4.7.0

• Update Haml support to Haml 5.x (#1044)
• Catch shell injection from -c shell commands (Jacob Evelyn)
• Correctly handle non-symbols in CheckCookieSerialization (Phil Turnbull)
• Refactor Brakeman::Differ#second_pass (Benoit Côté-Jodoin)
• Fix version_between? (Andrey Glushkov)
• Ignore interpolation in %W[] (#1399)
• Ignore form_for for XSS check

4.6.1

• Fix Reverse Tabnabbing warning message (Steffen Schildknecht / Jörg Schiller)

4.6.0

• Add check for cookie serialization with Marshal (#1316)
• Add reverse tabnabbing check (Linos Giannopoulos)
• Avoid warning about file access with ActiveStorage::Filename#sanitized (Tejas Bubane)
• Update loofah version for fixing CVE-2018-8048 (Markus Nölle)
• Warn people that Haml 5 is not fully supported (Jared Beck)
• Index calls in initializers
• Improve template output handling in conditional branches
• Avoid assigning nil line numbers to Sexps
• Add special warning code for custom checks
• Add call matching by regular expression
• Skip calls to dup (#1374)
• Restore Warning#relative_path
• Better handling of gems with no version declared

4.5.1

• Add initial Rails 6 support
• Add optional check for config.force_ssl (#1181)
• Add deserialization warning for Oj.load/object_load
• Add SQL injection checks for destroy_by/delete_by
• Add SQL injection checks for find_or_create_by and friends
• Check link_to with block for href XSS (#1339)
• Convert !! calls to boolean value (#1343)
• Use relative paths for __FILE__
• Represent file paths internally as Brakeman::FilePath
• Handle empty partial names
• Handle trailing comma in block args
• Remove code for Ruby versions prior to 1.9

4.5.0

• Officially drop support for running with older Ruby versions
• More thoroughly handle Shellwords escaping (#1323)
• Handle non-integer version number comparisons (#1305)
• Better handling of splat/kwsplat arguments (#1204)
• Handle ** inside Hash literals
• Add support for CoffeeScript in Slim templates
• Improve support for embedded template "filters"
• Remove Sass dependency
• Avoid joining strings with different encodings
• Improve "user input" reported for SQL injection
• Stop swallowing exceptions in AliasProcessor
• Add original exception to Tracker#errors list
• Use FileParser in Scanner to parse files
• Set location information in CheckContentTag
• Update RubyParser to 3.13.0

4.4.0

• Add check for CVE-2018-3760
• Add --enable option to enable optional checks
• Add Dockerfile to run Brakeman inside Docker (Ryan Kemper)
• Handle empty secrets.yml files (Naoki Kimura)
• Ignore Tempfiles in FileAccess warnings (Christina Koller)
• Avoid warning about command injection when String#shellescape and Shellwords.shelljoin are used (George Ogata)
• Treat if not like unless (#1225)
• Fix Rails 4 configuration handling
• Set default encoding to UTF-8
• Support reading gem versions from gemspecs
• Support gem versions which are just major.minor (e.g. 3.0)
• Correctly set rel="noreferrer" in HTML reports
• Fix thread-safety issue in CallIndex
• Fix trim mode for ERb templates in old Rails versions
• Avoid nil errors when concatenating arrays
• Add rendered template information to render paths
• Trim some unnecessary files from bundled gems
• Deadcode and typo fixes found via Coverity
• Complete overhaul of warning message construction
• Update to Slim 4.0.1 (Jake Peterson)
• Update to RubyParser 3.12.0
• Updated license

4.3.1

• Add :BRAKEMAN_SAFE_LITERAL to represent known-safe literals
• Handle Array#map and Array#each over literal arrays (#1208 / #1224)
• Use safe literal when accessing literal hash with unknown key (#1213)
• Allow symbolize_keys to be called on params in SQL (Jacob Evelyn)
• Improve handling of conditionals in shell commands (Jacob Evelyn)
• Avoid deprecated use of ERB in Ruby 2.6 (Koichi ITO)
• Ignore Object#freeze, use the target instead (#1211)
• Ignore foreign_key calls in SQL (#1202)
• Handle included calls outside of classes/modules (#1209)
• Fix error when setting line number in implicit renders (#1210)

4.3.0

• Add --parser-timeout option
• Improve timeout error messages
• Check exec-type calls even if they are targets (#1199)
• Index Kernel#` calls even if they are targets (#1183)
• BaseCheck#include_interp? should return first string interpolation (#1189)
• Ignore Process.pid in system calls
• Warn about dangerous link_to href with sanitize() (#1187)
• Ignore params#to_h and params#to_hash in SQL checks (#1180)
• Convert Array#join to string interpolation (#1179)
• Change "".freeze to just "" (#1182)
• --color can be used to force color output (#1175)
• Track parent calls in call index
• Fix reported line numbers for CVE-2018-3741 and CVE-2018-8048
• Code Climate: omit leading dot from only_files (Todd Mazierski)

4.2.1

• Add warning for CVE-2018-3741
• Add warning for CVE-2018-8048
• Scan app/jobs/ directory
• Handle template_exists? in controllers (#1124)

4.2.0

• Handle ERb use of String#<< method for Ruby 2.5 (Pocke)
• Exclude template folders in lib/ (kru0096)
• Warn about SQL injection with not
• Avoid warning about symbol DoS on Model#attributes (#1096)
• Avoid warning about open redirects with model methods ending with _path(#1117)
• Avoid warning about command injection with Shellwords.escape (#1159)
• Use ivars from initialize in libraries
• Fix multiple assignment of globals (#1155)
• Sexp#body= can accept :rlist from Sexp#body_list
• Update RubyParser to 3.11.0