Changes since 4.9.0:
- Use version from `active_record` for non-Rails apps (Ulysse Buonomo)
- Check `chomp`ed strings for SQL injection (#1509)
- Always set line number for joined arrays (#1499)
- Avoid warning about missing `attr_accessible` if `protected_attributes` gem is used (#1512)
This release was prompted by the release of ruby_parser 3.15.0, which includes a lot of fixes and improvements, including support for some Ruby 2.7 syntax.
Check ActiveRecord Version
For non-Rails applications that are using ActiveRecord, use the version of `active_record` to set Brakeman's guess at a Rails version. Thanks to Ulysse Buonomo.
Note: It is not recommended to run Brakeman on non-Rails applications… but no one is going to stop you if you really want to.
(changes)
SQL Injection with Chomp
Brakeman will now check for string interpolation inside strings that have `chomp` called on them.
(changes)
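To make the new check concrete, here is an added, simplified illustration of the pattern it targets. This is not Brakeman's own code: it uses Ruby's standard-library `Ripper` parser rather than ruby_parser, and it only walks the S-expression looking for a `chomp` call whose receiver is a string literal containing interpolation (the same shape as `"... #{params[:x]} ...".chomp` passed to a query method). The `SAMPLE` controller source and the `UsersController`/`User` names are constructed for the example.

```ruby
require "ripper"

# Constructed sample source: line 3 interpolates request input into a SQL
# fragment and then calls chomp on it; line 4 uses a bind parameter instead;
# line 5 chomps a string with no interpolation at all.
SAMPLE = <<~'RUBY'
  class UsersController
    def search
      User.where("name = '#{params[:name]}'".chomp)   # interpolated, then chomp
      User.where("name = ?", params[:name].chomp)     # parameterized: safe
      User.where("active = 1".chomp)                  # no interpolation
    end
  end
RUBY

# True for a Ripper :string_literal node that contains at least one
# interpolation (:string_embexpr) anywhere inside it.
def interpolated_string?(node)
  node.is_a?(Array) && node[0] == :string_literal && contains_embexpr?(node)
end

def contains_embexpr?(node)
  return false unless node.is_a?(Array)
  return true if node[0] == :string_embexpr
  node.any? { |child| contains_embexpr?(child) }
end

# True for the method-name leaf of a :call node when the method is chomp.
def chomp_call?(node)
  node.is_a?(Array) && node[0] == :@ident && node[1] == "chomp"
end

# Parse the source and return the (unique, ordered) line numbers of every
# `"...#{...}".chomp` expression. A :call node has the shape
# [:call, receiver, operator, [:@ident, name, [line, column]]].
def interpolated_chomp_lines(source)
  tree = Ripper.sexp(source)
  return [] unless tree   # Ripper.sexp returns nil on a syntax error

  found = []
  walk = lambda do |node|
    return unless node.is_a?(Array)
    if node[0] == :call && interpolated_string?(node[1]) && chomp_call?(node[3])
      found << node[3][2][0]
    end
    node.each { |child| walk.call(child) }
  end
  walk.call(tree)
  found.uniq
end

if $PROGRAM_NAME == __FILE__
  interpolated_chomp_lines(SAMPLE).each do |line|
    puts "line #{line}: interpolated string passed through chomp (possible SQL injection)"
  end
end
```

Only line 3 of the sample is reported: the `chomp` call on line 4 has a method call as its receiver, not a string literal, and the string on line 5 has no interpolation. The real check in Brakeman is considerably more thorough (it tracks values through variables and knows which query methods matter), but the essential idea is the same: `chomp` does nothing to neutralize interpolated input, so a string that would be flagged before `.chomp` must still be flagged after it.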
Joined Arrays Line Number
Fixed a small, unlikely bug where joining two arrays where Brakeman doesn’t have a line number for either of them would raise an exception. Not really sure how that happens, though.
(changes)
Protected Attributes
When using the `protected_attributes` gem, it is allowed but not required to set `attr_accessible` on models. Brakeman will no longer warn about missing `attr_accessible` when `protected_attributes` is used.
(changes)
Update RubyParser
As noted above, this version of Brakeman ships with an updated version of ruby_parser.
Checksums
The SHA256 sums for this release are:
Reporting Issues
Thank you to everyone who reported bugs and contributed to this release!
Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.
Hang out on GitHub for questions and discussion.