Changes since 4.1.1:
- Handle ERb use of String#<< method for Ruby 2.5 (Pocke)
- Exclude template folders in lib/ (kru0096)
- Warn about SQL injection with not
- Avoid warning about symbol DoS on Model#attributes (#1096)
- Avoid warning about open redirects with model methods ending with _path (#1117)
- Avoid warning about command injection with Shellwords.escape (#1159)
- Use ivars from initialize in libraries
- Fix multiple assignment of globals (#1155)
- Sexp#body= can accept :rlist from Sexp#body_list
- Update RubyParser to 3.11.0
First release of 2018!
Update ERb Handling for Ruby 2.5.0
The way ERb templates are compiled changed in Ruby 2.5.0 to use String#<<, so Brakeman has been changed to accommodate it.
Please note ERb also changed such that <% # (with a space) is not supported in Ruby 2.5.0. It will be fixed in the next Ruby release, but the correct syntax is <%# (no space).
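As an added illustration (not part of the original release notes or of Brakeman's own code), the following script uses Ruby's standard ERB library to show the two things this section talks about: the Ruby source that ERB generates from a template, which is what Brakeman parses and which now appends to the output buffer with String#<<, and the difference between the <%# comment form and the spaced <% # form. The templates are constructed for this example, and the "_erbout" buffer name is ERB's default.

```ruby
require "erb"

# Compile an ERb template to the Ruby source ERB generates. Brakeman parses this
# generated Ruby, which is why the Ruby 2.5 change from concat to String#<< mattered.
def compiled_source(template)
  ERB.new(template).src
end

# True when the generated code appends to the output buffer with String#<<
# (the Ruby 2.5.0+ form; ERB's default buffer variable is _erbout).
def uses_shovel_operator?(template)
  compiled_source(template).include?("_erbout.<<")
end

# Render a template with the given local variables (ERB#result_with_hash, Ruby 2.5+).
def render(template, locals = {})
  ERB.new(template).result_with_hash(locals)
end

# Constructed templates for this example: a plain interpolation, the supported
# comment syntax (<%# ... %>), and the spaced form (<% # ... %>) that Ruby 2.5.0
# could not compile correctly.
TEMPLATES = {
  interpolation:  "Hello, <%= name %>!",
  comment_ok:     "visible<%# hidden comment %>text",
  comment_spaced: "visible<% # hidden comment %>text",
}.freeze

if __FILE__ == $0
  puts "--- generated Ruby for the interpolation template ---"
  puts compiled_source(TEMPLATES[:interpolation])
  puts "--- rendered output ---"
  TEMPLATES.each do |label, template|
    puts "#{label}: #{render(template, name: "Ada").inspect}"
  end
end
```

Run it on the Ruby version you deploy with and compare the rendered output of the two comment templates: on a Ruby whose ERB handles the spaced form, both render to "visibletext".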
Exclude Template Folders
Files in lib/**/templates will be ignored, since they are generally ERb files, not actually Ruby.
SQL Injection with not
In ActiveRecord, not takes the same arguments as where, making it just as vulnerable to SQL injection.
Thank you to Jobert Abma for reporting this.
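To make the point concrete, here is an added example (not Brakeman's own check, which works on RubyParser output rather than Ripper) of the kind of detection this change adds: a small Ripper-based scanner that flags where and not calls whose arguments contain an interpolated string, while leaving hash conditions and "?" placeholders alone. The sample source it scans is constructed for this example, and the User model and params names are assumptions.

```ruby
require "ripper"

# Query methods that accept raw SQL fragments. ActiveRecord's `not` takes the
# same arguments as `where`, so both are treated the same way.
RISKY_QUERY_METHODS = %w[where not].freeze

# True if the Ripper S-expression subtree contains a node of the given type
# (here :string_embexpr, the "#{...}" part of an interpolated string literal).
def subtree_has?(node, type)
  return false unless node.is_a?(Array)
  return true if node.first == type
  node.any? { |child| subtree_has?(child, type) }
end

# Extract [method_name, line] from a Ripper identifier node
# such as [:@ident, "not", [line, col]].
def ident_name_and_line(ident)
  return nil unless ident.is_a?(Array) && ident.first == :@ident
  [ident[1], ident[2][0]]
end

# Split a call node into [method identifier, argument subtree]. Handles
# `recv.not(args)` (:method_add_arg wrapping :call or :fcall), the paren-less
# `recv.not args` (:command_call) and bare `where args` (:command).
def call_parts(node)
  case node.first
  when :method_add_arg
    call = node[1]
    return nil unless call.is_a?(Array)
    return [call[3], node[2]] if call.first == :call
    return [call[1], node[2]] if call.first == :fcall
    nil
  when :command_call
    [node[3], node[4]]
  when :command
    [node[1], node[2]]
  end
end

def walk(node, findings)
  return findings unless node.is_a?(Array)
  parts = call_parts(node)
  if parts
    name_line = ident_name_and_line(parts[0])
    if name_line && RISKY_QUERY_METHODS.include?(name_line[0]) &&
       subtree_has?(parts[1], :string_embexpr)
      findings << { method: name_line[0], line: name_line[1] }
    end
  end
  node.each { |child| walk(child, findings) }
  findings
end

# Scan Ruby source and report where/not calls whose arguments contain an
# interpolated string literal. Returns an array of { method:, line: } hashes.
def find_interpolated_query_calls(source)
  tree = Ripper.sexp(source)
  raise ArgumentError, "source does not parse" if tree.nil?
  walk(tree, [])
end

# Constructed sample: lines 2 and 4 interpolate user input into SQL, lines 1 and 3
# use hash conditions or bind placeholders and should not be reported.
SAMPLE = <<~'RUBY'
  User.where(name: params[:name])
  User.where.not("name = '#{params[:name]}'")
  User.where("role = ?", params[:role]).not(active: true)
  User.where.not "email LIKE '%#{params[:q]}%'"
RUBY

if __FILE__ == $0
  find_interpolated_query_calls(SAMPLE).each do |f|
    puts "line #{f[:line]}: interpolated string passed to `#{f[:method]}`"
  end
end
```

The scanner only looks at the syntactic shape of the argument, so a value interpolated earlier and passed in as a variable is not caught; that is exactly the dataflow tracking Brakeman adds on top of this kind of pattern match.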
Symbol DoS False Positive
Brakeman will no longer warn about Model#attributes.symbolize_keys.
Open Redirect False Positive
Brakeman will no longer warn about open redirects with Model#something_ending_in_path.
Shellwords Escaping
Brakeman will no longer warn about command injection when Shellwords.escape and friends are used.
Please note that user input in shell commands is rarely a good idea, even if escaped, since it can still change the behavior of the program in unexpected ways. Many Linux tools have options that allow arbitrary code execution.
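An added example (not from the release notes or Brakeman's code) of why the warning goes away but the caution stays: Shellwords.escape from Ruby's standard library does make the value a single shell word, yet a value beginning with "-" is still an option as far as the invoked program is concerned. The command (grep over a log file) and the path are assumptions chosen for illustration; the block builds the argument lists but does not execute anything.

```ruby
require "shellwords"

# A command line built the way an application might when it shells out,
# escaping the user-supplied value so the shell sees it as one word.
# (grep and the log path are illustrative assumptions.)
def escaped_command(user_input)
  "grep -n #{Shellwords.escape(user_input)} /var/log/app.log"
end

# Escaping works for its stated purpose: the value comes back out of shell
# word-splitting as exactly one token, metacharacters included.
def survives_as_single_word?(user_input)
  Shellwords.split(Shellwords.escape(user_input)) == [user_input]
end

# Escaping does not change what the value means to the program: a leading "-"
# is untouched by Shellwords.escape, so most tools still parse it as an option.
def looks_like_option?(user_input)
  user_input.start_with?("-")
end

# Safer form: skip the shell entirely by using the argv form of system/spawn,
# and end option parsing with "--" so the value is always a positional argument.
def safe_argv(user_input)
  ["grep", "-n", "--", user_input, "/var/log/app.log"]
end

if __FILE__ == $0
  # Constructed inputs: one with shell metacharacters, one that looks like an option.
  ["search term; id", "-r"].each do |input|
    puts "input:            #{input.inspect}"
    puts "escaped command:  #{escaped_command(input)}"
    puts "single word?      #{survives_as_single_word?(input)}"
    puts "still an option?  #{looks_like_option?(Shellwords.escape(input))}"
    puts "argv form:        #{safe_argv(input).inspect}"
    puts
  end
  # To actually run the safer form: system(*safe_argv(input))
end
```

Passing the argv array to system or Process.spawn means no shell is involved at all, and the "--" separator closes the option-injection gap that escaping alone leaves open.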
Use Initialized Environment in Libraries
When processing libraries, instance variables set in initialize will be used in subsequent methods.
Update RubyParser
This release includes updated versions of RubyParser and friends. This may cause some warning fingerprints to change if they include a call to self[...].
Checksums
The SHA256 sums for this release are:
Reporting Issues
Thank you to everyone who reported bugs and contributed to this release!
Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.
Hang out on GitHub for questions and discussion.