This release is mostly bug fixes and false positive reduction. However, please note fingerprints for inline render warnings will change.
Changes since 3.1.1:
- Sortable tables in HTML report (David Lanner)
- Add line numbers to class-level warnings
- Warn on SQL query keys, not values in hashes (#738)
- Set user input value for inline renders
- Avoid warning on inline renders with safe content types
- Treat current_user like a model (#744)
- Avoid warning about private def ...
- Handle empty interpolation in HAML filters (#732)
- Catch divide-by-zero in alias processing (#729)
- Ignore filters that are not method names
- Search for config file relative to application root
- Use SafeYAML to load configuration files
- Allow inspection of recursive Sexps
- Reduce string allocations in
Sortable HTML Report Tables
David Lanner added the ability to sort the tables in the HTML report by clicking on the column headers.
Line Numbers for Class Warnings
When warning about an entire class (like a model missing attr_accessible), the warning now carries a line number, which points to the beginning of the class.
SQL Query Hashes
A long-standing bug caused Brakeman to warn about user input in the values of query hashes (e.g., User.where(:x => params[:x]), which ActiveRecord binds as a query parameter) when it was only intended to warn about user input in the keys, where the input becomes a column reference in the generated SQL. This is fixed (#738).
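The key-versus-value distinction above, as an added illustration that is not Brakeman's own code: Brakeman parses with ruby_parser, but this uses the standard library's Ripper sexp so it runs with nothing but a Ruby interpreter, and the list of user-input receivers (params, cookies, request) is a constructed stand-in for Brakeman's real taint sources.

```ruby
require 'ripper'

# Constructed, deliberately short list of receivers treated as user input.
# Brakeman's real notion of user input is broader; this is a stand-in.
USER_INPUT_SOURCES = %w[params cookies request].freeze

# True if any identifier anywhere in the Ripper subtree names a user-input source.
def contains_user_input?(node)
  return false unless node.is_a?(Array)
  return true if node[0] == :@ident && USER_INPUT_SOURCES.include?(node[1])
  node.any? { |child| contains_user_input?(child) }
end

# Walk every `key => value` / `key: value` pair in the parsed code and record
# which side of each pair carries user input.
def hash_pair_taint(code)
  sexp = Ripper.sexp(code)
  raise ArgumentError, "could not parse: #{code.inspect}" if sexp.nil?

  pairs = []
  walk = lambda do |node|
    next unless node.is_a?(Array)
    if node[0] == :assoc_new
      key, value = node[1], node[2]
      pairs << { key: contains_user_input?(key), value: contains_user_input?(value) }
    end
    node.each { |child| walk.call(child) }
  end
  walk.call(sexp)
  pairs
end

# Mirrors the corrected behaviour: a query hash is only suspicious when user
# input reaches a key. ActiveRecord binds hash values as parameters, but keys
# become column references in the SQL text.
def sql_key_warning?(code)
  hash_pair_taint(code).any? { |pair| pair[:key] }
end

if __FILE__ == $PROGRAM_NAME
  [
    'User.where(:x => params[:x])',        # value tainted: no warning
    'User.where(params[:column] => 1)',    # key tainted: warn
    'User.where("#{params[:col]}" => 1)',  # interpolated key: warn
  ].each { |code| puts "#{sql_key_warning?(code) ? 'WARN' : 'ok  '} #{code}" }
end
```

Because the check recurses through the whole key subtree, a key built by string interpolation from params is flagged just like a bare params[:col] key, while the parameterized value form stays quiet.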
Inline Render Warnings
For inline render warnings, Brakeman will now report the render call as the code value and the user input as the user_input value. Please note the code will look a little different from what Brakeman reports elsewhere, as render calls are turned into a slightly different AST node internally. This will definitely change fingerprints for these warnings. Inline renders with safe content types will also no longer produce warnings.
current_user as a Model
In a couple of places, Brakeman will now treat current_user like a model instance, which it almost always is (#744). This will probably be expanded in future releases.
private def
Using private with the return value of def (which returns the method name as a symbol) will now work properly and no longer produce a warning:
private def secret_stuff
  # ...
end
Empty HAML Interpolation
Empty HAML interpolation inside of filters will no longer cause crashes and will be handled properly.
Divide by Zero
Brakeman sometimes divides by zero when it performs simple arithmetic during constant folding. This is now caught during alias processing and reported as an error (#729); someday it should be downgraded to a warning instead.
Config File Changes
When looking for the config/brakeman.yml configuration file, Brakeman will now look relative to the application path instead of the current working directory.
Configuration files are now loaded with the SafeYAML gem, which refuses to instantiate arbitrary Ruby objects from YAML tags. This prevents code execution via a malicious config file for those running Brakeman against untrusted code.
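An added example of the loader change described above, not Brakeman's code: Brakeman uses the SafeYAML gem, whereas this uses the equivalent restricted loader in Ruby's standard Psych library so it runs without extra gems. The ConstructedGadget class and both config strings are constructed for the demonstration.

```ruby
require 'yaml'

# Constructed stand-in for a class an attacker would like the loader to
# instantiate. Real attacks chain onto classes already loaded in the
# scanning process; this one just records what was set on it.
class ConstructedGadget
  attr_reader :cmd
end

# Constructed hostile config/brakeman.yml: the !ruby/object tag asks an
# unrestricted loader to allocate an arbitrary class and set its ivars.
HOSTILE_CONFIG = <<~YAML
  :skip_checks:
    - CheckDefaultRoutes
  :app_path: !ruby/object:ConstructedGadget
    cmd: "id"
YAML

# Constructed benign config using the same keys.
BENIGN_CONFIG = <<~YAML
  :skip_checks:
    - CheckDefaultRoutes
  :app_path: "/tmp/app"
YAML

# Restricted load: plain data plus Symbol (Brakeman config keys are symbols),
# no aliases, no object tags. Returns [:ok, hash] or [:rejected, reason].
def load_config_safely(yaml_text)
  config = YAML.safe_load(yaml_text, permitted_classes: [Symbol], aliases: false)
  [:ok, config]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

# Unrestricted load, the behaviour a safe loader is introduced to avoid.
# Psych 4 (Ruby 3.1+) calls it unsafe_load; on older Psych, YAML.load itself
# is unrestricted.
def load_config_unsafely(yaml_text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml_text) : YAML.load(yaml_text)
end

if __FILE__ == $PROGRAM_NAME
  p load_config_safely(BENIGN_CONFIG)
  p load_config_safely(HOSTILE_CONFIG)
  p load_config_unsafely(HOSTILE_CONFIG)[:app_path].class
end
```

The restricted loader rejects the hostile file outright with a DisallowedClass error naming the tagged class, while the unrestricted loader silently allocates ConstructedGadget and populates it from the attacker's YAML, which is exactly the foothold the SafeYAML change removes.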
The SHA256 sums for this release are:
c01f07ccc2490d0421e5974499c57f519aa371bfab5d25ba3b224e7ae9e2c415 brakeman-3.1.2.gem
d820c872cbe7bc8452c9bd8bd46d990ff1c0d53ee621c09f1997270fc978f783 brakeman-min-3.1.2.gem
Thank you to everyone who reported bugs fixed in this release.
Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.
Also consider following @brakeman on Twitter, joining the mailing list, or hanging out on Gitter.