Ruby on Rails Static Analysis Security Tool

Brakeman 5.2.2 Released

Changes since 5.2.1:

  • Respect equality in if conditions (#1683)
  • Update message for unsafe reflection (Pedro Baracho)
  • Handle nil when joining values (Dan Buettner)
  • Add additional String methods for SQL injection check (#1669)
  • Update ruby_parser for Ruby 3.1 support (Merek Skubela)

Equality Checks in Conditions

When Brakeman comes across code like:

if x == 1
  # do something with x

It will now assume x is 1 inside of the if branch.


Unsafe Reflection Messages

Pedro Baracho updated the messages for unsafe reflection to be clearer.


Another String Joining Fix

Dan Buettner fixed an exception when a nil gets into a string joining operation.


More SQL Injection

When Brakeman checks for SQL injection, there are a number of methods (like to_s or strip) that essentially return the string itself.

This list of methods has been expanded to include chop, lstrip, rstrip, scrub, and tr.


Update RubyParser

This version of Brakeman includes RubyParser 3.19 which adds support for Ruby 3.1 syntax. Thanks Merek Skubela!



The SHA256 sums for this release are:

246c9540f5d90fbde39c95999d319f9706bf79668f66bb35419825c1cbef61ae  brakeman-5.2.2.gem
1b559598d78919c0f6f3a8e8602b86ab35f825810b1d7daf872b7791b452e78b  brakeman-lib-5.2.2.gem
4c34dcc1900bf872254eee2b313b1634ffacc9002fd7d26b8390259318cf6194  brakeman-min-5.2.2.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.