This release was prompted by the release of ruby_parser 3.15.0, which includes a lot of fixes and improvements, including support for some Ruby 2.7 syntax.
Changes since 4.9.0:
- Use version from active_record for non-Rails apps (Ulysse Buonomo)
- Check chomped strings for SQL injection (#1509)
- Always set line number for joined arrays (#1499)
- Avoid warning about missing attr_accessible if protected_attributes gem is used (#1512)
Check ActiveRecord Version
For non-Rails applications that are using ActiveRecord, use the version of active_record to set Brakeman's guess at a Rails version. Thanks to Ulysse Buonomo.
Note: It is not recommended to run Brakeman on non-Rails applications… but no one is going to stop you if you really want to.
SQL Injection with Chomp
Brakeman will now check for string interpolation inside strings that have chomp called on them.
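As an added illustration of the pattern this check targets (not Brakeman's own implementation, which is built on ruby_parser), here is a small Ripper-based detector that flags query calls receiving an interpolated string directly or behind chomp; the list of query methods and the SAMPLE input are assumptions made for the example:

```ruby
require "ripper"
# Added example, not Brakeman's own code: a Ripper-based sketch of the check, flagging
# ActiveRecord query calls that get an interpolated string directly or via `.chomp`.
module ChompSqlCheck
  QUERY_METHODS = %w[where find_by_sql order group having].freeze
  SAMPLE = <<~'RUBY' # constructed input: lines 1 and 2 should be flagged, 3 and 4 not
    User.where("name = '#{name}'")            # interpolation, already caught
    User.where("email = '#{email}'".chomp)    # interpolation hidden behind chomp
    User.where("login = ?", login)            # parameterised, fine
    User.where("created_at > NOW()".chomp)    # chomp on a plain literal, fine
  RUBY
  # True if the subtree contains a "#{...}" interpolation node.
  def self.interpolated?(node)
    node.is_a?(Array) && (node.first == :string_embexpr || node.any? { |c| interpolated?(c) })
  end
  # Unwrap [:arg_paren, [:args_add_block, [args...], block]] into the list of argument nodes.
  def self.args_of(node)
    return args_of(node[1]) if node.is_a?(Array) && node.first == :arg_paren
    node.is_a?(Array) && node.first == :args_add_block ? Array(node[1]) : []
  end
  # [method ident, args] for the call shapes Ripper emits, nil for any other node.
  def self.call_parts(node)
    case node.first
    when :method_add_arg then [node[1].first == :fcall ? node[1][1] : node[1][3], args_of(node[2])]
    when :command_call   then [node[3], args_of(node[4])]
    when :command        then [node[1], args_of(node[2])]
    end
  end
  # :interpolation for "#{x}" passed directly, :chomp_interpolation for "#{x}".chomp, else nil.
  def self.classify(arg)
    return unless arg.is_a?(Array)
    return :interpolation if arg.first == :string_literal && interpolated?(arg)
    return unless arg.first == :call && arg[3].is_a?(Array) && arg[3][1] == "chomp"
    :chomp_interpolation if arg[1].is_a?(Array) && arg[1].first == :string_literal && interpolated?(arg[1])
  end
  # Walk the whole sexp and collect { line:, kind: } findings for query-method calls.
  def self.walk(node, findings = [])
    return findings unless node.is_a?(Array)
    ident, args = call_parts(node)
    if ident.is_a?(Array) && ident.first == :@ident && QUERY_METHODS.include?(ident[1])
      args.each { |a| k = classify(a); findings << { line: ident[2][0], kind: k } if k }
    end
    node.each { |child| walk(child, findings) }
    findings
  end
  def self.scan(source)
    walk(Ripper.sexp(source) || raise(ArgumentError, "could not parse source"))
  end
end
```

Running ChompSqlCheck.scan(ChompSqlCheck::SAMPLE) reports line 1 as a plain interpolation and line 2 as an interpolation hidden behind chomp, while the parameterised query and the chomped plain literal are left alone.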
Joined Arrays Line Number
Fixed a small, unlikely bug where joining two arrays where Brakeman doesn’t have a line number for either of them would raise an exception. Not really sure how that happens, though.
Protected Attributes
When using the protected_attributes gem, it is allowed but not required to set attr_accessible on models. Brakeman will no longer warn about missing attr_accessible when protected_attributes is used.
Update RubyParser
As noted above, this version of Brakeman ships with an updated version of ruby_parser.
Checksums
The SHA256 sums for this release are:
5a17706b1da4886f1b6864c3ffff1ab40684f3f7b4d667138227c467ebccb0f7 brakeman-4.9.1.gem
8bb3d88f9786e9f08c24d38e88c40adf02f4a47b17de8c1c816f7e174de476a4 brakeman-lib-4.9.1.gem
8eae3eec1ebab0cf3b29ea50089f613b0d8e544ae4c332f1f5e64a240e8a0a94 brakeman-min-4.9.1.gem
Reporting Issues
Thank you to everyone who reported bugs and contributed to this release!
Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.
Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.