This release was prompted by the release of ruby_parser 3.15.0, which includes a lot of fixes and improvements, including support for some Ruby 2.7 syntax.
Changes since 4.9.0:
- Use version from active_record for non-Rails apps (Ulysse Buonomo)
- Check chomped strings for SQL injection (#1509)
- Always set line number for joined arrays (#1499)
- Avoid warning about missing attr_accessible when the protected_attributes gem is used (#1512)
Check ActiveRecord Version
For non-Rails applications that are using ActiveRecord, use the version of active_record to set Brakeman’s guess at a Rails version. Thanks to Ulysse Buonomo.
Note: It is not recommended to run Brakeman on non-Rails applications… but no one is going to stop you if you really want to.
SQL Injection with Chomp
Brakeman will now check for string interpolation inside strings that have chomp called on them.
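To make the new check concrete, here is an added example that is not Brakeman's own code: a minimal detector for the same syntactic pattern, built on Ruby's stdlib Ripper parser rather than ruby_parser, which flags string literals containing `#{...}` interpolation that have `.chomp` called directly on them. The controller source it scans is constructed for the example; the hypothetical `User`, `params` and `where` calls stand in for a Rails app. Unlike Brakeman, this stand-in looks only at the syntax and does not track where the interpolated value comes from.

```ruby
require "ripper"

# Constructed sample controller source (not real project code). Line 4 is the
# pattern the new check targets: an interpolated string that has .chomp
# called on it before reaching the query.
SAMPLE = <<~'RUBY'
  class UsersController < ApplicationController
    def index
      # unsafe: the interpolated value becomes part of the SQL text; chomp changes nothing
      @users = User.where("name = '#{params[:name]}'".chomp)
      # fine: a plain literal, nothing user-controlled is spliced in
      @admins = User.where("role = 'admin'".chomp)
      # fine: bound parameter, the value travels separately from the SQL text
      @others = User.where("name = ?", params[:name].chomp)
    end
  end
RUBY

# Return the line numbers of every string literal containing #{...}
# interpolation that has .chomp called directly on it.
# (Simplified stand-in for Brakeman's check, built on the stdlib Ripper parser.)
def chomped_interpolations(source)
  sexp = Ripper.sexp(source)
  return [] unless sexp            # nil means the source did not parse
  hits = []
  each_node(sexp) do |node|
    # shape: [:call, receiver, period, [:@ident, name, [line, col]]]
    next unless node[0] == :call
    receiver, method = node[1], node[3]
    next unless method.is_a?(Array) && method[0] == :@ident && method[1] == "chomp"
    next unless receiver.is_a?(Array) && receiver[0] == :string_literal
    hits << method[2][0] if interpolated?(receiver)
  end
  hits
end

# Depth-first walk yielding every S-expression node (arrays tagged with a Symbol).
def each_node(node, &blk)
  return unless node.is_a?(Array)
  blk.call(node) if node[0].is_a?(Symbol)
  node.each { |child| each_node(child, &blk) }
end

# True if the string literal contains a #{...} segment anywhere inside it.
def interpolated?(node)
  return false unless node.is_a?(Array)
  return true if node[0] == :string_embexpr
  node.any? { |child| interpolated?(child) }
end

if __FILE__ == $PROGRAM_NAME
  chomped_interpolations(SAMPLE).each do |line|
    puts "possible SQL injection via chomped interpolated string, line #{line}"
  end
end
```

Run against the constructed sample it reports only line 4: the literal on line 6 has no interpolation, and on line 8 chomp is applied to the parameter value, not to the SQL string, so the value never becomes part of the query text. The fix for the flagged line is the form on line 8.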
Joined Arrays Line Number
Fixed a small, unlikely bug: joining two arrays for which Brakeman had no line number for either one would raise an exception. Not really sure how that happens, though.
When using the protected_attributes gem, it is allowed but not required to set attr_accessible on models.
Brakeman will no longer warn about missing attr_accessible when protected_attributes is used.
As noted above, this version of Brakeman ships with an updated version of ruby_parser.
The SHA256 sums for this release are:
5a17706b1da4886f1b6864c3ffff1ab40684f3f7b4d667138227c467ebccb0f7 brakeman-4.9.1.gem
8bb3d88f9786e9f08c24d38e88c40adf02f4a47b17de8c1c816f7e174de476a4 brakeman-lib-4.9.1.gem
8eae3eec1ebab0cf3b29ea50089f613b0d8e544ae4c332f1f5e64a240e8a0a94 brakeman-min-4.9.1.gem
Thank you to everyone who reported bugs and contributed to this release!