Ruby on Rails Static Analysis Security Tool

Brakeman 3.7.0 Released

Changes since 3.6.2:

  • Avoid interpolating hashes/arrays on failed access (#921)
  • Fix false positive for redirect_to in Rails 4 (Mário Areias)
  • Show progress indicator in interactive mode (#1012)
  • Handle simple conditional guards that use return (#1057)
  • Improve support for rails4/rails5 options in config file (#1059)
  • Updated RubyParser to master

Performance Improvement with Hash/Array Accesses

When Brakeman sees a hash or array access that it cannot resolve (i.e. can’t find the value for the key), it will no longer copy the entire hash/array value to the call site.

For some applications, this will significantly improve performance.

This may cause some warning fingerprints to change.


Unsafe Hash in Redirects

Thanks to Mário Areias, Brakeman correctly handles to_unsafe_hash and to_unsafe_h in redirect_to.


Progress Indicator in Interactive Mode

When using -I to manage false positives, Brakeman will now show how far you are through the warnings.



Simple Guards with Return

Brakeman can now recognize simple guard conditions such as:

return unless [:safe, :values].include? params[:x]


Rails Version Option in Brakeman Configuration

It is now possible to specify just :rails4: true or :rails5: true in a Brakeman configuration file.


Updated RubyParser

The main brakeman gem bundles as-of-yet unreleased changes in RubyParser. This includes “squiggly heredoc” support (<<~), improved line numbers, and a few other fixes.


The SHA256 sums for this release are:

f46550d7c7827644a5663ccc10a6ca222e2534648f68630e3a777cb73df59824  brakeman-3.7.0.gem
0ea5359ae802284695500b92a03bf1d022574953a0da44607ff7f715f456c37e  brakeman-min-3.7.0.gem
f6f17e9f1f71a68b486d68f2b3413607fb47154a0fb6a6da23d9d7be87f37967  brakeman-lib-3.7.0.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release.

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.

If you find Brakeman valuable and want to support its development, check out Brakeman Pro.