Brakeman

Ruby on Rails Static Analysis Security Tool

Brakeman 6.2.1 Released

Lots of great contributions in this release, thanks!

Changes since 6.1.2:

What happened to 6.2.0? Packaging issue! No other changes.

Optional Support for Prism Parser

Prism is a new Ruby parsing library intended to unify the various Ruby parsing libraries into one implementation.

This release adds optional support for the Prism parser.

To enable use of Prism, install it directly or add it to your Gemfile. Then enable it with --prism.

(changes)

Parallel Assignment with Splats

Support splats in parallel assignments like

a, *b = 1, 2, 3

(changes)
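To make concrete what Brakeman has to model here, this added example (not Brakeman's own code) implements Ruby's parallel-assignment rules for a target list containing at most one splat, generalised beyond the single statement above: values before the splat pair positionally, targets after the splat are fed from the tail, the splat absorbs the middle and becomes `[]` when the right-hand side is too short, and a single Array on the right is itself splatted. The function name and the string form of the targets (`"*b"`) are this example's own conventions.

```ruby
# Added example, not Brakeman's own code: a model of Ruby's parallel-assignment
# semantics with at most one splat target. This is the behaviour a static
# analyser must reproduce to keep tracking values through `a, *b = 1, 2, 3`.
#
# targets: array of variable names, at most one prefixed with "*"
# values:  array of right-hand-side values
# Returns a Hash of name => value as Ruby would assign it.
def parallel_assign(targets, values)
  # A single right-hand side that is an Array is splatted, as in `a, b = [1, 2]`.
  values = values.first if values.length == 1 && values.first.is_a?(Array)

  splat_index = targets.index { |t| t.start_with?("*") }
  result = {}

  if splat_index.nil?
    # No splat: pair positionally; missing values become nil, extras are dropped.
    targets.each_with_index { |name, i| result[name] = values[i] }
    return result
  end

  before = targets[0...splat_index]
  after  = targets[(splat_index + 1)..-1]
  splat  = targets[splat_index].delete_prefix("*")

  before.each_with_index { |name, i| result[name] = values[i] }

  # Targets after the splat are fed from the tail; the splat absorbs whatever
  # is left in the middle, or [] when the right-hand side is too short.
  middle_len = [values.length - before.length - after.length, 0].max
  result[splat] = values[before.length, middle_len] || []
  after.each_with_index do |name, i|
    result[name] = values[before.length + middle_len + i]
  end

  result
end
```

The short-right-hand-side cases are the ones worth checking against the interpreter: `a, *b, c = 1` gives `b == []` and `c == nil`, and the model must agree rather than raise.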

Unscoped Finds with find_by!

Warn about insecure direct object references in code using find_by!:

User.find_by!(id: params[:id])

(changes)
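The warning is about authorization, not the query itself. The following added example (not Brakeman's or Rails' code) uses a small in-memory stand-in for an ActiveRecord relation, with `find_by!` and `where` mimicking the Rails semantics, to show the unscoped lookup Brakeman now reports next to the owner-scoped form it should become. The `Relation` class, the sample rows and the controller-style methods are all constructed for the example.

```ruby
# Added example, not Brakeman's or Rails' code: an in-memory stand-in for an
# ActiveRecord model, just enough to show why Brakeman 6.2.1 flags
# `Model.find_by!(id: params[:id])` and what the scoped alternative looks like.

class RecordNotFound < StandardError; end

class Relation
  def initialize(rows)
    @rows = rows
  end

  # Mirrors ActiveRecord's find_by!: first row matching every attribute, else raise.
  def find_by!(attrs)
    row = @rows.find { |r| attrs.all? { |k, v| r[k] == v } }
    row or raise RecordNotFound, "no row matching #{attrs.inspect}"
  end

  # Mirrors a where(...) chain: narrows the rows this relation can see.
  def where(attrs)
    Relation.new(@rows.select { |r| attrs.all? { |k, v| r[k] == v } })
  end
end

# Constructed sample data: two users (ids 10 and 20), each owning one document.
DOCUMENTS = Relation.new([
  { id: 1, owner_id: 10, title: "alice's tax return" },
  { id: 2, owner_id: 20, title: "bob's medical record" },
])

# Vulnerable: any caller can fetch any document by guessing its id. This is the
# shape Brakeman reports as an insecure direct object reference.
def show_unscoped(params)
  DOCUMENTS.find_by!(id: params[:id])
end

# Fixed: scope the lookup to rows the current user owns, the equivalent of
# `current_user.documents.find_by!(id: params[:id])` in a Rails controller.
# A foreign id now raises RecordNotFound (a 404 in Rails) instead of leaking.
def show_scoped(current_user_id, params)
  DOCUMENTS.where(owner_id: current_user_id).find_by!(id: params[:id])
end
```

Scoping through the association is preferable to an after-the-fact `if doc.owner_id != current_user.id` check because the record is never loaded at all, and Brakeman's pattern match sees the scoped receiver rather than a bare model constant.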

Initial Rails 8 Support

While there is no specific behavior added yet for Rails 8, Brakeman will detect it properly and the -8/--rails8 options have been added.

Thanks to Ron Shinall for proactively adding this functionality.

(changes)

Follow Symbolic Links

Thanks to Lu Zhu, Brakeman will now follow symbolic links to directories, including links that point to files outside of the root directory of the Rails application.

(changes)
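Following links that leave the application root means a scanner can be led back into a directory it has already walked, so the walker needs a loop guard keyed on real paths rather than on the path it arrived by. This added example (not Brakeman's own code) shows one such walker together with a constructed fixture: a `lib` link that escapes the app root and a link in the external directory that points back at the app. The function names and fixture layout are this example's own.

```ruby
require "set"
require "pathname"
require "tmpdir"
require "fileutils"

# Added example, not Brakeman's own code: a walker that collects Ruby files
# under a root while following symbolic links to directories, including links
# that leave the root. The real path of each directory is the visited key, so a
# link that points back into an already-walked directory cannot loop forever.
def ruby_files_following_links(root)
  found   = []
  visited = Set.new
  queue   = [Pathname.new(root)]

  until queue.empty?
    dir = queue.shift
    begin
      real = dir.realpath
    rescue Errno::ENOENT, Errno::ELOOP
      next            # dangling or self-referential link: nothing to walk
    end
    next unless visited.add?(real.to_s)   # already walked via another path

    dir.children.each do |child|
      if child.directory?                 # true for a link that resolves to a directory
        queue << child
      elsif child.file? && child.extname == ".rb"
        found << child.to_s
      end
    end
  end

  found.sort
end

# Constructed fixture: an "app" root whose lib/ is a link to a shared directory
# outside the root, and a link in that shared directory pointing back at the app.
def build_fixture(tmp)
  app    = File.join(tmp, "app")
  shared = File.join(tmp, "shared")
  FileUtils.mkdir_p(File.join(app, "app", "models"))
  FileUtils.mkdir_p(shared)
  File.write(File.join(app, "app", "models", "user.rb"), "class User; end\n")
  File.write(File.join(shared, "helper.rb"), "module Helper; end\n")
  File.symlink(shared, File.join(app, "lib"))     # escapes the app root
  File.symlink(app, File.join(shared, "loop"))    # would recurse forever if followed naively
  app
end

# Builds the fixture in a temporary directory and returns the basenames found.
def demo_symlink_walk
  Dir.mktmpdir do |tmp|
    ruby_files_following_links(build_fixture(tmp)).map { |f| File.basename(f) }.sort
  end
end
```

Without the `visited` check the `shared/loop` link would re-enter `app` and the queue would never drain; with it, the file behind the out-of-root link is still scanned once.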

YAML Aliases in Secrets Config

Chedli Bourguiba enabled support for use of aliases in secrets configuration files.

(changes)
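The practical gotcha behind this change is that Psych's `YAML.safe_load` rejects aliases unless `aliases: true` is passed, so a `secrets.yml` that shares a `default:` block via `&default` / `<<: *default` fails to load at all. This added example (not Brakeman's code) loads a constructed secrets file of that shape both ways; the file content and the helper names are assumptions for the example.

```ruby
require "yaml"

# Added example, not Brakeman's code: loading a secrets file that uses a YAML
# anchor and alias. Psych's safe_load rejects aliases unless told otherwise,
# which is the failure mode the 6.2.1 change avoids when Brakeman reads
# config/secrets.yml.

# Constructed sample config/secrets.yml in the pre-credentials Rails layout:
# the development and test environments inherit from a shared default block.
SECRETS_YML = <<~YAML
  default: &default
    secret_key_base: 0123456789abcdef0123456789abcdef
    api_token: constructed-sample-token

  development:
    <<: *default

  test:
    <<: *default
    api_token: test-only-token
YAML

# safe_load keeps arbitrary-object deserialisation off; aliases must be opted into.
def load_secrets(text, aliases: true)
  YAML.safe_load(text, aliases: aliases)
end

def secret_key_base_for(env, text = SECRETS_YML)
  load_secrets(text).fetch(env).fetch("secret_key_base")
end
```

With `aliases: false` Psych raises `Psych::BadAlias` (the `Psych::AliasesNotEnabled` subclass on Psych 4), so a loader that rescues that error and silently returns nothing would make a hard-coded `secret_key_base` in the `default` block invisible to a secrets check; the merge key `<<` also has to be resolved for the per-environment values to be seen.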

Option to Show Ignored Warnings in Text Report

In response to this request, Gabriel Arcangel Zayas added the --show-ignored option to list ignored warnings in the default text report.

Ignored warnings in text report

(changes)

Top-Level Constants

While it may be semantically incorrect, Brakeman will now treat ::Foo and Foo the same. This helps when matching against known constants like ViewComponent::Base and ::ViewComponent::Base. Thanks to Jill Klang for addressing this one.

(changes)
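The "semantically incorrect" caveat is worth seeing concretely: an unqualified `Foo` resolves through the lexical scope, while `::Foo` always means the top-level constant, so the two differ only when a nested constant shadows a top-level one. This added example (not Brakeman's code) constructs exactly that situation; the `Base` and `Engine` names are made up for the illustration.

```ruby
# Added example, not Brakeman's code: where `Foo` and `::Foo` differ in Ruby.
# Brakeman now treats them as the same name, which is right for the common
# `class MyComponent < ::ViewComponent::Base` and wrong only when a nested
# constant shadows the top-level one, as below.

class Base
  def self.origin
    "top level"
  end
end

module Engine
  # Shadows ::Base for code whose lexical scope is inside Engine.
  class Base
    def self.origin
      "Engine"
    end
  end

  # Unqualified: lexical scope wins, so this resolves to Engine::Base.
  def self.unqualified
    Base.origin
  end

  # Explicitly rooted: the top-level Base, regardless of lexical scope.
  def self.rooted
    ::Base.origin
  end
end
```

Treating both spellings alike can therefore match a known constant such as `ViewComponent::Base` against a same-named nested class, which is the trade-off accepted here in exchange for catching the far more common `::`-prefixed references.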

Remediation Advice for Command Injection

Nicholas Barone added a note about using shellescape to make shell commands safer.

(changes)
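Shown below, as an added example rather than Brakeman's remediation text, is the command-injection shape Brakeman warns about beside two fixes: escaping the interpolated value with `Shellwords.escape` (the `String#shellescape` the note refers to), and avoiding the shell altogether by passing an argv array. The `greet_*` helpers and the payload string are constructed for the example; each runs `echo` so the effect of the injected text is visible in the returned output.

```ruby
require "shellwords"

# Added example, not Brakeman's code: the command-injection pattern Brakeman
# reports, beside the two fixes its remediation note points at.

# Vulnerable: the argument is interpolated into a string that /bin/sh parses,
# so shell metacharacters in `name` become additional commands.
def greet_unsafe(name)
  `echo #{name}`
end

# Fix 1: Shellwords.escape (String#shellescape) backslash-escapes metacharacters
# so the shell hands the whole value to echo as one literal word.
def greet_escaped(name)
  `echo #{Shellwords.escape(name)}`
end

# Fix 2: no shell at all. An argv array is exec'd directly, so nothing is parsed.
def greet_argv(name)
  IO.popen(["echo", name], &:read)
end

# Constructed attacker-controlled input: a second command smuggled after ";".
PAYLOAD = "world; echo INJECTED".freeze
```

The argv form is the stronger fix: it removes the parser rather than defending against it, and it does not depend on remembering to escape every interpolated value. Escaping is the minimal change when the command string is built from several pieces and cannot easily be restructured.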

Frozen String Support

Jean Boussier has made Brakeman compatible with use of Ruby’s frozen string literals (e.g. --enable-frozen-string-literal), avoiding any future issues if/when frozen strings are the default.

Along the way, they also fixed up some Ruby warnings in the test suite.

(changes)

Checksums

The SHA256 sums for this release are:

862e709caa1abf00dd0c47045682404c349f64876c7be74a8e6a4d6be5f61a1d  brakeman-6.2.1.gem
7c3b5268a83d53069b778056624e5f215d17f24902ca7f381299c2ba7dc7b684  brakeman-lib-6.2.1.gem
cb839d5f1e0d356c33141dda377f401712a89e4d501748f1c01faa41c9d0f70e  brakeman-min-6.2.1.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Hang out on GitHub for questions and discussion.