brakeman-lib 4.5.0 → 4.7.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGES.md +164 -108
- data/README.md +6 -7
- data/lib/brakeman.rb +7 -0
- data/lib/brakeman/app_tree.rb +34 -22
- data/lib/brakeman/call_index.rb +54 -15
- data/lib/brakeman/checks.rb +7 -7
- data/lib/brakeman/checks/base_check.rb +59 -56
- data/lib/brakeman/checks/check_cookie_serialization.rb +22 -0
- data/lib/brakeman/checks/check_cross_site_scripting.rb +9 -4
- data/lib/brakeman/checks/check_default_routes.rb +5 -0
- data/lib/brakeman/checks/check_deserialize.rb +49 -0
- data/lib/brakeman/checks/check_dynamic_finders.rb +1 -1
- data/lib/brakeman/checks/check_execute.rb +26 -1
- data/lib/brakeman/checks/check_file_access.rb +7 -1
- data/lib/brakeman/checks/check_force_ssl.rb +27 -0
- data/lib/brakeman/checks/check_header_dos.rb +2 -2
- data/lib/brakeman/checks/check_i18n_xss.rb +2 -2
- data/lib/brakeman/checks/check_jruby_xml.rb +2 -2
- data/lib/brakeman/checks/check_json_parsing.rb +7 -2
- data/lib/brakeman/checks/check_link_to_href.rb +6 -1
- data/lib/brakeman/checks/check_mail_to.rb +1 -1
- data/lib/brakeman/checks/check_mime_type_dos.rb +2 -2
- data/lib/brakeman/checks/check_model_attr_accessible.rb +1 -1
- data/lib/brakeman/checks/check_model_attributes.rb +12 -50
- data/lib/brakeman/checks/check_model_serialize.rb +1 -1
- data/lib/brakeman/checks/check_nested_attributes_bypass.rb +4 -4
- data/lib/brakeman/checks/check_reverse_tabnabbing.rb +58 -0
- data/lib/brakeman/checks/check_sanitize_methods.rb +2 -2
- data/lib/brakeman/checks/check_secrets.rb +1 -1
- data/lib/brakeman/checks/check_session_settings.rb +15 -12
- data/lib/brakeman/checks/check_simple_format.rb +5 -0
- data/lib/brakeman/checks/check_skip_before_filter.rb +1 -1
- data/lib/brakeman/checks/check_sql.rb +15 -17
- data/lib/brakeman/checks/check_validation_regex.rb +1 -1
- data/lib/brakeman/checks/check_xml_dos.rb +2 -2
- data/lib/brakeman/checks/check_yaml_parsing.rb +10 -18
- data/lib/brakeman/differ.rb +16 -28
- data/lib/brakeman/file_parser.rb +10 -16
- data/lib/brakeman/file_path.rb +85 -0
- data/lib/brakeman/options.rb +7 -0
- data/lib/brakeman/parsers/haml_embedded.rb +1 -1
- data/lib/brakeman/parsers/template_parser.rb +6 -4
- data/lib/brakeman/processor.rb +4 -5
- data/lib/brakeman/processors/alias_processor.rb +27 -7
- data/lib/brakeman/processors/base_processor.rb +10 -7
- data/lib/brakeman/processors/controller_alias_processor.rb +10 -7
- data/lib/brakeman/processors/controller_processor.rb +9 -13
- data/lib/brakeman/processors/gem_processor.rb +10 -2
- data/lib/brakeman/processors/haml_template_processor.rb +92 -123
- data/lib/brakeman/processors/lib/call_conversion_helper.rb +5 -4
- data/lib/brakeman/processors/lib/find_all_calls.rb +27 -4
- data/lib/brakeman/processors/lib/find_call.rb +3 -64
- data/lib/brakeman/processors/lib/module_helper.rb +8 -8
- data/lib/brakeman/processors/lib/processor_helper.rb +3 -3
- data/lib/brakeman/processors/lib/rails2_config_processor.rb +4 -4
- data/lib/brakeman/processors/lib/rails2_route_processor.rb +2 -2
- data/lib/brakeman/processors/lib/rails3_config_processor.rb +3 -3
- data/lib/brakeman/processors/lib/rails3_route_processor.rb +2 -2
- data/lib/brakeman/processors/lib/render_helper.rb +2 -2
- data/lib/brakeman/processors/lib/render_path.rb +18 -1
- data/lib/brakeman/processors/library_processor.rb +5 -5
- data/lib/brakeman/processors/model_processor.rb +4 -5
- data/lib/brakeman/processors/output_processor.rb +5 -0
- data/lib/brakeman/processors/template_alias_processor.rb +32 -5
- data/lib/brakeman/processors/template_processor.rb +14 -10
- data/lib/brakeman/report.rb +3 -3
- data/lib/brakeman/report/ignore/config.rb +2 -3
- data/lib/brakeman/report/ignore/interactive.rb +2 -2
- data/lib/brakeman/report/pager.rb +1 -0
- data/lib/brakeman/report/report_base.rb +51 -6
- data/lib/brakeman/report/report_codeclimate.rb +3 -3
- data/lib/brakeman/report/report_hash.rb +1 -1
- data/lib/brakeman/report/report_html.rb +2 -2
- data/lib/brakeman/report/report_json.rb +1 -24
- data/lib/brakeman/report/report_table.rb +20 -4
- data/lib/brakeman/report/report_tabs.rb +1 -1
- data/lib/brakeman/report/report_text.rb +6 -7
- data/lib/brakeman/rescanner.rb +13 -12
- data/lib/brakeman/scanner.rb +19 -14
- data/lib/brakeman/tracker.rb +30 -6
- data/lib/brakeman/tracker/collection.rb +4 -3
- data/lib/brakeman/tracker/config.rb +44 -73
- data/lib/brakeman/tracker/constants.rb +2 -1
- data/lib/brakeman/util.rb +1 -147
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning.rb +27 -13
- data/lib/brakeman/warning_codes.rb +4 -0
- data/lib/ruby_parser/bm_sexp.rb +7 -2
- data/lib/ruby_parser/bm_sexp_processor.rb +1 -0
- metadata +27 -22
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 1a0bb1fb9eebcf11e5493213b5cd4a40b6c5359952f754bd7aab4fe727fa3950
|
4
|
+
data.tar.gz: '07648dfb71e125045d345bd154a56547f0b8168f6ecd29f6b47442e7923fbd3a'
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: dd82f20198e48a73d7c7ddac934fcc9b192400e0b333f665033b7375c63ed5ffd5baf130ce31afd5aab48f7661cc93694a87b81ba87e29ad5a879c897052e1df
|
7
|
+
data.tar.gz: 5975dcd2ef58e1007d45b2206fcdf8232962b22739ccde18c9e72f3aafe72196efb11b4627051ca43bad2aaf7881dc0a7e35b25ef32436b33fea2853bb65b65b
|
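Review bot: the new SHA256/SHA512 values for metadata.gz and data.tar.gz only let a consumer detect a corrupted or altered archive after the fact, because checksums.yaml ships inside the .gem itself and is generated from the same build; it is not an independent integrity anchor. Authenticity of this release still rests on the gem signature (the CHANGES.md entry for 2.4.3 further down in this diff notes that gem releases are signed), so anyone pinning brakeman-lib 4.7.1 should verify the signature or record these hashes out of band rather than trusting the in-archive file alone.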
data/CHANGES.md
CHANGED
@@ -1,4 +1,60 @@
|
|
1
|
-
# 4.
|
1
|
+
# 4.7.1 - 2019-10-29
|
2
|
+
|
3
|
+
* Check string length against limit before joining
|
4
|
+
* Fix errors from frozen `Symbol#to_s` in Ruby 2.7
|
5
|
+
* Fix flaky rails4 test (Adam Kiczula)
|
6
|
+
* Added release dates to each version in CHANGES (TheSpartan1980)
|
7
|
+
* Catch reverse tabnabbing with `:_blank` symbol (Jacob Evelyn)
|
8
|
+
* Convert `s(:lambda)` to `s(:call)` in `Sexp#block_call`
|
9
|
+
* Sort text report by file and line (Jacob Evelyn)
|
10
|
+
|
11
|
+
# 4.7.0 - 2019-10-16
|
12
|
+
|
13
|
+
* Refactor `Brakeman::Differ#second_pass` (Benoit Côté-Jodoin)
|
14
|
+
* Ignore interpolation in `%W[]`
|
15
|
+
* Fix `version_between?` (Andrey Glushkov)
|
16
|
+
* Add support for `ruby_parser` 3.14.0
|
17
|
+
* Ignore `form_for` for XSS check
|
18
|
+
* Update Haml support to Haml 5.x
|
19
|
+
* Catch shell injection from `-c` shell commands (Jacob Evelyn)
|
20
|
+
* Correctly handle non-symbols in `CheckCookieSerialization` (Phil Turnbull)
|
21
|
+
|
22
|
+
# 4.6.1 - 2019-07-24
|
23
|
+
|
24
|
+
* Fix Reverse Tabnabbing warning message (Steffen Schildknecht / Jörg Schiller)
|
25
|
+
|
26
|
+
# 4.6.0 - 2019-07-23
|
27
|
+
|
28
|
+
* Skip calls to `dup`
|
29
|
+
* Add reverse tabnabbing check (Linos Giannopoulos)
|
30
|
+
* Better handling of gems with no version declared
|
31
|
+
* Warn people that Haml 5 is not fully supported (Jared Beck)
|
32
|
+
* Avoid warning about file access with `ActiveStorage::Filename#sanitized` (Tejas Bubane)
|
33
|
+
* Update loofah version for fixing CVE-2018-8048 (Markus Nölle)
|
34
|
+
* Restore `Warning#relative_path`
|
35
|
+
* Add check for cookie serialization with Marshal
|
36
|
+
* Index calls in initializers
|
37
|
+
* Improve template output handling in conditional branches
|
38
|
+
* Avoid assigning `nil` line numbers to `Sexp`s
|
39
|
+
* Add special warning code for custom checks
|
40
|
+
* Add call matching by regular expression
|
41
|
+
|
42
|
+
# 4.5.1 - 2019-05-11
|
43
|
+
|
44
|
+
* Add `Brakeman::FilePath` to represent file paths
|
45
|
+
* Handle trailing comma in block args
|
46
|
+
* Properly handle empty partial name
|
47
|
+
* Use relative paths for `__FILE__`
|
48
|
+
* Convert `!!` calls to boolean value
|
49
|
+
* Add optional check for `config.force_ssl`
|
50
|
+
* Remove code for Ruby versions prior to 1.9
|
51
|
+
* Check `link_to` with block for href XSS
|
52
|
+
* Add SQL injection checks for `find_or_create_by` and friends
|
53
|
+
* Add deserialization warning for `Oj.load/object_load`
|
54
|
+
* Add initial Rails 6 support
|
55
|
+
* Add SQL injection checks for `destroy_by`/`delete_by`
|
56
|
+
|
57
|
+
# 4.5.0 - 2019-03-16
|
2
58
|
|
3
59
|
* Update `ruby_parser`, use `ruby_parser-legacy`
|
4
60
|
* More thoroughly handle `Shellwords` escaping
|
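Review bot: the 4.6.0 entry `Update loofah version for fixing CVE-2018-8048 (Markus Nölle)` is ambiguous about what changed. Earlier entries in this file (4.2.1 `Add warning for CVE-2018-8048`, 4.3.0 `Fix reported line numbers for CVE-2018-3741 and CVE-2018-8048`) show that Brakeman reports this CVE by comparing the application's Loofah version against a fixed release, and the file list for this diff touches `check_sanitize_methods.rb` (+2 -2), so this reads as a correction of the fixed-version threshold in that check rather than a bump of Brakeman's own dependencies. Please confirm and reword along the lines of `Correct fixed Loofah version in CVE-2018-8048 check`, since a changed threshold means users should rescan to pick up warnings they may have missed. Similarly, `Add optional check for config.force_ssl` under 4.5.1 would benefit from a pointer to how optional checks are enabled, since they do not run by default.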
@@ -15,7 +71,7 @@
|
|
15
71
|
* Better handling of splat/kwsplat arguments
|
16
72
|
* Improve "user input" reported for SQL injection
|
17
73
|
|
18
|
-
# 4.4.0
|
74
|
+
# 4.4.0 - 2019-01-17
|
19
75
|
|
20
76
|
* Set default encoding to UTF-8
|
21
77
|
* Update to Slim 4.0.1 (Jake Peterson)
|
@@ -38,7 +94,7 @@
|
|
38
94
|
* Complete overhaul of warning message construction
|
39
95
|
* Deadcode and typo fixes found via Coverity
|
40
96
|
|
41
|
-
# 4.3.1
|
97
|
+
# 4.3.1 - 2018-06-07
|
42
98
|
|
43
99
|
* Ignore `Object#freeze`, use the target instead
|
44
100
|
* Ignore `foreign_key` calls in SQL
|
@@ -51,7 +107,7 @@
|
|
51
107
|
* Improve handling of conditionals in shell commands (Jacob Evelyn)
|
52
108
|
* Fix error when setting line number in implicit renders
|
53
109
|
|
54
|
-
# 4.3.0
|
110
|
+
# 4.3.0 - 2018-05-11
|
55
111
|
|
56
112
|
* Check exec-type calls even if they are targets
|
57
113
|
* Convert `Array#join` to string interpolation
|
@@ -67,14 +123,14 @@
|
|
67
123
|
* `--color` can be used to force color output
|
68
124
|
* Fix reported line numbers for CVE-2018-3741 and CVE-2018-8048
|
69
125
|
|
70
|
-
# 4.2.1
|
126
|
+
# 4.2.1 - 2018-03-24
|
71
127
|
|
72
128
|
* Add warning for CVE-2018-3741
|
73
129
|
* Add warning for CVE-2018-8048
|
74
130
|
* Scan `app/jobs/` directory
|
75
131
|
* Handle `template_exists?` in controllers
|
76
132
|
|
77
|
-
# 4.2.0
|
133
|
+
# 4.2.0 - 2018-02-22
|
78
134
|
|
79
135
|
* Avoid warning about symbol DoS on `Model#attributes`
|
80
136
|
* Avoid warning about open redirects with model methods ending with `_path`
|
@@ -87,12 +143,12 @@
|
|
87
143
|
* Exclude template folders in `lib/` (kru0096)
|
88
144
|
* Handle ERb use of `String#<<` method for Ruby 2.5 (Pocke)
|
89
145
|
|
90
|
-
# 4.1.1
|
146
|
+
# 4.1.1 - 2017-12-19
|
91
147
|
|
92
148
|
* Remove check for use of `permit` with `*_id` keys
|
93
149
|
* Avoid duplicate warnings about permitted attributes
|
94
150
|
|
95
|
-
# 4.1.0
|
151
|
+
# 4.1.0 - 2017-12-14
|
96
152
|
|
97
153
|
* Process models as root sexp instead of each sexp
|
98
154
|
* Avoid CSRF warning in Rails 5.2 default config
|
@@ -115,12 +171,12 @@
|
|
115
171
|
* Refactor Code Climate engine options parsing (Noah Davis)
|
116
172
|
* Fix upgrade version for CVE-2016-6316
|
117
173
|
|
118
|
-
# 4.0.1
|
174
|
+
# 4.0.1 - 2017-09-25
|
119
175
|
|
120
176
|
* Disable pager when `CI` environment variable is set
|
121
177
|
* Fix output when pager fails
|
122
178
|
|
123
|
-
# 4.0.0
|
179
|
+
# 4.0.0 - 2017-09-25
|
124
180
|
|
125
181
|
* Add simple pager for reports output to terminal
|
126
182
|
* Rename "Cross Site Scripting" to "Cross-Site Scripting" (Paul Tetreau)
|
@@ -134,11 +190,11 @@
|
|
134
190
|
* --exit-on-error and --exit-on-warn are now the default
|
135
191
|
* Fix --exit-on-error and --exit-on-warn in config files
|
136
192
|
|
137
|
-
# 3.7.2
|
193
|
+
# 3.7.2 - 2017-08-16
|
138
194
|
|
139
195
|
* Fix --ensure-latest (David Guyon)
|
140
196
|
|
141
|
-
# 3.7.1
|
197
|
+
# 3.7.1 - 2017-08-16
|
142
198
|
|
143
199
|
* Handle simple guard with return at end of branch
|
144
200
|
* Modularize bin/brakeman
|
@@ -146,7 +202,7 @@
|
|
146
202
|
* Add more collection methods for iteration detection
|
147
203
|
* Update ruby2ruby and ruby_parser
|
148
204
|
|
149
|
-
# 3.7.0
|
205
|
+
# 3.7.0 - 2017-06-30
|
150
206
|
|
151
207
|
* Improve support for rails4/rails5 options in config file
|
152
208
|
* Track more information about constant assignments
|
@@ -155,7 +211,7 @@
|
|
155
211
|
* Fix false positive for redirect_to in Rails 4 (Mário Areias)
|
156
212
|
* Avoid interpolating hashes/arrays on failed access
|
157
213
|
|
158
|
-
# 3.6.2
|
214
|
+
# 3.6.2 - 2017-05-19
|
159
215
|
|
160
216
|
* Handle safe call operator in checks
|
161
217
|
* Better handling of `if` expressions in HAML rendering
|
@@ -170,11 +226,11 @@
|
|
170
226
|
* Handle empty `if` expressions when finding return values
|
171
227
|
* Fix finding return value from empty `if`
|
172
228
|
|
173
|
-
# 3.6.1
|
229
|
+
# 3.6.1 - 2017-03-24
|
174
230
|
|
175
231
|
* Fix error when using `--compare` (Sean Gransee)
|
176
232
|
|
177
|
-
# 3.6.0
|
233
|
+
# 3.6.0 - 2017-03-23
|
178
234
|
|
179
235
|
* Avoid recursive Concerns
|
180
236
|
* Branch inside of `case` expressions
|
@@ -185,7 +241,7 @@
|
|
185
241
|
* Only report CVE-2015-3227 when exact version is known
|
186
242
|
* Check targetless SQL calls outside of known models
|
187
243
|
|
188
|
-
# 3.5.0
|
244
|
+
# 3.5.0 - 2017-02-01
|
189
245
|
|
190
246
|
* Allow `-t None`
|
191
247
|
* Fail on invalid checks specified by `-x` or `-t`
|
@@ -200,7 +256,7 @@
|
|
200
256
|
* Handle `included` block in concerns
|
201
257
|
* Process concerns before controllers
|
202
258
|
|
203
|
-
# 3.4.1
|
259
|
+
# 3.4.1 - 2016-11-02
|
204
260
|
|
205
261
|
* Show action help at start of interactive ignore
|
206
262
|
* Check CSRF setting in direct subclasses of `ActionController::Base` (Jason Yeo)
|
@@ -210,7 +266,7 @@
|
|
210
266
|
* Avoid warning about `where_values_hash` in SQLi
|
211
267
|
* Fix ignoring link interpolation not at beginning of string
|
212
268
|
|
213
|
-
# 3.4.0
|
269
|
+
# 3.4.0 - 2016-09-08
|
214
270
|
|
215
271
|
* Add new `plain` report format
|
216
272
|
* Add option to prune ignore file with `-I`
|
@@ -219,18 +275,18 @@
|
|
219
275
|
* Support creating reports in non-existent paths
|
220
276
|
* Add `--no-exit-warn`
|
221
277
|
|
222
|
-
# 3.3.5
|
278
|
+
# 3.3.5 - 2016-08-12
|
223
279
|
|
224
280
|
* Fix bug in reports when using --debug option
|
225
281
|
|
226
|
-
# 3.3.4
|
282
|
+
# 3.3.4 - 2016-08-12
|
227
283
|
|
228
284
|
* Add generic warning for CVE-2016-6316
|
229
285
|
* Warn about dangerous use of `content_tag` with CVE-2016-6316
|
230
286
|
* Add warning for CVE-2016-6317
|
231
287
|
* Use Minitest
|
232
288
|
|
233
|
-
# 3.3.3
|
289
|
+
# 3.3.3 - 2016-07-21
|
234
290
|
|
235
291
|
* Show path when no Rails app found (Neil Matatall)
|
236
292
|
* Index calls in view helpers
|
@@ -243,11 +299,11 @@
|
|
243
299
|
* Sexp#value returns nil when there is no value
|
244
300
|
* Improve return value estimation
|
245
301
|
|
246
|
-
# 3.3.2
|
302
|
+
# 3.3.2 - 2016-06-10
|
247
303
|
|
248
304
|
* Fix serious performance regression with global constant tracking
|
249
305
|
|
250
|
-
# 3.3.1
|
306
|
+
# 3.3.1 - 2016-06-03
|
251
307
|
|
252
308
|
* Delay loading vendored gems and modifying load path
|
253
309
|
* Avoid warning about SQL injection with `quoted_primary_key`
|
@@ -258,7 +314,7 @@
|
|
258
314
|
* Add `--force-scan` option (Neil Matatall)
|
259
315
|
* Improved line number accuracy in ERB templates (Patrick Toomey)
|
260
316
|
|
261
|
-
# 3.3.0
|
317
|
+
# 3.3.0 - 2016-05-05
|
262
318
|
|
263
319
|
* Skip processing obviously false if branches (more broadly)
|
264
320
|
* Skip if branches with `Rails.env.test?`
|
@@ -276,11 +332,11 @@
|
|
276
332
|
* [Code Climate engine] Remove nil entries from include_paths (Gordon Diggs)
|
277
333
|
* [Code Climate engine] Report end lines for issues (Gordon Diggs)
|
278
334
|
|
279
|
-
# 3.2.1
|
335
|
+
# 3.2.1 - 2016-02-25
|
280
336
|
|
281
337
|
* Remove `multi_json` dependency from `bin/brakeman`
|
282
338
|
|
283
|
-
# 3.2.0
|
339
|
+
# 3.2.0 - 2016-02-25
|
284
340
|
|
285
341
|
* Skip Symbol DoS check on Rails 5
|
286
342
|
* Only update ignore config file on changes
|
@@ -294,7 +350,7 @@
|
|
294
350
|
* Avoid render warnings about params[:action]/params[:controller]
|
295
351
|
* Index calls in class bodies but outside methods
|
296
352
|
|
297
|
-
# 3.1.5
|
353
|
+
# 3.1.5 - 2016-01-28
|
298
354
|
|
299
355
|
* Fix CodeClimate construction of --only-files (Will Fleming)
|
300
356
|
* Add check for denial of service via routes (CVE-2015-7581)
|
@@ -313,7 +369,7 @@
|
|
313
369
|
* Handle module names with self methods
|
314
370
|
* Add session manipulation documentation
|
315
371
|
|
316
|
-
# 3.1.4
|
372
|
+
# 3.1.4 - 2015-12-22
|
317
373
|
|
318
374
|
* Emit brakeman's native fingerprints for Code Climate engine (Noah Davis)
|
319
375
|
* Ignore secrets.yml if in .gitignore
|
@@ -321,7 +377,7 @@
|
|
321
377
|
* Increase test coverage for option parsing (Zander Mackie)
|
322
378
|
* Work around safe_yaml error
|
323
379
|
|
324
|
-
# 3.1.3
|
380
|
+
# 3.1.3 - 2015-12-03
|
325
381
|
|
326
382
|
* Check for session secret in secrets.yml
|
327
383
|
* Respect `exit_on_warn` in config file
|
@@ -335,7 +391,7 @@
|
|
335
391
|
* Depend on safe_yaml 1.0 or later
|
336
392
|
* Test coverage improvements for Brakema module (Bethany Rentz)
|
337
393
|
|
338
|
-
# 3.1.2
|
394
|
+
# 3.1.2 - 2015-10-28
|
339
395
|
|
340
396
|
* Treat `current_user` like a model
|
341
397
|
* Set user input value for inline renders
|
@@ -353,7 +409,7 @@
|
|
353
409
|
* Sortable tables in HTML report (David Lanner)
|
354
410
|
* Search for config file relative to application root
|
355
411
|
|
356
|
-
# 3.1.1
|
412
|
+
# 3.1.1 - 2015-09-23
|
357
413
|
|
358
414
|
* Add optional check for use of MD5 and SHA1
|
359
415
|
* Avoid warning when linking to decorated models
|
@@ -367,7 +423,7 @@
|
|
367
423
|
* Support newer terminal-table releases
|
368
424
|
* Allow searching call index methods by regex (Alex Ianus)
|
369
425
|
|
370
|
-
# 3.1.0
|
426
|
+
# 3.1.0 - 2015-08-31
|
371
427
|
|
372
428
|
* Add support for gems.rb/gems.locked
|
373
429
|
* Update render path information in JSON reports
|
@@ -386,18 +442,18 @@
|
|
386
442
|
* Expand safe methods to match methods with targets
|
387
443
|
* Avoid duplicate eval() warnings
|
388
444
|
|
389
|
-
# 3.0.5
|
445
|
+
# 3.0.5 - 2015-06-20
|
390
446
|
|
391
447
|
* Fix check for CVE-2015-3227
|
392
448
|
|
393
|
-
# 3.0.4
|
449
|
+
# 3.0.4 - 2015-06-18
|
394
450
|
|
395
451
|
* Add check for CVE-2015-3226 (XSS via JSON keys)
|
396
452
|
* Add check for CVE-2015-3227 (XML DoS)
|
397
453
|
* Treat `<%==` as unescaped output
|
398
454
|
* Update `ruby_parser` dependency to 3.7.0
|
399
455
|
|
400
|
-
# 3.0.3
|
456
|
+
# 3.0.3 - 2015-04-20
|
401
457
|
|
402
458
|
* Ignore more Arel methods in SQL
|
403
459
|
* Warn about protect_from_forgery without exceptions (Neil Matatall)
|
@@ -408,7 +464,7 @@
|
|
408
464
|
* Do not ignore targets of `to_s` in SQL
|
409
465
|
* Add Rake task to exit with error code on warnings (masarakki)
|
410
466
|
|
411
|
-
# 3.0.2
|
467
|
+
# 3.0.2 - 2015-03-09
|
412
468
|
|
413
469
|
* Alias process methods called in class scope on models
|
414
470
|
* Treat primary_key, table_name_prefix, table_name_suffix as safe in SQL
|
@@ -424,7 +480,7 @@
|
|
424
480
|
* Fix CSV output when there are no warnings
|
425
481
|
* Handle processing of explicitly shadowed block arguments
|
426
482
|
|
427
|
-
# 3.0.1
|
483
|
+
# 3.0.1 - 2015-01-23
|
428
484
|
|
429
485
|
* Avoid protect_from_forgery warning unless ApplicationController inherits from ActionController::Base
|
430
486
|
* Properly format command interpolation (again)
|
@@ -433,7 +489,7 @@
|
|
433
489
|
* Add `--add-libs-path` for additional libraries (Patrick Toomey)
|
434
490
|
* Properly process libraries (Patrick Toomey)
|
435
491
|
|
436
|
-
# 3.0.0
|
492
|
+
# 3.0.0 - 2015-01-03
|
437
493
|
|
438
494
|
* Add check for CVE-2014-7829
|
439
495
|
* Add check for cross-site scripting via inline renders
|
@@ -452,7 +508,7 @@
|
|
452
508
|
* CVEs report correct line and file name (Gemfile/Gemfile.lock) (Rob Fletcher)
|
453
509
|
* Change `--separate-models` to be the default
|
454
510
|
|
455
|
-
# 2.6.3
|
511
|
+
# 2.6.3 - 2014-10-14
|
456
512
|
|
457
513
|
* Whitelist `exists` arel method from SQL injection check
|
458
514
|
* Avoid warning about Symbol DoS on safe parameters as method targets
|
@@ -461,7 +517,7 @@
|
|
461
517
|
* Add framework for optional checks
|
462
518
|
* Fix stack overflow for cycles in class ancestors (Jeff Rafter)
|
463
519
|
|
464
|
-
# 2.6.2
|
520
|
+
# 2.6.2 - 2014-08-18
|
465
521
|
|
466
522
|
* Add check for CVE-2014-3415
|
467
523
|
* Avoid warning about symbolizing safe parameters
|
@@ -475,13 +531,13 @@
|
|
475
531
|
* Fix block statement endings in Erubis
|
476
532
|
* Fix undefined variable in controller processing error (Jason Barnabe)
|
477
533
|
|
478
|
-
# 2.6.1
|
534
|
+
# 2.6.1 - 2014-07-02
|
479
535
|
|
480
536
|
* Add check for CVE-2014-3482 and CVE-2014-3483
|
481
537
|
* Add support for keyword arguments in blocks
|
482
538
|
* Remove unused warning codes (Bill Fischer)
|
483
539
|
|
484
|
-
# 2.6.0
|
540
|
+
# 2.6.0 - 2014-06-06
|
485
541
|
|
486
542
|
* Fix detection of `:host` setting in redirects with chained calls
|
487
543
|
* Add check for CVE-2014-0130
|
@@ -495,7 +551,7 @@
|
|
495
551
|
* Ignore more model methods in redirects
|
496
552
|
* Fix CheckRender with nested render calls
|
497
553
|
|
498
|
-
# 2.5.0
|
554
|
+
# 2.5.0 - 2014-04-30
|
499
555
|
|
500
556
|
* Add support for RailsLTS 2.3.18.7 and 2.3.18.8
|
501
557
|
* Add support for Rails 4 `before_actions` and friends
|
@@ -510,11 +566,11 @@
|
|
510
566
|
* Handle more non-literals in routes
|
511
567
|
* Add check for regex denial of service (Ben Toews)
|
512
568
|
|
513
|
-
# 2.4.3
|
569
|
+
# 2.4.3 - 2014-03-23
|
514
570
|
|
515
571
|
No changes. 2.4.2 gem release was unsigned, 2.4.3 is signed.
|
516
572
|
|
517
|
-
# 2.4.2
|
573
|
+
# 2.4.2 - 2014-03-21
|
518
574
|
|
519
575
|
* Remove `rescue Exception`
|
520
576
|
* Fix duplicate warnings about sanitize CVE
|
@@ -523,13 +579,13 @@
|
|
523
579
|
* Skip identically rendered templates
|
524
580
|
* Fix HAML template processing
|
525
581
|
|
526
|
-
# 2.4.1
|
582
|
+
# 2.4.1 - 2014-02-19
|
527
583
|
|
528
584
|
* Add check for CVE-2014-0082
|
529
585
|
* Add check for CVE-2014-0081, replaces CVE-2013-6415
|
530
586
|
* Add check for CVE-2014-0080
|
531
587
|
|
532
|
-
# 2.4.0
|
588
|
+
# 2.4.0 - 2014-02-05
|
533
589
|
|
534
590
|
* Detect Rails LTS versions
|
535
591
|
* Reduce false positives for SQL injection in string building
|
@@ -544,12 +600,12 @@
|
|
544
600
|
* No longer raise exceptions if a class name cannot be determined
|
545
601
|
* Fingerprint attribute warnings individually (Case Taintor)
|
546
602
|
|
547
|
-
# 2.3.1
|
603
|
+
# 2.3.1 - 2013-12-13
|
548
604
|
|
549
605
|
* Fix check for CVE-2013-4491 (i18n XSS) to detect workaround
|
550
606
|
* Fix link for CVE-2013-6415 (number_to_currency)
|
551
607
|
|
552
|
-
# 2.3.0
|
608
|
+
# 2.3.0 - 2013-12-12
|
553
609
|
|
554
610
|
* Add check for Parameters#permit!
|
555
611
|
* Add check for CVE-2013-4491 (i18n XSS)
|
@@ -563,7 +619,7 @@
|
|
563
619
|
* Whitelist `Model#create` for redirects
|
564
620
|
* Fix scoping issues with instance variables and blocks
|
565
621
|
|
566
|
-
# 2.2.0
|
622
|
+
# 2.2.0 - 2013-10-28
|
567
623
|
|
568
624
|
* Reduce command injection false positives
|
569
625
|
* Use Rails version from Gemfile if it is available
|
@@ -572,14 +628,14 @@
|
|
572
628
|
* Support scanning Rails engines (Geoffrey Hichborn)
|
573
629
|
* Add check for detailed exceptions in production
|
574
630
|
|
575
|
-
# 2.1.2
|
631
|
+
# 2.1.2 - 2013-09-18
|
576
632
|
|
577
633
|
* Do not attempt to load custom Haml filters
|
578
634
|
* Do not warn about `to_json` XSS in Rails 4
|
579
635
|
* Add --table-width option to set width of text reports (ssendev)
|
580
636
|
* Remove fuzzy matching on dangerous attr_accessible values
|
581
637
|
|
582
|
-
# 2.1.1
|
638
|
+
# 2.1.1 - 2013-08-21
|
583
639
|
|
584
640
|
* New warning code for dangerous attributes in attr_accessible
|
585
641
|
* Do not warn on attr_accessible using roles
|
@@ -590,7 +646,7 @@
|
|
590
646
|
* Fix infinite loop when run as rake task (Matthew Shanley)
|
591
647
|
* Respect ignored warnings in tabs format reports
|
592
648
|
|
593
|
-
# 2.1.0
|
649
|
+
# 2.1.0 - 2013-07-17
|
594
650
|
|
595
651
|
* Support non-native line endings in Gemfile.lock (Paul Deardorff)
|
596
652
|
* Support for ignoring warnings
|
@@ -610,7 +666,7 @@
|
|
610
666
|
* Fix output format detection to be more strict again
|
611
667
|
* Allow empty Brakeman configuration file
|
612
668
|
|
613
|
-
# 2.0.0
|
669
|
+
# 2.0.0 - 2013-05-20
|
614
670
|
|
615
671
|
* Add `--only-files` option to specify files/paths to scan (Ian Ehlert)
|
616
672
|
* Add Marshal/CSV deserialization check
|
@@ -640,7 +696,7 @@
|
|
640
696
|
* Use exceptions instead of abort in brakeman lib
|
641
697
|
* Update to Ruby2Ruby 2.0.5
|
642
698
|
|
643
|
-
# 1.9.5
|
699
|
+
# 1.9.5 - 2013-04-05
|
644
700
|
|
645
701
|
* Add check for unsafe symbol creation
|
646
702
|
* Do not warn on mass assignment with `slice`/`only`
|
@@ -655,7 +711,7 @@
|
|
655
711
|
* More fixes for assignments inside branches
|
656
712
|
* Pin to ruby2ruby version 2.0.3
|
657
713
|
|
658
|
-
# 1.9.4
|
714
|
+
# 1.9.4 - 2013-03-19
|
659
715
|
|
660
716
|
* Add check for CVE-2013-1854
|
661
717
|
* Add check for CVE-2013-1855
|
@@ -667,7 +723,7 @@
|
|
667
723
|
* Slightly faster cloning of Sexps
|
668
724
|
* Detect another way to add `strong_parameters`
|
669
725
|
|
670
|
-
# 1.9.3
|
726
|
+
# 1.9.3 - 2013-03-01
|
671
727
|
|
672
728
|
* Add render path to JSON report
|
673
729
|
* Add warning fingerprints
|
@@ -682,7 +738,7 @@
|
|
682
738
|
* Expand HAML dependency to include 4.0
|
683
739
|
* Scroll errors into view when expanding in HTML report
|
684
740
|
|
685
|
-
# 1.9.2
|
741
|
+
# 1.9.2 - 2013-02-14
|
686
742
|
|
687
743
|
* Add check for CVE-2013-0269
|
688
744
|
* Add check for CVE-2013-0276
|
@@ -693,7 +749,7 @@
|
|
693
749
|
* Check for more dangerous YAML methods
|
694
750
|
* Support MultiJSON 1.2 for Rails 3.0 and 3.1
|
695
751
|
|
696
|
-
# 1.9.1
|
752
|
+
# 1.9.1 - 2013-01-19
|
697
753
|
|
698
754
|
* Update to RubyParser 3.1.1 (neersighted)
|
699
755
|
* Remove ActiveSupport dependency (Neil Matatall)
|
@@ -705,7 +761,7 @@
|
|
705
761
|
* Add check for CVE-2013-0156
|
706
762
|
* Add check for unsafe `YAML.load`
|
707
763
|
|
708
|
-
# 1.9.0
|
764
|
+
# 1.9.0 - 2012-12-25
|
709
765
|
|
710
766
|
* Update to RubyParser 3
|
711
767
|
* Ignore route information by default
|
@@ -725,7 +781,7 @@
|
|
725
781
|
* Handle empty model files
|
726
782
|
* Remove "find by regex" feature from `CallIndex`
|
727
783
|
|
728
|
-
# 1.8.3
|
784
|
+
# 1.8.3 - 2012-11-13
|
729
785
|
|
730
786
|
* Use `multi_json` gem for better harmony
|
731
787
|
* Performance improvement for call indexing
|
@@ -741,7 +797,7 @@
|
|
741
797
|
* Fix error in rescan of mixins with symbols in method name
|
742
798
|
* Do not rescan non-Ruby files in config/
|
743
799
|
|
744
|
-
# 1.8.2
|
800
|
+
# 1.8.2 - 2012-10-17
|
745
801
|
|
746
802
|
* Fixed rescanning problems caused by 1.8.0 changes
|
747
803
|
* Fix scope calls with single argument
|
@@ -750,7 +806,7 @@
|
|
750
806
|
* Much improved test coverage
|
751
807
|
* Add CHANGES to gemspec
|
752
808
|
|
753
|
-
# 1.8.1
|
809
|
+
# 1.8.1 - 2012-09-24
|
754
810
|
|
755
811
|
* Recover from errors in output formatting
|
756
812
|
* Fix false positive in redirect_to (Neil Matatall)
|
@@ -762,7 +818,7 @@
|
|
762
818
|
* Handle super calls with blocks
|
763
819
|
* Respect `-q` flag for "Rails 3 detected" message
|
764
820
|
|
765
|
-
# 1.8.0
|
821
|
+
# 1.8.0 - 2012-09-05
|
766
822
|
|
767
823
|
* Support relative paths in reports (fsword)
|
768
824
|
* Allow Brakeman to be run without tty (fsword)
|
@@ -778,7 +834,7 @@
|
|
778
834
|
* Treat model attributes in `or` expressions as immediate values
|
779
835
|
* Switch to method access for Sexp nodes
|
780
836
|
|
781
|
-
# 1.7.1
|
837
|
+
# 1.7.1 - 2012-08-13
|
782
838
|
|
783
839
|
* Add check for CVE-2012-3463
|
784
840
|
* Add check for CVE-2012-3464
|
@@ -786,7 +842,7 @@
|
|
786
842
|
* Add charset to HTML report (hooopo)
|
787
843
|
* Report XSS in select() for Rails 2
|
788
844
|
|
789
|
-
# 1.7.0
|
845
|
+
# 1.7.0 - 2012-07-31
|
790
846
|
|
791
847
|
* Add check for CVE-2012-3424
|
792
848
|
* Link report types to descriptions on website
|
@@ -801,7 +857,7 @@
|
|
801
857
|
* Fix processing of negative array indexes
|
802
858
|
* Add line breaks to truncated table rows
|
803
859
|
|
804
|
-
# 1.6.2
|
860
|
+
# 1.6.2 - 2012-06-13
|
805
861
|
|
806
862
|
* Add checks for CVE-2012-2660, CVE-2012-2661, CVE-2012-2694, CVE-2012-2695 (Dave Worth)
|
807
863
|
* Avoid warning when redirecting to a model instance
|
@@ -813,7 +869,7 @@
|
|
813
869
|
* Cache before_filter lookups
|
814
870
|
* Turn off quiet mode by default for `--compare`
|
815
871
|
|
816
|
-
# 1.6.1
|
872
|
+
# 1.6.1 - 2012-05-23
|
817
873
|
|
818
874
|
* Major rewrite of CheckSQL
|
819
875
|
* Fix rescanning of deleted templates
|
@@ -823,7 +879,7 @@
|
|
823
879
|
* Fix highlighting of HTML escaped values in HTML report
|
824
880
|
* Report line number of highlighted value, if available
|
825
881
|
|
826
|
-
# 1.6.0
|
882
|
+
# 1.6.0 - 2012-04-20
|
827
883
|
|
828
884
|
* Remove the Ruport dependency (Neil Matatall)
|
829
885
|
* Add more informational JSON output (Neil Matatall)
|
@@ -835,7 +891,7 @@
|
|
835
891
|
* Fix rescanning of deleted files
|
836
892
|
* Properly check for rails_xss in Gemfile
|
837
893
|
|
838
|
-
# 1.5.3
|
894
|
+
# 1.5.3 - 2012-04-10
|
839
895
|
|
840
896
|
* Add check for user input in Object#send (Neil Matatall)
|
841
897
|
* Handle render :layout in views
|
@@ -849,7 +905,7 @@
|
|
849
905
|
* Improve handling of modules and nesting
|
850
906
|
* Test for zero errors in test reports
|
851
907
|
|
852
|
-
# 1.5.2
|
908
|
+
# 1.5.2 - 2012-03-22
|
853
909
|
|
854
910
|
* Fix link_to checks for Rails 2.0 and 2.3
|
855
911
|
* Fix rescanning of lib files (Neil Matatall)
|
@@ -860,7 +916,7 @@
|
|
860
916
|
* Fix handling of views when using rails_xss
|
861
917
|
* Revert to ruby_parser 2.3.1 for Ruby 1.8 parsing
|
862
918
|
|
863
|
-
# 1.5.1
|
919
|
+
# 1.5.1- 2012-03-06
|
864
920
|
|
865
921
|
* Fix detection of global mass assignment setting
|
866
922
|
* Fix partial rendering in Rails 3
|
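Review bot: `# 1.5.1- 2012-03-06` is missing the space before the dash that every other dated header in this change uses (for example `# 1.5.0 - 2012-03-02` in the next hunk). Since the purpose of these edits is consistent release dates across CHANGES, change it to `# 1.5.1 - 2012-03-06`.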
@@ -870,7 +926,7 @@
|
|
870
926
|
* Add tracking of module and class to Brakeman::BaseProcessor
|
871
927
|
* Report module when using Brakeman::FindCall
|
872
928
|
|
873
|
-
# 1.5.0
|
929
|
+
# 1.5.0 - 2012-03-02
|
874
930
|
|
875
931
|
* Add version check for SafeBuffer vulnerability
|
876
932
|
* Add check for select vulnerability in Rails 3
|
@@ -881,7 +937,7 @@
|
|
881
937
|
* Standardize methods to check for SQL injection
|
882
938
|
* Fix Rails 2 route parsing issue with nested routes
|
883
939
|
|
884
|
-
# 1.4.0
|
940
|
+
# 1.4.0 - 2012-02-24
|
885
941
|
|
886
942
|
* Add check for user input in link_to href parameter
|
887
943
|
* Match ERB processing to rails_xss plugin when plugin used
|
@@ -889,7 +945,7 @@
|
|
889
945
|
* Warnings below minimum confidence are dropped completely
|
890
946
|
* Brakeman.run always returns a Tracker
|
891
947
|
|
892
|
-
# 1.3.0
|
948
|
+
# 1.3.0 - 2012-02-09
|
893
949
|
|
894
950
|
* Add file paths to HTML report
|
895
951
|
* Add caching of filters
|
@@ -902,7 +958,7 @@
|
|
902
958
|
* Better variable substitution
|
903
959
|
* Table output option for rescan reports
|
904
960
|
|
905
|
-
# 1.2.2
|
961
|
+
# 1.2.2 - 2012-01-26
|
906
962
|
|
907
963
|
* --no-progress works again
|
908
964
|
* Make CheckLinkTo a separate check
|
@@ -910,7 +966,7 @@
|
|
910
966
|
* Handle empty resource(s) blocks
|
911
967
|
* Add RescanReport#existing_warnings
|
912
968
|
|
913
|
-
## 1.2.1
|
969
|
+
## 1.2.1 - 2012-01-20
|
914
970
|
|
915
971
|
* Remove link_to warning for Rails 3.x or when using rails_xss
|
916
972
|
* Don't warn if first argument to link_to is escaped
|
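Review bot: from `## 1.2.1 - 2012-01-20` downward the version headers use `##` (also `## 1.2.0`, `## 1.1.0`, `## 1.0.0`, `## 1.0.0rc1`, `## 0.9.2` and later in the following hunks) while 1.2.2 and every newer release use a single `#`. In rendered Markdown that nests all releases from 1.2.1 back as subsections of 1.2.2. Since each of these header lines is already being rewritten to add a date, this is the cheap moment to normalise them to one heading level.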
@@ -922,7 +978,7 @@
|
|
922
978
|
* Add Brakeman::RescanReport#to_s
|
923
979
|
* Add Brakeman::Warning#to_s
|
924
980
|
|
925
|
-
## 1.2.0
|
981
|
+
## 1.2.0 - 2012-01-14
|
926
982
|
|
927
983
|
* Speed improvements for CheckExecute and CheckRender
|
928
984
|
* Check named_scope() and scope() for SQL injection
|
@@ -931,7 +987,7 @@
|
|
931
987
|
* Add --summary option to only output summary
|
932
988
|
* Fix a problem with Rails 3 routes
|
933
989
|
|
934
|
-
## 1.1.0
|
990
|
+
## 1.1.0 - 2011-12-22
|
935
991
|
|
936
992
|
* Relax required versions for dependencies
|
937
993
|
* Performance improvements for source processing
|
@@ -941,14 +997,14 @@
|
|
941
997
|
* Compatibility with newer Haml versions
|
942
998
|
* Fix some warnings
|
943
999
|
|
944
|
-
## 1.0.0
|
1000
|
+
## 1.0.0 - 2011-12-08
|
945
1001
|
|
946
1002
|
* Better handling of assignments inside ifs
|
947
1003
|
* Check more expressions for SQL injection
|
948
1004
|
* Use latest ruby_parser for better 1.9 syntax support
|
949
1005
|
* Better behavior for Brakeman as a library
|
950
1006
|
|
951
|
-
## 1.0.0rc1
|
1007
|
+
## 1.0.0rc1 - 2011-12-06
|
952
1008
|
|
953
1009
|
* Brakeman can now be used as a library
|
954
1010
|
* Faster call search
|
@@ -961,23 +1017,23 @@
|
|
961
1017
|
* Ignore mass assignment using all literal arguments
|
962
1018
|
* Keep expanded context in view with HTML output
|
963
1019
|
|
964
|
-
## 0.9.2
|
1020
|
+
## 0.9.2 - 2011-11-22
|
965
1021
|
|
966
1022
|
* Fix Rails 3 configuration parsing
|
967
1023
|
* Add t() helper to check for translate XSS bug
|
968
1024
|
|
969
|
-
## 0.9.1
|
1025
|
+
## 0.9.1 - 2011-11-18
|
970
1026
|
|
971
1027
|
* Add warning for translator helper XSS vulnerability
|
972
1028
|
|
973
|
-
## 0.9.0
|
1029
|
+
## 0.9.0 - 2011-11-17
|
974
1030
|
|
975
1031
|
* Process Rails 3 configuration files
|
976
1032
|
* Fix CSV output
|
977
1033
|
* Check for config.active_record.whitelist_attributes = true
|
978
1034
|
* Always produce a warning for without_protection => true
|
979
1035
|
|
980
|
-
## 0.8.4
|
1036
|
+
## 0.8.4 - 2011-11-04
|
981
1037
|
|
982
1038
|
* Option for separate attr_accessible warnings
|
983
1039
|
* Option to set CSS file for HTML output
|
@@ -986,23 +1042,23 @@
|
|
986
1042
|
* Fix hash_insert()
|
987
1043
|
* Remove use of Queue from threaded checks
|
988
1044
|
|
989
|
-
## 0.8.3
|
1045
|
+
## 0.8.3 - 2011-10-25
|
990
1046
|
|
991
1047
|
* Respect -w flag in .tabs format (tw-ngreen)
|
992
1048
|
* Escape HTML output of error messages
|
993
1049
|
* Add --skip-libs option
|
994
1050
|
|
995
|
-
## 0.8.2
|
1051
|
+
## 0.8.2 - 2011-10-01
|
996
1052
|
|
997
1053
|
* Run checks in parallel threads by default
|
998
1054
|
* Fix compatibility with ruby_parser 2.3.1
|
999
1055
|
|
1000
|
-
## 0.8.1
|
1056
|
+
## 0.8.1 - 2011-09-28
|
1001
1057
|
|
1002
1058
|
* Add option to assume all controller methods are actions
|
1003
1059
|
* Recover from errors when parsing routes
|
1004
1060
|
|
1005
|
-
## 0.8.0
|
1061
|
+
## 0.8.0 - 2011-09-15
|
1006
1062
|
|
1007
1063
|
* Add check for mass assignment using without_protection
|
1008
1064
|
* Add check for password in http_basic_authenticate_with
|
@@ -1013,30 +1069,30 @@
|
|
1013
1069
|
* Add ruby_parser hack for Ruby 1.9 hash syntax
|
1014
1070
|
* Add a few Rails 3.1 tests
|
1015
1071
|
|
1016
|
-
## 0.7.2
|
1072
|
+
## 0.7.2 - 2011-08-27
|
1017
1073
|
|
1018
1074
|
* Fix handling of params and cookies with nested access
|
1019
1075
|
* Add CVEs for checks added in 0.7.0
|
1020
1076
|
|
1021
|
-
## 0.7.1
|
1077
|
+
## 0.7.1 - 2011-08-18
|
1022
1078
|
|
1023
1079
|
* Require BaseProcessor for GemProcessor
|
1024
1080
|
|
1025
|
-
## 0.7.0
|
1081
|
+
## 0.7.0 - 2011-08-17
|
1026
1082
|
|
1027
1083
|
* Allow local variable as a class name
|
1028
1084
|
* Add checks for vulnerabilities fixed in Rails 2.3.14 and 3.0.10
|
1029
1085
|
* Check for default routes in Rails 3 apps
|
1030
1086
|
* Look in Gemfile or Gemfile.lock for Rails version
|
1031
1087
|
|
1032
|
-
## 0.6.1
|
1088
|
+
## 0.6.1 - 2011-07-29
|
1033
1089
|
|
1034
1090
|
* Fix XSS check for cookies as parameters in output
|
1035
1091
|
* Don't bother calling super in CheckSessionSettings
|
1036
1092
|
* Add escape_once as a safe method
|
1037
1093
|
* Accept '\Z' or '\z' in model validations
|
1038
1094
|
|
1039
|
-
## 0.6.0
|
1095
|
+
## 0.6.0 - 2011-07-20
|
1040
1096
|
|
1041
1097
|
* Tests are in place and fully functional
|
1042
1098
|
* Hide errors by default in HTML output
|
@@ -1049,17 +1105,17 @@
|
|
1049
1105
|
* Fixes to escaped output scanning
|
1050
1106
|
* Update CSRF CVE-2011-0447 message to be less assertive
|
1051
1107
|
|
1052
|
-
## 0.5.2
|
1108
|
+
## 0.5.2 - 2011-06-29
|
1053
1109
|
|
1054
1110
|
* Output report file name when finished
|
1055
1111
|
* Add initial tests for Rails 2.x
|
1056
1112
|
* Fix ERB line numbers when using Ruby 1.9
|
1057
1113
|
|
1058
|
-
## 0.5.1
|
1114
|
+
## 0.5.1 - 2011-06-17
|
1059
1115
|
|
1060
1116
|
* Fix issue with 'has_one' => in routes
|
1061
1117
|
|
1062
|
-
## 0.5.0
|
1118
|
+
## 0.5.0 - 2011-06-08
|
1063
1119
|
|
1064
1120
|
* Add support for routes like get 'x/y', :to => 'ctrlr#whatever'
|
1065
1121
|
* Allow empty blocks in Rails 3 routes
|
@@ -1067,52 +1123,52 @@
|
|
1067
1123
|
* Add line numbers to session setting warnings
|
1068
1124
|
* Add --checks option to list checks
|
1069
1125
|
|
1070
|
-
## 0.4.1
|
1126
|
+
## 0.4.1 - 2011-05-23
|
1071
1127
|
|
1072
1128
|
* Fix reported line numbers when using new Erubis parser
|
1073
1129
|
(Mostly affects Rails 3 apps)
|
1074
1130
|
|
1075
|
-
## 0.4.0
|
1131
|
+
## 0.4.0 - 2011-05-19
|
1076
1132
|
|
1077
1133
|
* Handle Rails XSS protection properly
|
1078
1134
|
* More detection options for rails_xss
|
1079
1135
|
* Add --escape-html option
|
1080
1136
|
|
1081
|
-
## 0.3.2
|
1137
|
+
## 0.3.2 - 2011-05-12
|
1082
1138
|
|
1083
1139
|
* Autodetect Rails 3 applications
|
1084
1140
|
* Turn on auto-escaping for Rails 3 apps
|
1085
1141
|
* Check Model.create() for mass assignment
|
1086
1142
|
|
1087
|
-
## 0.3.1
|
1143
|
+
## 0.3.1 - 2011-05-03
|
1088
1144
|
|
1089
1145
|
* Always output a line number in tabbed output format
|
1090
1146
|
* Restrict characters in category name in tabbed output format to
|
1091
1147
|
word characters and spaces, for Hudson/Jenkins plugin
|
1092
1148
|
|
1093
|
-
## 0.3.0
|
1149
|
+
## 0.3.0 - 2011-03-21
|
1094
1150
|
|
1095
1151
|
* Check for SQL injection in calls using constantize()
|
1096
1152
|
* Check for SQL injection in calls to count_by_sql()
|
1097
1153
|
|
1098
|
-
## 0.2.2
|
1154
|
+
## 0.2.2 - 2011-02-22
|
1099
1155
|
|
1100
1156
|
* Fix version_between? when no Rails version is specified
|
1101
1157
|
|
1102
|
-
## 0.2.1
|
1158
|
+
## 0.2.1 - 2011-02-18
|
1103
1159
|
|
1104
1160
|
* Add code snippet to tab output messages
|
1105
1161
|
|
1106
|
-
## 0.2.0
|
1162
|
+
## 0.2.0 - 2011-02-16
|
1107
1163
|
|
1108
1164
|
* Add check for mail_to vulnerability - CVE-2011-0446
|
1109
1165
|
* Add check for CSRF weakness - CVE-2011-0447
|
1110
1166
|
|
1111
|
-
## 0.1.1
|
1167
|
+
## 0.1.1 - 2011-01-25
|
1112
1168
|
|
1113
1169
|
* Be more permissive with ActiveSupport version
|
1114
1170
|
|
1115
|
-
## 0.1.0
|
1171
|
+
## 0.1.0 - 2011-01-18
|
1116
1172
|
|
1117
1173
|
* Check link_to for XSS (because arguments are not escaped)
|
1118
1174
|
* Process layouts better (although not perfectly yet)
|