Changes since 5.3.1:
- Add check for weak RSA key sizes and padding modes (#1736)
- Add check for absolute paths issue with Pathname (#1721)
- Handle multiple values and splats in case/when (#1730)
- Ignore more model methods in redirects (#1723)
- Fix `load_rails_defaults` overwriting settings in the Rails application (James Gregory-Monk)
- Use relative paths for CodeClimate report format (Mike Poage)
Special thanks to Bart de Water and Ryan Cartner for proposing new rules!
Check RSA Key Sizes and Padding Modes
Brakeman now warns on:
- RSA key sizes less than 2048 bits
- Use of padding modes other than OAEP (including `none`)
Unexpected Absolute Paths
When joining paths using `Pathname#join`, any arguments that start with a forward slash (`/`) will cause the rest of the path to be relative to that absolute path. This may cause unexpected behavior and deviates from how `File.join` works.

```ruby
Pathname.new('a').join('b', '/c', 'd')
=> #<Pathname:/c/d>
```
(There are more `Pathname` methods with this issue, to be added in a future release.)
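To make the difference concrete, here is an added example (not Brakeman's own code) contrasting `Pathname#join` with `File.join` on the same arguments, plus a hypothetical `safe_join` helper that rejects absolute components and verifies the expanded result stays under the base directory. The base directory and file names are constructed for illustration.

```ruby
require 'pathname'

# Pathname#join restarts from any absolute component, so a component
# beginning with "/" silently discards everything joined before it.
def pathname_join(base, *parts)
  Pathname.new(base).join(*parts).to_s
end

# File.join concatenates and collapses doubled separators, so the base
# prefix is kept even when a later component starts with "/".
def file_join(base, *parts)
  File.join(base, *parts)
end

# Hardened variant (hypothetical helper, not part of Brakeman or Ruby):
# 1. refuse any component that is itself an absolute path;
# 2. after joining, expand the path lexically (resolves "..") and confirm
#    it is still the base directory or lies beneath it.
# expand_path is purely lexical; it does not follow symlinks.
def safe_join(base, *parts)
  base_path = Pathname.new(base).expand_path
  parts.each do |part|
    if Pathname.new(part).absolute?
      raise ArgumentError, "absolute path component not allowed: #{part}"
    end
  end
  joined = base_path.join(*parts).expand_path
  prefix = base_path.to_s + File::SEPARATOR
  unless joined.to_s == base_path.to_s || joined.to_s.start_with?(prefix)
    raise ArgumentError, "path escapes base directory: #{joined}"
  end
  joined.to_s
end

# pathname_join('a', 'b', '/c', 'd')  # => "/c/d"     (base "a/b" lost)
# file_join('a', 'b', '/c', 'd')      # => "a/b/c/d"  (prefix retained)
```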
Multiple Values in `when`s
If a `when` clause contains only ‘safe’ values, Brakeman will treat the `case` value as safe:

```ruby
y = [1, 2, 3]
case x
when *y
  maybe_dangerous(x) # `x` must be an integer, so not dangerous
end
```
Ignore More Redirects
More model methods are ignored in redirects:
- `first!`
- `last!`
- `sole`
- `find_by_sole`
Rails Defaults
James Gregory-Monk fixed how Rails default configuration values are set so that overrides are properly handled.
Checksums
The SHA256 sums for this release are:
Reporting Issues
Thank you to everyone who reported bugs and contributed to this release!
Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.
Hang out on GitHub for questions and discussion.