Brakeman: A static analysis security vulnerability scanner for Ruby on Rails applications
Brakeman
Brakeman is an open-source static analysis tool that checks Ruby on Rails applications for security vulnerabilities.
It can detect:
- Possibly unescaped model attributes or parameters in views (Cross-Site Scripting)
- Bad string interpolation in calls to Model.find, Model.last, Model.first, etc., as well as chained calls (SQL Injection)
- String interpolation in find_by_sql (SQL Injection)
- String interpolation or params in calls to system, exec, and syscall, and in backtick (`) commands (Command Injection)
- Unrestricted mass assignments
- Global restriction of mass assignment
- Missing call to protect_from_forgery in ApplicationController (CSRF protection)
- Default routes, per-controller and globally
- Redirects based on params (probably too broad currently)
- Validation regexes not using \A and \z
- Calls to render with dynamic paths
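Why the validation-regex check above matters, as an added example (not Brakeman's own code): in Ruby, ^ and $ match at line boundaries, so a format validation anchored with them accepts a value that smuggles extra content after a newline, while \A and \z anchor the whole string. The valid_with? helper is a constructed stand-in for a Rails format validation so the example runs without Rails.

```ruby
# Added example: the difference between ^/$ and \A/\z anchoring that
# Brakeman's ValidationRegex check reports. Not part of Brakeman itself.

# Constructed stand-in for `validates :username, format: { with: regex }`.
# Returns true when the value matches the regex (as Rails' validator would).
def valid_with?(regex, value)
  !(value =~ regex).nil?
end

WEAK_USERNAME   = /^[a-z0-9_]+$/      # line-anchored: what Brakeman warns about
LOOSE_USERNAME  = /\A[a-z0-9_]+\Z/    # \Z still permits one trailing newline
STRICT_USERNAME = /\A[a-z0-9_]+\z/    # whole-string anchoring (recommended)

# Constructed inputs: a well-formed name and a value carrying a second line.
SAFE_INPUT = "alice"
SMUGGLED   = "alice\n<script>alert(1)</script>"
TRAILING   = "alice\n"

def weak_accepts?(value)
  valid_with?(WEAK_USERNAME, value)
end

def loose_accepts?(value)
  valid_with?(LOOSE_USERNAME, value)
end

def strict_accepts?(value)
  valid_with?(STRICT_USERNAME, value)
end

# Summarise how each anchoring treats each input; useful when reviewing
# a Brakeman "ValidationRegex" warning to confirm it is a real finding.
def anchoring_report
  [SAFE_INPUT, SMUGGLED, TRAILING].map do |v|
    { input: v, weak: weak_accepts?(v), loose: loose_accepts?(v), strict: strict_accepts?(v) }
  end
end

if __FILE__ == $PROGRAM_NAME
  anchoring_report.each { |row| p row }
end
```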
General capabilities:
- Search for method calls based on target class and/or method name
- Determine ‘output’ of templates using ERB, Erubis, or HAML. Can handle automatic escaping
Install
gem install brakeman
Use
For a full list of options, use brakeman --help or see the OPTIONS.md file.
To specify an output file for the results:
brakeman -o output_file
The output format is determined by the file extension or by using the -f option. Current options are: text, html, tabs, json, markdown, csv, and codeclimate.
Multiple output files can be specified:
brakeman -o output.html -o output.json
To suppress informational warnings and just output the report:
brakeman -q
Note that all Brakeman output except reports is sent to stderr, making it simple to redirect stdout to a file and get just the report.
To see all kinds of debugging information:
brakeman -d
Specific checks can be skipped if desired. The name needs to be the correct case. For example, to skip looking for default routes (DefaultRoutes):
brakeman -x DefaultRoutes
Multiple checks should be separated by a comma:
brakeman -x DefaultRoutes,Redirect
To do the opposite and only run a certain set of tests:
brakeman -t SQL,ValidationRegex
If Brakeman is running a bit slow, try
brakeman --faster
This will disable some features, but will probably be much faster (currently it is the same as --skip-libs --no-branching). WARNING: This may cause Brakeman to miss some vulnerabilities.
By default, Brakeman will return 0 as an exit code unless something went very wrong. To return an error code when warnings were found:
brakeman -z
To skip certain files or directories that Brakeman may have trouble parsing, use:
brakeman --skip-files file1,/path1/,path2/
To compare results of a scan with a previous scan, use the JSON output option and then:
brakeman --compare old_report.json
This will output JSON with two lists: one of fixed warnings and one of new warnings.
Brakeman will ignore warnings if configured to do so. By default, it looks for a configuration file in config/brakeman.ignore. To create and manage this file, use:
brakeman -I