Changes:
- Process Rails 3 configuration files
- Check for config.active_record.whitelist_attributes = true
- Always produce a warning for without_protection => true
- Fix CSV output
This is just a small release on the way to 1.0.
Rails 3 Configs
Configurations in config/application and config/environments/production.rb will now be parsed.
Check for Disabled Mass Assignment
A new option was added in Rails 3.1 to globally disable mass assignment using config.active_record.whitelist_attributes = true. Brakeman will now turn off mass assignment warnings if this configuration setting is detected.
Always Warn on without_protection
Rails 3.1 adds a way to bypass attribute protection when doing mass assignment.
For example:
User.new(params, :without_protection => true)
Brakeman will now always warn when without_protection is used, even if mass assignment is disabled or attributes are protected on that model.
Fix CSV Output
Brakeman reports using the CSV format should work once again.
There is a bug in Ruport when using Ruby 1.9.2 and CSV output. A temporary patch has been added until this is resolved.
Reporting Issues
Thank you to everyone who reported bugs and contributed to this release!
Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.
Hang out on GitHub for questions and discussion.