Changes since 4.9.0:
- Use version from active_record for non-Rails apps (Ulysse Buonomo)
- Check chomped strings for SQL injection (#1509)
- Always set line number for joined arrays (#1499)
- Avoid warning about missing attr_accessible if protected_attributes gem is used (#1512)
This release was prompted by the release of ruby_parser 3.15.0, which includes a lot of fixes and improvements, including support for some Ruby 2.7 syntax.
Check ActiveRecord Version
For non-Rails applications that are using ActiveRecord, use the version of active_record to set Brakeman’s guess at a Rails version. Thanks to Ulysse Buonomo.
Note: It is not recommended to run Brakeman on non-Rails applications… but no one is going to stop you if you really want to.
(changes)
SQL Injection with Chomp
Brakeman will now check for string interpolation inside strings that have chomp called on them. chomp only strips a trailing record separator (a newline by default); it does nothing to quotes or other SQL metacharacters, so a query built by interpolation and then chomped is just as injectable as the unchomped one and is now reported.
(changes)
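To make the pattern concrete, here is an added toy detector (not Brakeman's code, which uses ruby_parser) that uses Ruby's standard-library Ripper to find string literals containing interpolation that have chomp called directly on them. The source it scans is constructed for this example, and the vulnerable line shows why chomp is no defence.

```ruby
require "ripper"

# Constructed sample source (not from any real app). Only line 2 should be
# flagged: line 3 has chomp but no interpolation, line 4 uses a bind parameter.
SAMPLE_SOURCE = <<~'RUBY'
  name = params[:name]
  User.where("name = '#{name}'\n".chomp)
  User.where("name = 'static'".chomp)
  User.where("name = ?", name)
RUBY

# Yield every node (array whose first element is a Symbol) in a Ripper S-expression.
def each_node(node, &blk)
  return unless node.is_a?(Array)
  blk.call(node) if node.first.is_a?(Symbol)
  node.each { |child| each_node(child, &blk) }
end

# True if a :string_literal subtree contains an interpolated #{...} segment.
def interpolated?(string_literal)
  found = false
  each_node(string_literal) { |n| found = true if n.first == :string_embexpr }
  found
end

# Return the line numbers where an interpolated string literal has .chomp called on it.
# Ripper shapes a method call as [:call, receiver, period, [:@ident, name, [line, col]]].
def find_chomped_interpolations(src)
  tree = Ripper.sexp(src)
  raise ArgumentError, "could not parse source" if tree.nil?
  lines = []
  each_node(tree) do |node|
    next unless node.first == :call
    receiver, method = node[1], node[3]
    next unless receiver.is_a?(Array) && receiver.first == :string_literal
    next unless method.is_a?(Array) && method[0] == :@ident && method[1] == "chomp"
    lines << method[2][0] if interpolated?(receiver)
  end
  lines
end

# Why the check matters: chomp removes only the trailing "\n", so the
# interpolated value, quotes and all, still reaches the query text.
def chomped_sql(name)
  "SELECT * FROM users WHERE name = '#{name}'\n".chomp
end

if __FILE__ == $0
  puts "Flagged lines: #{find_chomped_interpolations(SAMPLE_SOURCE).inspect}"
  puts chomped_sql("x' OR 1=1 --")
end
```

The walker only matches chomp called directly on a literal; Brakeman's real check tracks values through assignments and method arguments as well, which is why interpolation that reaches chomp indirectly is also reported by the tool.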
Joined Arrays Line Number
Fixed a small, unlikely bug: joining two arrays for neither of which Brakeman has a line number would raise an exception. Not really sure how that happens, though.
(changes)
Protected Attributes
When using the protected_attributes gem, it is allowed but not required to set attr_accessible on models.
Brakeman will no longer warn about missing attr_accessible when protected_attributes is used.
(changes)
Update RubyParser
As noted above, this version of Brakeman ships with an updated version of ruby_parser.
Checksums
The SHA256 sums for this release are:
Reporting Issues
Thank you to everyone who reported bugs and contributed to this release!
Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.
Hang out on GitHub for questions and discussion.