Brakeman 7.1.1 Released

Performance improvements on macOS and lots of bug fixes

Changes since 7.1.0:

  • Exclude directories before searching for files (#1925)
  • Check for unsafe SQL when two arguments are passed to AR methods (Patrick Brinich-Langlois)
  • Fix SQL injection check for calculate method (Rohan Sharma)
  • Check each side of an or expression in SQL arguments (#1935)
  • Consider Tempfile.create.path as safe input (Ali Ismayilov)
  • Fix false positive when calling with_content on ViewComponents (Peer Allan)
  • Add FilePath#to_path for Ruby 3.5 compatibility (S.H.)
  • Ignore attribute builder in Haml 6 (#1952)
  • Word wrap text output in pager

Faster File Search on macOS

Brakeman now filters out excluded top-level directories before enumerating files, which speeds up file search on macOS. The difference can be significant in projects with large numbers of files.

SQL Injection Detection Updates

Patrick Brinich-Langlois fixed a bug where ActiveRecord query calls with two arguments were skipped entirely by the SQL injection check, so unsafe SQL in the first argument went unreported.

Rohan Sharma addressed an issue where calls to calculate were only checked for dangerous values in the third argument, even though the second argument (the column name) can also carry SQL injection.

When a query argument is two or more values combined with ||, Brakeman now checks every value in the expression rather than only one side (which can also resolve some false positives).
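
The three SQL injection changes above share one idea: every argument position that a query method interprets as raw SQL has to be examined, including both sides of an || expression. The following is an added illustration written for this page, not Brakeman's own code: a toy static check over hand-built, Sexp-style expression trees. The node shapes, the SQL_ARG_POSITIONS table, the SANITIZING_CALLS list and the sample calls are all constructed for the example; real Brakeman tracks data flow through a fully parsed AST.

```ruby
# Added illustration for these release notes, not Brakeman's own code:
# a toy model of the SQL injection argument checks described above,
# run over hand-built expression trees. Node shapes (Sexp-like arrays):
#   [:str, "text"]               string literal
#   [:lit, value]                symbol / integer / boolean literal
#   [:const, :Name]              constant (a model class)
#   [:dstr, part, part, ...]     interpolated string "..#{..}.."
#   [:params, key]               params[key]  (untrusted input)
#   [:or, lhs, rhs]              lhs || rhs
#   [:call, receiver, name, *args]
# Real Brakeman tracks data flow through a full parsed AST; this only
# covers the shapes needed for the constructed cases below.

# Argument positions (0-based) a query method interprets as raw SQL.
# Constructed for this example; it is not Brakeman's actual table.
SQL_ARG_POSITIONS = {
  where:     [0],     # where("sql fragment", bind, ...) - binds are safe
  order:     [0],
  pluck:     [0],
  calculate: [1, 2],  # calculate(:sum, column_or_sql, options)
}.freeze

# Conversions that strip any SQL text from untrusted input.
SANITIZING_CALLS = %i[to_i to_f].freeze

# True when `expr` may carry attacker-controlled SQL text.
def unsafe_sql?(expr)
  case expr[0]
  when :str, :lit, :const then false
  when :params            then true
  when :dstr              then expr[1..].any? { |part| unsafe_sql?(part) }
  when :or                then unsafe_sql?(expr[1]) || unsafe_sql?(expr[2]) # each side
  when :call
    _, receiver, name, *args = expr
    return false if SANITIZING_CALLS.include?(name)
    (!receiver.nil? && unsafe_sql?(receiver)) || args.any? { |a| unsafe_sql?(a) }
  else
    true # unknown node: stay conservative
  end
end

# Positions of the arguments of one query call that carry unsafe SQL.
# An empty array means the call is considered safe. Every listed
# position is checked no matter how many arguments were passed.
def unsafe_sql_args(call)
  _, _receiver, name, *args = call
  SQL_ARG_POSITIONS.fetch(name, []).select { |i| args[i] && unsafe_sql?(args[i]) }
end

# Constructed samples mirroring the cases fixed in 7.1.1.
SAMPLES = {
  # User.where("name = '#{params[:name]}'", true): two arguments, but the
  # first is still raw SQL and must not be skipped.
  two_arg_where: [:call, [:const, :User], :where,
                  [:dstr, [:str, "name = '"], [:params, :name], [:str, "'"]],
                  [:lit, true]],
  # User.where("name = ?", params[:name]): bound parameter, safe.
  bound_where:   [:call, [:const, :User], :where,
                  [:str, "name = ?"], [:params, :name]],
  # Order.calculate(:sum, params[:column]): the second argument is SQL.
  calculate_col: [:call, [:const, :Order], :calculate,
                  [:lit, :sum], [:params, :column]],
  # Post.order(params[:sort] || "created_at"): the left side is unsafe.
  or_left:       [:call, [:const, :Post], :order,
                  [:or, [:params, :sort], [:str, "created_at"]]],
  # Post.order(params[:position].to_i || 1): ORDER BY ordinal, both
  # sides are safe, so no warning should be raised.
  or_both_safe:  [:call, [:const, :Post], :order,
                  [:or, [:call, [:params, :position], :to_i], [:lit, 1]]],
}.freeze

# Report hash: sample name => unsafe argument positions.
def report
  SAMPLES.transform_values { |call| unsafe_sql_args(call) }
end

if __FILE__ == $PROGRAM_NAME
  report.each do |name, positions|
    puts "#{name}: #{positions.empty? ? 'safe' : 'unsafe argument(s) at ' + positions.inspect}"
  end
end
```

Running the file prints one line per sample; two_arg_where, calculate_col and or_left are reported with the offending argument position, while bound_where and or_both_safe are reported as safe. The point of the or case is that the check descends into both branches of the expression instead of stopping at the first one.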

Safe Tempfile Paths

Ali Ismayilov added Tempfile.create.path to the list of values treated as safe, matching the existing handling of Tempfile.new.path.

More ViewComponents

Peer Allan addressed a false positive when with_content is used with ViewComponents.

Pathname Ruby 3.5 Compatibility

S.H. added FilePath#to_path to fix a forward-compatibility issue between Brakeman's file path objects and Pathname in Ruby 3.5.

More Haml 6 Fixes

Haml 6's AttributeBuilder is now handled correctly in templates (that is, it is ignored).

Word Wrapping

Brakeman will now word wrap text output when using the pager (which is the default). This is especially helpful when using brakeman-llm.

Reporting Issues

Additional thanks to

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Hang out on GitHub for questions and discussion.

Checksums

The SHA256 sums for this release are:

629426b5d6496c75e3ffa2299e1ab1bb3ba721fea03d8808414c083660439498 brakeman-7.1.1.gem
0e7b06294c148fbe73008eb19507e59c3cb50ab61a62f679becd4b2b93e49249 brakeman-lib-7.1.1.gem
8a911bbb1fe531530bff61e9bdc7acb6a9b4cecc3fae7a6f2a840c58006743a6 brakeman-min-7.1.1.gem