Wow, it has been too long since the last release!
Changes since 4.0.1:
- Add check for dangerous keys in `params.permit`
- Add optional check for divide by zero
- Remove errors about divide by zero
- Warn about dynamic values in `Arel.sql`
- Show better location for Sass errors (Andrew Bromwich)
- Avoid warning about file access for temp files (#1110)
- Avoid CSRF warning in Rails 5.2 default config (#1132)
- Better processing of `x[:y] += 1` (#1103)
- Handle nested destructuring/multiple assignment
- Do not warn on `params.permit` with safe values (#1000)
- Use HTTPS for warning links
- Try to guess options for `less`
- Do not page if results fit on screen
- Leave results on screen after paging
- Fix upgrade version for CVE-2016-6316
- Support `include_paths` for Code Climate engine (Will Fleming)
- Support `app_path` configuration for Code Climate engine (Noah Davis)
- Refactor Code Climate engine options parsing (Noah Davis)
New Check for Dangerous Permit Keys
Very similar to the existing warning about potentially dangerous keys in `attr_accessible`, Brakeman now warns about potentially dangerous keys whitelisted for mass assignment via `params.permit`.
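As an added illustration of what this kind of check looks for (example code written for this post, not Brakeman's own implementation), the following script parses controller source with the standard library's Ripper and flags `permit` calls whose literal keys fall in an assumed dangerous-key list; the list and the sample controller are constructed for the example.

```ruby
require "ripper"
# Assumed illustrative list of privilege-granting keys (not Brakeman's own list).
DANGEROUS_KEYS = %w[admin role banned account_id]

# Constructed sample controller: lines 3 and 6 whitelist dangerous keys, line 9 is safe.
SAMPLE_CONTROLLER = <<~RUBY
  class UsersController < ApplicationController
    def user_params
      params.require(:user).permit(:name, :email, :admin)
    end
    def profile_params
      params.permit :bio, role: [], account_id: []
    end
    def safe_params
      params.permit(:name, :email)
    end
  end
RUBY
# Collect symbol and `key:` label literals under a node (a splat like permit(*keys) yields none).
def symbols_in(node, acc = [])
  return acc unless node.is_a?(Array)
  case node[0]
  when :symbol_literal then acc << node.flatten.find { |t| t.is_a?(String) }
  when :@label         then acc << node[1].chomp(":")
  else node.each { |child| symbols_in(child, acc) }
  end
  acc
end
# [method_token, argument_node] for `recv.permit(...)` / `recv.permit ...`, else nil.
def permit_call(node)
  ident, args = case node[0]
                when :method_add_arg then [node[1][3], node[2]] if node[1].is_a?(Array) && node[1][0] == :call
                when :command_call   then [node[3], node[4]]
                end
  [ident, args] if ident.is_a?(Array) && ident[0] == :@ident && ident[1] == "permit"
end

# Map each source line whose permit call whitelists a dangerous key to those keys.
def dangerous_permits(source)
  findings = {}
  walk = lambda do |node|
    return unless node.is_a?(Array)
    ident, args = permit_call(node)
    bad = ident ? symbols_in(args) & DANGEROUS_KEYS : []
    findings[ident[2][0]] = bad unless bad.empty?
    node.each { |child| walk.call(child) }
  end
  walk.call(Ripper.sexp(source))
  findings
end
```

Running `dangerous_permits(SAMPLE_CONTROLLER)` reports the `admin` key on line 3 and `role` and `account_id` on line 6, while the all-safe `permit` on line 9 produces no finding.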
New Optional Check for Division by Zero
Previously, Brakeman would report errors when it encountered potential division by zero. Now, it optionally reports warnings instead.
`Arel.sql` allows one to add raw SQL to queries. Brakeman now warns about potential SQL injection when using `Arel.sql` with dynamic values.
Sass Error Locations
Thanks to Andrew, Brakeman now reports actual file names for errors involving Sass.
Brakeman no longer warns about file access for temporary files.
Rails 5.2 CSRF Configuration
In Rails 5.2, CSRF protection is enabled by default. Brakeman will now respect this.
Attribute Combination Assignment
This release handles code like `x[:y] += 1` better. Previously, it would not update the value for `x[:y]`.
Brakeman can now handle nested multiple assignment, like `x, (a, b), y = z`, assuming `z` is known to be an array.
The default pager (`less`) now leaves the output in the terminal after exiting and exits immediately if the output fits on the screen. Additionally, Brakeman attempts to detect whether these options are actually supported by `less` before using them.
In case this one was keeping you up at night, Brakeman now reports the correct upgrade version for CVE-2016-6316.
HTTPS for Warning Links
Links to brakemanscanner.org in reports are now HTTPS! Only makes sense.
Code Climate Updates
The Brakeman engine on Code Climate now supports `include_paths` and `app_path` configuration.
The SHA256 sums for this release are:

1dd62ee8aa872acf5d0aace6dc0745b55c78da68640f04754bf11c12a58842bf brakeman-4.1.0.gem
a16bd3082223655f132ff4c601f5d1930290082116fc256c5c1e652ff3ba933a brakeman-lib-4.1.0.gem
29d9be77b06195675e6b803141da979438983c0970c182fe8b8ccf3145ecda9f brakeman-min-4.1.0.gem
Thank you to everyone who reported bugs and contributed to this release.
If you find Brakeman valuable and want to support its development (and get more features!), check out Brakeman Pro.