Changes since 6.1.2:
- Add optional support for Prism parser
- Handle parallel assignment with splats (#1833)
- Warn about unscoped finds with find_by! (#1786)
- Add initial Rails 8 support (Ron Shinall)
- Add support for symbolic links (Lu Zhu)
- Support YAML aliases in secret configs (Chedli Bourguiba)
- Add --show-ignored option (Gabriel Arcangel Zayas)
- Treat ::X and X the same, for now (Jill Klang)
- Remediation advice for command injection (Nicholas Barone)
- Fix compatibility with default frozen string literals (Jean Boussier)
- Fix Ruby warnings in test suite (Jean Boussier)
Lots of great contributions in this release, thanks!
What happened to 6.2.0? Packaging issue! No other changes.
Optional Support for Prism Parser
Prism is a new Ruby parsing library intended to unify the various existing Ruby parsers.
This release adds optional support for the Prism parser.
To enable use of Prism, install it directly or add it to your Gemfile. Then enable it with --prism.
(changes)
Parallel Assignment with Splats
Support splats in parallel assignments like a, *b = 1, 2, 3
(changes)
Unscoped Finds with find_by!
Warn about insecure direct object references in code using find_by!:
User.find_by!(id: params[:id])
(changes)
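As an added illustration (not Brakeman's own code), here is a minimal Ripper-based scan of the pattern above: it flags find/find_by/find_by! calls on a bare model constant (treating ::User like User) whose arguments come from params, and leaves alone a lookup scoped through an association such as current_user.posts. The controller source is constructed for the demonstration.

```ruby
require 'ripper'

# Finder methods that look up a record by primary key or attributes.
UNSCOPED_FINDERS = %w[find find_by find_by!].freeze

# True if the `params` identifier appears anywhere in the S-expression subtree.
def mentions_params?(node)
  return false unless node.is_a?(Array)
  node[0] == :@ident && node[1] == 'params' || node.any? { |c| mentions_params?(c) }
end

# Receiver name when it is a bare constant; `User` and `::User` are treated alike.
def constant_receiver(recv)
  return nil unless recv.is_a?(Array) && %i[var_ref top_const_ref].include?(recv[0])
  recv[1][1] if recv[1].is_a?(Array) && recv[1][0] == :@const
end

# Walk the Ripper tree and collect finder calls on a model constant whose arguments
# come from `params`: the unscoped lookups the warning above is about.
def unscoped_finds(source)
  findings = []
  walk = lambda do |node|
    return unless node.is_a?(Array)
    recv = meth = args = nil
    if node[0] == :method_add_arg && node[1].is_a?(Array) && node[1][0] == :call
      recv, meth, args = node[1][1], node[1][3], node[2]   # Model.find_by!(id: params[:id])
    elsif node[0] == :command_call
      recv, meth, args = node[1], node[3], node[4]         # Model.find_by! id: params[:id]
    end
    if meth.is_a?(Array) && meth[0] == :@ident && UNSCOPED_FINDERS.include?(meth[1])
      model = constant_receiver(recv)
      findings << { model: model, method: meth[1], line: meth[2][0] } if model && mentions_params?(args)
    end
    node.each { |child| walk.call(child) }
  end
  walk.call(Ripper.sexp(source))
  findings
end

# Constructed controller source for the demonstration (not from the page).
SAMPLE = <<~RUBY
  class UsersController < ApplicationController
    def show;   @user  = User.find_by!(id: params[:id]); end                # unscoped: flagged
    def edit;   @post  = current_user.posts.find_by!(id: params[:id]); end # scoped: fine
    def lookup; @admin = ::User.find(params[:id]); end                      # unscoped: flagged
  end
RUBY

unscoped_finds(SAMPLE).each { |f| puts "#{f[:model]}.#{f[:method]} at line #{f[:line]}" }
```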
Initial Rails 8 Support
While there is no specific behavior added yet for Rails 8, Brakeman will detect it properly and the -8/--rails8 options have been added.
Thanks to Ron Shinall for proactively adding this functionality.
(changes)
Support for Symbolic Links
Thanks to Lu Zhu, Brakeman will now follow symbolic links for directories - in particular links to files outside of the root directory of the Rails application.
(changes)
YAML Aliases in Secrets Config
Chedli Bourguiba enabled support for use of aliases in secrets configuration files.
(changes)
Option to Show Ignored Warnings in Text Report
In response to this request, Gabriel Arcangel Zayas added the --show-ignored option to list ignored warnings in the default text report.
(changes)
Top-Level Constants
While it may be semantically incorrect, Brakeman will now treat ::Foo and Foo the same. This helps when matching against known constants like ViewComponent::Base and ::ViewComponent::Base. Thanks to Jill Klang for addressing this one.
(changes)
Remediation Advice for Command Injection
Nicholas Barone added a note about using shellescape to make shell commands safer.
(changes)
Frozen String Support
Jean Boussier has made Brakeman compatible with use of Ruby’s frozen string literals (e.g. --enable-frozen-string-literal), avoiding any future issues if/when frozen strings are the default.
Along the way, they also fixed up some Ruby warnings in the test suite.
(changes)
Checksums
The SHA256 sums for this release are:
Reporting Issues
Thank you to everyone who reported bugs and contributed to this release!
Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.
Hang out on GitHub for questions and discussion.