<h2 id="brakeman-612-released">Brakeman 6.1.2 Released</h2>
<p><em>2024-02-01</em> (<a href="https://brakemanscanner.org/blog/2024/02/01/brakeman-6-dot-1-dot-2-released">original post</a>)</p>
<p>Finally, just a small release!</p>
<p><em>Changes since 6.1.1:</em></p>
<ul>
<li>Avoid detecting Phlex components as dynamic render paths (<a href="https://github.com/ElMassimo">Máximo Mussini</a>)</li>
<li>Avoid detecting <code class="language-plaintext highlighter-rouge">ViewComponentContrib::Base</code> as dynamic render paths (<a href="https://github.com/vividmuimui">vividmuimui</a>)</li>
<li>Avoid copying Sexps that are too large (<a href="https://github.com/presidentbeef/brakeman/issues/1818">#1818</a>, <a href="https://github.com/presidentbeef/brakeman/issues/1546">#1546</a>)</li>
<li>Add EOL date for Ruby 3.3.0</li>
<li>Remove deprecated use of <code class="language-plaintext highlighter-rouge">Kernel#open("|...")</code></li>
<li>Remove <code class="language-plaintext highlighter-rouge">safe_yaml</code> gem dependency</li>
<li>Update Highline to 3.0 (<a href="https://github.com/presidentbeef/brakeman/issues/1812">#1812</a>)</li>
</ul>
<h3 id="components-in-render-paths">Components in Render Paths</h3>
<p>Thanks to <a href="https://github.com/ElMassimo">Máximo Mussini</a> and <a href="https://github.com/vividmuimui">vividmuimui</a>, there will be fewer false positives
warning about dynamic render paths when using components.</p>
<p>(<a href="https://github.com/presidentbeef/brakeman/pull/1805">changes</a>)</p>
<p>(<a href="https://github.com/presidentbeef/brakeman/pull/1821">changes</a>)</p>
<h3 id="performance-improvement-with-complex-branching">Performance Improvement with Complex Branching</h3>
<p>Brakeman has a very hard time with code like</p>
<div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">x</span> <span class="o">=</span> <span class="n">thing</span>
<span class="n">x</span> <span class="o">=</span> <span class="n">foo</span><span class="p">(</span><span class="n">x</span><span class="p">)</span>
<span class="k">if</span> <span class="n">x</span>
<span class="n">x</span> <span class="o">=</span> <span class="n">bar</span><span class="p">(</span><span class="n">x</span><span class="p">)</span>
<span class="k">else</span>
<span class="n">x</span> <span class="o">=</span> <span class="n">baz</span><span class="p">(</span><span class="n">x</span><span class="p">)</span>
<span class="k">end</span>
<span class="n">x</span> <span class="o">=</span> <span class="n">do_thing</span><span class="p">(</span><span class="n">x</span><span class="p">)</span>
<span class="c1"># etc.</span>
</code></pre></div></div>
<p>Because to Brakeman it looks like</p>
<div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">x</span> <span class="o">=</span> <span class="n">thing</span>
<span class="n">x</span> <span class="o">=</span> <span class="n">foo</span><span class="p">(</span><span class="n">thing</span><span class="p">)</span>
<span class="k">if</span> <span class="n">foo</span><span class="p">(</span><span class="n">thing</span><span class="p">)</span>
<span class="n">x</span> <span class="o">=</span> <span class="n">bar</span><span class="p">(</span><span class="n">foo</span><span class="p">(</span><span class="n">thing</span><span class="p">))</span>
<span class="k">else</span>
<span class="n">x</span> <span class="o">=</span> <span class="n">baz</span><span class="p">(</span><span class="n">foo</span><span class="p">(</span><span class="n">thing</span><span class="p">))</span>
<span class="k">end</span>
<span class="n">x</span> <span class="o">=</span> <span class="n">do_thing</span><span class="p">(</span><span class="n">bar</span><span class="p">(</span><span class="n">foo</span><span class="p">(</span><span class="n">thing</span><span class="p">))</span> <span class="o">||</span> <span class="n">baz</span><span class="p">(</span><span class="n">foo</span><span class="p">(</span><span class="n">thing</span><span class="p">)))</span>
</code></pre></div></div>
<p>This can quickly snowball into gigantic chunks of code, causing Brakeman to use lots of memory and essentially freeze up.</p>
<p>In the past, a limit on how many times a value is “branched” has helped with this (and it is configurable with <code class="language-plaintext highlighter-rouge">--branch-limit</code>).
However, that limit alone is not sufficient.</p>
<p>Now Brakeman also limits how large these chunks of code can get. This has improved performance without any noticeable impact on true positives.</p>
<p>(<a href="https://github.com/presidentbeef/brakeman/pull/1820">changes</a>)</p>
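<p>The snowballing described above, as an added toy model (constructed for this post, it is not Brakeman's code and does not use its Sexp representation): expressions are nested arrays, reading a variable substitutes its tracked value, and an <code class="language-plaintext highlighter-rouge">if/else</code> merges both branches into an <code class="language-plaintext highlighter-rouge">or</code> node. Without a size cap the tracked value roughly doubles every round; with a cap, a value that is too large is left as the bare variable instead of being copied. The <code class="language-plaintext highlighter-rouge">max_size</code> knob and the node counting are assumptions of this model, not Brakeman's actual limit.</p>

```ruby
# Added toy model of value substitution (constructed for this post; not
# Brakeman's own code). Expressions are nested arrays:
#   [:var, :name]          a bare variable or receiver-less call
#   [:call, :name, arg]    a method call with one argument
#   [:or, a, b]            the merged value of two branches
class ValueTracker
  attr_reader :env

  # max_size: largest expression we are willing to copy into another one;
  # nil means no limit, i.e. the behaviour that snowballs.
  def initialize(max_size: nil)
    @env = {}
    @max_size = max_size
  end

  # Number of nodes in an expression tree.
  def self.size(expr)
    case expr[0]
    when :var  then 1
    when :call then 1 + size(expr[2])
    when :or   then 1 + size(expr[1]) + size(expr[2])
    else raise ArgumentError, "unknown node #{expr[0].inspect}"
    end
  end

  # Reading a variable substitutes its known value, unless that value is
  # larger than max_size, in which case the variable is kept symbolic.
  def read(var)
    value = @env[var]
    return [:var, var] if value.nil?
    return [:var, var] if @max_size && self.class.size(value) > @max_size
    value
  end

  def assign(var, expr)
    @env[var] = expr
  end

  # After `if ... else ... end` the variable may hold either branch's value.
  def branch(var, then_expr, else_expr)
    @env[var] = [:or, then_expr, else_expr]
  end
end

# Replays the post's snippet: x = thing; x = foo(x); then `rounds` copies of
#   if x; x = bar(x) else x = baz(x) end; x = do_thing(x)
# and returns the size of x's tracked value after each round.
def simulate(rounds, max_size: nil)
  t = ValueTracker.new(max_size: max_size)
  t.assign(:x, [:var, :thing])
  t.assign(:x, [:call, :foo, t.read(:x)])
  Array.new(rounds) do
    t.branch(:x, [:call, :bar, t.read(:x)], [:call, :baz, t.read(:x)])
    t.assign(:x, [:call, :do_thing, t.read(:x)])
    ValueTracker.size(t.env[:x])
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "unlimited:          #{simulate(8).inspect}"
  puts "capped at 20 nodes: #{simulate(8, max_size: 20).inspect}"
end
```

<p>The uncapped sequence follows <code class="language-plaintext highlighter-rouge">s(n) = 2 * s(n - 1) + 4</code>, which is the exponential growth the branch limit alone cannot contain; the capped run stays bounded because, once the merged value exceeds the cap, later reads see only <code class="language-plaintext highlighter-rouge">x</code> rather than a copy of the whole tree.</p>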
<h3 id="checksums">Checksums</h3>
<p>The SHA256 sums for this release are:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>7716769c18f2c4a52d7a74d2cb5a614be0c46d8aad3fbe7ca089dbb7c98bd4d3 brakeman-6.1.2.gem
38939998eb695b82932c207ef766356bc21e57199e18c4d8f000a005d294e587 brakeman-lib-6.1.2.gem
dbc2f9a3b61760c03737cf701f5a1dfe634fb14e8388968e056a0f77effab018 brakeman-min-6.1.2.gem
</code></pre></div></div>
<h3 id="reporting-issues">Reporting Issues</h3>
<p>Thank you to everyone who reported bugs and contributed to this release!</p>
<p>Please report any <a href="https://github.com/presidentbeef/brakeman/issues">issues</a> with this release. Take a look at <a href="https://github.com/presidentbeef/brakeman/wiki/How-to-Report-a-Brakeman-Issue">this guide</a> to reporting Brakeman problems.</p>
<p>Hang out <a href="https://github.com/presidentbeef/brakeman/discussions">on Github</a> for questions and discussion.</p>
<h2 id="brakeman-610-released">Brakeman 6.1.0 Released</h2>
<p><em>2023-12-04</em> (<a href="https://brakemanscanner.org/blog/2023/12/04/brakeman-6-dot-1-dot-0-released">original post</a>)</p>
<p>It’s been a while!</p>
<p><em>Changes since 6.0.1:</em></p>
<ul>
<li>Add check for unfiltered search with Ransack</li>
<li>Add <code class="language-plaintext highlighter-rouge">--timing</code> to add timing duration for scan steps</li>
<li>Add <code class="language-plaintext highlighter-rouge">PG::Connection.escape_string</code> as a SQL sanitization method (<a href="https://github.com/joevin-slq-docto">Joévin Soulenq</a>)</li>
<li>Handle <code class="language-plaintext highlighter-rouge">class << self</code></li>
<li>Fix class method lookup in parent classes</li>
<li>Fix keyword splats in filter arguments</li>
</ul>
<h3 id="ransack-searches">Ransack Searches</h3>
<p><a href="https://activerecord-hackery.github.io/ransack/">Ransack</a> is a popular library for enabling search against ActiveRecord attributes.</p>
<p>It was originally intended for administrative interfaces (like those provided by ActiveAdmin).</p>
<p>Usage usually looks like</p>
<div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="no">Car</span><span class="p">.</span><span class="nf">ransack</span><span class="p">(</span><span class="n">params</span><span class="p">[</span><span class="ss">:q</span><span class="p">])</span>
</code></pre></div></div>
<p>And a URL might look like</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>example.com?q[make_start]=vol
</code></pre></div></div>
<p>This might generate a query like</p>
<div class="language-sql highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">SELECT</span> <span class="n">make</span> <span class="k">FROM</span> <span class="n">cars</span> <span class="k">WHERE</span> <span class="n">make</span> <span class="k">LIKE</span> <span class="s1">'vol%'</span><span class="p">;</span>
</code></pre></div></div>
<p>The library does clever things with the query parameter key.
In this case, <code class="language-plaintext highlighter-rouge">make</code> is the column and <code class="language-plaintext highlighter-rouge">start</code> means match values that start with the search term
passed in.</p>
<p>However, it’s also possible to specify columns on related tables, such as</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>example.com?q[owner_name_start]=just
</code></pre></div></div>
<p>This would search the <code class="language-plaintext highlighter-rouge">name</code> column on the <code class="language-plaintext highlighter-rouge">owners</code> table (assuming <code class="language-plaintext highlighter-rouge">Car</code> has an association to <code class="language-plaintext highlighter-rouge">Owner</code>).</p>
<p>Prior to Ransack 4.0, the default configuration allowed searching <em>all</em> columns on a table as
well as <em>all</em> columns on associated tables.</p>
<p><a href="https://positive.security/blog/ransack-data-exfiltration">Some folks figured out this can be used to extract secret values</a> by brute-forcing the value one character at a time.</p>
<p>To fix this issue, explicitly <a href="https://activerecord-hackery.github.io/ransack/going-further/other-notes/#authorization-allowlistingdenylisting">allow list the attributes and associations available</a> to search.</p>
<p>In Ransack 4.0 and later, it is required to set up an allowlist.</p>
<p>Brakeman will warn about unrestricted use of <code class="language-plaintext highlighter-rouge">ransack</code>:</p>
<ul>
<li><strong>High</strong> if no allow-listing methods are found in the class hierarchy of the model on which <code class="language-plaintext highlighter-rouge">ransack</code> is called</li>
<li><strong>Medium</strong> if the use happens to be in a file with <code class="language-plaintext highlighter-rouge">admin</code> in the path</li>
<li><strong>Low</strong> if the call to <code class="language-plaintext highlighter-rouge">ransack</code> is not on a class</li>
</ul>
<p>(<a href="https://github.com/presidentbeef/brakeman/pull/1799">changes</a>)</p>
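<p>What the allowlist changes, as an added example (constructed for this post; it is neither Ransack's nor Brakeman's code): two plain Ruby stand-ins for the <code class="language-plaintext highlighter-rouge">Car</code> and <code class="language-plaintext highlighter-rouge">Owner</code> models define the <code class="language-plaintext highlighter-rouge">ransackable_attributes</code> and <code class="language-plaintext highlighter-rouge">ransackable_associations</code> class methods the linked Ransack documentation describes, and a deliberately simplified reader of <code class="language-plaintext highlighter-rouge">q[...]</code> keys resolves a key either the pre-4.0 way (every column, through every association) or against the allowlist. The <code class="language-plaintext highlighter-rouge">columns</code>/<code class="language-plaintext highlighter-rouge">associations</code> helpers, the four-predicate list and the key parsing are assumptions of this example; Ransack's real parser handles far more.</p>

```ruby
# Added example, not Ransack's own code: constructed stand-ins for two models
# and a simplified reading of search keys, to show what the allowlist changes.
class Owner
  COLUMNS = %w[id name email password_digest].freeze
  def self.columns; COLUMNS; end
  def self.associations; {}; end
  # Hardened: only the display name may be searched on owners.
  def self.ransackable_attributes(_auth_object = nil); %w[name]; end
  def self.ransackable_associations(_auth_object = nil); []; end
end

class Car
  COLUMNS = %w[id make model vin owner_id].freeze
  def self.columns; COLUMNS; end
  def self.associations; { "owner" => Owner }; end
  # Hardened: two searchable columns, and one association that is itself restricted.
  def self.ransackable_attributes(_auth_object = nil); %w[make model]; end
  def self.ransackable_associations(_auth_object = nil); %w[owner]; end
end

# A subset of Ransack's predicate suffixes (constructed; the real list is longer).
PREDICATES = %w[eq start end cont].freeze

# "owner_name_start" -> ["owner_name", "start"]; nil when no known predicate.
def split_predicate(key)
  PREDICATES.each do |pred|
    return [key.delete_suffix("_#{pred}"), pred] if key.end_with?("_#{pred}")
  end
  nil
end

# Pre-4.0 default: any column, on the model or through any association.
def permissive?(model, base)
  return true if model.columns.include?(base)
  model.associations.any? do |name, klass|
    base.start_with?("#{name}_") && permissive?(klass, base.delete_prefix("#{name}_"))
  end
end

# With an allowlist: only listed attributes, only listed associations, recursively.
def allowlisted?(model, base)
  return true if model.ransackable_attributes.include?(base)
  model.ransackable_associations.any? do |name|
    klass = model.associations[name]
    klass && base.start_with?("#{name}_") && allowlisted?(klass, base.delete_prefix("#{name}_"))
  end
end

# Would a q[<key>] parameter be accepted for `model`?
def searchable?(model, key, allowlist: true)
  base, _predicate = split_predicate(key.to_s)
  return false if base.nil?
  allowlist ? allowlisted?(model, base) : permissive?(model, base)
end

if __FILE__ == $PROGRAM_NAME
  %w[make_start owner_name_start vin_eq owner_password_digest_start].each do |key|
    puts format("%-30s permissive=%-5s allowlisted=%s", key,
                searchable?(Car, key, allowlist: false), searchable?(Car, key))
  end
end
```

<p>The last key in the demo is the shape of the exfiltration the linked write-up describes: a prefix match on a column of an associated table that was never meant to be searchable. With the allowlist in place the key is rejected before any query is built, which is also why Brakeman's new check looks for these methods in the model's class hierarchy.</p>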
<h3 id="timing-output">Timing Output</h3>
<p>Use <code class="language-plaintext highlighter-rouge">--timing</code> to output duration of various steps during the scan.</p>
<p>Useful for debugging slowness.</p>
<p>(<a href="https://github.com/presidentbeef/brakeman/pull/1801">changes</a>)</p>
<h3 id="another-sql-escaping-method">Another SQL Escaping Method</h3>
<p>Brakeman will not warn about use of <code class="language-plaintext highlighter-rouge">escape_string</code> in SQL queries.</p>
<p>(<a href="https://github.com/presidentbeef/brakeman/pull/1789">changes</a>)</p>
<h3 id="class-methods">Class Methods</h3>
<p>Brakeman will now treat methods defined inside of <code class="language-plaintext highlighter-rouge">class << self</code> as class methods.</p>
<p>This does mean fingerprints of warnings found inside those methods will change.</p>
<p>(<a href="https://github.com/presidentbeef/brakeman/pull/1792">changes</a>)</p>
<h3 id="class-method-lookups">Class Method Lookups</h3>
<p>Searching for class method definitions in parent classes will now actually look for class methods, not instance methods.</p>
<p>(<a href="https://github.com/presidentbeef/brakeman/pull/1796">changes</a>)</p>
<h3 id="keyword-splats-in-filters">Keyword Splats in Filters</h3>
<p>Code like</p>
<div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">before_action</span><span class="p">(</span><span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="k">do</span>
<span class="c1"># ...</span>
<span class="k">end</span>
</code></pre></div></div>
<p>Will no longer cause an error.</p>
<p>(<a href="https://github.com/presidentbeef/brakeman/pull/1800">changes</a>)</p>
<h3 id="checksums">Checksums</h3>
<p>The SHA256 sums for this release are:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>0d4066936dd58f0fe757d0ff1ec0744479be9ff06c771be4b581bdf0cb8d7403 brakeman-6.1.0.gem
e7c9e739a43ec719d981e9b401b980c11cbe81a333ccb166965b9264ef413cc8 brakeman-lib-6.1.0.gem
709813eff010c9605dc09b9fcbe60742dd3b9e757ec7131808988a14b83eee23 brakeman-min-6.1.0.gem
</code></pre></div></div>
<h3 id="reporting-issues">Reporting Issues</h3>
<p>Thank you to everyone who reported bugs and contributed to this release!</p>
<p>Please report any <a href="https://github.com/presidentbeef/brakeman/issues">issues</a> with this release. Take a look at <a href="https://github.com/presidentbeef/brakeman/wiki/How-to-Report-a-Brakeman-Issue">this guide</a> to reporting Brakeman problems.</p>
<p>Hang out <a href="https://github.com/presidentbeef/brakeman/discussions">on Github</a> for questions and discussion.</p>
<h2 id="brakeman-601-released">Brakeman 6.0.1 Released</h2>
<p><em>2023-07-20</em> (<a href="https://brakemanscanner.org/blog/2023/07/20/brakeman-6-dot-0-dot-1-released">original post</a>)</p>
<p>Very tiny release this time!</p>
<p><em>Changes since 6.0.0:</em></p>
<ul>
<li>Accept strings for <code class="language-plaintext highlighter-rouge">load_defaults</code> version (<a href="https://github.com/presidentbeef/brakeman/issues/1784">#1784</a>)</li>
<li>Bundle latest <code class="language-plaintext highlighter-rouge">ruby_parser</code></li>
</ul>
<h3 id="strings-for-load_defaults">Strings for <code class="language-plaintext highlighter-rouge">load_defaults</code></h3>
<p>While the default for Rails generators and documentation is to use floats for versions, e.g. <code class="language-plaintext highlighter-rouge">load_defaults 6.1</code>, internally it uses strings. It appears quite a few apps also use strings.</p>
<p>Now Brakeman supports and uses strings.</p>
<p>(<a href="https://github.com/presidentbeef/brakeman/pull/1785">changes</a>)</p>
<h3 id="latest-rubyparser">Latest RubyParser</h3>
<p>Bundled with <code class="language-plaintext highlighter-rouge">ruby_parser</code> 3.20.3, which includes additional support for Ruby 3.2 syntax.</p>
<h3 id="checksums">Checksums</h3>
<p>The SHA256 sums for this release are:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>39641c63bc247bbdf993a349de90a13e146c464c872191f2adc12555bde591be brakeman-6.0.1.gem
e029fbd43c97bbb9c084fa4f0e13ee259bf193b79d66ba7ef94fa9496bab62cd brakeman-lib-6.0.1.gem
ef2ff1234ba2a9e7216a0a047b9df0def8c3b8d162d29853c907238901353a54 brakeman-min-6.0.1.gem
</code></pre></div></div>
<h3 id="reporting-issues">Reporting Issues</h3>
<p>Thank you to everyone who reported bugs and contributed to this release!</p>
<p>Please report any <a href="https://github.com/presidentbeef/brakeman/issues">issues</a> with this release. Take a look at <a href="https://github.com/presidentbeef/brakeman/wiki/How-to-Report-a-Brakeman-Issue">this guide</a> to reporting Brakeman problems.</p>
<p>Follow <a href="https://twitter.com/brakeman">@brakeman</a> on Twitter and hang out <a href="https://github.com/presidentbeef/brakeman/discussions">on Github</a> for questions and discussion.</p>
<h2 id="brakeman-600-released">Brakeman 6.0.0 Released</h2>
<p><em>2023-05-24</em> (<a href="https://brakemanscanner.org/blog/2023/05/24/brakeman-6-dot-0-released">original post</a>)</p>
<p>Brakeman 6.0 drops parsing support for Ruby 1.8/1.9, and raises the minimum Ruby version to run Brakeman to 3.0.</p>
<p><em>Changes since 5.4.1:</em></p>
<ul>
<li>Drop support for Ruby 1.8/1.9 syntax</li>
<li>Raise minimum Ruby version to 3.0</li>
<li>Add obsolete fingerprints to comparison report (<a href="https://github.com/presidentbeef/brakeman/issues/1758">#1758</a>)</li>
<li>Warn about missing CSRF protection when defaults are not loaded (<a href="https://github.com/montdidier">Chris Kruger</a>)</li>
<li>Fix false positive with <code class="language-plaintext highlighter-rouge">content_tag</code> in newer Rails (<a href="https://github.com/presidentbeef/brakeman/issues/1778">#1778</a>)</li>
<li>Scan directories that include the word <code class="language-plaintext highlighter-rouge">public</code></li>
<li>Fix end-of-life dates for Ruby</li>
</ul>
<h3 id="ruby-parsing-version-support">Ruby Parsing Version Support</h3>
<p>This version of Brakeman no longer supports parsing Ruby 1.8/1.9 syntax.</p>
<p><code class="language-plaintext highlighter-rouge">ruby_parser</code>, the gem Brakeman depends on for parsing Ruby, dropped support quite a while ago. Brakeman was depending on the <code class="language-plaintext highlighter-rouge">ruby_parser-legacy</code> gem for these older versions. But since it has been eight years since Ruby 1.9 has been unmaintained… it is time to let go.</p>
<p>(<a href="https://github.com/presidentbeef/brakeman/pull/1771">changes</a>)</p>
<h3 id="minimum-ruby-version">Minimum Ruby Version</h3>
<p>The minimum Ruby version to run Brakeman is now 3.0.0.</p>
<p>Official support for the 2.x line of Ruby has ended, so it is a good time to bump up the minimum requirement and adopt more modern language features.</p>
<p>(<a href="https://github.com/presidentbeef/brakeman/pull/1771">changes</a>)</p>
<h3 id="missing-csrf-protection-warning">Missing CSRF Protection Warning</h3>
<p>Since Rails 5.2.0, new applications have had cross-site request forgery protection enabled. Brakeman assumed the protection was enabled based on the Rails version. However, this was incorrect.</p>
<p>Now Brakeman correctly handles the default configuration values.</p>
<p>(<a href="https://github.com/presidentbeef/brakeman/pull/1776">changes</a>)</p>
<h3 id="content-tag-attributes">Content Tag Attributes</h3>
<p>Brakeman will no longer warn about user input in <code class="language-plaintext highlighter-rouge">content_tag</code> attribute names in Rails 6.1.6+</p>
<p>(<a href="https://github.com/presidentbeef/brakeman/pull/1779">changes</a>)</p>
<h3 id="obsolete-warnings-in-comparison-report">Obsolete Warnings in Comparison Report</h3>
<p>When using the <code class="language-plaintext highlighter-rouge">--compare</code> option, the output JSON will now include an <code class="language-plaintext highlighter-rouge">obsolete</code> key with an array of fingerprints.</p>
<p>These fingerprints are warnings that are configured to be ignored, but no longer exist.</p>
<p>Note that the report will include <em>all</em> fingerprints in the ignore configuration that are not in the current report, even if they were already obsolete.</p>
<p>This report format matches the <code class="language-plaintext highlighter-rouge">--json</code> output.</p>
<p>The report will resemble:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>{
"new": [ ... ],
"fixed": [ ... ],
"obsolete": [
"abcdef01234567890ba28050e7faf1d54f218dfa9435c3f65f47cb378c18cf98"
]
}
</code></pre></div></div>
<p>(<a href="https://github.com/presidentbeef/brakeman/pull/1777">changes</a>)</p>
<h3 id="scan-public-directories">Scan ‘public’ Directories</h3>
<p>In the old days, Brakeman tried to scan only the “standard” Rails directories, mostly within <code class="language-plaintext highlighter-rouge">/app/</code>. With the 5.0 release, Brakeman was revised to make very few assumptions about what kinds of files live where, instead making decisions based on the content of files rather than their location.</p>
<p>However, there was a lingering exception. Brakeman would ignore any directories that included <code class="language-plaintext highlighter-rouge">/public/</code>.</p>
<p>This exception has been removed.</p>
<p>(<a href="https://github.com/presidentbeef/brakeman/pull/1774">changes</a>)</p>
<h3 id="eol-dates-for-ruby">EOL Dates for Ruby</h3>
<p>Fixed end-of-life date for Ruby 3.0 and added expected dates for 3.1 and 3.2.</p>
<p>(<a href="https://github.com/presidentbeef/brakeman/pull/1770">changes</a>)</p>
<h3 id="checksums">Checksums</h3>
<p>The SHA256 sums for this release are:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>6ff908e5bfca4651d909a31f3d3ae5846e33732284860a23aff454761c4145d0 brakeman-6.0.0.gem
9a5e68e34c1cffe73b51952937ed2b4f427afd5d11d4a1c10c61e971253ba505 brakeman-lib-6.0.0.gem
db1d8e2118af4b4701fbe49bf1177ac5c89a6a956ca037fdc0e62eb062e2dbb9 brakeman-min-6.0.0.gem
</code></pre></div></div>
<h3 id="reporting-issues">Reporting Issues</h3>
<p>Thank you to everyone who reported bugs and contributed to this release!</p>
<p>Please report any <a href="https://github.com/presidentbeef/brakeman/issues">issues</a> with this release. Take a look at <a href="https://github.com/presidentbeef/brakeman/wiki/How-to-Report-a-Brakeman-Issue">this guide</a> to reporting Brakeman problems.</p>
<p>Follow <a href="https://twitter.com/brakeman">@brakeman</a> on Twitter and hang out <a href="https://github.com/presidentbeef/brakeman/discussions">on Github</a> for questions and discussion.</p>
<h2 id="brakeman-541-released">Brakeman 5.4.1 Released</h2>
<p><em>2023-02-21</em> (<a href="https://brakemanscanner.org/blog/2023/02/21/brakeman-5-dot-4-dot-1-released">original post</a>)</p>
<p>Several changes in this release are updates to Brakeman’s open redirect check.</p>
<p><em>Changes since 5.4.0:</em></p>
<ul>
<li>Add Rails 6.1 and 7.0 default configuration values</li>
<li>Support Rails 7 redirect options</li>
<li>Add <code class="language-plaintext highlighter-rouge">redirect_back</code> and <code class="language-plaintext highlighter-rouge">redirect_back_or_to</code> to open redirect check</li>
<li>Revise checking for <code class="language-plaintext highlighter-rouge">request.env</code> to only consider request headers</li>
<li>Prevent redirects using <code class="language-plaintext highlighter-rouge">url_from</code> being marked as unsafe (<a href="https://github.com/lsylvester">Lachlan Sylvester</a>)</li>
<li>Warn about unscoped find for <code class="language-plaintext highlighter-rouge">find_by(id: ...)</code></li>
<li>Support <code class="language-plaintext highlighter-rouge">presence</code>, <code class="language-plaintext highlighter-rouge">presence_in</code> and <code class="language-plaintext highlighter-rouge">in?</code> (<a href="https://github.com/presidentbeef/brakeman/issues/1569">#1569</a>)</li>
<li>Fix issue with <code class="language-plaintext highlighter-rouge">if</code> expressions in <code class="language-plaintext highlighter-rouge">when</code> clauses (<a href="https://github.com/presidentbeef/brakeman/issues/1743">#1743</a>)</li>
<li>Fix file/line location for EOL software warnings</li>
</ul>
<h3 id="rails-61-and-rails-70-defaults">Rails 6.1 and Rails 7.0 Defaults</h3>
<p>The default configuration values for Rails 6.1 and Rails 7.0 have been added to Brakeman.</p>
<p>(<a href="https://github.com/presidentbeef/brakeman/pull/1751">changes</a>)</p>
<h3 id="open-redirect-updates">Open Redirect Updates</h3>
<p>Rails 7 introduced a new protection against open redirects.</p>
<p>If <code class="language-plaintext highlighter-rouge">config.action_controller.raise_on_open_redirects</code> is set to <code class="language-plaintext highlighter-rouge">true</code>, then Rails prevents redirects that redirect to a different domain than <code class="language-plaintext highlighter-rouge">request.host</code>.
This protection can be bypassed by passing in <code class="language-plaintext highlighter-rouge">allow_other_host: true</code> to <code class="language-plaintext highlighter-rouge">redirect_to</code>.</p>
<p>(<a href="https://github.com/presidentbeef/brakeman/pull/1755">changes</a>)</p>
<p><a href="https://github.com/lsylvester">Lachlan Sylvester</a> pointed out it’s also possible to use <code class="language-plaintext highlighter-rouge">url_from</code> to ensure a URL is for the same host. So <code class="language-plaintext highlighter-rouge">redirect_to(url_from(params[:url]))</code> is safe.</p>
<p>(<a href="https://github.com/presidentbeef/brakeman/pull/1749">changes</a>)</p>
<p>This release also expands the open redirect check to <code class="language-plaintext highlighter-rouge">redirect_back</code> and <code class="language-plaintext highlighter-rouge">redirect_back_or_to</code> which have options for a fallback URL.</p>
<p>(<a href="https://github.com/presidentbeef/brakeman/pull/1756">changes</a>)</p>
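<p>The same-host rule that <code class="language-plaintext highlighter-rouge">url_from</code> enforces, as an added example (constructed for this post; this is a simplified re-implementation, not Rails' <code class="language-plaintext highlighter-rouge">url_from</code> and not code from Brakeman): a location is accepted when it is an absolute URL whose host equals the request host, or a path starting with a single <code class="language-plaintext highlighter-rouge">/</code>. Anything else, including protocol-relative <code class="language-plaintext highlighter-rouge">//evil.example</code>, userinfo tricks and non-HTTP schemes, is rejected and the caller falls back to a fixed path, which is the <code class="language-plaintext highlighter-rouge">redirect_to(url_from(params[:url]) || fallback)</code> shape the post calls safe. The function names and the <code class="language-plaintext highlighter-rouge">request_host</code> parameter are this example's own.</p>

```ruby
require "uri"

# Added example (not Rails' implementation): a same-host check in the spirit
# of Rails 7's url_from. Returns the location when it is safe to redirect to
# from a request whose host is `request_host`, otherwise nil.
def same_host_url(location, request_host)
  url = location.to_s
  host = URI.parse(url).host
  return url if host && host.casecmp?(request_host)  # absolute URL on our own host
  return nil unless host.nil?                         # absolute URL on another host
  return nil unless url.start_with?("/")              # "evil.example/x", "javascript:..."
  url.start_with?("//") ? nil : url                   # "//evil.example" is protocol-relative
rescue URI::Error
  nil
end

# What a controller does instead of redirect_to(params[:url]): the checked
# value, or a fixed fallback when the check fails.
def redirect_target(param, request_host, fallback: "/")
  same_host_url(param, request_host) || fallback
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, as they might arrive in params[:url].
  ["/account", "https://app.example/dashboard", "https://evil.example/",
   "//evil.example/x", "https://app.example@evil.example/", "javascript:alert(1)", nil].each do |loc|
    puts format("%-40s -> %s", loc.inspect, redirect_target(loc, "app.example"))
  end
end
```

<p>Like the Rails check, this compares the host only, so a different port or scheme on the same host passes; if that matters, compare <code class="language-plaintext highlighter-rouge">scheme</code> and <code class="language-plaintext highlighter-rouge">port</code> too. The important property for Brakeman's purposes is that user input never reaches the redirect unfiltered, which is why <code class="language-plaintext highlighter-rouge">redirect_to(url_from(params[:url]))</code> is no longer flagged.</p>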
<h3 id="more-unscoped-finds">More Unscoped Finds</h3>
<p>Brakeman will now warn about use of <code class="language-plaintext highlighter-rouge">find_by(id: ...)</code> the same way it would warn about <code class="language-plaintext highlighter-rouge">find_by_id</code> for “unscoped finds” (i.e., possible insecure direct object references).</p>
<p>(<a href="https://github.com/presidentbeef/brakeman/pull/1748">changes</a>)</p>
<h3 id="presence-method-support">Presence Method Support</h3>
<p>Brakeman now handles <code class="language-plaintext highlighter-rouge">presence</code>, <code class="language-plaintext highlighter-rouge">presence_in</code>, and <code class="language-plaintext highlighter-rouge">in?</code> methods.</p>
<p>Since <code class="language-plaintext highlighter-rouge">presence_in</code> and <code class="language-plaintext highlighter-rouge">in?</code> are often used for guard clauses, this fixes some false positives.</p>
<p>(<a href="https://github.com/presidentbeef/brakeman/pull/1747">changes</a>)</p>
<h3 id="fileline-for-end-of-life-warnings">File/Line for End-Of-Life Warnings</h3>
<p>March is nearly here, which means support for Ruby 2.7 is ending!</p>
<p>Thanks to <a href="https://github.com/jburns42891">Jon Burns</a> for pointing out Brakeman was reporting the wrong file and/or line number for EOL Ruby warnings.</p>
<p>(<a href="https://github.com/presidentbeef/brakeman/pull/1761">changes</a>)</p>
<h3 id="checksums">Checksums</h3>
<p>The SHA256 sums for this release are:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>dc664d4b5d01dd81608db02ec9b7c383beb65a3169049df2939c4bbbd4edfb73 brakeman-5.4.1.gem
c1bf7e4cec5bde1d53122b41743343d3e38e4aa30145707b902278dd3b588fd4 brakeman-lib-5.4.1.gem
94d24f3ea881bfc213ead8fbf3568aa37b301272ccbecf383394c9d7d7f43eeb brakeman-min-5.4.1.gem
</code></pre></div></div>
<h3 id="reporting-issues">Reporting Issues</h3>
<p>Thank you to everyone who reported bugs and contributed to this release!</p>
<p>Please report any <a href="https://github.com/presidentbeef/brakeman/issues">issues</a> with this release. Take a look at <a href="https://github.com/presidentbeef/brakeman/wiki/How-to-Report-a-Brakeman-Issue">this guide</a> to reporting Brakeman problems.</p>
<p>Follow <a href="https://twitter.com/brakeman">@brakeman</a> on Twitter and hang out <a href="https://github.com/presidentbeef/brakeman/discussions">on Github</a> for questions and discussion.</p>
<h2 id="brakeman-540-released">Brakeman 5.4.0 Released</h2>
<p><em>2022-11-17</em> (<a href="https://brakemanscanner.org/blog/2022/11/17/brakeman-5-dot-4-dot-0-released">original post</a>)</p>
<p>Special thanks to <a href="https://github.com/bdewater">Bart de Water</a> and <a href="https://github.com/tehryanx">Ryan Cartner</a> for proposing new rules!</p>
<p><em>Changes since 5.3.1:</em></p>
<ul>
<li>Add check for weak RSA key sizes and padding modes (<a href="https://github.com/presidentbeef/brakeman/issues/1736">#1736</a>)</li>
<li>Add check for absolute paths issue with Pathname (<a href="https://github.com/presidentbeef/brakeman/issues/1721">#1721</a>)</li>
<li>Handle multiple values and splats in case/when (<a href="https://github.com/presidentbeef/brakeman/issues/1730">#1730</a>)</li>
<li>Ignore more model methods in redirects (<a href="https://github.com/presidentbeef/brakeman/issues/1723">#1723</a>)</li>
<li>Fix <code class="language-plaintext highlighter-rouge">load_rails_defaults</code> overwriting settings in the Rails application (<a href="https://github.com/jamgregory">James Gregory-Monk</a>)</li>
<li>Use relative paths for CodeClimate report format (<a href="https://github.com/RubyBrewsday">Mike Poage</a>)</li>
</ul>
<h3 id="check-rsa-key-sizes-and-padding-modes">Check RSA Key Sizes and Padding Modes</h3>
<p>Brakeman now warns on:</p>
<ul>
<li>RSA key sizes less than 2048 bits</li>
<li>Use of padding modes other than OAEP (including <code class="language-plaintext highlighter-rouge">none</code>)</li>
</ul>
<p>(<a href="https://github.com/presidentbeef/brakeman/pull/1737">changes</a>)</p>
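<p>The two conditions the new rule flags, as an added example using Ruby's standard <code class="language-plaintext highlighter-rouge">openssl</code> library (constructed for this post; it is not Brakeman's checker and the <code class="language-plaintext highlighter-rouge">rsa_findings</code> helper is this example's own): a size check against the modulus bit length and a padding check that accepts only <code class="language-plaintext highlighter-rouge">PKCS1_OAEP_PADDING</code>, next to the corrected usage with OAEP on both sides of the round trip. Note that <code class="language-plaintext highlighter-rouge">public_encrypt</code> defaults to PKCS#1 v1.5 padding when no mode is passed, which is exactly the case the rule warns about.</p>

```ruby
require "openssl"

MIN_RSA_BITS = 2048
OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# Added example, not Brakeman's checker: the two conditions the new rule flags,
# given the modulus size in bits and the padding constant passed to encrypt.
def rsa_findings(bits:, padding:)
  findings = []
  findings << "RSA key size #{bits} is below #{MIN_RSA_BITS} bits" if bits < MIN_RSA_BITS
  findings << "padding mode is not OAEP" unless padding == OAEP
  findings
end

# Modulus size of a loaded or generated key, as a check would read it.
def key_bits(key)
  key.n.num_bits
end

# The corrected usage: OAEP on both sides of the round trip.
def oaep_roundtrip(key, plaintext)
  ciphertext = key.public_encrypt(plaintext, OAEP)
  key.private_decrypt(ciphertext, OAEP)
end

if __FILE__ == $PROGRAM_NAME
  weak = OpenSSL::PKey::RSA.new(1024)                 # constructed weak key for the demo
  # public_encrypt's default padding is PKCS1_PADDING (v1.5), so this is what
  # a call like `key.public_encrypt(data)` gets checked as.
  p rsa_findings(bits: key_bits(weak), padding: OpenSSL::PKey::RSA::PKCS1_PADDING)

  strong = OpenSSL::PKey::RSA.new(2048)
  p rsa_findings(bits: key_bits(strong), padding: OAEP)
  p oaep_roundtrip(strong, "hello")
end
```
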
<h3 id="unexpected-absolute-paths">Unexpected Absolute Paths</h3>
<p>When joining paths using <code class="language-plaintext highlighter-rouge">Pathname#join</code>, any arguments that start with a forward slash (<code class="language-plaintext highlighter-rouge">/</code>) will cause the rest of the path to be relative to that absolute path. This may cause unexpected behavior and deviates from how <code class="language-plaintext highlighter-rouge">File.join</code> works.</p>
<div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="no">Pathname</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="s1">'a'</span><span class="p">).</span><span class="nf">join</span><span class="p">(</span><span class="s1">'b'</span><span class="p">,</span> <span class="s1">'/c'</span><span class="p">,</span> <span class="s1">'d'</span><span class="p">)</span>
<span class="o">=></span> <span class="c1">#<Pathname:/c/d></span>
</code></pre></div></div>
<p>(There are more <code class="language-plaintext highlighter-rouge">Pathname</code> methods with this issue - to be added in a future release.)</p>
<p>(<a href="https://github.com/presidentbeef/brakeman/pull/1733">changes</a>)</p>
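<p>The behaviour the check targets, as an added example (constructed for this post; not Brakeman's check): the post's <code class="language-plaintext highlighter-rouge">Pathname#join</code> call next to the equivalent <code class="language-plaintext highlighter-rouge">File.join</code>, plus a <code class="language-plaintext highlighter-rouge">safe_join</code> helper of this example's own that returns <code class="language-plaintext highlighter-rouge">nil</code> whenever the expanded result would leave the base directory, so both an absolute segment and <code class="language-plaintext highlighter-rouge">..</code> traversal are refused.</p>

```ruby
require "pathname"

# Added example, not Brakeman's check: the two joins the post contrasts, plus
# a helper that refuses any result that escapes the base directory.

# Pathname#join restarts from an absolute component.
def pathname_join(base, *parts)
  Pathname.new(base).join(*parts).to_s
end

# File.join only concatenates with separators.
def file_join(base, *parts)
  File.join(base, *parts)
end

# Returns the joined Pathname only if it stays inside `base`; nil otherwise.
# expand_path resolves ".." segments before the prefix check is made.
def safe_join(base, *parts)
  base_path = Pathname.new(base).expand_path
  prefix = base_path.to_s
  prefix += File::SEPARATOR unless prefix.end_with?(File::SEPARATOR)
  joined = base_path.join(*parts).expand_path
  joined.to_s.start_with?(prefix) ? joined : nil
end

if __FILE__ == $PROGRAM_NAME
  puts pathname_join("a", "b", "/c", "d")          # /c/d
  puts file_join("a", "b", "/c", "d")              # a/b/c/d
  p safe_join("a", "b", "/c", "d")                 # nil
  p safe_join("a", "b", "..", "..", "etc", "passwd") # nil
  p safe_join("a", "b", "c")                       # <cwd>/a/b/c
end
```

<p>Note that <code class="language-plaintext highlighter-rouge">File.join</code> avoids the absolute-path surprise but still keeps <code class="language-plaintext highlighter-rouge">..</code> segments, so on user-controlled input a containment check like <code class="language-plaintext highlighter-rouge">safe_join</code> is needed either way; for paths that already exist, <code class="language-plaintext highlighter-rouge">realpath</code> instead of <code class="language-plaintext highlighter-rouge">expand_path</code> also resolves symlinks.</p>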
<h3 id="multiple-values-in-whens">Multiple Values in <code class="language-plaintext highlighter-rouge">when</code>s</h3>
<p>If a <code class="language-plaintext highlighter-rouge">when</code> clause contains only ‘safe’ values, Brakeman will treat the <code class="language-plaintext highlighter-rouge">case</code> value as safe:</p>
<div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">y</span> <span class="o">=</span> <span class="p">[</span><span class="mi">1</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">3</span><span class="p">]</span>
<span class="k">case</span> <span class="n">x</span>
<span class="k">when</span> <span class="o">*</span><span class="n">y</span>
<span class="n">maybe_dangerous</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> <span class="c1"># `x` must be an integer, so not dangerous</span>
<span class="k">end</span>
</code></pre></div></div>
<p>(<a href="https://github.com/presidentbeef/brakeman/pull/1734">changes</a>)</p>
<h3 id="ignore-more-redirects">Ignore More Redirects</h3>
<p>More model methods are ignored in redirects:</p>
<ul>
<li><code class="language-plaintext highlighter-rouge">first!</code></li>
<li><code class="language-plaintext highlighter-rouge">last!</code></li>
<li><code class="language-plaintext highlighter-rouge">sole</code></li>
<li><code class="language-plaintext highlighter-rouge">find_by_sole</code></li>
</ul>
<p>(<a href="https://github.com/presidentbeef/brakeman/pull/1732">changes</a>)</p>
<h3 id="rails-defaults">Rails Defaults</h3>
<p><a href="https://github.com/jamgregory">James Gregory-Monk</a> fixed how Rails default configuration values are set so overrides were properly handled.</p>
<p>(<a href="https://github.com/presidentbeef/brakeman/pull/1719">changes</a>)</p>
<h3 id="checksums">Checksums</h3>
<p>The SHA256 sums for this release are:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>bab990760949e999c5d52b297d8badda376754eb296c91abf829def733ed9d51 brakeman-5.4.0.gem
2b5a0cd5845b8c0e1b83e00122654af48b025ac3e6625c9ecbc5535226068416 brakeman-lib-5.4.0.gem
fcbd60456c5db62767d143696e1edf8e4eaee734f2a039903aeca7bb4e6b3dbf brakeman-min-5.4.0.gem
</code></pre></div></div>
<h3 id="reporting-issues">Reporting Issues</h3>
<p>Thank you to everyone who reported bugs and contributed to this release!</p>
<p>Please report any <a href="https://github.com/presidentbeef/brakeman/issues">issues</a> with this release. Take a look at <a href="https://github.com/presidentbeef/brakeman/wiki/How-to-Report-a-Brakeman-Issue">this guide</a> to reporting Brakeman problems.</p>
<p>Follow <a href="https://twitter.com/brakeman">@brakeman</a> on Twitter and hang out <a href="https://github.com/presidentbeef/brakeman/discussions">on Github</a> for questions and discussion.</p>
<p>Special thanks to Bart de Water and Ryan Cartner for proposing new rules!</p>
<h2>Brakeman 5.3.0 Released</h2>
<p><em>2022-08-09T08:30:00-07:00</em> <a href="https://brakemanscanner.org/blog/2022/08/09/brakeman-5-dot-3-dot-0-released">https://brakemanscanner.org/blog/2022/08/09/brakeman-5-dot-3-dot-0-released</a></p>
<p>This release adds CWE information to reports - the first JSON report change in a long time!</p>
<p><em>Changes since 5.2.3:</em></p>
<ul>
<li>Add CWE information to warnings (<a href="https://github.com/saghaulor">Stephen Aghaulor</a>)</li>
<li>Include explicit engine or lib paths in <code class="language-plaintext highlighter-rouge">vendor/</code> (<a href="https://github.com/jrafanie">Joe Rafaniello</a>)</li>
<li>Add check for CVE-2022-32209</li>
<li>Load rexml as a Brakeman dependency</li>
<li>Fix “full call” information propagating unnecessarily</li>
</ul>
<h3 id="cwe-information">CWE Information</h3>
<p>Thanks to <a href="https://github.com/saghaulor">Stephen Aghaulor</a> for taking on the arduous task of adding CWE information
to every Brakeman warning type!</p>
<p>CWE information is now available in most report formats. In particular, it is a new field for the JSON report.</p>
<p>Example:</p>
<div class="language-json highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="w"> </span><span class="p">{</span><span class="w">
</span><span class="nl">"warning_type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Cross-Site Scripting"</span><span class="p">,</span><span class="w">
</span><span class="nl">"warning_code"</span><span class="p">:</span><span class="w"> </span><span class="mi">124</span><span class="p">,</span><span class="w">
</span><span class="nl">"fingerprint"</span><span class="p">:</span><span class="w"> </span><span class="s2">"c2cc471a99036432e03d83e893fe748c2b1d5c40a39e776475faf088717af97d"</span><span class="p">,</span><span class="w">
</span><span class="nl">"check_name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"SanitizeConfigCve"</span><span class="p">,</span><span class="w">
</span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"rails-html-sanitizer 1.4.2 is vulnerable to cross-site scripting when `select` and `style` tags are allowed (CVE-2022-32209)"</span><span class="p">,</span><span class="w">
</span><span class="nl">"file"</span><span class="p">:</span><span class="w"> </span><span class="s2">"config/initializers/sanitizers.rb"</span><span class="p">,</span><span class="w">
</span><span class="nl">"line"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w">
</span><span class="nl">"link"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://groups.google.com/g/rubyonrails-security/c/ce9PhUANQ6s/m/S0fJfnkmBAAJ"</span><span class="p">,</span><span class="w">
</span><span class="nl">"code"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Rails::Html::SafeListSanitizer.allowed_tags = [</span><span class="se">\"</span><span class="s2">select</span><span class="se">\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">a</span><span class="se">\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">style</span><span class="se">\"</span><span class="s2">]"</span><span class="p">,</span><span class="w">
</span><span class="nl">"render_path"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">,</span><span class="w">
</span><span class="nl">"location"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">,</span><span class="w">
</span><span class="nl">"user_input"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">,</span><span class="w">
</span><span class="nl">"confidence"</span><span class="p">:</span><span class="w"> </span><span class="s2">"High"</span><span class="p">,</span><span class="w">
</span><span class="nl">"cwe_id"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w">
</span><span class="mi">79</span><span class="w">
</span><span class="p">]</span><span class="w">
</span><span class="p">}</span><span class="w">
</span></code></pre></div></div>
<p>(<a href="https://github.com/presidentbeef/brakeman/pull/1693">changes</a>)</p>
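<p>As an added example (not part of the original post or of Brakeman itself), the script below reads a Brakeman JSON report and uses the new <code class="language-plaintext highlighter-rouge">cwe_id</code> field to group and count warnings per CWE, optionally filtered by confidence. The embedded report is constructed: its first warning is the CVE-2022-32209 entry shown above, the second is made up, and reports from older Brakeman versions without <code class="language-plaintext highlighter-rouge">cwe_id</code> are handled as well.</p>

```ruby
require 'json'

# Constructed sample of a Brakeman JSON report, reduced to the fields used here.
# Warning 1 is the CVE-2022-32209 example from the post; warning 2 is made up.
SAMPLE_REPORT = <<~JSON
  {
    "warnings": [
      {
        "warning_type": "Cross-Site Scripting",
        "warning_code": 124,
        "fingerprint": "c2cc471a99036432e03d83e893fe748c2b1d5c40a39e776475faf088717af97d",
        "check_name": "SanitizeConfigCve",
        "file": "config/initializers/sanitizers.rb",
        "line": 1,
        "confidence": "High",
        "cwe_id": [79]
      },
      {
        "warning_type": "SQL Injection",
        "fingerprint": "constructed-fingerprint-0001",
        "check_name": "SQL",
        "file": "app/models/user.rb",
        "line": 12,
        "confidence": "Medium",
        "cwe_id": [89]
      }
    ]
  }
JSON

# Brakeman's three confidence levels, ranked so they can be compared.
CONFIDENCE_RANK = { 'High' => 3, 'Medium' => 2, 'Weak' => 1 }.freeze

# Map each CWE id to the fingerprints of the warnings carrying it.
# A warning with no cwe_id (reports from Brakeman < 5.3) lands under :unknown.
def warnings_by_cwe(report)
  groups = Hash.new { |h, k| h[k] = [] }
  report.fetch('warnings', []).each do |w|
    ids = w['cwe_id'].to_a          # nil.to_a => [], so old reports still work
    ids = [:unknown] if ids.empty?
    ids.each { |id| groups[id] << w['fingerprint'] }
  end
  groups
end

# Count warnings per CWE, keeping only those at or above min_confidence.
def cwe_counts(report, min_confidence: 'Weak')
  threshold = CONFIDENCE_RANK.fetch(min_confidence)
  counts = Hash.new(0)
  report.fetch('warnings', []).each do |w|
    next if CONFIDENCE_RANK.fetch(w['confidence'], 0) < threshold
    w['cwe_id'].to_a.each { |id| counts[id] += 1 }
  end
  counts
end

if __FILE__ == $PROGRAM_NAME
  report = JSON.parse(ARGV[0] ? File.read(ARGV[0]) : SAMPLE_REPORT)
  cwe_counts(report).sort_by { |_, n| -n }.each { |id, n| puts "CWE-#{id}: #{n}" }
end
```

<p>Run it with the path of a real <code class="language-plaintext highlighter-rouge">brakeman -f json</code> report as the first argument, or with no argument to use the embedded sample.</p>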
<h3 id="explicit-paths-in-vendor-directory">Explicit Paths in Vendor Directory</h3>
<p>By default, Brakeman does not scan any code in the <code class="language-plaintext highlighter-rouge">vendor/</code> directory.</p>
<p>But it was also ignoring any paths in <code class="language-plaintext highlighter-rouge">vendor/</code>, even if the user explicitly included them via <code class="language-plaintext highlighter-rouge">--add-libs-path</code> or <code class="language-plaintext highlighter-rouge">--add-engines-path</code>.</p>
<p>Thanks to <a href="https://github.com/jrafanie">Joe Rafaniello</a> this is now changed to respect the explicit additional paths, even if they reside in <code class="language-plaintext highlighter-rouge">vendor/</code>.</p>
<p>(<a href="https://github.com/presidentbeef/brakeman/pull/1699">changes</a>)</p>
<h3 id="cve-2022-32209">CVE-2022-32209</h3>
<p><em>As a reminder, Brakeman does not keep up with every CVE for Rails or other libraries. Use a dependency analysis tool for that!</em></p>
<p>A check was added for <a href="https://hackerone.com/reports/1530898">CVE-2022-32209</a>.</p>
<p>If the vulnerable configuration is detected, the warning will be <code class="language-plaintext highlighter-rouge">high</code> confidence.</p>
<p>If only the vulnerable version of <code class="language-plaintext highlighter-rouge">rails-html-sanitizer</code> is detected, the warning will be <code class="language-plaintext highlighter-rouge">weak</code> confidence.</p>
<p>(<a href="https://github.com/presidentbeef/brakeman/pull/1718">changes</a>)</p>
<h3 id="checksums">Checksums</h3>
<p>The SHA256 sums for this release are:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>4fe584ef37c16e1011a0f2db36ebab540fef403ff8e26afed212e2d7ff5a3176 brakeman-5.3.0.gem
1f5caa0bd05fd8ea5b4f5791371dd0911f96d804612c7be986bab3ed0163a8cf brakeman-lib-5.3.0.gem
4a4ccef090c4eb5857140c15fa69ff65167f3eb550f7a0ca555012642aafe7e9 brakeman-min-5.3.0.gem
</code></pre></div></div>
<h3 id="reporting-issues">Reporting Issues</h3>
<p>Thank you to everyone who reported bugs and contributed to this release!</p>
<p>Please report any <a href="https://github.com/presidentbeef/brakeman/issues">issues</a> with this release. Take a look at <a href="https://github.com/presidentbeef/brakeman/wiki/How-to-Report-a-Brakeman-Issue">this guide</a> to reporting Brakeman problems.</p>
<p>Follow <a href="https://twitter.com/brakeman">@brakeman</a> on Twitter and hang out <a href="https://github.com/presidentbeef/brakeman/discussions">on Github</a> for questions and discussion.</p>
<h2>Brakeman 5.2.3 Released</h2>
<p><em>2022-05-01T08:30:00-07:00</em> <a href="https://brakemanscanner.org/blog/2022/05/01/brakeman-5-dot-2-dot-3-released">https://brakemanscanner.org/blog/2022/05/01/brakeman-5-dot-2-dot-3-released</a></p>
<p><em>Changes since 5.2.2:</em></p>
<ul>
<li>Fix error with hash shorthand syntax (<a href="https://github.com/presidentbeef/brakeman/issues/1700">#1700</a>)</li>
<li>Match order of interactive options with help message (<a href="https://github.com/roryokane">Rory O’kane</a>)</li>
</ul>
<h3 id="hash-shorthand-syntax">Hash Shorthand Syntax</h3>
<p>Parsing shorthand hash syntax like this was added with RubyParser 3.19:</p>
<div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">thing</span> <span class="o">=</span> <span class="mi">1</span>
<span class="n">blah</span><span class="p">(</span><span class="n">thing</span><span class="p">:)</span>
</code></pre></div></div>
<p>but Brakeman needed to handle it properly, too.</p>
<p>(<a href="https://github.com/presidentbeef/brakeman/pull/1701">changes</a>)</p>
<h3 id="interative-options">Interactive Options</h3>
<p><a href="https://github.com/roryokane">Rory O’kane</a> updated the ordering of options in the help message for interactive ignore so
the help message matches the order of the options in the prompt!</p>
<p>(<a href="https://github.com/presidentbeef/brakeman/pull/1702">changes</a>)</p>
<h3 id="checksums">Checksums</h3>
<p>The SHA256 sums for this release are:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>5b6efb6a1e5c2b79063553647638e17239d2d2f4d50561230c8b0acaae4728d4 brakeman-5.2.3.gem
3104abc8ac2b6558d9610ede40f4cac2ebc7ae45569876b8e5907b7422c4e3af brakeman-lib-5.2.3.gem
10d743c930c03ed1d2bea021ade8fac10f1229d02b8f65bf2214f7f09ec7a0ff brakeman-min-5.2.3.gem
</code></pre></div></div>
<h3 id="reporting-issues">Reporting Issues</h3>
<p>Thank you to everyone who reported bugs and contributed to this release!</p>
<p>Please report any <a href="https://github.com/presidentbeef/brakeman/issues">issues</a> with this release. Take a look at <a href="https://github.com/presidentbeef/brakeman/wiki/How-to-Report-a-Brakeman-Issue">this guide</a> to reporting Brakeman problems.</p>
<p>Follow <a href="https://twitter.com/brakeman">@brakeman</a> on Twitter and hang out <a href="https://gitter.im/presidentbeef/brakeman">on Gitter</a> for questions and discussion.</p>
<h2>Brakeman 5.2.2 Released</h2>
<p><em>2022-04-06T08:30:00-07:00</em> <a href="https://brakemanscanner.org/blog/2022/04/06/brakeman-5-dot-2-dot-2-released">https://brakemanscanner.org/blog/2022/04/06/brakeman-5-dot-2-dot-2-released</a></p>
<p><em>Changes since 5.2.1:</em></p>
<ul>
<li>Respect equality in <code class="language-plaintext highlighter-rouge">if</code> conditions (<a href="https://github.com/presidentbeef/brakeman/issues/1683">#1683</a>)</li>
<li>Update message for unsafe reflection (<a href="https://github.com/pedropb">Pedro Baracho</a>)</li>
<li>Handle <code class="language-plaintext highlighter-rouge">nil</code> when joining values (<a href="https://github.com/Capncavedan">Dan Buettner</a>)</li>
<li>Add additional String methods for SQL injection check (<a href="https://github.com/presidentbeef/brakeman/issues/1669">#1669</a>)</li>
<li>Update <code class="language-plaintext highlighter-rouge">ruby_parser</code> for Ruby 3.1 support (<a href="https://github.com/sqbell">Merek Skubela</a>)</li>
</ul>
<h3 id="equality-checks-in-conditions">Equality Checks in Conditions</h3>
<p>When Brakeman comes across code like:</p>
<div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">if</span> <span class="n">x</span> <span class="o">==</span> <span class="mi">1</span>
<span class="c1"># do something with x</span>
<span class="k">end</span>
</code></pre></div></div>
<p>it will now assume <code class="language-plaintext highlighter-rouge">x</code> is <code class="language-plaintext highlighter-rouge">1</code> inside the <code class="language-plaintext highlighter-rouge">if</code> branch.</p>
<p>(<a href="https://github.com/presidentbeef/brakeman/pull/1681">changes</a>)</p>
<h3 id="unsafe-reflection-messages">Unsafe Reflection Messages</h3>
<p><a href="https://github.com/pedropb">Pedro Baracho</a> updated the messages for unsafe reflection to be clearer.</p>
<p>(<a href="https://github.com/presidentbeef/brakeman/pull/1670">changes</a>)</p>
<h3 id="another-string-joining-fix">Another String Joining Fix</h3>
<p><a href="https://github.com/Capncavedan">Dan Buettner</a> fixed an exception when a <code class="language-plaintext highlighter-rouge">nil</code> gets into a string joining operation.</p>
<p>(<a href="https://github.com/presidentbeef/brakeman/pull/1686">changes</a>)</p>
<h3 id="more-sql-injection">More SQL Injection</h3>
<p>When Brakeman checks for SQL injection, there are a number of String methods (like <code class="language-plaintext highlighter-rouge">to_s</code> or <code class="language-plaintext highlighter-rouge">strip</code>) that essentially return the string itself, so user input that passes through them is still treated as user input.</p>
<p>This list of methods has been expanded to include <code class="language-plaintext highlighter-rouge">chop</code>, <code class="language-plaintext highlighter-rouge">lstrip</code>, <code class="language-plaintext highlighter-rouge">rstrip</code>, <code class="language-plaintext highlighter-rouge">scrub</code>, and <code class="language-plaintext highlighter-rouge">tr</code>.</p>
<p>(<a href="https://github.com/presidentbeef/brakeman/pull/1682">changes</a>)</p>
<h3 id="update-rubyparser">Update RubyParser</h3>
<p>This version of Brakeman includes <a href="https://www.zenspider.com/releases/2022/03/ruby_parser-version-3-19-0-has-been-released.html">RubyParser 3.19</a> which adds support for Ruby 3.1 syntax. Thanks <a href="https://github.com/sqbell">Merek Skubela</a>!</p>
<p>(<a href="https://github.com/presidentbeef/brakeman/pull/1695">changes</a>)</p>
<h3 id="checksums">Checksums</h3>
<p>The SHA256 sums for this release are:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>246c9540f5d90fbde39c95999d319f9706bf79668f66bb35419825c1cbef61ae brakeman-5.2.2.gem
1b559598d78919c0f6f3a8e8602b86ab35f825810b1d7daf872b7791b452e78b brakeman-lib-5.2.2.gem
4c34dcc1900bf872254eee2b313b1634ffacc9002fd7d26b8390259318cf6194 brakeman-min-5.2.2.gem
</code></pre></div></div>
<h3 id="reporting-issues">Reporting Issues</h3>
<p>Thank you to everyone who reported bugs and contributed to this release!</p>
<p>Please report any <a href="https://github.com/presidentbeef/brakeman/issues">issues</a> with this release. Take a look at <a href="https://github.com/presidentbeef/brakeman/wiki/How-to-Report-a-Brakeman-Issue">this guide</a> to reporting Brakeman problems.</p>
<p>Follow <a href="https://twitter.com/brakeman">@brakeman</a> on Twitter and hang out <a href="https://gitter.im/presidentbeef/brakeman">on Gitter</a> for questions and discussion.</p>
<h2>Brakeman 5.2.1 Released</h2>
<p><em>2022-01-30T11:30:00-08:00</em> <a href="https://brakemanscanner.org/blog/2022/01/30/5-dot-2-dot-1-released">https://brakemanscanner.org/blog/2022/01/30/5-dot-2-dot-1-released</a></p>
<p>Oops! Minor emergency fix release.</p>
<p><em>Changes since 5.2.0:</em></p>
<ul>
<li>Add warning codes for EOL Ruby and Rails check</li>
</ul>
<h3 id="reporting-issues">Reporting Issues</h3>
<p>Thank you to everyone who reported bugs and contributed to this release!</p>
<p>Please report any <a href="https://github.com/presidentbeef/brakeman/issues">issues</a> with this release. Take a look at <a href="https://github.com/presidentbeef/brakeman/wiki/How-to-Report-a-Brakeman-Issue">this guide</a> to reporting Brakeman problems.</p>
<p>Follow <a href="https://twitter.com/brakeman">@brakeman</a> on Twitter and hang out <a href="https://gitter.im/presidentbeef/brakeman">on Gitter</a> for questions and discussion.</p>