Changes since 3.4.1:
- Warn about SQL injection even if target is not known ActiveRecord model
- Avoid warning about models as SQL injection (#655, #680, #833)
- Avoid warning about SQLi in `last` after Rails 4.0
- Treat templates without `.html` as HTML anyway (#790)
- Report check name in JSON and plain reports (#971)
- Add `--ensure-latest` option (tamgrosser / Michael Grosser)
- Add `--no-summary` to hide summaries in HTML/text reports (#963)
- Fail on invalid checks specified by `-t` or `-x`
- Handle `included` block in concerns (#958)
- Updated RubyParser/Ruby2Ruby dependencies
SQL Injection Improvements
This release includes several changes to the SQL Injection check.
First, Brakeman will no longer restrict SQL injection warnings to calls on known ActiveRecord models. While this may lead to a few false positives, there were too many reports of obvious SQL injection being missed. This reverses a decision made previously. Warnings that may involve non-models are given a lower confidence.
Next, SQL that includes calls on model targets will no longer generate warnings. There were too many false positives and no known vulnerabilities flagged by this.
Finally, Brakeman will no longer check calls to `last`, as they changed in Rails 4.1.
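To make the three rule changes above concrete, here is an added example (not Brakeman's own code) that approximates the triage described: interpolation into a SQL string is reported regardless of whether the receiver is a known model, the confidence is lowered when the receiver is not a known model, and interpolations that are only calls on known models are skipped. The model list and the sample source lines are constructed for the example.

```ruby
# Added example, not part of Brakeman. A toy approximation of the SQL
# injection triage rules in the 3.5.0 release notes.

# Assumed (hypothetical) set of ActiveRecord models in the scanned app.
KNOWN_MODELS = %w[User Post].freeze

# Query-building methods whose first argument is a string literal.
SQL_METHODS = /\.(where|find_by_sql|order|group|having|select)\(\s*"/
# Ruby string interpolation: #{ ... }
INTERP = /#\{([^}]*)\}/
# Obvious user-controlled input.
USER_INPUT = /\bparams\b|\bcookies\b|\brequest\b/

# Returns :high, :medium, :weak, or nil (no warning) for one source line.
def classify_sql_line(line, models = KNOWN_MODELS)
  return nil unless line =~ SQL_METHODS

  exprs = line.scan(INTERP).flatten
  return nil if exprs.empty?                 # no interpolation, nothing to flag

  target = line[/\b([A-Z]\w*)\./, 1]         # receiver constant, e.g. "User"
  model_target = models.include?(target)

  # Rule: interpolations that are just calls on known models (User.first.id)
  # are not treated as injection.
  risky = exprs.reject { |e| models.any? { |m| e.start_with?("#{m}.") } }
  return nil if risky.empty?

  # Rule: warn even when the target is not a known model, but with lower
  # confidence than the same pattern on a model.
  if risky.any? { |e| e =~ USER_INPUT }
    model_target ? :high : :medium
  else
    model_target ? :medium : :weak
  end
end

# Scan several lines and return { line => confidence } for flagged ones.
def scan_sql_lines(lines, models = KNOWN_MODELS)
  lines.each_with_object({}) do |l, out|
    c = classify_sql_line(l, models)
    out[l] = c if c
  end
end

# Constructed sample source lines (not from any real application).
SAMPLE_LINES = [
  %q{User.where("name = '#{params[:name]}'")},        # model + user input
  %q{Report.where("created_by = '#{params[:id]}'")},  # non-model + user input
  %q{User.where("id = #{User.first.id}")},            # only model calls, skipped
  %q{User.where("id = ?", params[:id])},              # parameterized, skipped
  %q{Post.order("#{sort_col} DESC")},                 # model + unknown local
].freeze

if $PROGRAM_NAME == __FILE__
  scan_sql_lines(SAMPLE_LINES).each { |l, c| puts "#{c.to_s.ljust(6)} #{l}" }
end
```

The confidence levels mirror Brakeman's High/Medium/Weak labels; the regexes are deliberately simple and would not replace Brakeman's AST-based analysis.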
Templates which do not specify any extension (e.g. just `.erb` instead of `.html.erb`) will still be treated as HTML instead of being ignored.
Check Name in Reports
The plain and JSON reports now include the name of the check that generated the warning.
Option to Enforce Latest Brakeman
A `--ensure-latest` option has been added. If there is a newer version of Brakeman available, this option will cause Brakeman to exit with a non-zero exit code.
Option to Hide Summary
With `--no-summary` and either the plain or "table" output, Brakeman will only report warnings, no metadata. Probably most useful in combination with
Fail on Invalid Checks
When using `-t` or `-x` to control which checks are run, Brakeman will now fail if the options supplied do not match existing check names.
`-t None` may be used to avoid running any checks.
Handle Included Concerns
Brakeman will now handle the `included` block in Concerns. Additionally, to support this, Concerns are processed prior to other classes.
The SHA256 sums for this release are:
49fd8b3e6c1f348304bdbfc3b5d4cfbd465a5b5d4feec8337bbe3df7836787be brakeman-3.5.0.gem
2ef50a61ca4aa1cff1f28dfe6308ea53157d996975519f5ae5c9266bf5772fb0 brakeman-min-3.5.0.gem
766c9da778e3be36ca709e637276f090514dbc0ddde5e261a1baff6da351480e brakeman-lib-3.5.0.gem
Thank you to everyone who reported bugs and contributed to this release.