Changes since 3.6.2:
- Avoid interpolating hashes/arrays on failed access (#921)
- Fix false positive for `redirect_to` in Rails 4 (Mário Areias)
- Show progress indicator in interactive mode (#1012)
- Handle simple conditional guards that use `return` (#1057)
- Improve support for `rails4`/`rails5` options in config file (#1059)
- Updated RubyParser to master
Performance Improvement with Hash/Array Accesses
When Brakeman sees a hash or array access that it cannot resolve (i.e. can’t find the value for the key), it will no longer copy the entire hash/array value to the call site.
For some applications, this will significantly improve performance.
This may cause some warning fingerprints to change.
Unsafe Hash in Redirects
Thanks to Mário Areias, Brakeman correctly handles `to_unsafe_hash` and `to_unsafe_h` in `redirect_to`.
Progress Indicator in Interactive Mode
When using `-I` to manage false positives, Brakeman will now show how far you are through the warnings.
Simple Guards with Return
Brakeman can now recognize simple guard conditions such as:
return unless [:safe, :values].include? params[:x]
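As an added illustration (not Brakeman's own code), here is the early-return guard shape described above placed in front of a typical sink, beside the unguarded form that Brakeman would still report; plain Ruby with a hash standing in for Rails `params` is an assumption.

```ruby
# Constructed example: an allow list of sortable columns and two variants
# of a method that builds an ORDER BY fragment from a request parameter.
# A plain hash stands in for Rails params (assumption).

ALLOWED_SORT = ["name", "created_at"].freeze

# Unguarded: params[:sort] flows straight into the SQL fragment, so
# Brakeman reports user input in a SQL query.
def order_clause_unguarded(params)
  "ORDER BY #{params[:sort]}"
end

# Guarded with the simple "return unless ... include?" form from the
# release notes. The method returns nil before the interpolation whenever
# the value is outside the allow list, so only a known literal can reach
# the query, and Brakeman 3.7.0 recognizes this as a guard.
def order_clause_guarded(params)
  return unless ALLOWED_SORT.include? params[:sort]
  "ORDER BY #{params[:sort]}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed requests: one expected value, one outside the allow list.
  [{ sort: "name" }, { sort: "secret_column" }].each do |params|
    puts "unguarded: #{order_clause_unguarded(params).inspect}"
    puts "guarded:   #{order_clause_guarded(params).inspect}"
  end
end
```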
Rails Version Option in Brakeman Configuration
It is now possible to specify just `:rails4: true` or `:rails5: true` in a Brakeman configuration file.
Updated RubyParser
The main `brakeman` gem bundles as-yet-unreleased changes in RubyParser. This includes "squiggly heredoc" support (`<<~`), improved line numbers, and a few other fixes.
Checksums
The SHA256 sums for this release are:
Reporting Issues
Thank you to everyone who reported bugs and contributed to this release!
Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.
Hang out on GitHub for questions and discussion.