This release updates Haml support to Haml 5.x!
Changes since 4.6.1:
- Update Haml support to Haml 5.x (#1044)
- Catch shell injection from
-cshell commands (Jacob Evelyn)
- Correctly handle non-symbols in
- Ignore interpolation in
form_forfor XSS check
Haml Support Update
Haml 5 introduced a completely different “compiled” format, so adding support was a significant effort taking a few months to complete. Due to the large number of changes, you may expect some changes to warnings for Haml templates.
Please report any bugs or odd behavior with Haml templates!
Haml 3.x and 4.x are no longer supported, although in general Haml is mostly backwards-compatible.
Jacob Evelyn added support for detecting command injection with
-c in known-dangerous commands (such as
An example of dangerous code would be:
system("echo", "-c", params[:command])
Of course not all dangerous shell commands are covered - so in general be careful passing any user-controlled input to a shell command.
Phil Turnbull fixed an issue in
CheckCookieSerialization where non-symbol cookie serialization options were handled poorly.
Benoit Côté-Jodoin refactored
Brakeman::Differ to compare warnings more efficiently and remove old fallback behavior.
All warnings are compared by fingerprint now when using
Andrey Glushkov updated the code for comparing library versions so it uses
Gem::Version and handles “beta”/pre-release versions better.
String interpolation when using
%W is no longer considered dangerous in shell commands where regular interpolation would be.
form_for is considered a safe method in XSS checks.
String.new << 'some string' is now treated like
'' << 'some string'.
The SHA256 sums for this release are:
f43d949f1de9c0bb67b7bc7d41000ac70a1fb6c2250c5e7332015f0cc5ce36c5 brakeman-4.7.0.gem c02dbaa4ad0c7402ef99697c7b1916b7d9558dd5aa45e1a36efed117628498cc brakeman-lib-4.7.0.gem 3ab80a47bbfbb0f869bb1289292ed62b9643b5e0884a4a79e2c7e44218ce3b07 brakeman-min-4.7.0.gem
Thank you to everyone who reported bugs and contributed to this release!