First release of 2018!
Changes since 4.1.1:
- Handle ERb use of String#<< method for Ruby 2.5 (Pocke)
- Exclude template folders in lib/ (lib/**/templates)
- Warn about SQL injection with not (it takes the same arguments as where)
- Avoid warning about symbol DoS on
- Avoid warning about open redirects with model methods ending with
- Avoid warning about command injection with Shellwords.escape and friends
- Use ivars from initialize in libraries
- Fix multiple assignment of globals (#1155)
- Update RubyParser to 3.11.0
Update ERb Handling for Ruby 2.5.0
The way ERb templates are compiled changed in Ruby 2.5.0: the generated code now appends to the output buffer with String#<<, so Brakeman's ERb handling has been updated to accommodate this.
Please note ERb also changed such that <% # (a space between the percent sign and the hash) is not supported in Ruby 2.5.0. It will be fixed in the next Ruby release, but the correct syntax is
Exclude Template Folders
lib/**/templates will be ignored, since those directories generally hold ERb templates (for example, generator templates) rather than Ruby code, and parsing them as Ruby only produces noise.
SQL Injection with
not (the Rails where.not chain) takes the same arguments as where, making it just as vulnerable to SQL injection when a string built from user input is passed in. Brakeman now checks not calls the same way it checks where calls.
Thank you to Jobert Abma for reporting this.
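The following is an added example for these notes, not Brakeman's or Rails' code. MiniSql is a small stand-in for the three argument forms where and where.not both accept in Rails (a raw string, a string with ? placeholders, and a hash), so the interpolated-string form that Brakeman flags for where, and now for not, can be compared with the two forms that quote or bind the value. The table name, the attacker string and the helper names are all constructed for the example.

```ruby
# Added example; not Brakeman's or Rails' code. MiniSql mimics how a query
# builder treats the three argument shapes that where/where.not accept:
#   - a raw String is dropped into the SQL verbatim (injectable)
#   - a String with "?" placeholders gets each bind value quoted
#   - a Hash becomes column = quoted-value predicates
module MiniSql
  TABLE = "users" # constructed table name for the example

  # SQL-style single-quote doubling; enough for this illustration only.
  def self.quote(value)
    "'" + value.to_s.gsub("'", "''") + "'"
  end

  def self.predicate(arg, binds)
    case arg
    when Hash
      arg.map { |column, value| "#{column} = #{quote(value)}" }.join(" AND ")
    when String
      remaining = binds.dup
      arg.gsub("?") { quote(remaining.shift) }
    else
      raise ArgumentError, "unsupported where argument: #{arg.inspect}"
    end
  end

  def self.where(arg, *binds)
    "SELECT * FROM #{TABLE} WHERE (#{predicate(arg, binds)})"
  end

  # where.not wraps exactly the same predicate in NOT (...), which is why it
  # carries exactly the same injection risk.
  def self.where_not(arg, *binds)
    "SELECT * FROM #{TABLE} WHERE NOT (#{predicate(arg, binds)})"
  end
end

# Constructed attacker-controlled value, standing in for params[:name].
ATTACKER_NAME = "x' OR '1'='1"

# Interpolating the value into the SQL string is the pattern Brakeman 4.2.0
# now reports for not, as it already did for where: the quote in the input
# closes the literal and the OR clause becomes part of the query.
def vulnerable_query(name)
  MiniSql.where_not("name = '#{name}'")
end

# Hash form: the builder quotes the value.
def safe_hash_query(name)
  MiniSql.where_not(name: name)
end

# Placeholder form: the value is bound, not interpolated.
def safe_bind_query(name)
  MiniSql.where_not("name = ?", name)
end

if __FILE__ == $PROGRAM_NAME
  puts vulnerable_query(ATTACKER_NAME)
  puts safe_hash_query(ATTACKER_NAME)
  puts safe_bind_query(ATTACKER_NAME)
end
```

Running the file prints the three generated statements; only the first one contains the attacker's OR clause as live SQL, while the hash and placeholder forms produce the same correctly quoted literal.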
Symbol DoS False Positive
Brakeman will no longer warn about
Open Redirect False Positive
Brakeman will no longer warn about open redirects with
Command Injection False Positive
Brakeman will no longer warn about command injection when Shellwords.escape and friends are used.
Please note that passing user input to shell commands is rarely a good idea even when it is escaped. Escaping only stops the shell from interpreting metacharacters; the value still reaches the invoked program as an argument and can change its behavior in unexpected ways. Many Linux tools have options that allow arbitrary code execution, so a value that starts with a dash can be as dangerous as an unescaped one.
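The following added example (not Brakeman's code) shows what Shellwords.escape does and does not buy you, which is the reason both for the new exception and for the caveat above. The ls command and the sample inputs are constructed for the illustration; Shellwords.split is used to show how a POSIX shell would tokenise the resulting command line without actually executing anything.

```ruby
require "shellwords"

# Added example; not Brakeman's code. Constructed around ls purely to show
# the difference between shell escaping and argument safety.

# The pattern Brakeman 4.2.0 stops warning about: the escaped value is a
# single shell word, so metacharacters inside it cannot start a new command.
def escaped_command(user_input)
  "ls #{Shellwords.escape(user_input)}"
end

# How a POSIX shell would split that string into argv (Shellwords.split
# follows the same quoting and escaping rules).
def shell_words(command)
  Shellwords.split(command)
end

# Escaping preserves the word but says nothing about what ls will make of
# it: a word beginning with "-" is still parsed as an option by the program.
def looks_like_option?(word)
  word.start_with?("-")
end

# Argument form plus "--": no shell is involved at all, and "--" tells ls
# (and most GNU tools) that everything after it is an operand, never an
# option. Pass this array to system(*argv) / Process.spawn(*argv).
def safe_argv(user_input)
  ["ls", "--", user_input]
end

if __FILE__ == $PROGRAM_NAME
  ["foo; rm -rf /", "$(id)", "-R"].each do |input| # constructed inputs
    words = shell_words(escaped_command(input))
    puts "#{escaped_command(input).inspect} -> #{words.inspect}" \
         " option? #{looks_like_option?(words.last)}"
  end
  puts safe_argv("-R").inspect
end
```

The first two inputs show the escaping working: the injected command separator and the command substitution survive only as literal text inside one argument. The third input shows the limit: "-R" needs no escaping, so the shell hands ls a recursive-listing option, and with a tool that accepts code-executing options the same construction is a real injection. The array form with "--" closes that gap regardless of the input.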
Use Initialized Environment in Libraries
When processing libraries, instance variables set in initialize will be used when analyzing the class's subsequent methods.
This release includes updated versions of RubyParser and friends. This may cause some warning fingerprints to change if they include a call to
The SHA256 sums for this release are:
c6ad3861920075ccf553343815fcce07aa09d015bc8529c6e4d8a865674530f7 brakeman-4.2.0.gem
94a97496761ddd27974867bde3235cab303761dadec4bd6a8d22260a72aaaa38 brakeman-lib-4.2.0.gem
a071eb6d6e866df0338bcb9c8dd56f5b0d66c68212eb604f551ac8aa196d6923 brakeman-min-4.2.0.gem
Thank you to everyone who reported bugs and contributed to this release.
If you find Brakeman valuable and want to support its development (and get more features!), check out Brakeman Pro.