Brakeman

Ruby on Rails Static Analysis Security Tool

Brakeman 4.9.1 Released

This release was prompted by the release of ruby_parser 3.15.0, which includes a lot of fixes and improvements, including support for some Ruby 2.7 syntax.

Changes since 4.9.0:

  • Use version from active_record for non-Rails apps (Ulysse Buonomo)
  • Check chomped strings for SQL injection (#1509)
  • Always set line number for joined arrays (#1499)
  • Avoid warning about missing attr_accessible if protected_attributes gem is used (#1512)

Check ActiveRecord Version

For non-Rails applications that are using ActiveRecord, use the version of active_record to set Brakeman’s guess at a Rails version. Thanks to Ulysse Buonomo.

Note: It is not recommended to run Brakeman on non-Rails applications… but no one is going to stop you if you really want to.


SQL Injection with Chomp

Brakeman will now check for string interpolation inside strings that have chomp called on them.
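
As an added illustration (not Brakeman's own code), the simplified checker below uses Ruby's standard-library Ripper to model the new behaviour: it looks for calls to a small, assumed list of SQL-taking ActiveRecord methods and reports a first argument that is an interpolated string literal, whether or not chomp has been called on it. The sample source is constructed for the example.

```ruby
require "ripper"

# Assumed, simplified sink list (not Brakeman's own): first argument is raw SQL.
SQL_SINKS = %w[where find_by_sql order group having].freeze

# Method name from a :call/:fcall node; its last element is [:@ident, name, [line, col]].
def callee_name(node)
  ident = node.is_a?(Array) ? node.last : nil
  ident.is_a?(Array) && ident.first == :@ident ? ident[1] : nil
end
# Strip trailing `.chomp` calls so the string underneath is inspected.
def unwrap_chomp(node)
  node = node[1] while node.is_a?(Array) && node.first == :call && callee_name(node) == "chomp"
  node
end
def contains_embexpr?(node)
  node.is_a?(Array) && (node.first == :string_embexpr || node.any? { |c| contains_embexpr?(c) })
end
# A string literal containing "#{...}" interpolation.
def interpolated_string?(node)
  node.is_a?(Array) && node.first == :string_literal && contains_embexpr?(node)
end
# First positional argument inside [:arg_paren, ...], or nil for "()".
def first_argument(arg_paren)
  args = arg_paren.is_a?(Array) ? arg_paren[1] : nil
  return nil unless args.is_a?(Array)
  args.first == :args_add_block ? args[1].first : args.first
end

# Walk the S-expression; record [method, line] for each SQL sink whose first
# argument is an interpolated string, with or without chomp on it.
def collect(node, findings)
  return unless node.is_a?(Array)
  if node.first == :method_add_arg && SQL_SINKS.include?(callee_name(node[1]))
    arg = unwrap_chomp(first_argument(node[2]))
    findings << [callee_name(node[1]), node[1].last[2][0]] if interpolated_string?(arg)
  end
  node.each { |child| collect(child, findings) }
end

def sql_injection_findings(source)
  [].tap { |findings| collect(Ripper.sexp(source), findings) }
end

# Constructed sample: line 1 is caught only once chomp is unwrapped, line 2 is
# the parameterised fix, line 3 is plain interpolation.
SAMPLE = <<~'RUBY'
  User.where("name = '#{params[:name]}'".chomp)
  User.where("name = ?", params[:name].chomp)
  User.order("#{params[:sort]} DESC")
RUBY
```

Calling `sql_injection_findings(SAMPLE)` returns `[["where", 1], ["order", 3]]`; the parameterised call on line 2 produces no finding.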


Joined Arrays Line Number

Fixed a small, unlikely bug: joining two arrays for which Brakeman has no line number for either one would raise an exception. Not really sure how that happens, though.


Protected Attributes

When using the protected_attributes gem, it is allowed but not required to set attr_accessible on models.

Brakeman will no longer warn about missing attr_accessible when protected_attributes is used.


Update RubyParser

As noted above, this version of Brakeman ships with an updated version of ruby_parser.

Checksums

The SHA256 sums for this release are:

5a17706b1da4886f1b6864c3ffff1ab40684f3f7b4d667138227c467ebccb0f7  brakeman-4.9.1.gem
8bb3d88f9786e9f08c24d38e88c40adf02f4a47b17de8c1c816f7e174de476a4  brakeman-lib-4.9.1.gem
8eae3eec1ebab0cf3b29ea50089f613b0d8e544ae4c332f1f5e64a240e8a0a94  brakeman-min-4.9.1.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.