Just a little bug fix release.
Changes since 4.8.0:
- Warn about global(!) mass assignment
- Check SQL query strings using String#strip or String#squish (#1459)
- Handle non-symbol keys in locals hash for render (#1465)
- Index calls in render arguments (#1459)
Global Mass Assignment
Strong parameters can be disabled for the whole application with:
ActionController::Parameters.permit_all_parameters = true
With this set, every ActionController::Parameters instance reports itself as permitted without any call to permit, so mass assignment from request parameters accepts any attribute. Brakeman will now warn about this (very rare) configuration.
(changes)
Squished and Stripped SQL
Brakeman will now check the string targets of squish or strip. Previously the call to squish or strip hid the interpolated string from the SQL injection check; now the receiver of those calls is examined as well. Note that both methods only normalize whitespace and escape nothing, so an interpolated value is still injected.
For example:
ActiveRecord::Base.connection.execute "SELECT * FROM #{user_input}".squish
(changes)
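To show what the two checks above look for, here is an added example, not Brakeman's own code: a minimal scanner built on Ruby's stdlib Ripper that flags the global permit_all_parameters setting and interpolated SQL strings that reach execute directly or through .squish / .strip. The sample source it scans is constructed for this example, the pass-through method list and the message strings are this example's assumptions, and the check is deliberately far narrower than Brakeman's (it only looks at execute and only at string literals).

```ruby
# Added example, not Brakeman's own code: a minimal Ripper-based scanner that
# mirrors two of the 4.8.1 checks on constructed sample source, namely the
# global `permit_all_parameters = true` setting and interpolated SQL strings
# that reach `execute` directly or via `.squish` / `.strip`.
require "ripper"

# Methods the check looks through because they return the same (tainted)
# string. This list is the example's assumption, not Brakeman's internal one.
PASS_THROUGH = %w[squish strip].freeze

MASS_ASSIGN_MSG = "global mass assignment: permit_all_parameters = true".freeze
SQLI_MSG = "SQL injection: interpolated string reaches execute".freeze

# Flatten Ripper's argument wrappers ([:arg_paren ...], [:args_add_block ...])
# into a plain array of argument nodes.
def arg_list(args)
  return [] unless args.is_a?(Array)
  return arg_list(args[1]) if args[0] == :arg_paren
  return (args[1] || []) if args[0] == :args_add_block
  []
end

# Return [receiver, method_name, arg_nodes, line] for any node shaped like a
# method call, or nil for anything else.
def call_parts(node)
  return nil unless node.is_a?(Array)
  case node[0]
  when :command_call       # recv.meth args
    recv, meth, args = node[1], node[3], node[4]
  when :call               # recv.meth
    recv, meth, args = node[1], node[3], nil
  when :command            # meth args
    recv, meth, args = nil, node[1], node[2]
  when :fcall, :vcall      # bare meth
    recv, meth, args = nil, node[1], nil
  when :method_add_arg     # any of the above followed by (args)
    inner = call_parts(node[1])
    return nil unless inner
    return [inner[0], inner[1], arg_list(node[2]), inner[3]]
  else
    return nil
  end
  return nil unless meth.is_a?(Array) && meth[0] == :@ident
  [recv, meth[1], arg_list(args), meth[2][0]]
end

# True for a string literal containing #{...}, or for a .squish/.strip call
# whose receiver is such a string (the case 4.8.1 started catching).
def interpolated?(node)
  return false unless node.is_a?(Array)
  return node.flatten.include?(:string_embexpr) if node[0] == :string_literal
  parts = call_parts(node)
  return false unless parts && PASS_THROUGH.include?(parts[1]) && parts[2].empty?
  interpolated?(parts[0])
end

# True for `something.permit_all_parameters = true`.
def permit_all_true?(node)
  return false unless node[0] == :assign && node[1].is_a?(Array) && node[1][0] == :field
  target, value = node[1][3], node[2]
  target[0] == :@ident && target[1] == "permit_all_parameters" &&
    value.is_a?(Array) && value[0] == :var_ref && value[1][0..1] == [:@kw, "true"]
end

# Walk the whole s-expression and return findings as [line, message] pairs.
def scan(source)
  tree = Ripper.sexp(source) or raise ArgumentError, "syntax error in source"
  findings = []
  walk = lambda do |node|
    next unless node.is_a?(Array)
    findings << [node[1][3][2][0], MASS_ASSIGN_MSG] if permit_all_true?(node)
    parts = call_parts(node)
    if parts && parts[1] == "execute" && parts[2].any? { |arg| interpolated?(arg) }
      findings << [parts[3], SQLI_MSG]
    end
    node.each { |child| walk.call(child) }
  end
  walk.call(tree)
  findings.sort
end

# Constructed sample source (not from a real application): the setting on
# line 2 and the first two execute calls should be flagged, the last two not.
SAMPLE = <<~'RUBY'
  # constructed sample, not a real application
  ActionController::Parameters.permit_all_parameters = true

  class ReportsController < ApplicationController
    def show
      user_input = params[:table]
      ActiveRecord::Base.connection.execute "SELECT * FROM #{user_input}".squish
      ActiveRecord::Base.connection.execute("SELECT * FROM #{user_input}".strip)
      ActiveRecord::Base.connection.execute "SELECT * FROM reports".squish
      ActiveRecord::Base.connection.execute Report.sanitize_sql_array(["SELECT * FROM reports WHERE name = ?", user_input])
    end
  end
RUBY

if __FILE__ == $0
  scan(SAMPLE).each { |line, msg| puts "line #{line}: #{msg}" }
end
```

The point of the recursion in interpolated? is the fix this release made: the receiver of squish or strip is inspected instead of treating the call as an opaque value, so chained calls such as "...".strip.squish are still traced back to the interpolated literal.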
Non-Symbol Keys in Locals Hash
Using a value other than a symbol literal as a key in the locals hash for render will no longer cause an error in Brakeman.
(changes)
Render Arguments
Calls made as arguments to render will be indexed and checked for all vulnerability types, like every other method call.
(changes)
Checksums
The SHA256 sums for this release are:
5f3cc763fce471434adc33aa251298fa24ea2a1c01ef2549aec55be4b5b14d46 brakeman-4.8.1.gem
c4a95b450fb7ec2440e68640a0821e3a6b62ea34f665e78264ba0b332e98e5df brakeman-lib-4.8.1.gem
ada41dbfc3a436c062cd44161893249654caf43296801599303952f6261f2e5e brakeman-min-4.8.1.gem
Reporting Issues
Thank you to everyone who reported bugs and contributed to this release!
Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.
Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.