- Configurable engines path (Jason Yeo)
- Check CSRF setting in direct subclasses of
ActionController::Base(Jason Yeo) - Pull Ruby version from
.ruby-versionor Gemfile - Use Ruby version to turn off SymbolDoS check (#928)
- Fix ignoring link interpolation not at beginning of string (#939)
- Show action help at start of interactive ignore (#949)
- Avoid warning about
where_values_hashin SQLi (#942)
Engine Paths Option
Thanks to the work of Jason Yeo, Brakeman now supports custom paths to Rails engines uses the --add-engines-path option.
Multiple comma-separated paths may be configured. To include all subdirectories, use * (e.g. my_engines/*). Absolute paths may be used for engines outside the application.
(changes)
Expanded CSRF Check
Also thanks to Jason Yeo, any controller with ActionController::Base as a direct parent will be checked for a protect_from_forgery call.
(changes)
Ruby Version Info
Brakeman will now pull information about the Ruby version used for an application either from the Gemfile or .ruby-version. Right now this is only used for disabling (the already optional) Symbol DoS check for versions of Ruby that have symbol garbage collection.
(changes)
Link Interpolation False Positive
Brakeman’s warning about interpolating user input into URLs has always checked to see if the interpolation was at the beginning of the string. However, that check didn’t work if the first thing in the string was another interpolation. This has been fixed.
(changes)
More Help in Interactive Ignore
For clarity, “interactive ignore” mode will now display the action options before going through each warning.
(changes)
Reporting Issues
Thank you to everyone who reported bugs and contributed to this release.
Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.
Also consider following @brakeman on Twitter and hanging out on Gitter for questions and discussion.