Ruby on Rails Static Analysis Security Tool

Brakeman 4.8.1 Released

Just a little bug fix release.

Changes since 4.8.0:

  • Warn about global(!) mass assignment
  • Check SQL query strings using String#strip or String.squish (#1459)
  • Handle non-symbol keys in locals hash for render (#1465)
  • Index calls in render arguments (#1459)

Global Mass Assignment

Strong parameters can be disabled with:

ActionController::Parameters.permit_all_parameters = true

Brakeman will now warn about this (very rare) configuration.


Squished and Stripped SQL

Brakeman will now check string targets of squish or strip.

For example:

ActiveRecord::Base.connection.execute "SELECT * FROM #{user_input}".squish


Non-Symbol Keys in Locals Hash

Using a value other than symbol literals as keys in the locals hash for render will no longer cause an error.


Render Arguments

Calls made as arguments to render will be indexed and checked for all vulnerability types, like every other method call.



The SHA256 sums for this release are:

5f3cc763fce471434adc33aa251298fa24ea2a1c01ef2549aec55be4b5b14d46  brakeman-4.8.1.gem
c4a95b450fb7ec2440e68640a0821e3a6b62ea34f665e78264ba0b332e98e5df  brakeman-lib-4.8.1.gem
ada41dbfc3a436c062cd44161893249654caf43296801599303952f6261f2e5e  brakeman-min-4.8.1.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.