This version of Brakeman no longer supports parsing Ruby 1.8/1.9 syntax. The ruby_parser gem, which Brakeman depends on for parsing Ruby, dropped support quite a while ago. Brakeman was depending on the ruby_parser-legacy gem for these older versions. But since it has been eight years since Ruby 1.9 became unmaintained, it is time to let go.

The minimum Ruby version to run Brakeman is now 3.0.0. Official support for the 2.x line of Ruby has ended, so it is a good time to bump up the minimum requirement and adopt more modern language features.

Missing CSRF Protection Warning

Since Rails 5.2.0, new applications have had cross-site request forgery protection enabled. Brakeman assumed the protection was enabled based on the Rails version. Now Brakeman correctly handles the default configuration values.

Brakeman will no longer warn about user input in content_tag attribute names in Rails 6.1.6+.

Obsolete Warnings in Comparison Report

When using the --compare option, the output JSON will now include an obsolete key with an array of fingerprints. These fingerprints are warnings that are configured to be ignored but no longer exist. Note that the report will include all fingerprints in the ignore configuration that are not in the current report, even if they were already obsolete. This report format matches the JSON report output.

Several changes in this release are updates to Brakeman's open redirect check:

- Add redirect_back and redirect_back_or_to to the open redirect check.
- Revise checking for request.env to only consider request headers.
- Add Rails 6.1 and 7.0 default configuration values.
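The obsolete fingerprints in the comparison report are the ones a maintainer would want to prune from the ignore file, since they no longer suppress anything. The script below is an added example, not Brakeman's own code: it reads a constructed `--compare` JSON report (assumed to carry `new`, `fixed` and `obsolete` keys) and a constructed `brakeman.ignore` (assumed to hold an `ignored_warnings` array of entries with a `fingerprint` and a `note`), removes every ignore entry whose fingerprint is listed as obsolete, and prints the pruned ignore configuration. The fingerprints are placeholders, not real Brakeman values.

```ruby
require "json"

# Constructed sample of a Brakeman `--compare` JSON report. The "obsolete" key is
# the one the release notes describe; the "new"/"fixed" keys and the entry layout
# are assumed, and every fingerprint is a made-up placeholder.
COMPARE_REPORT = <<~JSON
  {
    "new": [],
    "fixed": [
      { "warning_type": "Open Redirect", "fingerprint": "fp-fixed-0001",
        "file": "app/controllers/sessions_controller.rb", "line": 12 }
    ],
    "obsolete": ["fp-obsolete-0001", "fp-obsolete-0002"]
  }
JSON

# Constructed brakeman.ignore contents (assumed shape: "ignored_warnings" array of
# entries with a "fingerprint" and a free-text "note", plus metadata keys).
IGNORE_FILE = <<~JSON
  {
    "ignored_warnings": [
      { "warning_type": "SQL Injection", "fingerprint": "fp-live-0001",
        "note": "query is parameterised upstream" },
      { "warning_type": "Open Redirect", "fingerprint": "fp-obsolete-0001",
        "note": "fixed by validating the redirect target" },
      { "warning_type": "Mass Assignment", "fingerprint": "fp-obsolete-0002",
        "note": "model removed" }
    ],
    "updated": "2023-01-01 00:00:00 +0000",
    "brakeman_version": "6.0.0"
  }
JSON

# Extract the obsolete fingerprints from a --compare report. An older report
# without the key yields an empty list rather than an error.
def obsolete_fingerprints(compare_json)
  report = JSON.parse(compare_json)
  Array(report["obsolete"])
end

# Split the ignore file into entries to keep and entries to drop. Returns the
# pruned ignore hash (other keys preserved) and the removed entries, so the
# caller can log what was dropped before writing the file back.
def prune_ignore_file(ignore_json, obsolete)
  ignore = JSON.parse(ignore_json)
  entries = Array(ignore["ignored_warnings"])
  removed, kept = entries.partition { |w| obsolete.include?(w["fingerprint"]) }
  [ignore.merge("ignored_warnings" => kept), removed]
end

def main
  obsolete = obsolete_fingerprints(COMPARE_REPORT)
  pruned, removed = prune_ignore_file(IGNORE_FILE, obsolete)
  removed.each do |w|
    puts "dropping obsolete ignore entry #{w['fingerprint']} (#{w['warning_type']}): #{w['note']}"
  end
  puts JSON.pretty_generate(pruned)
end

main if $PROGRAM_NAME == __FILE__
```

In a real repository the two heredocs would be replaced by reading the `--compare` output and `config/brakeman.ignore` from disk; keeping the prune separate from the write step lets a reviewer see exactly which suppressions disappear, which matters because each entry's note is the only record of why a finding was accepted.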