brakeman

A static analysis security vulnerability scanner for Ruby on Rails applications

OTHER License

Downloads
135.9M
Stars
7K
Committers
162


brakeman - 6.2.1 Latest Release

Published by presidentbeef about 2 months ago

brakeman - 6.1.2

Published by presidentbeef 9 months ago

  • Avoid detecting Phlex components as dynamic render paths (Máximo Mussini)
  • Avoid detecting ViewComponentContrib::Base as dynamic render paths (vividmuimui)
  • Avoid copying Sexps that are too large (#1818, #1546)
  • Add EOL date for Ruby 3.3.0
  • Remove deprecated use of Kernel#open("|...")
  • Remove safe_yaml gem dependency
  • Update Highline to 3.0 (#1812)

brakeman - 6.1.1

Published by presidentbeef 10 months ago

  • Handle racc as a default gem in Ruby 3.3.0

brakeman - 6.1.0

Published by presidentbeef 11 months ago

  • Add check for unfiltered search with Ransack
  • Add --timing to add timing duration for scan steps
  • Add PG::Connection.escape_string as a SQL sanitization method (Joévin Soulenq)
  • Handle class << self
  • Fix class method lookup in parent classes
  • Fix keyword splats in filter arguments

brakeman - 6.0.0.1 - Docker only

Published by presidentbeef over 1 year ago

This release is to fix the Ruby version used in the Docker image.

No other changes.

brakeman - 6.0.0

Published by presidentbeef over 1 year ago

  • Drop support for Ruby 1.8/1.9 syntax
  • Raise minimum Ruby version to 3.0
  • Add obsolete fingerprints to comparison report (#1758)
  • Warn about missing CSRF protection when defaults are not loaded (Chris Kruger)
  • Fix false positive with content_tag in newer Rails (#1778)
  • Scan directories that include the word public
  • Fix end-of-life dates for Ruby

brakeman - 5.4.1

Published by presidentbeef over 1 year ago

  • Add Rails 6.1 and 7.0 default configuration values
  • Support Rails 7 redirect options
  • Add redirect_back and redirect_back_or_to to open redirect check
  • Revise checking for request.env to only consider request headers
  • Prevent redirects using url_from being marked as unsafe (Lachlan Sylvester)
  • Warn about unscoped find for find_by(id: ...)
  • Support presence, presence_in and in? (#1569)
  • Fix issue with if expressions in when clauses (#1743)
  • Fix file/line location for EOL software warnings

brakeman - 5.4.0

Published by presidentbeef almost 2 years ago

  • Add check for weak RSA key sizes and padding modes (#1736)
  • Add check for absolute paths issue with Pathname (#1721)
  • Handle multiple values and splats in case/when (#1730)
  • Ignore more model methods in redirects (#1723)
  • Fix load_rails_defaults overwriting settings in the Rails application (James Gregory-Monk)
  • Use relative paths for CodeClimate report format (Mike Poage)

brakeman - 5.3.1

Published by presidentbeef almost 2 years ago

  • Fix version range for CVE-2022-32209

brakeman - 5.3.0

Published by presidentbeef about 2 years ago

  • Add CWE information to warnings (Stephen Aghaulor)
  • Include explicit engine or lib paths in vendor/ (Joe Rafaniello)
  • Add check for CVE-2022-32209
  • Load rexml as a Brakeman dependency
  • Fix "full call" information propagating unnecessarily

brakeman - 5.2.3

Published by presidentbeef over 2 years ago

  • Fix error with hash shorthand syntax (#1700)
  • Match order of interactive options with help message (@roryokane)

brakeman - 5.2.2

Published by presidentbeef over 2 years ago

  • Respect equality in if conditions (#1683)
  • Update message for unsafe reflection (Pedro Baracho)
  • Handle nil when joining values (Dan Buettner)
  • Add additional String methods for SQL injection check (#1669)
  • Update ruby_parser for Ruby 3.1 support (Merek Skubela)

brakeman - 5.2.1

Published by presidentbeef over 2 years ago

  • Add warning codes for EOL software warnings (#1671)

brakeman - 5.2.0

Published by presidentbeef almost 3 years ago

  • Initial Rails 7 support (#1653)
  • Require Ruby 2.5.0+ (#1649)
  • Fix issue with calls to foo.root in routes (#1640)
  • Ignore I18n.locale in SQL queries (#1597)
  • Do not treat sanitize_sql_like as safe
  • Add new checks for unsupported Ruby and Rails version
  • Bundled version of ruby_parser updated to 3.18.1

brakeman - 5.1.2

Published by presidentbeef almost 3 years ago

  • Updated ruby_parser (Ryan Davis)
  • Fix issue where the previous output is still visible (Jason Frey)
  • Handle cases where enums are not symbols (#1627)
  • Support newer Haml with ::Haml::AttributeBuilder.build
  • Fix sorting with nil line numbers

brakeman - 5.1.1

Published by presidentbeef about 3 years ago

  • Unrefactor IgnoreConfig's use of Brakeman::FilePath

(Fixes bugs with -I and also relative paths for -i.)

brakeman - 5.1.0

Published by presidentbeef over 3 years ago

  • Report Formats
  • Performance
    • Read and parse files in parallel
  • Ruby Interpretation
    • Initial support for ActiveRecord enums (#1492)
    • Interprocedural dataflow from very simple class methods
    • Support Array#fetch and Hash#fetch (#1571)
    • Support Array#push
    • Support Array#*
    • Better Array#join support
    • Support Hash#values and Hash#values_at
    • Support Hash#include?
  • SQL Injection
    • Update SQL injection check for Rails 6.0/6.1
    • Add --sql-safe-methods option (Esty Scheiner)
    • Ignore dates in SQL
    • Ignore sanitize_sql_like in SQL (#1571)
    • Ignore method calls on numbers in SQL (#1571)
  • Other Fixes
    • Ignore renderables in dynamic render path check (Brad Parker)
    • Fix false positive in command injection with Open3.capture (Richard Fitzgerald)
    • Fix infinite loop on mixin self-includes (Andrew Szczepanski)
    • Check for user-controlled evaluation even if it's a call target (#1590)
  • Refactoring
    • Refactor cookie?/param? methods (Keenan Brock)
    • Better method definition tracking and lookup

brakeman - 5.0.4

Published by presidentbeef over 3 years ago

  • Update bundled ruby_parser to include argument forwarding support (brakeman gem only)

brakeman - 5.0.2

Published by presidentbeef over 3 years ago

  • Fix Loofah version check

brakeman - 5.0.1

Published by presidentbeef over 3 years ago

  • Support loading slim/smart (#1570)
  • Set more line numbers on Sexps (#1579)
  • Detect ::Rails.application.configure too (#1584)
  • Always ignore slice/only calls for mass assignment
  • Don't fail if $HOME/$USER are not defined
  • Convert splat array arguments to arguments
  • Bundle unreleased RubyParser changes