#358 Brakeman

Jun 15, 2012 | 8 minutes | Security, Tools

The Brakeman gem will scan the Ruby code of a Rails application and alert you to common security vulnerabilities.

Click to Play Video ▶

Download:
source codeProject Files in Zip (129 KB)
mp4Full Size H.264 Video (25.5 MB)
m4vSmaller H.264 Video (13.2 MB)
webmFull Size VP8 Video (12.3 MB)
ogvFull Size Theora Video (34.2 MB)

Benjamin over 12 years ago

Nice, trying it out right away. Since im the first one here, i might be lucky and get a response. :)

I have disabled mass assignment on my shopping cart because i am using this

          ruby
        
def purchase
  response = GATEWAY.purchase(price_in_cents, credit_card, purchase_options)
  transactions.create!(:action => "purchase", :amount => price_in_cents, :response => response)
   cart.update_attributes(:purchased_at, Time.now) if response.success?
  response.success?
end 

I get a complaint about purchase, price_in_cents and response not mass assigned, i ended up disabling it after many attempts but obviously running Brakeman brings back the issues. How can i add these to my attr_accessible?

Neil Matatall about 12 years ago

Are you saying you set :attr_accessible nil and it won't let you assign any attributes? If that's the case, just manually set them when necessary. New/create/build take a block form so you can do this somewhat nicely:

Something.create(params[:something]) do |thing|
  thing.attr = params[:something][:attr] 
end

while I realize that seems silly, it's better than the alternative :)

Neil Matatall about 12 years ago

Something.create(params[:something]) do |thing|
  thing.attr = params[:something][:attr] 
end

while I realize that seems silly, it's better than the alternative :)

Richard Huang over 12 years ago

If you think brakeman gem is useful, you must try my online service based on brakeman, rails-brakeman

Pavel Forkert over 12 years ago

Unfortunately, "redirect_to redirect_url, only_path: true" won't work. It works only, when you pass first argument as a Hash and it should contain :only_path options. When you have redirect_url as a string you can use URI.parse(redirect_url).path or URI.parse(redirect_url).request_uri, hovewer request_uri is available only on URI::HTTP objects, so additional checks might be needed.

jDeppen over 12 years ago

after gem install brakeman and adding it to my gemfile, I keep getting

          ruby
        
zsh: command not found: brakeman

and rbenv rehash gives me

          ruby
        
rbenv: cannot rehash: /Users/jason/.rbenv/shims/.rbenv-shim exists

jDeppen over 12 years ago

I'm able to rehash now

          ruby
        
mv /Users/jason/.rbenv/shims/.rbenv-shim /Users/jason/.rbenv/shims/.rbenv-shim2

I'm not sure why but it started working after I ran

          ruby
        
brakeman -o output.html

NewAlexandria about 12 years ago

Thanks, rehashing is what I needed, too

Andrey Prihodko over 12 years ago

bundle exec brakeman

AstonJ over 12 years ago

Awesome - thanks! This makes me feel a lot better about my app :D

Would love to see a similar episode on performance (slow queries etc) although knowing Ryan he has probably already done one!

Theodor Tonum over 12 years ago

The bullet-gem notifies you of eager loading SQL queries :)

Jay Brodie over 12 years ago

Seems it is crashing out on our project.

[Notice] Detected Rails 3 application
Loading scanner...
[Notice] Using Ruby 1.9.2. Please make sure this matches the one used to run your Rails application.
Processing application in /home/**/projects/**
Processing configuration...
[Notice] Escaping HTML by default
Processing gems...
Processing initializers...
Processing libs...
Processing routes...

Processing templates...

Processing data flow in templates...
Processing models...

Processing controllers...

Processing data flow in controllers...
Killed7 controllers processed

Reaches 62/127 for data flow in controllers then hangs and dies.

Justin over 12 years ago

Hi Jay,

Sorry about that. Please follow these suggestions to figure out the problem.