Changes since 4.7.0:
- Address file permission issues in bundled ruby_parser-legacy
- Sort text report by file and line (Jacob Evelyn)
- Catch reverse tabnabbing with :_blank symbol (Jacob Evelyn)
- Convert s(:lambda) to s(:call) in Sexp#block_call (#1410)
- Check string length against limit before joining
- Fix flaky rails4 test (Adam Kiczula)
- Fix errors from frozen Symbol#to_s in Ruby 2.7
- Add release dates to each version in CHANGES (TheSpartan1980)
This release includes a security fix in a dependency; please see below.
File Permissions
A security issue was reported for the ruby_parser-legacy gem, where some files are installed with world-writable permissions.
This would allow any user on the system to edit code which would then be executed by Brakeman (or any other dependent library) when the ruby_parser-legacy gem is loaded.
The brakeman gem bundles its dependencies, so in this release the permissions on those bundled files have been corrected.
However, there has not been a fixed release of ruby_parser-legacy itself yet, so the brakeman-lib and brakeman-min gems, which depend on the upstream gem rather than a bundled copy, are still affected.
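If you run brakeman-lib or brakeman-min, or any other gem that depends on ruby_parser-legacy, the practical check is to look for world-writable files under the installed gem and clear the other-write bit. The helper below is an added example, not Brakeman's own code; the names world_writable_files, clear_other_write, gem_root and demo_permission_audit are assumptions, and the demonstration runs against a constructed temporary tree rather than a real gem so it works offline.

```ruby
require "tmpdir"
require "fileutils"

# Added audit helper (not Brakeman's code): report regular files under +root+
# whose mode grants write access to "other" users, i.e. (mode & 0o002) != 0.
# Such files can be edited by any local user and then executed by whoever
# requires the gem.
def world_writable_files(root)
  Dir.glob(File.join(root, "**", "*"), File::FNM_DOTMATCH)
     .select { |path| File.file?(path) && (File.stat(path).mode & 0o002) != 0 }
     .sort
end

# Clear only the other-write bit on each path, leaving the rest of the mode intact.
def clear_other_write(paths)
  paths.each do |path|
    File.chmod((File.stat(path).mode & 0o7777) & ~0o002, path)
  end
end

# Directory of an installed gem, for a real audit (raises if the gem is absent).
def gem_root(name)
  Gem::Specification.find_by_name(name).full_gem_path
end

# Constructed demonstration: a temporary tree standing in for an installed gem,
# with one correctly-permissioned file and one world-writable file.
def demo_permission_audit
  Dir.mktmpdir("gem-perm-demo") do |dir|
    lib = File.join(dir, "lib")
    FileUtils.mkdir_p(lib)
    ok  = File.join(lib, "ok.rb")
    bad = File.join(lib, "bad.rb")
    File.write(ok,  "# mode 0644\n")
    File.write(bad, "# mode 0666: any local user can rewrite this\n")
    File.chmod(0o644, ok)
    File.chmod(0o666, bad)

    found = world_writable_files(dir)
    clear_other_write(found)
    {
      found: found.map { |p| p.delete_prefix(dir) },   # => ["/lib/bad.rb"]
      remaining: world_writable_files(dir).size,        # => 0 after the fix
      fixed_mode: File.stat(bad).mode & 0o777           # => 0o664
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  p demo_permission_audit
  # Real audit of an installed gem, e.g.:
  #   p world_writable_files(gem_root("ruby_parser-legacy"))
end
```

Run the real audit from the same Ruby that runs Brakeman so that gem_root resolves the gem Brakeman actually loads; a world-writable file found there should be treated as untrusted, not merely re-chmodded, until a fixed upstream release is installed.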
Default Report Format Sorting
Warnings in the default text report are now sorted by file and line number as well as confidence and category, thanks to Jacob Evelyn.
Reverse Tabnabbing
Jacob Evelyn also updated the reverse tabnabbing check to match links created with target: :_blank (the symbol form) as well as the string "_blank".
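The point of the change is that a symbol and a string literal must be treated as the same target value. The following is an added illustration, not Brakeman's check (which walks ruby_parser Sexps): it uses the standard-library Ripper parser over Ruby source such as the code extracted from an ERB template, flags link_to calls whose target is "_blank" or :_blank, and suppresses the warning when rel contains noopener, which is the usual fix. The function names and the sample template lines are constructed for the example.

```ruby
require "ripper"

# Depth-first collection of every sub-array of +node+ for which the block is true.
def find_nodes(node, &matcher)
  return [] unless node.is_a?(Array)
  hits = matcher.call(node) ? [node] : []
  node.each { |child| hits.concat(find_nodes(child, &matcher)) }
  hits
end

# Ripper emits `link_to a, b` as :command and `link_to(a, b)` as :method_add_arg/:fcall.
def link_to_call?(node)
  case node[0]
  when :command
    node[1].is_a?(Array) && node[1][0] == :@ident && node[1][1] == "link_to"
  when :method_add_arg
    callee = node[1]
    callee.is_a?(Array) && callee[0] == :fcall && callee[1][1] == "link_to"
  else
    false
  end
end

# All String leaves under a node. A symbol literal, a string literal and a
# label key each reduce to their text, so :_blank and "_blank" compare equal.
def leaf_strings(node)
  node.flatten.grep(String)
end

# Keyword arguments of a call as { "target" => ["_blank"], "rel" => [...] }.
def keyword_args(call)
  pairs = {}
  find_nodes(call) { |n| n[0] == :bare_assoc_hash }.each do |hash|
    Array(hash[1]).each do |assoc|
      next unless assoc[0] == :assoc_new
      key = leaf_strings(assoc[1]).first.to_s.chomp(":")
      pairs[key] = leaf_strings(assoc[2])
    end
  end
  pairs
end

# Warnings (one per offending link_to) for the given Ruby source.
def tabnabbing_warnings(ruby_source)
  tree = Ripper.sexp(ruby_source)
  return [] if tree.nil? # Ripper.sexp returns nil on a syntax error
  find_nodes(tree) { |n| link_to_call?(n) }.map do |call|
    kw = keyword_args(call)
    next unless kw.fetch("target", []).include?("_blank")
    next if kw.fetch("rel", []).join(" ").match?(/\bnoopener\b/)
    line = call.flatten.find { |x| x.is_a?(Integer) } # first token position is [line, col]
    "line #{line}: link_to opens a new window (target _blank) without rel: \"noopener\""
  end.compact
end

# Constructed sample: the Ruby one would extract from a view template.
SAMPLE_TEMPLATE_RUBY = <<~RUBY
  link_to "Docs", "https://docs.example.test", target: :_blank
  link_to "Docs", "https://docs.example.test", target: "_blank"
  link_to("Safe", "https://docs.example.test", target: :_blank, rel: "noopener noreferrer")
  link_to "Same tab", "/about"
  link_to "Rocket", "/x", :target => :_blank
RUBY

puts tabnabbing_warnings(SAMPLE_TEMPLATE_RUBY) if __FILE__ == $PROGRAM_NAME
```

Lines 1, 2 and 5 of the sample are reported; line 3 is not because rel includes noopener, and line 4 never leaves the current tab. A check that compared only against the string "_blank" would have missed lines 1 and 5, which is the gap this release closes in Brakeman's own check.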
Stabby Lambdas
ruby_parser 3.14.0 changed the AST representation of ->{} lambdas, and Brakeman needed to adjust.
String Length Limit
Brakeman now checks the resulting length of joining two strings (e.g., "blah" + "blah blah") before joining them.
If the joined string would be longer than 50 characters, the strings are not joined.
Note that the only change is when the length is checked; the limit was already in place.
Flaky Test Fixed
Adam Kiczula fixed an intermittently-failing test in the Brakeman test suite that had been plaguing CI builds for a long time. Thanks!
Ruby 2.7 Frozen Strings
In Ruby 2.7, symbols and some other constant values (true/false, etc.) will return frozen strings from to_s.
(The Symbol#to_s part of that change was reverted before Ruby 2.7.0 was finalised; the frozen nil/true/false.to_s results did ship.)
This affected Brakeman in only minor ways, but it is fixed now in preparation for Ruby 2.7.
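The failure mode is code that appends to the result of to_s in place, which raises FrozenError once that result is frozen. The snippet below is an added example, not Brakeman's fix; the method names naive_label, safe_label, interpolated_label and label_strategies are assumptions. It runs on any Ruby and reports which strategies survive on the interpreter in use.

```ruby
# Added illustration (not Brakeman's code): appending to the String returned by
# #to_s breaks when that String is frozen, as nil/true/false.to_s are on Ruby 2.7+.

def naive_label(value)
  value.to_s << "_label"        # mutates the String that to_s returned
end

def safe_label(value)
  value.to_s.dup << "_label"    # dup always yields an unfrozen copy
end

def interpolated_label(value)
  "#{value}_label"              # interpolation allocates a fresh String
end

# Which strategies succeed for +value+ on this interpreter; nil marks FrozenError.
def label_strategies(value)
  naive = begin
    naive_label(value)
  rescue FrozenError
    nil
  end
  { naive: naive, safe: safe_label(value), interpolated: interpolated_label(value) }
end

if __FILE__ == $PROGRAM_NAME
  [true, false, nil, :sym, "str"].each do |v|
    puts "#{v.inspect.ljust(6)} to_s frozen? #{v.to_s.frozen?} -> #{label_strategies(v)}"
  end
end
```

On Ruby 2.7 and later the naive strategy fails for true, false and nil while the two copying strategies work everywhere, which is the shape of the adjustment a code base needs ahead of the upgrade.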
Release Dates in Changelog
Brakeman’s changelog now includes release dates thanks to TheSpartan1980.
Checksums
The SHA256 sums for this release are:
Reporting Issues
Thank you to everyone who reported bugs and contributed to this release!
Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.
Hang out on GitHub for questions and discussion.