This release sheds a couple dependencies and adds support for new Ruby 2.3 syntax.
Changes since 3.1.5:
- Support calls using
- Handle CoffeeScript in HAML (#813)
- Avoid render warnings about
- Only update ignore config file on changes (#824)
- Sort ignore config file
- Index calls in class bodies but outside methods (#814)
- Skip Symbol DoS check on Rails 5
- Fix finding calls with
Ruby 2.3 Lonely Operator
With the update of RubyParser to 3.8.1 (and Ruby2Ruby to 2.3), Brakeman now supports the new &. operator and should treat it like a regular method call.
CoffeeScript in HAML
This release handles CoffeeScript embedded in HAML better and should reduce some false positives.
Render Warnings on Safe Parameters
Brakeman will no longer warn on render params[:action] or render params[:controller], as those values are not able to be controlled by an attacker.
‘Ignore’ Configuration Changes
The “ignore config” files generated by Brakeman are now sorted and will only update on changes, instead of always writing a new file.
Index Calls Outside Methods
Calls that are outside methods (but inside class bodies) can now be found in Brakeman checks.
Skip Symbol DoS with Rails 5
Rails 5 requires Ruby >= 2.2.2, which now garbage collects symbols. If the SymbolDoS check is run on a Rails 5 application (it’s already optional), it will no longer warn.
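The symbol garbage collection behind this change can be observed directly on Ruby 2.2 or later. The script below is an added example, not part of Brakeman or the original post; its method names, the symbol prefix and the symbol count are constructed for the demonstration.

```ruby
# Added example (not Brakeman code): measure whether symbols created from
# strings at run time are reclaimed by the garbage collector.

# Number of dynamically created Symbol objects currently on the heap.
# The key is missing from the hash when the count is zero, hence fetch.
def dynamic_symbol_count
  ObjectSpace.count_objects.fetch(:T_SYMBOL, 0)
end

# Stand-in for application code that calls to_sym on untrusted strings,
# such as request parameter names. Nothing keeps a reference to the result.
def intern_untrusted(count, prefix)
  count.times { |i| "#{prefix}_#{i}".to_sym }
  nil
end

# Returns how many symbols were created and how many survived a full GC.
def symbol_gc_report(count = 50_000)
  GC.start
  baseline = dynamic_symbol_count

  # Pause GC while creating the symbols so the peak is measured exactly.
  GC.disable
  begin
    intern_untrusted(count, "constructed_param_#{Process.pid}")
    peak = dynamic_symbol_count
  ensure
    GC.enable
  end

  GC.start
  after_gc = dynamic_symbol_count
  { created: peak - baseline, retained: after_gc - baseline }
end

if __FILE__ == $PROGRAM_NAME
  report = symbol_gc_report
  puts "Ruby #{RUBY_VERSION}"
  puts "symbols created from strings: #{report[:created]}"
  puts "still alive after GC:         #{report[:retained]}"
end
```

A retained count near zero means the symbols were reclaimed after use, so interning untrusted strings no longer grows memory without bound.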
Since Ruby 1.8 is no longer supported, this release removes the legacy
The SHA256 sums for this release are:
d1d1468fcca0ec5dd99c53af2018b781a8efe06483190aef9d13b1abcbb7e2a0 brakeman-min-3.2.0.gem
07023148564668cc39911eec0354ca03774be1f8a03d66162f53a5dde44bb502 brakeman-3.2.0.gem
Thank you to everyone who reported bugs and contributed improvements in this release.
Also consider following @brakeman on Twitter and hanging out on Gitter for questions and discussion. Please note the mailing list is no longer in use and has apparently not been delivering mail for some time.