue) to reporting Brakeman problems. 48 | 49 | Also consider joining the [mailing list](http://brakemanscanner.org/contact/) or following [@brakeman](https://twitter.com/brakeman) on Twitter. 
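50 | -------------------------------------------------------------------------------- /source/javascripts/libs/jXHR.js: -------------------------------------------------------------------------------- 
// jXHR.js (JSON-P XHR)
// v0.1 (c) Kyle Simpson
// MIT License
//
// SECURITY NOTE: this is a JSON-P transport. `send()` injects a <script>
// element pointing at the caller-supplied URL, so whatever that endpoint
// returns is executed as JavaScript with full page privileges. There is no
// integrity or origin check possible here; only use it against endpoints
// you trust completely, and never build the URL from untrusted input.

(function(global){
	var SETTIMEOUT = global.setTimeout, // for better compression
		doc = global.document,
		callback_counter = 0;          // makes each jXHR.cbN callback name unique

	// Factory returning an object with a minimal XHR-like surface
	// (open/send/readyState/onreadystatechange/onerror). Header methods are no-ops,
	// because a <script> load cannot set or read HTTP headers.
	global.jXHR = function() {
		var script_url,        // URL with `=?` replaced by `=jXHR.cbN`
			script_loaded,     // guards handleScriptLoad against double invocation
			scriptElem,        // the injected <script> element, null when none is live
			internal_callback, // name of the global callback for the current request
			publicAPI = null;

		// Detach the current <script> element if it is still in the DOM.
		// Errors (no element, already detached) are deliberately ignored.
		function removeScript() { try { scriptElem.parentNode.removeChild(scriptElem); } catch (err) { } }

		// Return to readyState 0 and drop any previous script element.
		function reset() {
			script_loaded = false;
			script_url = "";
			removeScript();
			scriptElem = null;
			fireReadyStateChange(0);
		}

		// Report an error through publicAPI.onerror; if no handler is set
		// (or it throws), surface the message as an Error instead.
		function ThrowError(msg) {
			try { publicAPI.onerror.call(publicAPI,msg,script_url); } catch (err) { throw new Error(msg); }
		}

		// onload/onreadystatechange handler for the injected <script>. If the
		// script finished loading but never invoked the callback (readyState
		// still != 4), the endpoint did not return valid JSON-P.
		function handleScriptLoad() {
			if ((this.readyState && this.readyState!=="complete" && this.readyState!=="loaded") || script_loaded) { return; }
			this.onload = this.onreadystatechange = null; // prevent memory leak
			script_loaded = true;
			if (publicAPI.readyState !== 4) ThrowError("Script failed to load ["+script_url+"].");
			removeScript();
		}

		// Set publicAPI.readyState and notify the caller's onreadystatechange,
		// forwarding `args` (the JSON-P payload on completion).
		function fireReadyStateChange(rs,args) {
			args = args || [];
			publicAPI.readyState = rs;
			if (typeof publicAPI.onreadystatechange === "function") publicAPI.onreadystatechange.apply(publicAPI,args);
		}

		publicAPI = {
			onerror:null,
			onreadystatechange:null,
			readyState:0,
			// `method` is accepted for XHR compatibility but ignored: a <script>
			// load is always a GET. Only the first `=?` in `url` is rewritten.
			open:function(method,url){
				reset();
				// Was an implicit global in the original (missing `var`); now a
				// per-instance local so concurrent jXHR objects cannot clobber it.
				internal_callback = "cb"+(callback_counter++);
				(function(icb){
					// One-shot global callback: the endpoint must call jXHR.cbN(payload).
					// It is nulled after the first call, so a duplicate or late
					// invocation by the endpoint would throw rather than re-fire.
					global.jXHR[icb] = function() {
						try { fireReadyStateChange.call(publicAPI,4,arguments); }
						catch(err) {
							publicAPI.readyState = -1;
							ThrowError("Script failed to run ["+script_url+"].");
						}
						global.jXHR[icb] = null;
					};
				})(internal_callback);
				script_url = url.replace(/=\?/,"=jXHR."+internal_callback);
				fireReadyStateChange(1);
			},
			// Inject the <script>. Deferred with setTimeout(0) so the caller can
			// attach handlers after send() returns but before the load starts.
			send:function(){
				SETTIMEOUT(function(){
					scriptElem = doc.createElement("script");
					scriptElem.setAttribute("type","text/javascript");
					scriptElem.onload = scriptElem.onreadystatechange = function(){handleScriptLoad.call(scriptElem);};
					scriptElem.setAttribute("src",script_url);
					doc.getElementsByTagName("head")[0].appendChild(scriptElem);
				},0);
				fireReadyStateChange(2);
			},
			setRequestHeader:function(){}, // noop
			getResponseHeader:function(){return "";}, // basically noop
			getAllResponseHeaders:function(){return [];} // ditto
		};

		reset();

		return publicAPI;
	};
})(window);
-------------------------------------------------------------------------------- /source/_posts/2015-06-18-brakeman-3-dot-0-4-released.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "Brakeman 3.0.4 Released" 4 | date: 2015-06-18 10:50 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title 8 | --- 9 | 10 | This is a small release prompted by Tuesday's CVE announcements. New checks for the CVEs directly in Rails have been added, and can also test for the suggested workarounds. Please consider using [bundler-audit](https://github.com/rubysec/bundler-audit) for detecting known vulnerable versions of gems, as Brakeman has only limited coverage. 11 | 12 | Note this release also upgrades the RubyParser dependency. The latest RubyParser has several bug fixes and initial support for new Ruby 2.2 syntax. 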
13 | 14 | *Changes since 3.0.3*: 15 | 16 | * Add check for CVE-2015-3226 (XSS via JSON keys) 17 | * Add check for CVE-2015-3227 (XML DoS) 18 | * Treat `<%==` as unescaped output ([#661](https://github.com/presidentbeef/brakeman/issues/661)) 19 | * Update `ruby_parser` dependency to 3.7.0 20 | 21 | ### Cross Site Scripting in JSON 22 | 23 | [CVE-2015-3226](https://groups.google.com/d/msg/rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ) is an issue with converting hashes to JSON. The keys do not properly escape HTML entities, leading to potential cross site scripting vulnerabilities. Brakeman will warn unless the workaround is included in an initializer (essentially verbatim). The warning is high confidence if there is evidence of explicitly converting values to JSON, otherwise medium. 24 | 25 | ([changes](https://github.com/presidentbeef/brakeman/pull/665)) 26 | 27 | ### XML Denial of Service 28 | 29 | [CVE-2015-3227](https://groups.google.com/d/msg/rubyonrails-security/bahr2JLnxvk/x4EocXnHPp8J) is a potential denial of service when parsing deeply nested XML requests. Brakeman will warn about this unless there is an initializer changing the XML parser as described in the CVE. Currently it looks for either `LibXML` or `Nokogiri`. 30 | 31 | ([changes](https://github.com/presidentbeef/brakeman/pull/666)) 32 | 33 | ### Double Equals is Unescaped Output 34 | 35 | Brakeman will now treat `<%== x %>` in ERB templates as unescaped output. 36 | 37 | ([changes](https://github.com/presidentbeef/brakeman/pull/663)) 38 | 39 | ### SHAs 40 | 41 | The SHA1 sums for this release are 42 | 43 | bf6ae72a0b516ecf65b9165d07e86259ef9fa5d3 brakeman-3.0.4.gem 44 | c1c2ea5402d8a89fe4a645947ec324d0603d3976 brakeman-min-3.0.4.gem 45 | 46 | ### Reporting Issues 47 | 48 | Please report any [issues](https://github.com/presidentbeef/brakeman/issues) with this release! 
Take a look at [this guide](https://github.com/presidentbeef/brakeman/wiki/How-to-Report-a-Brakeman-Issue) to reporting Brakeman problems. 49 | 50 | Also consider following [@brakeman](https://twitter.com/brakeman) on Twitter and joining the [mailing list](http://brakemanscanner.org/contact/). 51 | 52 | -------------------------------------------------------------------------------- /source/docs/faq/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Frequently Asked Questions" 4 | date: 2011-08-27 08:29 5 | comments: true 6 | sharing: true 7 | footer: false 8 | --- 9 | 10 | ### Brakeman hangs while processing my app. What do I do? 11 | 12 | Sorry about that! Please follow [these instructions](/docs/troubleshooting/hanging). 13 | 14 | ### Brakeman is reporting parsing errors, but my app runs fine. What's going on? 15 | 16 | Brakeman relies on [RubyParser](https://github.com/seattlerb/ruby_parser) for parsing Ruby code. RubyParser can lag behind the latest syntax changes in Ruby. 17 | 18 | By the way, sometimes there are actual syntax errors! This can happen in code which is no longer used by the application. 19 | 20 | Please follow [these instructions](/docs/troubleshooting/parse_errors) to find out what went wrong. 21 | 22 | ### What is the number in parentheses (red in HTML) in the report summary? 23 | 24 | That number indicates how many high confidence warnings were found. 25 | 26 | ### Why are line numbers reported wrong? 27 | 28 | Line numbers are sometimes off. This can be due to the parser reporting the wrong line number, or occasionally there is a bug in Brakeman. 29 | 30 | However, it is important to note that the line number reported is where the vulnerability was found, not necessarily where it was introduced. For example, if a SQL query uses string interpolation which was assigned to a variable, the line with the query will be reported, not where the string is constructed. 
31 | 32 | ### Why is the context so different from the code shown in the warning? 33 | 34 | The code in the warning is what is seen by Brakeman, while the code in the context is pulled directly from the original file. These can be different, as Brakeman propagates variables and performs other transformations on the code. 35 | 36 | ### What is an "Unresolved Model"? 37 | 38 | "Unresolved Model" is a placeholder used when it is clear that a model is being used at that location, but there is no way to know which model it is. 39 | 40 | ### Why is a variable shown as "SomeModel.new" when it clearly is not? 41 | 42 | Records from a model will sometimes be displayed this way. 43 | 44 | For example, if `User` is a model and there is an action like 45 | 46 | class UsersController 47 | 48 | def list 49 | @users = User.all 50 | end 51 | 52 | end 53 | 54 | and a corresponding view containing 55 | 56 | <% @users.each do |user| %> 57 | <%= user.name.html_safe %> 58 | <% end %> 59 | 60 | This will produce a warning that looks like 61 | 62 | Unescaped model attribute near line 3: User.new.name 63 | 64 | ### Brakeman reports 0 warnings. Am I safe? 65 | 66 | **No**. It just means Brakeman didn't find any problems. There are many vulnerabilities Brakeman cannot find. No security tool has 100% coverage. 67 | 68 | --- 69 | 70 | [More documentation](/docs) 71 | -------------------------------------------------------------------------------- /source/_posts/2012-03-22-brakeman-1-dot-5-2-released-important-fixes.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "Brakeman 1.5.2 Released - Important Fixes" 4 | date: 2012-03-22 13:34 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title 8 | --- 9 | 10 | This update includes some important fixes. All users of the `rails_xss` plugin are particularly encouraged to upgrade. 
11 | 12 | _Changes since 1.5.1:_ 13 | 14 | * Fix handling of views when using `rails_xss` 15 | * Fix rescanning of lib files (Neil Matatall) 16 | * Fix `link_to` checks for Rails 2.0 and 2.3 17 | * Revert to `ruby_parser` 2.3.1 for Ruby 1.8 parsing 18 | * Only warn on user input in render paths 19 | * Output stack trace on interrupt when debugging 20 | * Ignore user input in if statement conditions 21 | * Fix --skip-files option with Ruby 1.8 22 | 23 | 24 | ### Views with rails\_xss 25 | 26 | Some previous changes to make sure Brakeman was processing ERB views the same way as the `rails_xss` plugin unfortunately broke the processing of those views. 27 | 28 | These changes caused Brakeman to not report *any* output from ERB views when the `rails_xss` plugin was in use, hiding any XSS vulnerabilities in those views. 29 | 30 | This is now fixed, so if you are using the `rails_xss` plugin, it is highly recommended to upgrade. 31 | 32 | ### Rescanning lib/ Files 33 | 34 | Rescanning changed files in the `lib` directory was broken, but Neil fixed it! 35 | 36 | ### link\_to Checks 37 | 38 | In Rails 2.3, the URL is escaped, but not the body of the link. In Rails 2.0, neither argument is escaped. 39 | 40 | In this release, the check for XSS in `link_to` has been updated to handle `link_to` with blocks and to warn in Rails 2.0.x if any user input is used as an argument. 41 | 42 | ### Revert to ruby\_parser for Ruby 1.8 43 | 44 | Brakeman has been using a vendored version of [ruby\_parser](https://github.com/seattlerb/ruby_parser) with some updates to Ruby 1.9 syntax parsing. Unfortunately, that version also introduced some regressions for parsing Ruby 1.8 syntax. 45 | 46 | To handle this, Brakeman will now use the vendored version only for Ruby 1.9 parsing, and the regular gem version for Ruby 1.8 syntax parsing. This should fix some parse errors people are seeing for Ruby 1.8 apps. 
47 | 48 | ### Dynamic Render Path Updates 49 | 50 | The check for dynamic render paths was not very good, but it is better now. "Dynamic Render Path" warnings should only be raised when user input is actually used to determine what view, partial, or file to render. 51 | 52 | ### Stacktrace Output 53 | 54 | Brakeman will now output a stacktrace if interrupted while running with the `-d` option. This is mostly helpful when Brakeman appears to "hang". 55 | 56 | ### Reporting Issues 57 | 58 | Please report any [issues](https://github.com/presidentbeef/brakeman/issues)! 59 | 60 | Also consider joining the [mailing list](http://brakemanscanner.org/contact/) or following [@brakeman](https://twitter.com/brakeman) on Twitter. 61 | -------------------------------------------------------------------------------- /source/docs/reducing_false_positives/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Reducing False Positives" 4 | date: 2012-01-10 10:23 5 | comments: false 6 | sharing: false 7 | footer: true 8 | --- 9 | 10 | By default, Brakeman reports as much as possible. Because there is no way for Brakeman to know if certain items are actually safe or not, it errs on the side of reporting _too much_ rather than possibly not reporting a real problem. Sometimes, though, these false positives can become overwhelming. Brakeman does provide many options for customizing reports. It is also possible [to ignore specific warnings](/docs/ignoring_false_positives). 11 | 12 | It is recommended to always run Brakeman with the default settings first (and then periodically after that), but it is possible to narrow down the results to make them less annoying. 13 | 14 | ### Specify Checks to Run 15 | 16 | When running Brakeman, one can specify a set of checks to run or a set to exclude using the `--test` or `--except` option, respectively. 
These options take a comma-separated list of check names, which are case-sensitive. Use `brakeman --checks` to get a list of the exact check names. 17 | 18 | For example, to only check for SQL injection and cross-site scripting: 19 | 20 | brakeman --test CheckSQL,CheckCrossSiteScripting 21 | 22 | _('Check' can actually be omitted from the names.)_ 23 | 24 | To exclude checks for dynamic render paths: 25 | 26 | brakeman --except CheckRender 27 | 28 | ### Set Confidence Threshold 29 | 30 | Getting a ton of weak confidence warnings? Use `-w3` to only report high confidence warnings or `-w2` to only report high and medium confidence warnings. 31 | 32 | (Use of `-w3` is not recommended, however.) 33 | 34 | ### Mark Methods as Safe 35 | 36 | If an application has custom sanitizing methods or other methods which are known to be safe, then the `--safe-methods` option can be used to ignore those methods. Specify the methods as a comma-separated list. 37 | 38 | For example: 39 | 40 | brakeman --safe-methods this_one,that_one,totally_safe,my_sanitizer 41 | 42 | ### Only Reporting Direct Vulnerabilities 43 | 44 | With the default settings, Brakeman will report cross-site scripting vulnerabilities if the return value of a method where user input is a _parameter_ is output. 45 | 46 | For example, this will raise a warning unless `some_method` is marked as safe like above: 47 | 48 | <%= some_method(params[:blah]) %> 49 | 50 | To ignore this kind of output, use the `--report-direct` option. This also applies to some other situations, such as checking calls to `redirect_to`. 51 | 52 | ### Ignoring Model Attributes 53 | 54 | Brakeman assumes database values are suspect (and so should you). But for some applications this does not make sense. Use the `--ignore-model-output` option to suppress reporting model attributes as cross-site scripting vulnerabilities. 
55 | 56 | --- 57 | 58 | [Ignoring false positives](/docs/ignoring_false_positives) 59 | 60 | [More documentation](/docs) 61 | -------------------------------------------------------------------------------- /source/_posts/2019-11-25-brakeman-4-dot-7-dot-2-released.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "Brakeman 4.7.2 Released" 4 | date: 2019-11-25 14:00 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title 8 | --- 9 | 10 | Some minor fixes for a minor release. 11 | 12 | _Changes since 4.7.1:_ 13 | 14 | * Add `request.params` as query parameters ([#1398](https://github.com/presidentbeef/brakeman/issues/1398)) 15 | * Handle more `permit!` cases ([#1426](https://github.com/presidentbeef/brakeman/issues/1426)) 16 | * Remove version guard for `named_scope` vs. `scope` 17 | * Find SQL injection in `String#strip_heredoc` target ([#1433](https://github.com/presidentbeef/brakeman/issues/1433)) 18 | * Ensure file name is set when processing models 19 | * Bundle `ruby_parser` version 3.14.1 ([#1429](https://github.com/presidentbeef/brakeman/issues/1429)) 20 | 21 | ### More Query Parameters 22 | 23 | `request.params` has been added as a query parameters method. 24 | 25 | ([changes](https://github.com/presidentbeef/brakeman/pull/1423)) 26 | 27 | ### More `permit!` 28 | 29 | More cases of `permit!` will be identified, particularly when it is the target of a method call. 30 | 31 | ([changes](https://github.com/presidentbeef/brakeman/pull/1427)) 32 | 33 | ### More Scopes 34 | 35 | Both `named_scope` and `scope` will be handled regardless of detected Rails version. 36 | 37 | ([changes](https://github.com/presidentbeef/brakeman/pull/1435)) 38 | 39 | ### SQL Injection with `strip_heredoc` 40 | 41 | `strip_heredoc` is now treated as returning a string. 
42 | This fixes false positives if the target is a plain string and fixes false negatives if the target has interpolation. 43 | 44 | ([changes](https://github.com/presidentbeef/brakeman/pull/1434)) 45 | 46 | ### Model File Names 47 | 48 | In some cases, warnings were missing file names because the file name was not being passed to the model processor. 49 | 50 | The file name will now be passed along, and there is a new test in the test suite for file names on warnings. 51 | 52 | ([changes](https://github.com/presidentbeef/brakeman/pull/1431)) 53 | 54 | ### Checksums 55 | 56 | The SHA256 sums for this release are: 57 | 58 | 339d6f3707a2c0a32003536a231255b839a0b87bd6a7ebef3c82aedd1bdd3ac8 brakeman-4.7.2.gem 59 | 39ce3a5fe248dee8c78fe671441d2abbfec66cec923ee9f56c62018229d3c9b0 brakeman-lib-4.7.2.gem 60 | efa07aa8476ef5553c91734093349a3ed55e2ef05b469d3dcecfdaabede37296 brakeman-min-4.7.2.gem 61 | 62 | 63 | ### Reporting Issues 64 | 65 | Thank you to everyone who reported bugs and contributed to this release! 66 | 67 | Please report any [issues](https://github.com/presidentbeef/brakeman/issues) with this release. Take a look at [this guide](https://github.com/presidentbeef/brakeman/wiki/How-to-Report-a-Brakeman-Issue) to reporting Brakeman problems. 68 | 69 | Follow [@brakeman](https://twitter.com/brakeman) on Twitter and hang out [on Gitter](https://gitter.im/presidentbeef/brakeman) for questions and discussion. 
70 | 71 | -------------------------------------------------------------------------------- /source/_posts/2012-03-05-brakeman-1-dot-5-1-released.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "Brakeman 1.5.1 Released" 4 | date: 2012-03-05 18:50 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title 8 | --- 9 | 10 | After the excitement yesterday with a mass assignment vulnerability being exploited in a very public manner on [Github](https://gist.github.com/1978249), interest in Brakeman has skyrocketed. 11 | 12 | This led to a re-examination of Brakeman's code for detecting that mass assignment has been globally disabled - and it turns out there was a bug or two. So here is a bug-fix release of Brakeman to correct that and some other minor issues. 13 | 14 | Upgrading to 1.5.1 may increase the number of warnings reported. 15 | 16 | _Changes since 1.5.0_: 17 | 18 | * Fix detection of global mass assignment setting 19 | * Fix partial rendering in Rails 3 20 | * Show backtrace when interrupt received (Ruby 1.9 only) 21 | * More debug output 22 | * Internal fixes: 23 | * Remove duplicate method in Brakeman::Rails2XSSErubis 24 | * Add tracking of module and class to Brakeman::BaseProcessor 25 | * Report module when using Brakeman::FindCall 26 | 27 | ### Mass Assignment 28 | 29 | Mass assignment is not a particularly new issue, but the amount of attention suddenly focused on it this weekend was amazing. 30 | 31 | This release of Brakeman can detect three different methods for defaulting all models to a whitelist of allowed attributes that can be mass assigned. 32 | 33 | The first is probably the most widely-seen version. 
In an initializer, do 34 | 35 | ActiveRecord::Base.send(:attr_accessible, nil) 36 | 37 | The second is essentially equivalent, but 1.5.1 adds support for it as well: 38 | 39 | module ActiveRecord 40 | class Base 41 | attr_accessible nil 42 | end 43 | end 44 | 45 | The third option is only available for Rails 3.1.0 and newer. The following configuration setting can be added to `application.rb`: 46 | 47 | config.active_record.whitelist_attributes = true 48 | 49 | Brakeman should correctly detect all of these. 50 | 51 | [This is a very nice post](http://pragtob.wordpress.com/2012/03/06/secure-your-rails-apps/) explaining the dangers of mass assignment (mentioning Brakeman is nice, too.) 52 | 53 | ### Partials in Rails 3 54 | 55 | In Rails 3, `render 'blah'` is now equivalent to `render :partial => 'blah'` when used inside a template. 56 | 57 | Brakeman now supports this correctly. 58 | 59 | ### Debug Output 60 | 61 | More debugging output has been added for use with the `-d` option. 62 | 63 | Additionally, when interrupting the application (for example, with `^C`), a stack trace will be output. Please note, however, that this only works with Ruby 1.9. 64 | 65 | ### Internal Changes 66 | 67 | There have been a few internal changes. There is a possibility that these will affect some warnings. However, it should only result in more accurate reporting of class names. 68 | 69 | ### Report Issues 70 | 71 | Please report any problems on [Github](https://github.com/presidentbeef/brakeman/issues)! 72 | -------------------------------------------------------------------------------- /source/brakeman_users/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Brakeman Users" 4 | date: 2013-11-26 07:52 5 | comments: false 6 | sharing: true 7 | footer: true 8 | --- 9 | 10 | > "When I work with Rails shops, the first thing I tell them to do is run Brakeman. 
It runs fast, gives very few false positives, and points to remediation information developers can understand." - Matt Konda ([Jemurai](http://jemurai.com/)) 11 | 12 | Here are a few of the companies using Brakeman: 13 | 14 | [![Blackhawk Network](/images/users/blackhawknetwork.png)](http://blackhawknetwork.com/) 15 | [![Braintree Payments](/images/users/braintree.png)](https://www.braintreepayments.com) 16 | [![Carousel Apps](/images/users/carousel.png)](https://carouselapps.com/) 17 | [![Codacy](/images/users/codacy.png)](https://www.codacy.com/) 18 | [![Code Climate](/images/users/codeclimate.png)](https://codeclimate.com/) 19 | [![CodeDX](/images/users/codedx.png)](http://codedx.com/) 20 | [![Conviso](/images/users/conviso.png)](https://www.conviso.com.br/) 21 | [![DataCentred](/images/users/datacentred.png)](http://www.datacentred.co.uk/) 22 | [![Envato](/images/users/envato.png)](https://envato.com/) 23 | [![GitHub](/images/users/github.png)](https://github.com/) 24 | [![Hix on Rails](/images/users/hix.png)](https://hixonrails.com/) 25 | [![Icicle Technologies](/images/users/icicletech.png)](http://www.icicletech.com) 26 | [![Logical Reality Design](/images/users/lrdesign.png)](http://lrdesign.com) 27 | [![Lumosity](/images/users/lumosity.png)](http://lumosity.com) 28 | [![nVisium](/images/users/nvisium.png)](https://www.nvisium.com/) 29 | [![New Relic](/images/users/newrelic.png)](http://newrelic.com) 30 | [![OpenCage](/images/users/opencage.png)](https://opencagedata.com/) 31 | [![Semaphore](/images/users/semaphore.png)](https://semaphoreci.com/) 32 | [![PullReview](/images/users/pullreview.png)](https://www.pullreview.com/) 33 | [![ThreadFix](/images/users/threadfix.png)](http://www.threadfix.org/) 34 | [![TranslateFX](/images/users/translatefx.png)](http://www.translatefx.com/) 35 | [![Twitter](/images/users/twitter.png)](https://twitter.com) 36 | [![Vinted](/images/users/vinted.png)](http://www.vinted.com/) 37 | [![The 
Winnower](/images/users/winnower.png)](https://www.thewinnower.com/) 38 | 39 | [Acorns](https://www.acorns.com/)
40 | [Groupon](http://groupon.com)
41 | [Jemurai](http://jemurai.com/)
42 | [MPower Payments](http://www.mpowerpayments.com)
43 | [RightScale](http://www.rightscale.com/)
44 | [University of Washington Center for Commercialization](http://depts.washington.edu/uwc4c)
45 | [WiseCash](https://www.wisecashhq.com/)
46 | 47 | Additionally, use of Brakeman is recommended by: 48 | 49 | [![Cigital](/images/users/cigital.png)](http://cigital.com) 50 | 51 | To add your company or logo here, please [open an issue](https://github.com/presidentbeef/brakeman-site/issues/new?title=Please+list+our+company+%28and+logo%29+as+a+proud+Brakeman+user!) or [tweet @Brakeman](https://twitter.com/intent/tweet?text=%40brakeman+Please+list+our+company%27s+name+%28and+logo%29+as+a+proud+Brakeman+user!). 52 | -------------------------------------------------------------------------------- /source/docs/contributing/adding_tests/index.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Adding Tests" 4 | date: 2012-02-09 10:02 5 | comments: false 6 | sharing: false 7 | footer: true 8 | --- 9 | 10 | Please see [this page](/docs/testing_brakeman) for details about how Brakeman is tested. 11 | 12 | ### File Locations 13 | 14 | The test applications are located in `test/apps/`. 15 | 16 | Corresponding tests are located in `test/tests/`. 17 | 18 | ### Adding an Undetected Vulnerability 19 | 20 | Most of the time, improvements to Brakeman mean finding more vulnerabilities. 21 | 22 | If possible, a real-life test case makes this much easier to implement. 23 | 24 | To add a new vulnerability and verify that Brakeman does not alert on it, choose one of the Rails applications in `test/apps` according to the version desired and add some vulnerable code to it. 25 | 26 | There is no real strict structure to the applications, so add the vulnerability wherever it makes sense. Adding new files as needed is fine. 27 | 28 | **IMPORTANT**: If adding a vulnerability to an existing file, make sure it is *below* any existing code containing vulnerabilities. Shifting any existing lines will cause all those tests to fail! 29 | 30 | Once the new vulnerability has been added, run `test/test.rb`. 
If all the tests pass, the new vulnerability has not been detected. This can be verified by running Brakeman directly against the application. 31 | 32 | However, if a test fails like this: 33 | 34 | 1) Failure: 35 | test_number_of_warnings(Rails2Tests) [test.rb:84]: 36 | Expected 22 warning warnings, but found 23. 37 | <22> expected but was 38 | <23>. 39 | 40 | Then the vulnerability probably was detected. Again, verify by using Brakeman directly. 41 | 42 | If the vulnerability was not detected, please [file an issue](https://github.com/presidentbeef/brakeman/issues) for it! 43 | 44 | ### Adding a Known Vulnerability 45 | 46 | There may be categories of vulnerabilities that Brakeman does detect but which are not covered by the current tests. Or, you may be planning to submit a new feature or check that will find more vulnerabilities. 47 | 48 | Again, this vulnerability should be added to one of the existing applications in `test/apps`. If the vulnerability differs according to version, it may make sense to add it to more than one application. 49 | 50 | Once the vulnerability is introduced, run both `test/test.rb` and Brakeman directly against the code. Hopefully the tests show more warnings than expected, and the new vulnerability shows up in the Brakeman report. 51 | 52 | Now it is time to add a test for the warning. 53 | 54 | In the appropriate test suite under `test/tests`, add a new test for the warning. See [this page](/docs/testing_brakeman) for information on how to do this. 55 | 56 | ### Adding a False Positive 57 | 58 | This should follow the same process as adding a known vulnerability. However, when it comes time to add the test for the warning, use `assert_no_warning` instead of `assert_warning`. 
59 | 60 | --- 61 | 62 | [More documentation](/docs) 63 | 64 | [More testing information](/docs/testing_brakeman) 65 | -------------------------------------------------------------------------------- /source/_posts/2016-08-12-brakeman-3-dot-3-4-released.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "Brakeman 3.3.4/3.3.5 Released" 4 | date: 2016-08-12 08:26 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title 8 | --- 9 | 10 | This is a quick release to add warnings for [CVE-2016-6316](https://groups.google.com/d/msg/ruby-security-ann/8B2iV2tPRSE/JkjCJkSoCgAJ) and [CVE-2016-6317](https://groups.google.com/d/msg/ruby-security-ann/WccgKSKiPZA/9DrsDVSoCgAJ). There was a bug in 3.3.4 that affected debug output which has been fixed in 3.3.5. 11 | 12 | *Changes since 3.3.3*: 13 | 14 | * Add generic warning for CVE-2016-6316 15 | * Warn about dangerous use of `content_tag` with CVE-2016-6316 16 | * Add warning for CVE-2016-6317 17 | * Use Minitest 18 | 19 | *Changes since 3.3.4*: 20 | 21 | * Fix bug in reports when using `--debug` 22 | 23 | ### CVE-2016-6316 24 | 25 | Typically Rails will escape attribute values passed to tag helpers like `content_tag`. If the attribute has already been marked as "safe" with `.html_safe` or (more likely) a different escaping helper like `sanitize`, the tag helper will not escape the value again (that is the purpose of `.html_safe`). However, not all sanitizers/escape methods escape double quotes, which are dangerous inside of tag attributes. In particular, double quotes allow an attacker to close the current attribute and insert new attributes (like `onmouseover`) that can execute JavaScript. 26 | 27 | Brakeman will issue a generic warning about CVE-2016-6316 for affected versions and may generate warnings for potentially dangerous calls to `content_tag`. 
28 | 29 | ([changes](https://github.com/presidentbeef/brakeman/pull/917)) 30 | 31 | ### CVE-2016-6317 32 | 33 | The [JSON bug](https://groups.google.com/d/msg/rubyonrails-security/8SA-M3as7A8/Mr9fi9X4kNgJ) is back. Specially-crafted queries can cause parameters to be interpreted as empty hashes, which may cause unexpected behavior in SQL queries. 34 | 35 | Brakeman will generate a generic warning for affected versions (4.2 series). 36 | 37 | ([changes](https://github.com/presidentbeef/brakeman/pull/918)) 38 | 39 | ### Minitest 40 | 41 | Unrelated, Brakeman now uses Minitest instead of test-unit. 42 | 43 | ([changes](https://github.com/presidentbeef/brakeman/pull/912/)) 44 | 45 | ### SHAs 46 | 47 | The SHA256 sums for this release are 48 | 49 | 7231e00bdb4353ee7e91e5f1e60e34cf29b5563e6f7e1e5478223e72568c493a brakeman-3.3.5.gem 50 | c07e282c2e1733f8d7db4a4ffefe22e7e38a62ddfd750f0866c0b49070cb61c9 brakeman-lib-3.3.5.gem 51 | a7f8e6fa8eb4254b7ad17080180289794a02641b1f2ec362de57cfdb2f1535be brakeman-min-3.3.5.gem 52 | 53 | ### Reporting Issues 54 | 55 | Thank you to everyone who reported bugs. 56 | 57 | Please report any [issues](https://github.com/presidentbeef/brakeman/issues) with this release! Take a look at [this guide](https://github.com/presidentbeef/brakeman/wiki/How-to-Report-a-Brakeman-Issue) to reporting Brakeman problems. 58 | 59 | Also consider following [@brakeman](https://twitter.com/brakeman) on Twitter and hanging out [on Gitter](https://gitter.im/presidentbeef/brakeman) for questions and discussion. 
60 | -------------------------------------------------------------------------------- /source/_posts/2022-04-06-brakeman-5-dot-2-dot-2-released.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "Brakeman 5.2.2 Released" 4 | date: 2022-04-06 08:30 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title 8 | --- 9 | 10 | _Changes since 5.2.1:_ 11 | 12 | * Respect equality in `if` conditions ([#1683](https://github.com/presidentbeef/brakeman/issues/1683)) 13 | * Update message for unsafe reflection ([Pedro Baracho](https://github.com/pedropb)) 14 | * Handle `nil` when joining values ([Dan Buettner](https://github.com/Capncavedan)) 15 | * Add additional String methods for SQL injection check ([#1669](https://github.com/presidentbeef/brakeman/issues/1669)) 16 | * Update `ruby_parser` for Ruby 3.1 support ([Merek Skubela](https://github.com/sqbell)) 17 | 18 | ### Equality Checks in Conditions 19 | 20 | When Brakeman comes across code like: 21 | 22 | ```ruby 23 | if x == 1 24 | # do something with x 25 | end 26 | ``` 27 | 28 | It will now assume `x` is `1` inside of the `if` branch. 29 | 30 | ([changes](https://github.com/presidentbeef/brakeman/pull/1681)) 31 | 32 | ### Unsafe Reflection Messages 33 | 34 | [Pedro Baracho](https://github.com/pedropb) updated the messages for unsafe reflection to be clearer. 35 | 36 | ([changes](https://github.com/presidentbeef/brakeman/pull/1670)) 37 | 38 | ### Another String Joining Fix 39 | 40 | [Dan Buettner](https://github.com/Capncavedan) fixed an exception when a `nil` gets into a string joining operation. 41 | 42 | 43 | ([changes](https://github.com/presidentbeef/brakeman/pull/1686)) 44 | 45 | ### More SQL Injection 46 | 47 | When Brakeman checks for SQL injection, there are a number of methods (like `to_s` or `strip`) that essentially return the string itself. 
48 | 49 | This list of methods has been expanded to include `chop`, `lstrip`, `rstrip`, `scrub`, and `tr`. 50 | 51 | ([changes](https://github.com/presidentbeef/brakeman/pull/1682)) 52 | 53 | ### Update RubyParser 54 | 55 | This version of Brakeman includes [RubyParser 3.19](https://www.zenspider.com/releases/2022/03/ruby_parser-version-3-19-0-has-been-released.html) which adds support for Ruby 3.1 syntax. Thanks [Merek Skubela](https://github.com/sqbell)! 56 | 57 | ([changes](https://github.com/presidentbeef/brakeman/pull/1695)) 58 | 59 | ### Checksums 60 | 61 | The SHA256 sums for this release are: 62 | 63 | 246c9540f5d90fbde39c95999d319f9706bf79668f66bb35419825c1cbef61ae brakeman-5.2.2.gem 64 | 1b559598d78919c0f6f3a8e8602b86ab35f825810b1d7daf872b7791b452e78b brakeman-lib-5.2.2.gem 65 | 4c34dcc1900bf872254eee2b313b1634ffacc9002fd7d26b8390259318cf6194 brakeman-min-5.2.2.gem 66 | 67 | ### Reporting Issues 68 | 69 | Thank you to everyone who reported bugs and contributed to this release! 70 | 71 | Please report any [issues](https://github.com/presidentbeef/brakeman/issues) with this release. Take a look at [this guide](https://github.com/presidentbeef/brakeman/wiki/How-to-Report-a-Brakeman-Issue) to reporting Brakeman problems. 72 | 73 | Follow [@brakeman](https://twitter.com/brakeman) on Twitter and hang out [on Gitter](https://gitter.im/presidentbeef/brakeman) for questions and discussion. 74 | -------------------------------------------------------------------------------- /source/_posts/2012-08-13-brakeman-1-dot-7-1-released.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "Brakeman 1.7.1 Released" 4 | date: 2012-08-13 11:04 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title 8 | --- 9 | 10 | This is a small release to add checks for the [Rails vulnerabilities reported last week](http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/). 
11 | 12 | _Changes since 1.7.0_: 13 | 14 | * Add check for [CVE-2012-3463](https://groups.google.com/d/topic/rubyonrails-security/fV3QUToSMSw/discussion) 15 | * Add check for [CVE-2012-3464](https://groups.google.com/d/topic/rubyonrails-security/kKGNeMrnmiY/discussion) 16 | * Add check for [CVE-2012-3465](https://groups.google.com/d/topic/rubyonrails-security/FgVEtBajcTY/discussion) 17 | * Add charset to HTML report ([hooopo](https://github.com/hooopo)) 18 | * Report XSS in select() for Rails 2 19 | 20 | ### CVE-2012-3463 - XSS in select\_tag Prompt 21 | 22 | In Rails 3.x, values supplied to the `:prompt` option in the `select_tag` helper are not escaped, leading to a cross-site scripting vulnerability. 23 | 24 | Brakeman will warn on all uses of `select_tag` with unescaped user input in the `:prompt` option. 25 | 26 | ### CVE-2012-3464 - Single Quotes are Unescaped 27 | 28 | This is pretty much a known issue ([example from 2008](http://www.ruby-forum.com/topic/166894)), but Rails 3.2.8 fixes it. 29 | 30 | Single quotes are most dangerous when interpolating values into HTML attributes that use single quotes, which is why it is often recommended to always use double quotes in HTML. 31 | 32 | There is a [provided workaround](https://groups.google.com/d/topic/rubyonrails-security/kKGNeMrnmiY/discussion) for earlier versions of Rails which replaces `ERB::Util.html_escape` with `Rack::Utils.escape_html`. This method adds escaping for both single quotes (`'`) and forward slashes (`/`). 33 | 34 | If the provided workaround is used in an initializer, as suggested, then Brakeman will not generate a warning for this vulnerability. Otherwise, Brakeman will generate a warning for affected versions. 35 | 36 | ### CVE-2012-3465 - XSS in strip\_tags 37 | 38 | Another vulnerability has been reported for `strip_tags` (earlier report was [CVE-2011-2931](https://groups.google.com/d/topic/rubyonrails-security/K5EwdJt06hI/discussion)). 
39 | 40 | Brakeman will warn on affected versions if uses of `strip_tags` are detected. 41 | 42 | ### XSS in select Helper 43 | 44 | This vulnerability was [reported a while ago](https://groups.google.com/d/topic/rubyonrails-security/CdoMUVpsRmQ/discussion), but it was unclear if it applied to Rails 2.x or just Rails 3. Thanks to Neil Matatall, it has been confirmed to be an issue in Rails 2.x as well. 45 | 46 | Therefore, Brakeman will be reporting the vulnerability (`select` does not escape options list if supplied as a straight string) for Rails 2.x as well. 47 | 48 | ### Report Issues 49 | 50 | Please report any [issues](https://github.com/presidentbeef/brakeman/issues) with this release! 51 | 52 | Also consider joining the [mailing list](http://brakemanscanner.org/contact/) or following [@brakeman](https://twitter.com/brakeman) on Twitter. 53 | -------------------------------------------------------------------------------- /source/_posts/2012-10-17-brakeman-1-dot-8-2-released.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "Brakeman 1.8.2 Released" 4 | date: 2012-10-17 10:44 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title 8 | --- 9 | 10 | This is a bugfix release, in particular fixing rescanning (used by [guard-brakeman](https://github.com/guard/guard-brakeman)). 11 | 12 | _Changes since 1.8.1_: 13 | 14 | * Fixed rescanning problems caused by 1.8.0 changes 15 | * Fix scope calls with single argument 16 | * Report specific model name in rendered collections 17 | * Handle overwritten JSON escape settings (Neil Matatall) 18 | * Add CHANGES to gemspec 19 | 20 | ### Rescan Fixes 21 | 22 | Brakeman supports rescanning a subset of files in an application, with the caveat that the previous scan must still be in memory. This functionality was broken in the the 1.8.0 release, due to the lack of tests. 
23 | 24 | This release updates rescanning to be more robust and work with the 1.8.0 changes to how "render paths" are stored. Also, a number of tests were added to help prevent breakage in the future. 25 | 26 | ([changes](https://github.com/presidentbeef/brakeman/pull/165)) 27 | 28 | ### Scope Calls with One Argument 29 | 30 | Calls to `scope` with a single argument were causing errors in Brakeman's SQL injection check. 31 | 32 | The fixed error looked like: 33 | 34 | undefined method `node_type' for nil:NilClass /something/brakeman/lib/brakeman/checks/check_sql.rb:75:in `block (2 levels) in find_scope_calls' 35 | 36 | ([changes](https://github.com/presidentbeef/brakeman/pull/157)) 37 | 38 | ### Model Names for Rendered Collections 39 | 40 | In cases like below, where a collection of models is being rendered and the model name could be known, any resulting warnings will now reference the actual model name. 41 | 42 | <%= render 'user', :collection => User.all %> 43 | 44 | Previously, Brakeman would report warnings with `UnknownModel`, whether or not the model name was actually known. 45 | 46 | ([changes](https://github.com/presidentbeef/brakeman/pull/155)) 47 | 48 | ### Overwritten JSON Escape Config 49 | 50 | It is possible that a config setting in one initializer overrides a setting in a different initializer. This is now handled for the JSON escape settings. 51 | 52 | ([changes](https://github.com/presidentbeef/brakeman/pull/154)) 53 | 54 | ### CHANGES File in Gem 55 | 56 | The [CHANGES](https://github.com/presidentbeef/brakeman/blob/master/CHANGES) file is now included in the gem file as requested. 57 | 58 | ([changes](https://github.com/presidentbeef/brakeman/issues/153)) 59 | 60 | ### Report Issues 61 | 62 | Please report any [issues](https://github.com/presidentbeef/brakeman/issues) with this release! Take a look at [this guide](https://github.com/presidentbeef/brakeman/wiki/How-to-Report-a-Brakeman-Issue) to reporting Brakeman problems. 
63 | 64 | Also consider joining the [mailing list](http://brakemanscanner.org/contact/) or following [@brakeman](https://twitter.com/brakeman) on Twitter. 65 | 66 | ### Brakeman Roadmap 67 | 68 | A rough guide to Brakeman 1.9 and 2.0 has been [posted here](https://github.com/presidentbeef/brakeman/wiki/Roadmap). 69 | -------------------------------------------------------------------------------- /source/_posts/2021-10-28-brakeman-5-dot-1-dot-2-released.markdown: -------------------------------------------------------------------------------- 1 | --- 2 | layout: post 3 | title: "Brakeman 5.1.2 Released" 4 | date: 2021-10-28 11:30 5 | comments: true 6 | categories: 7 | permalink: /blog/:year/:month/:day/:title 8 | --- 9 | 10 | Here's a small bugfix release with a big parser update! 11 | 12 | Huge thanks as always to [Ryan Davis](https://github.com/sponsors/zenspider?o=esb) for maintaining `ruby_parser`. 13 | 14 | _Changes since 5.1.1:_ 15 | 16 | * Updated `ruby_parser` ([Ryan Davis](https://www.zenspider.com/)) 17 | * Fix issue where the previous output is still visible ([Jason Frey](https://github.com/Fryguy)) 18 | * Handle cases where enums are not symbols ([#1627](https://github.com/presidentbeef/brakeman/issues/1627)) 19 | * Support newer Haml with `::Haml::AttributeBuilder.build` 20 | * Fix sorting with `nil` line numbers 21 | 22 | ## Updated RubyParser 23 | 24 | Once again, [Ryan Davis](https://github.com/sponsors/zenspider?o=esb) comes through with a great update of [ruby\_parser](https://github.com/seattlerb/ruby_parser) 25 | including support for newer Ruby 2.7 and 3.0 syntaxes as well as many other fixes and improvements. 26 | 27 | ([changes](https://www.zenspider.com/releases/2021/10/ruby_parser-version-3-18-0-has-been-released.html)) 28 | 29 | ## Output Cleanup 30 | 31 | [Jason Frey](https://github.com/Fryguy) cleaned up the `Processing libs...` updates so it doesn't look like `Processing libs...ssed` anymore. 
32 | 33 | ([changes](https://github.com/presidentbeef/brakeman/pull/1629)) 34 | 35 | ## Enums Without Symbols 36 | 37 | Calls to `enum` where the first argument is not a symbol will be ignored for now. 38 | 39 | ([changes](https://github.com/presidentbeef/brakeman/pull/1631)) 40 | 41 | ## Newer Haml 42 | 43 | In Haml 5.2.2 the `::Haml::AttributeBuilder.build` method started popping up and Brakeman was treating it as suspicious. 44 | 45 | For now, ignoring it because it seems pretty safe. 46 | 47 | ([changes](https://github.com/presidentbeef/brakeman/pull/1637)) 48 | 49 | ## Sorting with Missing Line Numbers 50 | 51 | In some, apparently rare cases, if two warnings have the same confidence, warning type, and are in the same file, but have `nil` line numbers, 52 | then it _could_ (but doesn't always) cause a sorting error. 53 | 54 | ([changes](https://github.com/presidentbeef/brakeman/pull/1641)) 55 | 56 | ### Checksums 57 | 58 | The SHA256 sums for this release are: 59 | 60 | d95b1cee8d751db8300c9390d8c90cf3e54f725c4d448f7ccfbdb9a723b6377a brakeman-5.1.2.gem 61 | 8e6a25a4da113269e70a0e536325e8a18b02745f23dea25ecf640c675961961c brakeman-lib-5.1.2.gem 62 | 7b272fa7efc2f25208614bd801993e2b161b4edbf8c423c93b6b13aaee09ae84 brakeman-min-5.1.2.gem 63 | 64 | ### Reporting Issues 65 | 66 | Thank you to everyone who reported bugs and contributed to this release! 67 | 68 | Please report any [issues](https://github.com/presidentbeef/brakeman/issues) with this release. Take a look at [this guide](https://github.com/presidentbeef/brakeman/wiki/How-to-Report-a-Brakeman-Issue) to reporting Brakeman problems. 69 | 70 | Follow [@brakeman](https://twitter.com/brakeman) on Twitter and hang out [on Gitter](https://gitter.im/presidentbeef/brakeman) for questions and discussion. 71 | --------------------------------------------------------------------------------