- Configurable engines path (Jason Yeo)
- Check CSRF setting in direct subclasses of
- Pull Ruby version from
- Use Ruby version to turn off SymbolDoS check (#928)
- Fix ignoring link interpolation not at beginning of string (#939)
- Show action help at start of interactive ignore (#949)
- Avoid warning about where_values_hash in SQLi (#942)
Engine Paths Option
Thanks to the work of Jason Yeo, Brakeman now supports custom paths to Rails engines using the
Multiple comma-separated paths may be configured. To include all subdirectories, use a wildcard such as my_engines/*. Absolute paths may be used for engines outside the application.
Expanded CSRF Check
Also thanks to Jason Yeo, any controller with ActionController::Base as a direct parent will be checked for a
Ruby Version Info
Brakeman will now pull information about the Ruby version used for an application either from the
.ruby-version. Right now this is only used for disabling (the already optional) Symbol DoS check for versions of Ruby that have symbol garbage collection.
Link Interpolation False Positive
Brakeman’s warning about interpolating user input into URLs has always checked whether the interpolation was at the beginning of the string. However, that check did not work when the first thing in the string was another interpolation, so a later interpolation was wrongly reported as being at the start. This has been fixed.
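To make the two checks above concrete (the expanded CSRF check on direct subclasses of ActionController::Base, and the position-sensitive link interpolation check), here is an added example that is not Brakeman's own code. It uses Ruby's standard-library Ripper parser to walk a controller's syntax tree and a string literal's parts; the controller sources and URL strings are constructed samples, protect_from_forgery is the standard Rails CSRF helper, and the logic is a deliberate simplification of what Brakeman does (it looks for protect_from_forgery anywhere in the class body, and treats any interpolation that mentions params as user input).

```ruby
require "ripper"

# Constructed sample controllers (not taken from the page or from Brakeman).
UNPROTECTED_CONTROLLER = <<~RUBY
  class PaymentsController < ActionController::Base
    def create
      head :ok
    end
  end
RUBY

PROTECTED_CONTROLLER = <<~RUBY
  class PaymentsController < ActionController::Base
    protect_from_forgery with: :exception

    def create
      head :ok
    end
  end
RUBY

# Not a direct subclass of ActionController::Base, so the first check skips it.
INDIRECT_CONTROLLER = <<~RUBY
  class AdminController < ApplicationController
    def index; end
  end
RUBY

# Render a constant node (class name or superclass) back to its dotted name.
def const_name(node)
  return nil unless node.is_a?(Array)
  case node[0]
  when :var_ref, :const_ref then const_name(node[1])
  when :@const then node[1]
  when :top_const_ref then "::#{const_name(node[1])}"
  when :const_path_ref then "#{const_name(node[1])}::#{const_name(node[2])}"
  end
end

# True if the s-expression mentions the given identifier anywhere beneath it.
def mentions?(sexp, ident)
  return false unless sexp.is_a?(Array)
  return true if sexp[0] == :@ident && sexp[1] == ident
  sexp.any? { |child| mentions?(child, ident) }
end

# Yield [class_name, superclass_name, body] for every class definition found.
def each_class(sexp, &blk)
  return unless sexp.is_a?(Array)
  if sexp[0] == :class
    yield const_name(sexp[1]), const_name(sexp[2]), sexp[3]
  end
  sexp.each { |child| each_class(child, &blk) }
end

# Depth-first search for the first node of the given type.
def find_node(sexp, type)
  return nil unless sexp.is_a?(Array)
  return sexp if sexp[0] == type
  sexp.each do |child|
    found = find_node(child, type)
    return found if found
  end
  nil
end

# Check 1 (simplified): names of controllers that inherit directly from
# ActionController::Base and never call protect_from_forgery.
def missing_csrf_protection(source)
  sexp = Ripper.sexp(source) or return []
  findings = []
  each_class(sexp) do |name, parent, body|
    next unless parent == "ActionController::Base"
    findings << name unless mentions?(body, "protect_from_forgery")
  end
  findings
end

# Check 2 (simplified): is the *first* piece of a double-quoted string literal
# an interpolation that mentions params? Inspecting the parts in order, rather
# than asking "does the string contain params anywhere", is what keeps a URL
# like "#{host}/#{params[:id]}" from being reported as user input at the start.
def user_input_starts_string?(source)
  sexp = Ripper.sexp(source) or return false
  literal = find_node(sexp, :string_literal) or return false
  first_part = literal[1][1] # [:string_content, part, part, ...]
  first_part.is_a?(Array) && first_part[0] == :string_embexpr && mentions?(first_part, "params")
end

if __FILE__ == $0
  puts "CSRF findings: #{missing_csrf_protection(UNPROTECTED_CONTROLLER).inspect}"
  puts "starts with user input: #{user_input_starts_string?('"#{params[:id]}/edit"')}"
  puts "starts with user input: #{user_input_starts_string?('"#{host}/#{params[:id]}"')}"
end
```

Running the file prints one CSRF finding for the unprotected controller and reports only the first URL string as starting with user input; the string that begins with a non-user interpolation is left alone, which is the false positive the release fixes.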
More Help in Interactive Ignore
For clarity, “interactive ignore” mode will now display the action options before going through each warning.
Thank you to everyone who reported bugs and contributed to this release.