This release drops support for running Brakeman with versions of Ruby older than 2.3.0. As always, scanning code with older syntax continues to be supported.
Also in this release: better supported for embedded “filters” in templates and (relatedly) the Sass dependency was removed!
Changes since 4.4.0:
- Officially drop support for running with older Ruby versions
- More thoroughly handle
- Handle non-integer version number comparisons (#1305)
- Better handling of splat/kwsplat arguments (#1204)
**inside Hash literals
- Add support for CoffeeScript in Slim templates
- Improve support for embedded template “filters”
- Remove Sass dependency
- Avoid joining strings with different encodings
- Improve “user input” reported for SQL injection
- Stop swallowing exceptions in
- Add original exception to
Scannerto parse files
- Set location information in
- Update RubyParser to 3.13.0
Dropped Support for Older Rubies
Brakeman code will no longer attempt to maintain compatibility with Ruby 1.9.3, instead setting the minimum version to Ruby 2.3.0.
Note that Ruby 2.2.0 reached end of life almost a year ago and is no longer receiving security updates.
This does not affect the versions of Ruby code Brakeman can analyze. Thanks to RubyParser, scanning syntax back to Ruby 1.8 is still supported.
More Shell Escaping
Brakeman is now better at handling shell escaping with
Shellwords when checking for command injection.
Non-Integer Version Numbers
When comparing non-integer version numbers (e.g.,
"beta1"), Brakeman will compare integers to integers and strings to strings instead of
incorrectly converting some strings to integers.
Splat args (
*arg) and double splat/keyword splats (
**kwargs) are better supported now (instead of being ignored).
Keyward splats inside of hash literals will be merged into the hash literal.
Embedded Template Filters
Support for embedded filters in templates (e.g.
markdown inside of Haml or Slim) has been completely rewritten. As a result, it is simpler to support embedded filters and it was possible to drop the Sass dependency. (The Sass gem itself is deprecated and will be end of life as of March 31st, 2019.)
Previously, it was possible to run into errors when Brakeman attempted to join or concatenate strings with different encodings. Now it will just fail and leave the strings apart.
Better Reporting of SQL Injection
SQL injection warnings now have better information about which value triggered the warning. Previously, sometimes the value highlighted as “dangerous” was misleading and confusing.
Thanks to Ryan Davis, RubyParser now has better support for newer Ruby 2.5 and Ruby 2.6 syntax, along with many other fixes!
This should address many of the parsing errors folks have been seeing.
The SHA256 sums for this release are:
c82c73e47668e1381829bcf50d09b952f7968bc36af9c5abd6ee20ee03882130 brakeman-4.5.0.gem 0d372dac72e6bf7f9ff9c2558e3f5d92ef62cd4c6ab051fcea88016f3bfa7470 brakeman-lib-4.5.0.gem 8565a780be3595ffc5a8d847f6eece8746a272138290fff115555d7aecaa1a38 brakeman-min-4.5.0.gem
Thank you to everyone who reported bugs and contributed to this release!