brakeman-lib 4.5.1 → 4.7.2
- checksums.yaml +4 -4
- data/CHANGES.md +158 -109
- data/README.md +1 -2
- data/lib/brakeman/call_index.rb +54 -15
- data/lib/brakeman/checks/base_check.rb +50 -47
- data/lib/brakeman/checks/check_cookie_serialization.rb +22 -0
- data/lib/brakeman/checks/check_cross_site_scripting.rb +4 -4
- data/lib/brakeman/checks/check_deserialize.rb +3 -6
- data/lib/brakeman/checks/check_execute.rb +26 -1
- data/lib/brakeman/checks/check_file_access.rb +7 -1
- data/lib/brakeman/checks/check_header_dos.rb +2 -2
- data/lib/brakeman/checks/check_i18n_xss.rb +2 -2
- data/lib/brakeman/checks/check_jruby_xml.rb +2 -2
- data/lib/brakeman/checks/check_json_parsing.rb +2 -2
- data/lib/brakeman/checks/check_mass_assignment.rb +1 -1
- data/lib/brakeman/checks/check_mime_type_dos.rb +2 -2
- data/lib/brakeman/checks/check_nested_attributes_bypass.rb +1 -1
- data/lib/brakeman/checks/check_reverse_tabnabbing.rb +58 -0
- data/lib/brakeman/checks/check_sanitize_methods.rb +2 -2
- data/lib/brakeman/checks/check_session_settings.rb +5 -2
- data/lib/brakeman/checks/check_sql.rb +24 -22
- data/lib/brakeman/checks/check_xml_dos.rb +2 -2
- data/lib/brakeman/checks/check_yaml_parsing.rb +10 -18
- data/lib/brakeman/differ.rb +16 -28
- data/lib/brakeman/file_parser.rb +4 -8
- data/lib/brakeman/file_path.rb +14 -0
- data/lib/brakeman/parsers/haml_embedded.rb +1 -1
- data/lib/brakeman/parsers/template_parser.rb +3 -1
- data/lib/brakeman/processor.rb +2 -2
- data/lib/brakeman/processors/alias_processor.rb +15 -1
- data/lib/brakeman/processors/base_processor.rb +2 -0
- data/lib/brakeman/processors/controller_processor.rb +4 -4
- data/lib/brakeman/processors/gem_processor.rb +10 -2
- data/lib/brakeman/processors/haml_template_processor.rb +87 -123
- data/lib/brakeman/processors/lib/call_conversion_helper.rb +5 -4
- data/lib/brakeman/processors/lib/find_all_calls.rb +27 -4
- data/lib/brakeman/processors/lib/find_call.rb +3 -64
- data/lib/brakeman/processors/lib/rails2_config_processor.rb +1 -1
- data/lib/brakeman/processors/template_alias_processor.rb +28 -0
- data/lib/brakeman/processors/template_processor.rb +10 -6
- data/lib/brakeman/report/report_text.rb +4 -5
- data/lib/brakeman/rescanner.rb +4 -0
- data/lib/brakeman/tracker.rb +26 -2
- data/lib/brakeman/tracker/config.rb +38 -73
- data/lib/brakeman/tracker/constants.rb +2 -1
- data/lib/brakeman/util.rb +5 -3
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning.rb +4 -0
- data/lib/brakeman/warning_codes.rb +3 -0
- data/lib/ruby_parser/bm_sexp.rb +7 -2
- metadata +18 -17
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: ef101a185ff582733d1564d862fcb87afbedb1df01482f1c8815f130bd886a0b
|
4
|
+
data.tar.gz: 938ff3304347e001f5f21880d8d6dfca2bb1d3b26f29dae7d269db67350df70f
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: de7d5d8fc614fd226145878158e4e75745e31afce19e87e84e73d19d5182b42128ff36d2a5fa45567286ec989513fa5c1ae40aa53353f56b04c3a7a52a11bef6
|
7
|
+
data.tar.gz: 78006970c55993fbcf96ac56783d3ed04beb1d5bf54d4b716a04158796398577ded0fb1bd7b7070e91074a6daff48e762b6b49515c10ca6d27c84cde0e7b0531
|
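Review bot: the removed `metadata.gz:` and `data.tar.gz:` lines carry no digest values in this rendering, so the old and new checksums cannot be compared side by side here. Before accepting the 4.5.1 → 4.7.2 bump, fetch the 4.7.2 gem from the registry and confirm its SHA256 and SHA512 digests match the added values (`ef101a18…` for metadata.gz, `938ff330…` for data.tar.gz) rather than relying on the diff view alone.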
data/CHANGES.md
CHANGED
@@ -1,4 +1,53 @@
|
|
1
|
-
# 4.
|
1
|
+
# 4.7.2 - 2019-11-25
|
2
|
+
|
3
|
+
* Remove version guard for `named_scope` vs. `scope`
|
4
|
+
* Find SQL injection in `String#strip_heredoc` target
|
5
|
+
* Handle more `permit!` cases
|
6
|
+
* Ensure file name is set when processing model
|
7
|
+
* Add `request.params` as query parameters
|
8
|
+
|
9
|
+
# 4.7.1 - 2019-10-29
|
10
|
+
|
11
|
+
* Check string length against limit before joining
|
12
|
+
* Fix errors from frozen `Symbol#to_s` in Ruby 2.7
|
13
|
+
* Fix flaky rails4 test (Adam Kiczula)
|
14
|
+
* Added release dates to each version in CHANGES (TheSpartan1980)
|
15
|
+
* Catch reverse tabnabbing with `:_blank` symbol (Jacob Evelyn)
|
16
|
+
* Convert `s(:lambda)` to `s(:call)` in `Sexp#block_call`
|
17
|
+
* Sort text report by file and line (Jacob Evelyn)
|
18
|
+
|
19
|
+
# 4.7.0 - 2019-10-16
|
20
|
+
|
21
|
+
* Refactor `Brakeman::Differ#second_pass` (Benoit Côté-Jodoin)
|
22
|
+
* Ignore interpolation in `%W[]`
|
23
|
+
* Fix `version_between?` (Andrey Glushkov)
|
24
|
+
* Add support for `ruby_parser` 3.14.0
|
25
|
+
* Ignore `form_for` for XSS check
|
26
|
+
* Update Haml support to Haml 5.x
|
27
|
+
* Catch shell injection from `-c` shell commands (Jacob Evelyn)
|
28
|
+
* Correctly handle non-symbols in `CheckCookieSerialization` (Phil Turnbull)
|
29
|
+
|
30
|
+
# 4.6.1 - 2019-07-24
|
31
|
+
|
32
|
+
* Fix Reverse Tabnabbing warning message (Steffen Schildknecht / Jörg Schiller)
|
33
|
+
|
34
|
+
# 4.6.0 - 2019-07-23
|
35
|
+
|
36
|
+
* Skip calls to `dup`
|
37
|
+
* Add reverse tabnabbing check (Linos Giannopoulos)
|
38
|
+
* Better handling of gems with no version declared
|
39
|
+
* Warn people that Haml 5 is not fully supported (Jared Beck)
|
40
|
+
* Avoid warning about file access with `ActiveStorage::Filename#sanitized` (Tejas Bubane)
|
41
|
+
* Update loofah version for fixing CVE-2018-8048 (Markus Nölle)
|
42
|
+
* Restore `Warning#relative_path`
|
43
|
+
* Add check for cookie serialization with Marshal
|
44
|
+
* Index calls in initializers
|
45
|
+
* Improve template output handling in conditional branches
|
46
|
+
* Avoid assigning `nil` line numbers to `Sexp`s
|
47
|
+
* Add special warning code for custom checks
|
48
|
+
* Add call matching by regular expression
|
49
|
+
|
50
|
+
# 4.5.1 - 2019-05-11
|
2
51
|
|
3
52
|
* Add `Brakeman::FilePath` to represent file paths
|
4
53
|
* Handle trailing comma in block args
|
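Review bot: the removed heading is shown truncated as `# 4.` in this view, so the hunk alone does not confirm that it was the old `# 4.5.1` line being replaced rather than a heading being dropped; check that the file still has exactly one heading per release after this change. Separately, the 4.6.0 entry `* Update loofah version for fixing CVE-2018-8048 (Markus Nölle)` reads as if it were a new detection, while Brakeman's warning for that CVE is already listed under 4.2.1 further down; wording it as an update of Brakeman's own loofah dependency would remove the ambiguity.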
@@ -13,7 +62,7 @@
|
|
13
62
|
* Add initial Rails 6 support
|
14
63
|
* Add SQL injection checks for `destroy_by`/`delete_by`
|
15
64
|
|
16
|
-
# 4.5.0
|
65
|
+
# 4.5.0 - 2019-03-16
|
17
66
|
|
18
67
|
* Update `ruby_parser`, use `ruby_parser-legacy`
|
19
68
|
* More thoroughly handle `Shellwords` escaping
|
@@ -30,7 +79,7 @@
|
|
30
79
|
* Better handling of splat/kwsplat arguments
|
31
80
|
* Improve "user input" reported for SQL injection
|
32
81
|
|
33
|
-
# 4.4.0
|
82
|
+
# 4.4.0 - 2019-01-17
|
34
83
|
|
35
84
|
* Set default encoding to UTF-8
|
36
85
|
* Update to Slim 4.0.1 (Jake Peterson)
|
@@ -53,7 +102,7 @@
|
|
53
102
|
* Complete overhaul of warning message construction
|
54
103
|
* Deadcode and typo fixes found via Coverity
|
55
104
|
|
56
|
-
# 4.3.1
|
105
|
+
# 4.3.1 - 2018-06-07
|
57
106
|
|
58
107
|
* Ignore `Object#freeze`, use the target instead
|
59
108
|
* Ignore `foreign_key` calls in SQL
|
@@ -66,7 +115,7 @@
|
|
66
115
|
* Improve handling of conditionals in shell commands (Jacob Evelyn)
|
67
116
|
* Fix error when setting line number in implicit renders
|
68
117
|
|
69
|
-
# 4.3.0
|
118
|
+
# 4.3.0 - 2018-05-11
|
70
119
|
|
71
120
|
* Check exec-type calls even if they are targets
|
72
121
|
* Convert `Array#join` to string interpolation
|
@@ -82,14 +131,14 @@
|
|
82
131
|
* `--color` can be used to force color output
|
83
132
|
* Fix reported line numbers for CVE-2018-3741 and CVE-2018-8048
|
84
133
|
|
85
|
-
# 4.2.1
|
134
|
+
# 4.2.1 - 2018-03-24
|
86
135
|
|
87
136
|
* Add warning for CVE-2018-3741
|
88
137
|
* Add warning for CVE-2018-8048
|
89
138
|
* Scan `app/jobs/` directory
|
90
139
|
* Handle `template_exists?` in controllers
|
91
140
|
|
92
|
-
# 4.2.0
|
141
|
+
# 4.2.0 - 2018-02-22
|
93
142
|
|
94
143
|
* Avoid warning about symbol DoS on `Model#attributes`
|
95
144
|
* Avoid warning about open redirects with model methods ending with `_path`
|
@@ -102,12 +151,12 @@
|
|
102
151
|
* Exclude template folders in `lib/` (kru0096)
|
103
152
|
* Handle ERb use of `String#<<` method for Ruby 2.5 (Pocke)
|
104
153
|
|
105
|
-
# 4.1.1
|
154
|
+
# 4.1.1 - 2017-12-19
|
106
155
|
|
107
156
|
* Remove check for use of `permit` with `*_id` keys
|
108
157
|
* Avoid duplicate warnings about permitted attributes
|
109
158
|
|
110
|
-
# 4.1.0
|
159
|
+
# 4.1.0 - 2017-12-14
|
111
160
|
|
112
161
|
* Process models as root sexp instead of each sexp
|
113
162
|
* Avoid CSRF warning in Rails 5.2 default config
|
@@ -130,12 +179,12 @@
|
|
130
179
|
* Refactor Code Climate engine options parsing (Noah Davis)
|
131
180
|
* Fix upgrade version for CVE-2016-6316
|
132
181
|
|
133
|
-
# 4.0.1
|
182
|
+
# 4.0.1 - 2017-09-25
|
134
183
|
|
135
184
|
* Disable pager when `CI` environment variable is set
|
136
185
|
* Fix output when pager fails
|
137
186
|
|
138
|
-
# 4.0.0
|
187
|
+
# 4.0.0 - 2017-09-25
|
139
188
|
|
140
189
|
* Add simple pager for reports output to terminal
|
141
190
|
* Rename "Cross Site Scripting" to "Cross-Site Scripting" (Paul Tetreau)
|
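Review bot: `# 4.0.1 - 2017-09-25` and `# 4.0.0 - 2017-09-25` receive the same release date. A same-day patch release is plausible, but since these dates are being added retroactively, confirm both against the published gem release timestamps before merging.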
@@ -149,11 +198,11 @@
|
|
149
198
|
* --exit-on-error and --exit-on-warn are now the default
|
150
199
|
* Fix --exit-on-error and --exit-on-warn in config files
|
151
200
|
|
152
|
-
# 3.7.2
|
201
|
+
# 3.7.2 - 2017-08-16
|
153
202
|
|
154
203
|
* Fix --ensure-latest (David Guyon)
|
155
204
|
|
156
|
-
# 3.7.1
|
205
|
+
# 3.7.1 - 2017-08-16
|
157
206
|
|
158
207
|
* Handle simple guard with return at end of branch
|
159
208
|
* Modularize bin/brakeman
|
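Review bot: 3.7.2 and 3.7.1 are both dated 2017-08-16 in this hunk; worth a second look against the gem release history, given the dates were filled in after the fact.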
@@ -161,7 +210,7 @@
|
|
161
210
|
* Add more collection methods for iteration detection
|
162
211
|
* Update ruby2ruby and ruby_parser
|
163
212
|
|
164
|
-
# 3.7.0
|
213
|
+
# 3.7.0 - 2017-06-30
|
165
214
|
|
166
215
|
* Improve support for rails4/rails5 options in config file
|
167
216
|
* Track more information about constant assignments
|
@@ -170,7 +219,7 @@
|
|
170
219
|
* Fix false positive for redirect_to in Rails 4 (Mário Areias)
|
171
220
|
* Avoid interpolating hashes/arrays on failed access
|
172
221
|
|
173
|
-
# 3.6.2
|
222
|
+
# 3.6.2 - 2017-05-19
|
174
223
|
|
175
224
|
* Handle safe call operator in checks
|
176
225
|
* Better handling of `if` expressions in HAML rendering
|
@@ -185,11 +234,11 @@
|
|
185
234
|
* Handle empty `if` expressions when finding return values
|
186
235
|
* Fix finding return value from empty `if`
|
187
236
|
|
188
|
-
# 3.6.1
|
237
|
+
# 3.6.1 - 2017-03-24
|
189
238
|
|
190
239
|
* Fix error when using `--compare` (Sean Gransee)
|
191
240
|
|
192
|
-
# 3.6.0
|
241
|
+
# 3.6.0 - 2017-03-23
|
193
242
|
|
194
243
|
* Avoid recursive Concerns
|
195
244
|
* Branch inside of `case` expressions
|
@@ -200,7 +249,7 @@
|
|
200
249
|
* Only report CVE-2015-3227 when exact version is known
|
201
250
|
* Check targetless SQL calls outside of known models
|
202
251
|
|
203
|
-
# 3.5.0
|
252
|
+
# 3.5.0 - 2017-02-01
|
204
253
|
|
205
254
|
* Allow `-t None`
|
206
255
|
* Fail on invalid checks specified by `-x` or `-t`
|
@@ -215,7 +264,7 @@
|
|
215
264
|
* Handle `included` block in concerns
|
216
265
|
* Process concerns before controllers
|
217
266
|
|
218
|
-
# 3.4.1
|
267
|
+
# 3.4.1 - 2016-11-02
|
219
268
|
|
220
269
|
* Show action help at start of interactive ignore
|
221
270
|
* Check CSRF setting in direct subclasses of `ActionController::Base` (Jason Yeo)
|
@@ -225,7 +274,7 @@
|
|
225
274
|
* Avoid warning about `where_values_hash` in SQLi
|
226
275
|
* Fix ignoring link interpolation not at beginning of string
|
227
276
|
|
228
|
-
# 3.4.0
|
277
|
+
# 3.4.0 - 2016-09-08
|
229
278
|
|
230
279
|
* Add new `plain` report format
|
231
280
|
* Add option to prune ignore file with `-I`
|
@@ -234,18 +283,18 @@
|
|
234
283
|
* Support creating reports in non-existent paths
|
235
284
|
* Add `--no-exit-warn`
|
236
285
|
|
237
|
-
# 3.3.5
|
286
|
+
# 3.3.5 - 2016-08-12
|
238
287
|
|
239
288
|
* Fix bug in reports when using --debug option
|
240
289
|
|
241
|
-
# 3.3.4
|
290
|
+
# 3.3.4 - 2016-08-12
|
242
291
|
|
243
292
|
* Add generic warning for CVE-2016-6316
|
244
293
|
* Warn about dangerous use of `content_tag` with CVE-2016-6316
|
245
294
|
* Add warning for CVE-2016-6317
|
246
295
|
* Use Minitest
|
247
296
|
|
248
|
-
# 3.3.3
|
297
|
+
# 3.3.3 - 2016-07-21
|
249
298
|
|
250
299
|
* Show path when no Rails app found (Neil Matatall)
|
251
300
|
* Index calls in view helpers
|
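Review bot: 3.3.5 and 3.3.4 both receive 2016-08-12 here; as with the other same-day pairs in this change, verify the two dates against the release record.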
@@ -258,11 +307,11 @@
|
|
258
307
|
* Sexp#value returns nil when there is no value
|
259
308
|
* Improve return value estimation
|
260
309
|
|
261
|
-
# 3.3.2
|
310
|
+
# 3.3.2 - 2016-06-10
|
262
311
|
|
263
312
|
* Fix serious performance regression with global constant tracking
|
264
313
|
|
265
|
-
# 3.3.1
|
314
|
+
# 3.3.1 - 2016-06-03
|
266
315
|
|
267
316
|
* Delay loading vendored gems and modifying load path
|
268
317
|
* Avoid warning about SQL injection with `quoted_primary_key`
|
@@ -273,7 +322,7 @@
|
|
273
322
|
* Add `--force-scan` option (Neil Matatall)
|
274
323
|
* Improved line number accuracy in ERB templates (Patrick Toomey)
|
275
324
|
|
276
|
-
# 3.3.0
|
325
|
+
# 3.3.0 - 2016-05-05
|
277
326
|
|
278
327
|
* Skip processing obviously false if branches (more broadly)
|
279
328
|
* Skip if branches with `Rails.env.test?`
|
@@ -291,11 +340,11 @@
|
|
291
340
|
* [Code Climate engine] Remove nil entries from include_paths (Gordon Diggs)
|
292
341
|
* [Code Climate engine] Report end lines for issues (Gordon Diggs)
|
293
342
|
|
294
|
-
# 3.2.1
|
343
|
+
# 3.2.1 - 2016-02-25
|
295
344
|
|
296
345
|
* Remove `multi_json` dependency from `bin/brakeman`
|
297
346
|
|
298
|
-
# 3.2.0
|
347
|
+
# 3.2.0 - 2016-02-25
|
299
348
|
|
300
349
|
* Skip Symbol DoS check on Rails 5
|
301
350
|
* Only update ignore config file on changes
|
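Review bot: 3.2.1 and 3.2.0 are both given 2016-02-25; double-check that both releases actually shipped that day.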
@@ -309,7 +358,7 @@
|
|
309
358
|
* Avoid render warnings about params[:action]/params[:controller]
|
310
359
|
* Index calls in class bodies but outside methods
|
311
360
|
|
312
|
-
# 3.1.5
|
361
|
+
# 3.1.5 - 2016-01-28
|
313
362
|
|
314
363
|
* Fix CodeClimate construction of --only-files (Will Fleming)
|
315
364
|
* Add check for denial of service via routes (CVE-2015-7581)
|
@@ -328,7 +377,7 @@
|
|
328
377
|
* Handle module names with self methods
|
329
378
|
* Add session manipulation documentation
|
330
379
|
|
331
|
-
# 3.1.4
|
380
|
+
# 3.1.4 - 2015-12-22
|
332
381
|
|
333
382
|
* Emit brakeman's native fingerprints for Code Climate engine (Noah Davis)
|
334
383
|
* Ignore secrets.yml if in .gitignore
|
@@ -336,7 +385,7 @@
|
|
336
385
|
* Increase test coverage for option parsing (Zander Mackie)
|
337
386
|
* Work around safe_yaml error
|
338
387
|
|
339
|
-
# 3.1.3
|
388
|
+
# 3.1.3 - 2015-12-03
|
340
389
|
|
341
390
|
* Check for session secret in secrets.yml
|
342
391
|
* Respect `exit_on_warn` in config file
|
@@ -350,7 +399,7 @@
|
|
350
399
|
* Depend on safe_yaml 1.0 or later
|
351
400
|
* Test coverage improvements for Brakema module (Bethany Rentz)
|
352
401
|
|
353
|
-
# 3.1.2
|
402
|
+
# 3.1.2 - 2015-10-28
|
354
403
|
|
355
404
|
* Treat `current_user` like a model
|
356
405
|
* Set user input value for inline renders
|
@@ -368,7 +417,7 @@
|
|
368
417
|
* Sortable tables in HTML report (David Lanner)
|
369
418
|
* Search for config file relative to application root
|
370
419
|
|
371
|
-
# 3.1.1
|
420
|
+
# 3.1.1 - 2015-09-23
|
372
421
|
|
373
422
|
* Add optional check for use of MD5 and SHA1
|
374
423
|
* Avoid warning when linking to decorated models
|
@@ -382,7 +431,7 @@
|
|
382
431
|
* Support newer terminal-table releases
|
383
432
|
* Allow searching call index methods by regex (Alex Ianus)
|
384
433
|
|
385
|
-
# 3.1.0
|
434
|
+
# 3.1.0 - 2015-08-31
|
386
435
|
|
387
436
|
* Add support for gems.rb/gems.locked
|
388
437
|
* Update render path information in JSON reports
|
@@ -401,18 +450,18 @@
|
|
401
450
|
* Expand safe methods to match methods with targets
|
402
451
|
* Avoid duplicate eval() warnings
|
403
452
|
|
404
|
-
# 3.0.5
|
453
|
+
# 3.0.5 - 2015-06-20
|
405
454
|
|
406
455
|
* Fix check for CVE-2015-3227
|
407
456
|
|
408
|
-
# 3.0.4
|
457
|
+
# 3.0.4 - 2015-06-18
|
409
458
|
|
410
459
|
* Add check for CVE-2015-3226 (XSS via JSON keys)
|
411
460
|
* Add check for CVE-2015-3227 (XML DoS)
|
412
461
|
* Treat `<%==` as unescaped output
|
413
462
|
* Update `ruby_parser` dependency to 3.7.0
|
414
463
|
|
415
|
-
# 3.0.3
|
464
|
+
# 3.0.3 - 2015-04-20
|
416
465
|
|
417
466
|
* Ignore more Arel methods in SQL
|
418
467
|
* Warn about protect_from_forgery without exceptions (Neil Matatall)
|
@@ -423,7 +472,7 @@
|
|
423
472
|
* Do not ignore targets of `to_s` in SQL
|
424
473
|
* Add Rake task to exit with error code on warnings (masarakki)
|
425
474
|
|
426
|
-
# 3.0.2
|
475
|
+
# 3.0.2 - 2015-03-09
|
427
476
|
|
428
477
|
* Alias process methods called in class scope on models
|
429
478
|
* Treat primary_key, table_name_prefix, table_name_suffix as safe in SQL
|
@@ -439,7 +488,7 @@
|
|
439
488
|
* Fix CSV output when there are no warnings
|
440
489
|
* Handle processing of explicitly shadowed block arguments
|
441
490
|
|
442
|
-
# 3.0.1
|
491
|
+
# 3.0.1 - 2015-01-23
|
443
492
|
|
444
493
|
* Avoid protect_from_forgery warning unless ApplicationController inherits from ActionController::Base
|
445
494
|
* Properly format command interpolation (again)
|
@@ -448,7 +497,7 @@
|
|
448
497
|
* Add `--add-libs-path` for additional libraries (Patrick Toomey)
|
449
498
|
* Properly process libraries (Patrick Toomey)
|
450
499
|
|
451
|
-
# 3.0.0
|
500
|
+
# 3.0.0 - 2015-01-03
|
452
501
|
|
453
502
|
* Add check for CVE-2014-7829
|
454
503
|
* Add check for cross-site scripting via inline renders
|
@@ -467,7 +516,7 @@
|
|
467
516
|
* CVEs report correct line and file name (Gemfile/Gemfile.lock) (Rob Fletcher)
|
468
517
|
* Change `--separate-models` to be the default
|
469
518
|
|
470
|
-
# 2.6.3
|
519
|
+
# 2.6.3 - 2014-10-14
|
471
520
|
|
472
521
|
* Whitelist `exists` arel method from SQL injection check
|
473
522
|
* Avoid warning about Symbol DoS on safe parameters as method targets
|
@@ -476,7 +525,7 @@
|
|
476
525
|
* Add framework for optional checks
|
477
526
|
* Fix stack overflow for cycles in class ancestors (Jeff Rafter)
|
478
527
|
|
479
|
-
# 2.6.2
|
528
|
+
# 2.6.2 - 2014-08-18
|
480
529
|
|
481
530
|
* Add check for CVE-2014-3415
|
482
531
|
* Avoid warning about symbolizing safe parameters
|
@@ -490,13 +539,13 @@
|
|
490
539
|
* Fix block statement endings in Erubis
|
491
540
|
* Fix undefined variable in controller processing error (Jason Barnabe)
|
492
541
|
|
493
|
-
# 2.6.1
|
542
|
+
# 2.6.1 - 2014-07-02
|
494
543
|
|
495
544
|
* Add check for CVE-2014-3482 and CVE-2014-3483
|
496
545
|
* Add support for keyword arguments in blocks
|
497
546
|
* Remove unused warning codes (Bill Fischer)
|
498
547
|
|
499
|
-
# 2.6.0
|
548
|
+
# 2.6.0 - 2014-06-06
|
500
549
|
|
501
550
|
* Fix detection of `:host` setting in redirects with chained calls
|
502
551
|
* Add check for CVE-2014-0130
|
@@ -510,7 +559,7 @@
|
|
510
559
|
* Ignore more model methods in redirects
|
511
560
|
* Fix CheckRender with nested render calls
|
512
561
|
|
513
|
-
# 2.5.0
|
562
|
+
# 2.5.0 - 2014-04-30
|
514
563
|
|
515
564
|
* Add support for RailsLTS 2.3.18.7 and 2.3.18.8
|
516
565
|
* Add support for Rails 4 `before_actions` and friends
|
@@ -525,11 +574,11 @@
|
|
525
574
|
* Handle more non-literals in routes
|
526
575
|
* Add check for regex denial of service (Ben Toews)
|
527
576
|
|
528
|
-
# 2.4.3
|
577
|
+
# 2.4.3 - 2014-03-23
|
529
578
|
|
530
579
|
No changes. 2.4.2 gem release was unsigned, 2.4.3 is signed.
|
531
580
|
|
532
|
-
# 2.4.2
|
581
|
+
# 2.4.2 - 2014-03-21
|
533
582
|
|
534
583
|
* Remove `rescue Exception`
|
535
584
|
* Fix duplicate warnings about sanitize CVE
|
@@ -538,13 +587,13 @@
|
|
538
587
|
* Skip identically rendered templates
|
539
588
|
* Fix HAML template processing
|
540
589
|
|
541
|
-
# 2.4.1
|
590
|
+
# 2.4.1 - 2014-02-19
|
542
591
|
|
543
592
|
* Add check for CVE-2014-0082
|
544
593
|
* Add check for CVE-2014-0081, replaces CVE-2013-6415
|
545
594
|
* Add check for CVE-2014-0080
|
546
595
|
|
547
|
-
# 2.4.0
|
596
|
+
# 2.4.0 - 2014-02-05
|
548
597
|
|
549
598
|
* Detect Rails LTS versions
|
550
599
|
* Reduce false positives for SQL injection in string building
|
@@ -559,12 +608,12 @@
|
|
559
608
|
* No longer raise exceptions if a class name cannot be determined
|
560
609
|
* Fingerprint attribute warnings individually (Case Taintor)
|
561
610
|
|
562
|
-
# 2.3.1
|
611
|
+
# 2.3.1 - 2013-12-13
|
563
612
|
|
564
613
|
* Fix check for CVE-2013-4491 (i18n XSS) to detect workaround
|
565
614
|
* Fix link for CVE-2013-6415 (number_to_currency)
|
566
615
|
|
567
|
-
# 2.3.0
|
616
|
+
# 2.3.0 - 2013-12-12
|
568
617
|
|
569
618
|
* Add check for Parameters#permit!
|
570
619
|
* Add check for CVE-2013-4491 (i18n XSS)
|
@@ -578,7 +627,7 @@
|
|
578
627
|
* Whitelist `Model#create` for redirects
|
579
628
|
* Fix scoping issues with instance variables and blocks
|
580
629
|
|
581
|
-
# 2.2.0
|
630
|
+
# 2.2.0 - 2013-10-28
|
582
631
|
|
583
632
|
* Reduce command injection false positives
|
584
633
|
* Use Rails version from Gemfile if it is available
|
@@ -587,14 +636,14 @@
|
|
587
636
|
* Support scanning Rails engines (Geoffrey Hichborn)
|
588
637
|
* Add check for detailed exceptions in production
|
589
638
|
|
590
|
-
# 2.1.2
|
639
|
+
# 2.1.2 - 2013-09-18
|
591
640
|
|
592
641
|
* Do not attempt to load custom Haml filters
|
593
642
|
* Do not warn about `to_json` XSS in Rails 4
|
594
643
|
* Add --table-width option to set width of text reports (ssendev)
|
595
644
|
* Remove fuzzy matching on dangerous attr_accessible values
|
596
645
|
|
597
|
-
# 2.1.1
|
646
|
+
# 2.1.1 - 2013-08-21
|
598
647
|
|
599
648
|
* New warning code for dangerous attributes in attr_accessible
|
600
649
|
* Do not warn on attr_accessible using roles
|
@@ -605,7 +654,7 @@
|
|
605
654
|
* Fix infinite loop when run as rake task (Matthew Shanley)
|
606
655
|
* Respect ignored warnings in tabs format reports
|
607
656
|
|
608
|
-
# 2.1.0
|
657
|
+
# 2.1.0 - 2013-07-17
|
609
658
|
|
610
659
|
* Support non-native line endings in Gemfile.lock (Paul Deardorff)
|
611
660
|
* Support for ignoring warnings
|
@@ -625,7 +674,7 @@
|
|
625
674
|
* Fix output format detection to be more strict again
|
626
675
|
* Allow empty Brakeman configuration file
|
627
676
|
|
628
|
-
# 2.0.0
|
677
|
+
# 2.0.0 - 2013-05-20
|
629
678
|
|
630
679
|
* Add `--only-files` option to specify files/paths to scan (Ian Ehlert)
|
631
680
|
* Add Marshal/CSV deserialization check
|
@@ -655,7 +704,7 @@
|
|
655
704
|
* Use exceptions instead of abort in brakeman lib
|
656
705
|
* Update to Ruby2Ruby 2.0.5
|
657
706
|
|
658
|
-
# 1.9.5
|
707
|
+
# 1.9.5 - 2013-04-05
|
659
708
|
|
660
709
|
* Add check for unsafe symbol creation
|
661
710
|
* Do not warn on mass assignment with `slice`/`only`
|
@@ -670,7 +719,7 @@
|
|
670
719
|
* More fixes for assignments inside branches
|
671
720
|
* Pin to ruby2ruby version 2.0.3
|
672
721
|
|
673
|
-
# 1.9.4
|
722
|
+
# 1.9.4 - 2013-03-19
|
674
723
|
|
675
724
|
* Add check for CVE-2013-1854
|
676
725
|
* Add check for CVE-2013-1855
|
@@ -682,7 +731,7 @@
|
|
682
731
|
* Slightly faster cloning of Sexps
|
683
732
|
* Detect another way to add `strong_parameters`
|
684
733
|
|
685
|
-
# 1.9.3
|
734
|
+
# 1.9.3 - 2013-03-01
|
686
735
|
|
687
736
|
* Add render path to JSON report
|
688
737
|
* Add warning fingerprints
|
@@ -697,7 +746,7 @@
|
|
697
746
|
* Expand HAML dependency to include 4.0
|
698
747
|
* Scroll errors into view when expanding in HTML report
|
699
748
|
|
700
|
-
# 1.9.2
|
749
|
+
# 1.9.2 - 2013-02-14
|
701
750
|
|
702
751
|
* Add check for CVE-2013-0269
|
703
752
|
* Add check for CVE-2013-0276
|
@@ -708,7 +757,7 @@
|
|
708
757
|
* Check for more dangerous YAML methods
|
709
758
|
* Support MultiJSON 1.2 for Rails 3.0 and 3.1
|
710
759
|
|
711
|
-
# 1.9.1
|
760
|
+
# 1.9.1 - 2013-01-19
|
712
761
|
|
713
762
|
* Update to RubyParser 3.1.1 (neersighted)
|
714
763
|
* Remove ActiveSupport dependency (Neil Matatall)
|
@@ -720,7 +769,7 @@
|
|
720
769
|
* Add check for CVE-2013-0156
|
721
770
|
* Add check for unsafe `YAML.load`
|
722
771
|
|
723
|
-
# 1.9.0
|
772
|
+
# 1.9.0 - 2012-12-25
|
724
773
|
|
725
774
|
* Update to RubyParser 3
|
726
775
|
* Ignore route information by default
|
@@ -740,7 +789,7 @@
|
|
740
789
|
* Handle empty model files
|
741
790
|
* Remove "find by regex" feature from `CallIndex`
|
742
791
|
|
743
|
-
# 1.8.3
|
792
|
+
# 1.8.3 - 2012-11-13
|
744
793
|
|
745
794
|
* Use `multi_json` gem for better harmony
|
746
795
|
* Performance improvement for call indexing
|
@@ -756,7 +805,7 @@
|
|
756
805
|
* Fix error in rescan of mixins with symbols in method name
|
757
806
|
* Do not rescan non-Ruby files in config/
|
758
807
|
|
759
|
-
# 1.8.2
|
808
|
+
# 1.8.2 - 2012-10-17
|
760
809
|
|
761
810
|
* Fixed rescanning problems caused by 1.8.0 changes
|
762
811
|
* Fix scope calls with single argument
|
@@ -765,7 +814,7 @@
|
|
765
814
|
* Much improved test coverage
|
766
815
|
* Add CHANGES to gemspec
|
767
816
|
|
768
|
-
# 1.8.1
|
817
|
+
# 1.8.1 - 2012-09-24
|
769
818
|
|
770
819
|
* Recover from errors in output formatting
|
771
820
|
* Fix false positive in redirect_to (Neil Matatall)
|
@@ -777,7 +826,7 @@
|
|
777
826
|
* Handle super calls with blocks
|
778
827
|
* Respect `-q` flag for "Rails 3 detected" message
|
779
828
|
|
780
|
-
# 1.8.0
|
829
|
+
# 1.8.0 - 2012-09-05
|
781
830
|
|
782
831
|
* Support relative paths in reports (fsword)
|
783
832
|
* Allow Brakeman to be run without tty (fsword)
|
@@ -793,7 +842,7 @@
|
|
793
842
|
* Treat model attributes in `or` expressions as immediate values
|
794
843
|
* Switch to method access for Sexp nodes
|
795
844
|
|
796
|
-
# 1.7.1
|
845
|
+
# 1.7.1 - 2012-08-13
|
797
846
|
|
798
847
|
* Add check for CVE-2012-3463
|
799
848
|
* Add check for CVE-2012-3464
|
@@ -801,7 +850,7 @@
|
|
801
850
|
* Add charset to HTML report (hooopo)
|
802
851
|
* Report XSS in select() for Rails 2
|
803
852
|
|
804
|
-
# 1.7.0
|
853
|
+
# 1.7.0 - 2012-07-31
|
805
854
|
|
806
855
|
* Add check for CVE-2012-3424
|
807
856
|
* Link report types to descriptions on website
|
@@ -816,7 +865,7 @@
|
|
816
865
|
* Fix processing of negative array indexes
|
817
866
|
* Add line breaks to truncated table rows
|
818
867
|
|
819
|
-
# 1.6.2
|
868
|
+
# 1.6.2 - 2012-06-13
|
820
869
|
|
821
870
|
* Add checks for CVE-2012-2660, CVE-2012-2661, CVE-2012-2694, CVE-2012-2695 (Dave Worth)
|
822
871
|
* Avoid warning when redirecting to a model instance
|
@@ -828,7 +877,7 @@
|
|
828
877
|
* Cache before_filter lookups
|
829
878
|
* Turn off quiet mode by default for `--compare`
|
830
879
|
|
831
|
-
# 1.6.1
|
880
|
+
# 1.6.1 - 2012-05-23
|
832
881
|
|
833
882
|
* Major rewrite of CheckSQL
|
834
883
|
* Fix rescanning of deleted templates
|
@@ -838,7 +887,7 @@
|
|
838
887
|
* Fix highlighting of HTML escaped values in HTML report
|
839
888
|
* Report line number of highlighted value, if available
|
840
889
|
|
841
|
-
# 1.6.0
|
890
|
+
# 1.6.0 - 2012-04-20
|
842
891
|
|
843
892
|
* Remove the Ruport dependency (Neil Matatall)
|
844
893
|
* Add more informational JSON output (Neil Matatall)
|
@@ -850,7 +899,7 @@
|
|
850
899
|
* Fix rescanning of deleted files
|
851
900
|
* Properly check for rails_xss in Gemfile
|
852
901
|
|
853
|
-
# 1.5.3
|
902
|
+
# 1.5.3 - 2012-04-10
|
854
903
|
|
855
904
|
* Add check for user input in Object#send (Neil Matatall)
|
856
905
|
* Handle render :layout in views
|
@@ -864,7 +913,7 @@
|
|
864
913
|
* Improve handling of modules and nesting
|
865
914
|
* Test for zero errors in test reports
|
866
915
|
|
867
|
-
# 1.5.2
|
916
|
+
# 1.5.2 - 2012-03-22
|
868
917
|
|
869
918
|
* Fix link_to checks for Rails 2.0 and 2.3
|
870
919
|
* Fix rescanning of lib files (Neil Matatall)
|
@@ -875,7 +924,7 @@
|
|
875
924
|
* Fix handling of views when using rails_xss
|
876
925
|
* Revert to ruby_parser 2.3.1 for Ruby 1.8 parsing
|
877
926
|
|
878
|
-
# 1.5.1
|
927
|
+
# 1.5.1- 2012-03-06
|
879
928
|
|
880
929
|
* Fix detection of global mass assignment setting
|
881
930
|
* Fix partial rendering in Rails 3
|
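Review bot: `# 1.5.1- 2012-03-06` is missing the space before the hyphen that every other heading in this change uses; make it `# 1.5.1 - 2012-03-06` so the headings stay uniform and match the same pattern.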
@@ -885,7 +934,7 @@
|
|
885
934
|
* Add tracking of module and class to Brakeman::BaseProcessor
|
886
935
|
* Report module when using Brakeman::FindCall
|
887
936
|
|
888
|
-
# 1.5.0
|
937
|
+
# 1.5.0 - 2012-03-02
|
889
938
|
|
890
939
|
* Add version check for SafeBuffer vulnerability
|
891
940
|
* Add check for select vulnerability in Rails 3
|
@@ -896,7 +945,7 @@
|
|
896
945
|
* Standardize methods to check for SQL injection
|
897
946
|
* Fix Rails 2 route parsing issue with nested routes
|
898
947
|
|
899
|
-
# 1.4.0
|
948
|
+
# 1.4.0 - 2012-02-24
|
900
949
|
|
901
950
|
* Add check for user input in link_to href parameter
|
902
951
|
* Match ERB processing to rails_xss plugin when plugin used
|
@@ -904,7 +953,7 @@
|
|
904
953
|
* Warnings below minimum confidence are dropped completely
|
905
954
|
* Brakeman.run always returns a Tracker
|
906
955
|
|
907
|
-
# 1.3.0
|
956
|
+
# 1.3.0 - 2012-02-09
|
908
957
|
|
909
958
|
* Add file paths to HTML report
|
910
959
|
* Add caching of filters
|
@@ -917,7 +966,7 @@
|
|
917
966
|
* Better variable substitution
|
918
967
|
* Table output option for rescan reports
|
919
968
|
|
920
|
-
# 1.2.2
|
969
|
+
# 1.2.2 - 2012-01-26
|
921
970
|
|
922
971
|
* --no-progress works again
|
923
972
|
* Make CheckLinkTo a separate check
|
@@ -925,7 +974,7 @@
|
|
925
974
|
* Handle empty resource(s) blocks
|
926
975
|
* Add RescanReport#existing_warnings
|
927
976
|
|
928
|
-
## 1.2.1
|
977
|
+
## 1.2.1 - 2012-01-20
|
929
978
|
|
930
979
|
* Remove link_to warning for Rails 3.x or when using rails_xss
|
931
980
|
* Don't warn if first argument to link_to is escaped
|
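Review bot: from `## 1.2.1 - 2012-01-20` downward the headings use `##`, while 1.2.2 and everything above use `#`. Since every version heading is being rewritten in this change anyway, this is a good moment to normalize them all to a single heading level.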
@@ -937,7 +986,7 @@
|
|
937
986
|
* Add Brakeman::RescanReport#to_s
|
938
987
|
* Add Brakeman::Warning#to_s
|
939
988
|
|
940
|
-
## 1.2.0
|
989
|
+
## 1.2.0 - 2012-01-14
|
941
990
|
|
942
991
|
* Speed improvements for CheckExecute and CheckRender
|
943
992
|
* Check named_scope() and scope() for SQL injection
|
@@ -946,7 +995,7 @@
|
|
946
995
|
* Add --summary option to only output summary
|
947
996
|
* Fix a problem with Rails 3 routes
|
948
997
|
|
949
|
-
## 1.1.0
|
998
|
+
## 1.1.0 - 2011-12-22
|
950
999
|
|
951
1000
|
* Relax required versions for dependencies
|
952
1001
|
* Performance improvements for source processing
|
@@ -956,14 +1005,14 @@
|
|
956
1005
|
* Compatibility with newer Haml versions
|
957
1006
|
* Fix some warnings
|
958
1007
|
|
959
|
-
## 1.0.0
|
1008
|
+
## 1.0.0 - 2011-12-08
|
960
1009
|
|
961
1010
|
* Better handling of assignments inside ifs
|
962
1011
|
* Check more expressions for SQL injection
|
963
1012
|
* Use latest ruby_parser for better 1.9 syntax support
|
964
1013
|
* Better behavior for Brakeman as a library
|
965
1014
|
|
966
|
-
## 1.0.0rc1
|
1015
|
+
## 1.0.0rc1 - 2011-12-06
|
967
1016
|
|
968
1017
|
* Brakeman can now be used as a library
|
969
1018
|
* Faster call search
|
@@ -976,23 +1025,23 @@
|
|
976
1025
|
* Ignore mass assignment using all literal arguments
|
977
1026
|
* Keep expanded context in view with HTML output
|
978
1027
|
|
979
|
-
## 0.9.2
|
1028
|
+
## 0.9.2 - 2011-11-22
|
980
1029
|
|
981
1030
|
* Fix Rails 3 configuration parsing
|
982
1031
|
* Add t() helper to check for translate XSS bug
|
983
1032
|
|
984
|
-
## 0.9.1
|
1033
|
+
## 0.9.1 - 2011-11-18
|
985
1034
|
|
986
1035
|
* Add warning for translator helper XSS vulnerability
|
987
1036
|
|
988
|
-
## 0.9.0
|
1037
|
+
## 0.9.0 - 2011-11-17
|
989
1038
|
|
990
1039
|
* Process Rails 3 configuration files
|
991
1040
|
* Fix CSV output
|
992
1041
|
* Check for config.active_record.whitelist_attributes = true
|
993
1042
|
* Always produce a warning for without_protection => true
|
994
1043
|
|
995
|
-
## 0.8.4
|
1044
|
+
## 0.8.4 - 2011-11-04
|
996
1045
|
|
997
1046
|
* Option for separate attr_accessible warnings
|
998
1047
|
* Option to set CSS file for HTML output
|
@@ -1001,23 +1050,23 @@
|
|
1001
1050
|
* Fix hash_insert()
|
1002
1051
|
* Remove use of Queue from threaded checks
|
1003
1052
|
|
1004
|
-
## 0.8.3
|
1053
|
+
## 0.8.3 - 2011-10-25
|
1005
1054
|
|
1006
1055
|
* Respect -w flag in .tabs format (tw-ngreen)
|
1007
1056
|
* Escape HTML output of error messages
|
1008
1057
|
* Add --skip-libs option
|
1009
1058
|
|
1010
|
-
## 0.8.2
|
1059
|
+
## 0.8.2 - 2011-10-01
|
1011
1060
|
|
1012
1061
|
* Run checks in parallel threads by default
|
1013
1062
|
* Fix compatibility with ruby_parser 2.3.1
|
1014
1063
|
|
1015
|
-
## 0.8.1
|
1064
|
+
## 0.8.1 - 2011-09-28
|
1016
1065
|
|
1017
1066
|
* Add option to assume all controller methods are actions
|
1018
1067
|
* Recover from errors when parsing routes
|
1019
1068
|
|
1020
|
-
## 0.8.0
|
1069
|
+
## 0.8.0 - 2011-09-15
|
1021
1070
|
|
1022
1071
|
* Add check for mass assignment using without_protection
|
1023
1072
|
* Add check for password in http_basic_authenticate_with
|
@@ -1028,30 +1077,30 @@
|
|
1028
1077
|
* Add ruby_parser hack for Ruby 1.9 hash syntax
|
1029
1078
|
* Add a few Rails 3.1 tests
|
1030
1079
|
|
1031
|
-
## 0.7.2
|
1080
|
+
## 0.7.2 - 2011-08-27
|
1032
1081
|
|
1033
1082
|
* Fix handling of params and cookies with nested access
|
1034
1083
|
* Add CVEs for checks added in 0.7.0
|
1035
1084
|
|
1036
|
-
## 0.7.1
|
1085
|
+
## 0.7.1 - 2011-08-18
|
1037
1086
|
|
1038
1087
|
* Require BaseProcessor for GemProcessor
|
1039
1088
|
|
1040
|
-
## 0.7.0
|
1089
|
+
## 0.7.0 - 2011-08-17
|
1041
1090
|
|
1042
1091
|
* Allow local variable as a class name
|
1043
1092
|
* Add checks for vulnerabilities fixed in Rails 2.3.14 and 3.0.10
|
1044
1093
|
* Check for default routes in Rails 3 apps
|
1045
1094
|
* Look in Gemfile or Gemfile.lock for Rails version
|
1046
1095
|
|
1047
|
-
## 0.6.1
|
1096
|
+
## 0.6.1 - 2011-07-29
|
1048
1097
|
|
1049
1098
|
* Fix XSS check for cookies as parameters in output
|
1050
1099
|
* Don't bother calling super in CheckSessionSettings
|
1051
1100
|
* Add escape_once as a safe method
|
1052
1101
|
* Accept '\Z' or '\z' in model validations
|
1053
1102
|
|
1054
|
-
## 0.6.0
|
1103
|
+
## 0.6.0 - 2011-07-20
|
1055
1104
|
|
1056
1105
|
* Tests are in place and fully functional
|
1057
1106
|
* Hide errors by default in HTML output
|
@@ -1064,17 +1113,17 @@
|
|
1064
1113
|
* Fixes to escaped output scanning
|
1065
1114
|
* Update CSRF CVE-2011-0447 message to be less assertive
|
1066
1115
|
|
1067
|
-
## 0.5.2
|
1116
|
+
## 0.5.2 - 2011-06-29
|
1068
1117
|
|
1069
1118
|
* Output report file name when finished
|
1070
1119
|
* Add initial tests for Rails 2.x
|
1071
1120
|
* Fix ERB line numbers when using Ruby 1.9
|
1072
1121
|
|
1073
|
-
## 0.5.1
|
1122
|
+
## 0.5.1 - 2011-06-17
|
1074
1123
|
|
1075
1124
|
* Fix issue with 'has_one' => in routes
|
1076
1125
|
|
1077
|
-
## 0.5.0
|
1126
|
+
## 0.5.0 - 2011-06-08
|
1078
1127
|
|
1079
1128
|
* Add support for routes like get 'x/y', :to => 'ctrlr#whatever'
|
1080
1129
|
* Allow empty blocks in Rails 3 routes
|
@@ -1082,52 +1131,52 @@
|
|
1082
1131
|
* Add line numbers to session setting warnings
|
1083
1132
|
* Add --checks option to list checks
|
1084
1133
|
|
1085
|
-
## 0.4.1
|
1134
|
+
## 0.4.1 - 2011-05-23
|
1086
1135
|
|
1087
1136
|
* Fix reported line numbers when using new Erubis parser
|
1088
1137
|
(Mostly affects Rails 3 apps)
|
1089
1138
|
|
1090
|
-
## 0.4.0
|
1139
|
+
## 0.4.0 - 2011-05-19
|
1091
1140
|
|
1092
1141
|
* Handle Rails XSS protection properly
|
1093
1142
|
* More detection options for rails_xss
|
1094
1143
|
* Add --escape-html option
|
1095
1144
|
|
1096
|
-
## 0.3.2
|
1145
|
+
## 0.3.2 - 2011-05-12
|
1097
1146
|
|
1098
1147
|
* Autodetect Rails 3 applications
|
1099
1148
|
* Turn on auto-escaping for Rails 3 apps
|
1100
1149
|
* Check Model.create() for mass assignment
|
1101
1150
|
|
1102
|
-
## 0.3.1
|
1151
|
+
## 0.3.1 - 2011-05-03
|
1103
1152
|
|
1104
1153
|
* Always output a line number in tabbed output format
|
1105
1154
|
* Restrict characters in category name in tabbed output format to
|
1106
1155
|
word characters and spaces, for Hudson/Jenkins plugin
|
1107
1156
|
|
1108
|
-
## 0.3.0
|
1157
|
+
## 0.3.0 - 2011-03-21
|
1109
1158
|
|
1110
1159
|
* Check for SQL injection in calls using constantize()
|
1111
1160
|
* Check for SQL injection in calls to count_by_sql()
|
1112
1161
|
|
1113
|
-
## 0.2.2
|
1162
|
+
## 0.2.2 - 2011-02-22
|
1114
1163
|
|
1115
1164
|
* Fix version_between? when no Rails version is specified
|
1116
1165
|
|
1117
|
-
## 0.2.1
|
1166
|
+
## 0.2.1 - 2011-02-18
|
1118
1167
|
|
1119
1168
|
* Add code snippet to tab output messages
|
1120
1169
|
|
1121
|
-
## 0.2.0
|
1170
|
+
## 0.2.0 - 2011-02-16
|
1122
1171
|
|
1123
1172
|
* Add check for mail_to vulnerability - CVE-2011-0446
|
1124
1173
|
* Add check for CSRF weakness - CVE-2011-0447
|
1125
1174
|
|
1126
|
-
## 0.1.1
|
1175
|
+
## 0.1.1 - 2011-01-25
|
1127
1176
|
|
1128
1177
|
* Be more permissive with ActiveSupport version
|
1129
1178
|
|
1130
|
-
## 0.1.0
|
1179
|
+
## 0.1.0 - 2011-01-18
|
1131
1180
|
|
1132
1181
|
* Check link_to for XSS (because arguments are not escaped)
|
1133
1182
|
* Process layouts better (although not perfectly yet)
|