Special thanks to Bart de Water and Ryan Cartner for proposing new rules!
Changes since 5.3.1:
- Add check for weak RSA key sizes and padding modes (#1736)
- Add check for absolute paths issue with Pathname (#1721)
- Handle multiple values and splats in case/when (#1730)
- Ignore more model methods in redirects (#1723)
- Fix `load_rails_defaults` overwriting settings in the Rails application (James Gregory-Monk)
- Use relative paths for CodeClimate report format (Mike Poage)
Check RSA Key Sizes and Padding Modes
Brakeman now warns on:
- RSA key sizes less than 2048 bits
- Use of padding modes other than OAEP (including
Unexpected Absolute Paths
When joining paths using `Pathname#join`, any arguments that start with a forward slash (`/`) will cause the rest of the path to be relative to that absolute path. This may cause unexpected behavior and deviates from how

```ruby
Pathname.new('a').join('b', '/c', 'd') # => #<Pathname:/c/d>
```

(There are more `Pathname` methods with this issue - to be added in a future release.)
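As an added example (not Brakeman's own code), the following contrasts `Pathname#join` with `File.join` on the same arguments and shows a defensive join that rejects absolute segments and checks that the cleaned result still lies under a constructed base directory:

```ruby
require 'pathname'

# Constructed base directory for the example (assumption, not from the release notes).
BASE = Pathname.new('/var/app/uploads')

# Pathname#join: an absolute argument discards everything joined before it.
def pathname_join(*parts)
  BASE.join(*parts).to_s
end

# File.join only concatenates, collapsing the redundant separator instead of resetting.
def file_join(*parts)
  File.join(BASE.to_s, *parts)
end

# Defensive join: refuse absolute segments up front, then verify the normalised
# result is still inside BASE (the second check also catches '..' traversal).
def safe_join(*parts)
  parts.each do |part|
    raise ArgumentError, "absolute path segment: #{part}" if Pathname.new(part).absolute?
  end
  result = BASE.join(*parts).cleanpath
  unless result.to_s.start_with?("#{BASE}/")
    raise ArgumentError, "path escapes base directory: #{result}"
  end
  result.to_s
end

if __FILE__ == $PROGRAM_NAME
  puts pathname_join('b', '/c', 'd') # /c/d  (base directory silently dropped)
  puts file_join('b', '/c', 'd')     # /var/app/uploads/b/c/d
  puts safe_join('b', 'c', 'd')      # /var/app/uploads/b/c/d
  begin
    safe_join('b', '/c', 'd')
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```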
Multiple Values in `when`
When a `when` clause contains only 'safe' values, Brakeman will treat the `case` value as safe:

```ruby
y = [1, 2, 3]
case x
when *y
  maybe_dangerous(x) # `x` must be an integer, so not dangerous
end
```
Ignore More Redirects
More model methods are ignored in redirects:
James Gregory-Monk fixed how Rails default configuration values are set so overrides were properly handled.
The SHA256 sums for this release are:

bab990760949e999c5d52b297d8badda376754eb296c91abf829def733ed9d51 brakeman-5.4.0.gem
2b5a0cd5845b8c0e1b83e00122654af48b025ac3e6625c9ecbc5535226068416 brakeman-lib-5.4.0.gem
fcbd60456c5db62767d143696e1edf8e4eaee734f2a039903aeca7bb4e6b3dbf brakeman-min-5.4.0.gem
Thank you to everyone who reported bugs and contributed to this release!
Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.
Follow @brakeman on Twitter and hang out on Github for questions and discussion.