This is a small bug fix release. The only expected changes in warnings are for dangerous attributes in
and cross site scripting involving model attributes. Some warning fingerprints may change as a result of this update.
Changes since 2.1.0:
- More accurate results for model attribute warnings (#385)
- Do not warn on
attr_accessibleusing roles (#372)
- New warning code for dangerous attributes in
- Fix infinite loop when run as rake task (Matthew Shanley)
- Use exit code zero with
-zif all warnings ignored (#381)
- Respect ignored warnings in rescans (#382)
- Respect ignored warnings in tabs format reports
- Ignore dynamic controller names in routes
More Accurate Model Matching
Model attributes which are reported as user input should now be reported more accurately. For example, instead of reporting
Model.find(1) as user input, the entire attribute will be reported. For example:
As a side effect, several methods which were already intended to be ignored (such as
count) will actually be ignored for XSS warnings.
attr_accessible Check Updates
The check for potentially dangerous attributes whitelisted in
attr_accessible has been updated to ignore attributes protected by roles. Additionally, it now has its own warning code to separate it from regular mass assignment warnings.
Rake Task Fix
The last release included a method named
load_dependency which handles calling
require for optional dependencies. Unfortunately, Rails overrides
require to call its own method called
load_dependency. Rails is loaded when any
rake command is used, so when Brakeman is run with Rake it causes an infinite loop between
Thanks to Matthew Shanley for reporting the issue and providing a fix.
Exit Code Fixed When Warnings Ignored
Brakeman will now return
0 when using
-z and all reported warnings are ignored.
Ignore Warnings in Rescans
Ignored warnings should now be ignored during rescans (for use with guard-brakeman).
Remove Ignored Warnings in Tabs Report
Ignoring warnings should now work for those using the Jenkins plugin.
Ignore Dynamic Controller Name in Routes
Instead of completely aborting route processing, dynamic controller names are just ignored.