Brakeman 4.2.0 Released

First release of 2018!

Update ERb Handling for Ruby 2.5.0

The way ERb templates are compiled changed in Ruby 2.5.0 to use String#<<, so Brakeman has been changed to accomodate.

Please note ERb also changed such that <% # is not supported in Ruby 2.5.0. It will be fixed in the next Ruby release, but the correct syntax is <%#.

(changes)

Exclude Template Folders

Files in lib/**/templates will be ignored, since they are generally ERb files, not actually Ruby.

(changes)

SQL Injection with not

In ActiveRecord, not takes the same arguments as where, making it just as vulnerable to SQL injection.

Thank you to Jobert Abma for reporting this.

(changes)

Symbol DoS False Positive

Brakeman will no longer warn about Model#attributes.symbolize_keys.

(changes)

Open Redirect False Positive

Brakeman will no longer warn about open redirects with Model#something_ending_in_path.

(changes)

Shellwords Escaping

Brakeman will no longer warn about command injection when Shellwords.escape and friends are used.

Please note that user input in shell commands is rarely a good idea, even if escaped, since they can change the behavior of the program in unexpected ways. Many Linux tools have options that allow arbitrary code execution.

(changes)

Use Initialized Environment in Libraries

When processing libraries, instance variables set in initialize will be used in subsequent methods.

(changes)

Update RubyParser

This release includes updated versions of RubyParser and friends. This may cause some warning fingerprints to change if they include a call to self[...].

(changes)