This release is mostly bug fixes and internal improvements, although it may find more warnings due to indexing of view helpers.
- Index calls in view helpers
- Process inline template renders (#672)
- Show path when no Rails app found (Neil Matatall)
- Avoid warning about hashes in
- Improve return value guesses
- Ignore boolean methods in render paths
- Reduce open redirect duplicates
- Fix SymbolDoS error with unknown Rails version
Calls in view helpers are now indexed, which means Brakeman will search them for potential vulnerabilities.
Brakeman will now process inline templates in controllers, if they are using ERB (the default):
render :inline => "<%= params[:x].html_safe %>"
Rails App Path
Thanks to Neil Matatall, Brakeman will now display the path it tried to search for a Rails application if it cannot find it:
Please supply the path to a Rails application (looking in /some/path/).
Hashes as URLs
Brakeman will no longer warn about obvious hash arguments in the HREF for
link_to calls, as well as handling
In some cases, Brakeman attempts to determine the possible return value(s) of a method call. This release includes a number of improvements to those guesses which may make some warnings easier to understand and fix some false positives.
Render Path Booleans
The check for dynamic render paths will no longer warn about methods ending in
This release refactored much of the warning duplicate tracking, and as such there should be fewer duplicate warnings about open redirects.
The SHA256 sums for this release are
490bf7b47d4edbb29fd3f87c5dafa50aec2888d495b64275a635df324a8476e9 brakeman-3.3.3.gem 793f1c69cca2681bdd0c98f11307ace4f1a43ed594dd45cbe5b67f0383e76e2f brakeman-lib-3.3.3.gem dcc3a75b12f84cac582d383a375d3b85d033e25ba42af051bedcdc8b5377c2c5 brakeman-min-3.3.3.gem
Thank you to everyone who reported bugs and contributed improvements in this release.