Several changes in this release are updates to Brakeman’s open redirect check.
Changes since 5.4.0:
- Add Rails 6.1 and 7.0 default configuration values
- Support Rails 7 redirect options
- Add `redirect_back_or_to` to open redirect check
- Revise checking for `request.env` to only consider request headers
- Prevent redirects using `url_from` being marked as unsafe (Lachlan Sylvester)
- Warn about unscoped find for `find_by(id: ...)`
- Fix issue with `presence` and `in?`
- Fix file/line location for EOL software warnings
Rails 6.1 and Rails 7.0 Defaults
The default configuration values for Rails 6.1 and Rails 7.0 have been added to Brakeman.
Open Redirect Updates
Rails 7 introduced a new protection against open redirects. If `config.action_controller.raise_on_open_redirects` is set to `true`, then Rails prevents redirects to a different host than the one the current request was made to, by raising `ActionController::Redirecting::UnsafeRedirectError` instead of redirecting.
This protection can be bypassed by passing `allow_other_host: true` to `redirect_to`, so Brakeman keeps warning about redirects that use that option with user-controlled input.
Lachlan Sylvester pointed out it’s also possible to use `url_from` to ensure a URL is for the same host. So `redirect_to(url_from(params[:url]))` is safe and is no longer flagged. Note that `url_from` returns `nil` when the URL points at another host, so in practice a fallback location should be supplied for that case.
This release also expands the open redirect check to `redirect_back_or_to`, which takes a fallback URL as well as the Rails 7 redirect options.
More Unscoped Finds
Brakeman will now warn about use of `find_by(id: ...)` the same way it already warns about `find_by_id` for “unscoped finds” (i.e., possible insecure direct object references, where a record is looked up by a user-supplied id without restricting the query to records the current user may access).
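The example below is an added illustration, not Brakeman's code or Active Record's: it uses tiny in-memory stand-ins (`Relation`, `Post`, `User` and two constructed rows are made up for the example) to show why `find_by(id: ...)` and `find_by_id` are the same IDOR risk, and what scoping the lookup through the current user changes.

```ruby
# Minimal in-memory stand-ins for the Active Record calls involved, so the
# unscoped vs. scoped lookup can be run without a database. Added example,
# not Brakeman's or Active Record's code.
Post = Struct.new(:id, :user_id, :title)

class Relation
  def initialize(rows)
    @rows = rows
  end

  # Active Record casts the "3" from params to the column type; comparing
  # as strings here gives the same effect for the example.
  def where(**conds)
    Relation.new(@rows.select { |r| conds.all? { |k, v| r[k].to_s == v.to_s } })
  end

  # find_by returns nil rather than raising when nothing matches.
  def find_by(**conds)
    where(**conds).first
  end

  # The dynamic finder Brakeman already flagged; identical semantics.
  def find_by_id(id)
    find_by(id: id)
  end

  def first
    @rows.first
  end
end

# Constructed sample data: two users (ids 10 and 20), one post each.
POSTS = Relation.new([Post.new(1, 10, "alice's draft"), Post.new(2, 20, "bob's draft")])

User = Struct.new(:id) do
  # Association-style scope: only rows owned by this user.
  def posts
    POSTS.where(user_id: id)
  end
end

# Unscoped lookup (what the new warning catches): any logged-in user can
# fetch any post by changing the id in the URL.
def show_unscoped(_current_user, params)
  POSTS.find_by(id: params[:id])
end

# Scoped through the owner: ids belonging to other users resolve to nil,
# which a controller can turn into a 404 instead of leaking the record.
def show_scoped(current_user, params)
  current_user.posts.find_by(id: params[:id])
end

if $PROGRAM_NAME == __FILE__
  bob = User.new(20)
  puts "unscoped: #{show_unscoped(bob, id: "1")&.title.inspect}" # alice's post leaks
  puts "scoped:   #{show_scoped(bob, id: "1").inspect}"          # nil
end
```

The scoped version is also the one Brakeman does not flag, since the receiver of `find_by` is an association on the current user rather than the model class itself.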
Presence Method Support
Brakeman now handles `presence`. Since `presence` and `in?` are often used for guard clauses, this fixes some false positives.
File/Line for End-Of-Life Warnings
March is nearly here, which means support for Ruby 2.7 is ending!
Thanks to Jon Burns for pointing out Brakeman was reporting the wrong file and/or line number for EOL Ruby warnings.
The SHA256 sums for this release are:
dc664d4b5d01dd81608db02ec9b7c383beb65a3169049df2939c4bbbd4edfb73 brakeman-5.4.1.gem
c1bf7e4cec5bde1d53122b41743343d3e38e4aa30145707b902278dd3b588fd4 brakeman-lib-5.4.1.gem
94d24f3ea881bfc213ead8fbf3568aa37b301272ccbecf383394c9d7d7f43eeb brakeman-min-5.4.1.gem
Thank you to everyone who reported bugs and contributed to this release!
Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.
Follow @brakeman on Twitter and hang out on Github for questions and discussion.