This release includes two new checks and a number of bug fixes.
Changes since 3.1.0:
- Add check for user input in session keys
- Add optional check for use of MD5 and SHA1
- Fix absolute paths for Windows (Cody Frederick)
- Allow searching call index methods by regex (Alex Ianus)
- Better Haml processing of
- Fix chained assignment
- Add more Arel methods to be ignored in SQL (#711)
- Avoid warning when linking to decorated models (#683)
- Support newer terminal-table releases (#709)
Session Manipulation Check
As suggested by Joernchen, Brakeman will now look for user input in session keys which can lead to session manipulation.
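To show what this check is looking for, here is an added example (written for this edit, not Brakeman's or Rails' own code): a minimal stand-in for a Rails session, a controller-style helper that uses a request parameter as the session key, and a fixed version that only accepts keys from an allow-list. The `Session` class, the `user_id` key, the `store_preference_*` helpers and the request hashes are all assumptions constructed for the example.

```ruby
# Added example: why user input in a session key is session manipulation.
# Not Brakeman or Rails code; the names below are constructed for illustration.

# Stand-in for a Rails session store. Like ActionDispatch::Request::Session,
# it converts every key to a String, so session[:user_id] and
# session["user_id"] address the same entry.
class Session
  def initialize
    @data = {}
  end

  def [](key)
    @data[key.to_s]
  end

  def []=(key, value)
    @data[key.to_s] = value
  end

  def to_h
    @data.dup
  end
end

# VULNERABLE (the shape the new Brakeman check flags): the session key comes
# straight from the request. Whoever controls params controls which session
# entry is written, including entries the app trusts for authentication.
def store_preference_vulnerable(session, params)
  session[params['name']] = params['value']
end

# FIXED: user input only selects among a fixed allow-list of keys; anything
# else is rejected before it can touch the session.
ALLOWED_PREFS = %w[theme locale].freeze

def store_preference_safe(session, params)
  name = params['name'].to_s
  unless ALLOWED_PREFS.include?(name)
    raise ArgumentError, "unknown preference #{name.inspect}"
  end
  session[name] = params['value']
end

# Simulates a logged-in user (id 42) followed by a crafted request that
# names the privileged key instead of a preference.
def demo_vulnerable
  session = Session.new
  session[:user_id] = 42 # set at login with a symbol key
  attacker_request = { 'name' => 'user_id', 'value' => '1' } # constructed
  store_preference_vulnerable(session, attacker_request)
  session[:user_id] # now "1": the attacker is treated as user 1
end

# Same crafted request against the fixed helper: the write is refused and
# the login state survives.
def demo_safe
  session = Session.new
  session[:user_id] = 42
  attacker_request = { 'name' => 'user_id', 'value' => '1' } # constructed
  begin
    store_preference_safe(session, attacker_request)
  rescue ArgumentError
    # rejected: key not in ALLOWED_PREFS
  end
  session[:user_id] # still 42
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: user_id after request = #{demo_vulnerable.inspect}"
  puts "fixed:      user_id after request = #{demo_safe.inspect}"
end
```

The symbol-versus-string distinction offers no protection here because Rails' session object stringifies keys on both read and write; the only reliable fix is to never let request data choose the key, only the value, and even then to validate the value for the key it lands in.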
Optional Check for Weak Hashes
An optional check to look for use of MD5 and SHA1 has been added to this release. Run with -t WeakHash to use just this optional check, or -A to run all checks.
Cody Frederick fixed an issue with determining absolute paths on Windows.
Search for Methods by Regex
Alex Ianus re-introduced the ability to search the CallIndex with regular expressions for methods:
Haml users may have noticed warnings with
find_and_preserve is treated as though it just passes through its arguments. Calls to render_with_options will be treated as unescaped output.
Along with this change,
Chained assignments like a = b = c = 1 will now be handled correctly. This fixes a very old issue from 2012.
While Brakeman already treated
a.b(), there is a surprising amount of code which does a.try(&:b). This is totally unnecessary, but Brakeman now handles it as well.
More Arel Whitelisting
A number of Arel methods have been whitelisted to avoid warning about them inside SQL query building.
Decorated Models in Links
If the Draper gem is used, Brakeman will ignore calls to
Newer terminal-table releases are supported now and the dependency has been relaxed.
The SHA1 sums for this release are:
cfd1840116c20b0b8932720fdaac09dd4e47091a brakeman-3.1.1.gem
603389da732d307a014af445a1f312415b65a682 brakeman-min-3.1.1.gem