Brakeman 4.7.1 Released

This release includes a security fix in a dependency; please see below.

File Permissions

A security issue was reported for the ruby_parser-legacy gem, where some files are installed with world-writable permissions. This would allow any user on the system to edit code which would then be executed by Brakeman (or other dependent libraries) when loading the ruby_parser-legacy gem.

In this release of the brakeman gem, the permissions on these files have been corrected. However, there has not been a fixed release of ruby_parser-legacy yet, so the brakeman-lib and brakeman-min gems are still affected.

Default Report Format Sorting

Warnings in the default text report are now sorted by file and line number as well as confidence and category, thanks to Jacob Evelyn.

(changes)

Reverse Tabnabbing

Jacob Evelyn also updated the reverse tabnabbing check to match links created with target: :_blank.

(changes)

Stabby Lambdas

ruby_parser 3.14.0 changed the AST representation of ->{} lambdas, and Brakeman needed to adjust.

(changes)

String Length Limit

Brakeman now checks the resulting length of joining two strings (e.g., "blah" + "blah blah") before joining them. If the joined string would be longer than 50 characters, the strings are not joined.

Note the only change is when the length is checked, the limit was already in place.

(changes)

Flaky Test Fixed

Adam Kiczula fixed an intermittently-failing test in the Brakeman test suite that had been plaguing CI builds for a long time. Thanks!

(changes)

Ruby 2.7 Frozen Strings

In Ruby 2.7, symbols and some other constant values (true/false, etc.) will return frozen strings. This affected Brakeman in only minor ways, but it is fixed now in preparation for Ruby 2.7.

(changes)

Release Dates in Changelog

Brakeman’s changelog now includes release dates thanks to TheSpartan1980.

(changes)