This is mostly a bug fix release, but does include new support for optional checks along with an optional check for unscoped calls to
Changes since 2.6.2:
- Add framework for optional checks
- Add optional check for unscoped find queries (Ben Toews)
- Fix stack overflow for cycles in class ancestors (Jeff Rafter)
- Fix stack overflow in
- Whitelist exists Arel method from SQL injection check
- Avoid warning about Symbol DoS on safe parameters as method targets
Brakeman now supports loading checks that are not run by default. These “nondefault” checks may have high false positive rates or introduce significant slowdowns. Optional checks should be treated as experimental and may experience more breaking changes than default checks.
To run all checks, use -A. To list only the optional checks, try --optional-checks. Optional checks are also listed in --checks. As usual, checks may be specified using --test. At this time there is no way to easily run the default checks plus some optional checks.
On the code side, optional checks are the same except Brakeman::Checks.add self becomes
The first optional check to be added to Brakeman comes from Ben Toews. This check looks for calls to find (or similar methods) directly on models that have a
As this is an optional check, use -A to include it in a scan or -t UnscopedFind to run it by itself.
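To illustrate the kind of pattern this check targets, here is a small added example (not Brakeman's own code, nor Ben Toews' check) that uses Ruby's stdlib Ripper to flag find-style calls made directly on a bare constant receiver, while leaving association-scoped calls alone. Treating "bare constant receiver" as "direct call on a model" is a simplifying assumption of this example, and the controller source it scans is constructed.

```ruby
require 'ripper'

# Constructed sample controller source for the scanner to analyse.
SAMPLE = <<~RUBY
  class UsersController < ApplicationController
    def show
      @user = User.find(params[:id])
    end

    def edit
      @user = current_account.users.find(params[:id])
    end

    def index
      @posts = Post.find_by(slug: params[:slug])
    end
  end
RUBY

# Finder methods this toy scanner treats as "find (or similar methods)".
FIND_METHODS = %w[find find_by find_by_id].freeze

# Walk Ripper's s-expression tree and collect parenthesised calls of the
# form Const.find(...) where the receiver is a bare constant. Calls reached
# through an association (current_account.users.find) have a method-call
# receiver instead of a constant, so they are not reported.
def unscoped_finds(source)
  hits = []
  walk = lambda do |node|
    return unless node.is_a?(Array)
    if node[0] == :method_add_arg && node[1].is_a?(Array) && node[1][0] == :call
      recv, meth = node[1][1], node[1][3]
      if recv.is_a?(Array) && recv[0] == :var_ref && recv[1][0] == :@const &&
         meth.is_a?(Array) && meth[0] == :@ident && FIND_METHODS.include?(meth[1])
        hits << { model: recv[1][1], method: meth[1], line: meth[2][0] }
      end
    end
    node.each { |child| walk.call(child) }
  end
  walk.call(Ripper.sexp(source))
  hits
end

unscoped_finds(SAMPLE).each do |h|
  puts "line #{h[:line]}: unscoped call to #{h[:model]}.#{h[:method]}"
end
```

Only parenthesised calls are handled; a real check such as Brakeman's works on its own processed AST and covers many more call shapes.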
Fix Loops in Class Ancestors
Jeff Rafter added a fix for stack overflows (infinite loops) when a class has (or appears to have) a cycle in its superclasses.
Fix Stack Overflow
This release fixes an issue with another infinite loop when looking up the class name in a self-referential variable name, which comes up in some situations. Fixing this bug also fixed some XSS false positives for safe model attribute methods (like id) but unfortunately also revealed some dynamic render false positives.
Whitelist Arel Method
Brakeman does not warn on most uses of Arel, but was warning about SQL injection from the
Less Symbol DoS
Brakeman should no longer warn about Symbol DoS when symbolizing params[:action] even when there are intermediate method calls, like
The SHA1 sums for this release are:
ceb689e3a6efd7e28483828de3441ec1fad501c1 brakeman-2.6.3.gem
334a7820c05bfeb31e0e9d8123f45daef64eb102 brakeman-min-2.6.3.gem