Ruby on Rails Static Analysis Security Tool

Brakeman 3.2.0 Released

This release sheds a couple dependencies and adds support for new Ruby 2.3 syntax.

Changes since 3.1.5:

  • Support calls using &. operator (#796)
  • Handle CoffeeScript in HAML (#813)
  • Avoid render warnings about params[:action]/params[:controller] (#812)
  • Only update ignore config file on changes (#824)
  • Sort ignore config file
  • Index calls in class bodies but outside methods (#814)
  • Skip Symbol DoS check on Rails 5
  • Fix finding calls with targets: nil
  • Remove fastercsv dependency
  • Remove multi-json dependency

Ruby 2.3 Lonely Operator

With the update of RubyParser to 3.8.1 (and Ruby2Ruby to 2.3), Brakeman now supports the new &. operator and should treat it like a regular method call.


CoffeeScript in HAML

This release handles CoffeeScript embedded in HAML better and should reduce some false positives.


Render Warnings on Safe Parameters

Brakeman will no longer warn on render params[:action] or render params[:controller], as those values cannot be controlled by an attacker.


‘Ignore’ Configuration Changes

The “ignore config” files generated by Brakeman are now sorted and will only update on changes, instead of always writing a new file.


Index Calls Outside Methods

Calls that are outside methods (but inside class bodies) can now be found in Brakeman checks.


Skip Symbol DoS with Rails 5

Rails 5 requires Ruby >= 2.2.2, which now garbage collects symbols. If the SymbolDoS check is run on a Rails 5 application (it’s already optional), it will no longer warn.
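As an added illustration of why the check is moot on Ruby >= 2.2 (this is example code, not Brakeman's own), the script below interns constructed attacker-style strings the way an unsafe params[:x].to_sym would, counts them with ObjectSpace.count_symbols, and shows a full GC reclaiming them; the allowlist helper at the end is the usual fix the SymbolDoS warning asks for on older Rubies. The names symbol_gc_experiment, safe_sort_column and SORT_COLUMNS are the example's own.

```ruby
# Added example, not Brakeman's code. Ruby >= 2.2 makes symbols created with
# String#to_sym "mortal": once nothing references them they are collected,
# so interning untrusted input no longer grows memory without bound.
require 'objspace'

# Dynamically created symbols that are still eligible for collection.
def mortal_symbol_count
  ObjectSpace.count_symbols[:mortal_dynamic_symbol]
end

# Interns `count` unique strings the way an unsafe `params[:x].to_sym` does.
# The strings are constructed here and stand in for attacker-chosen input;
# the resulting symbols are deliberately not stored anywhere.
def intern_untrusted_strings(count, tag)
  count.times { |i| "untrusted-#{tag}-#{i}".to_sym }
  nil
end

# Returns [before, peak, after]: mortal symbol counts before interning,
# right after it (GC paused so nothing is reclaimed early), and after a
# full GC. On Ruby >= 2.2 `after` falls back toward `before`; on 1.9-2.1
# every symbol would stay forever, which is the Symbol DoS Brakeman flags.
def symbol_gc_experiment(count = 20_000)
  GC.start                      # finish any pending sweep first
  before = mortal_symbol_count
  GC.disable
  intern_untrusted_strings(count, "#{Process.pid}-#{rand(1 << 30)}")
  peak = mortal_symbol_count
  GC.enable
  GC.start
  after = mortal_symbol_count
  [before, peak, after]
end

# The fix the SymbolDoS warning asks for on older Rubies (hypothetical
# allowlist): map untrusted input through a fixed set, never intern it raw.
SORT_COLUMNS = %w[name created_at updated_at].freeze

def safe_sort_column(untrusted)
  SORT_COLUMNS.include?(untrusted) ? untrusted.to_sym : :name
end

if __FILE__ == $PROGRAM_NAME
  before, peak, after = symbol_gc_experiment
  puts "mortal symbols: before=#{before} peak=#{peak} after_gc=#{after}"
  puts "reclaimed #{peak - after} of #{peak - before} newly interned symbols"
end
```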


Dependency Removal

Since Ruby 1.8 is no longer supported, this release removes the legacy fastercsv and multi-json dependencies.


The SHA256 sums for this release are

d1d1468fcca0ec5dd99c53af2018b781a8efe06483190aef9d13b1abcbb7e2a0  brakeman-min-3.2.0.gem
07023148564668cc39911eec0354ca03774be1f8a03d66162f53a5dde44bb502  brakeman-3.2.0.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed improvements in this release.

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter and hanging out on Gitter for questions and discussion. Please note the mailing list is no longer in use and has apparently not been delivering mail for some time.