brakeman-min 0.5.2 → 2.1.0
Sign up to get free protection for your applications and to get access to all the features.
- data/CHANGES +529 -0
- data/README.md +74 -28
- data/bin/brakeman +60 -266
- data/lib/brakeman.rb +422 -0
- data/lib/brakeman/app_tree.rb +101 -0
- data/lib/brakeman/brakeman.rake +10 -0
- data/lib/brakeman/call_index.rb +215 -0
- data/lib/brakeman/checks.rb +180 -0
- data/lib/brakeman/checks/base_check.rb +538 -0
- data/lib/brakeman/checks/check_basic_auth.rb +89 -0
- data/lib/brakeman/checks/check_content_tag.rb +162 -0
- data/lib/brakeman/checks/check_cross_site_scripting.rb +334 -0
- data/lib/{checks → brakeman/checks}/check_default_routes.rb +13 -6
- data/lib/brakeman/checks/check_deserialize.rb +57 -0
- data/lib/brakeman/checks/check_digest_dos.rb +38 -0
- data/lib/brakeman/checks/check_escape_function.rb +21 -0
- data/lib/brakeman/checks/check_evaluation.rb +33 -0
- data/lib/brakeman/checks/check_execute.rb +98 -0
- data/lib/brakeman/checks/check_file_access.rb +62 -0
- data/lib/brakeman/checks/check_filter_skipping.rb +31 -0
- data/lib/brakeman/checks/check_forgery_setting.rb +54 -0
- data/lib/brakeman/checks/check_jruby_xml.rb +38 -0
- data/lib/brakeman/checks/check_json_parsing.rb +102 -0
- data/lib/brakeman/checks/check_link_to.rb +132 -0
- data/lib/brakeman/checks/check_link_to_href.rb +92 -0
- data/lib/{checks → brakeman/checks}/check_mail_to.rb +14 -13
- data/lib/brakeman/checks/check_mass_assignment.rb +143 -0
- data/lib/brakeman/checks/check_model_attr_accessible.rb +48 -0
- data/lib/brakeman/checks/check_model_attributes.rb +118 -0
- data/lib/brakeman/checks/check_model_serialize.rb +66 -0
- data/lib/{checks → brakeman/checks}/check_nested_attributes.rb +10 -6
- data/lib/brakeman/checks/check_quote_table_name.rb +40 -0
- data/lib/brakeman/checks/check_redirect.rb +177 -0
- data/lib/brakeman/checks/check_render.rb +62 -0
- data/lib/brakeman/checks/check_response_splitting.rb +21 -0
- data/lib/brakeman/checks/check_safe_buffer_manipulation.rb +31 -0
- data/lib/brakeman/checks/check_sanitize_methods.rb +54 -0
- data/lib/brakeman/checks/check_select_tag.rb +60 -0
- data/lib/brakeman/checks/check_select_vulnerability.rb +58 -0
- data/lib/brakeman/checks/check_send.rb +35 -0
- data/lib/brakeman/checks/check_send_file.rb +19 -0
- data/lib/brakeman/checks/check_session_settings.rb +145 -0
- data/lib/brakeman/checks/check_single_quotes.rb +101 -0
- data/lib/brakeman/checks/check_skip_before_filter.rb +62 -0
- data/lib/brakeman/checks/check_sql.rb +577 -0
- data/lib/brakeman/checks/check_strip_tags.rb +64 -0
- data/lib/brakeman/checks/check_symbol_dos.rb +67 -0
- data/lib/brakeman/checks/check_translate_bug.rb +45 -0
- data/lib/brakeman/checks/check_unsafe_reflection.rb +51 -0
- data/lib/brakeman/checks/check_validation_regex.rb +88 -0
- data/lib/brakeman/checks/check_without_protection.rb +64 -0
- data/lib/brakeman/checks/check_yaml_parsing.rb +121 -0
- data/lib/brakeman/differ.rb +66 -0
- data/lib/{format → brakeman/format}/style.css +28 -0
- data/lib/brakeman/options.rb +256 -0
- data/lib/brakeman/parsers/rails2_erubis.rb +6 -0
- data/lib/brakeman/parsers/rails2_xss_plugin_erubis.rb +48 -0
- data/lib/{scanner_erubis.rb → brakeman/parsers/rails3_erubis.rb} +8 -21
- data/lib/brakeman/processor.rb +102 -0
- data/lib/brakeman/processors/alias_processor.rb +780 -0
- data/lib/{processors → brakeman/processors}/base_processor.rb +90 -74
- data/lib/brakeman/processors/config_processor.rb +14 -0
- data/lib/brakeman/processors/controller_alias_processor.rb +334 -0
- data/lib/brakeman/processors/controller_processor.rb +265 -0
- data/lib/{processors → brakeman/processors}/erb_template_processor.rb +21 -19
- data/lib/brakeman/processors/erubis_template_processor.rb +96 -0
- data/lib/brakeman/processors/gem_processor.rb +59 -0
- data/lib/{processors → brakeman/processors}/haml_template_processor.rb +26 -21
- data/lib/brakeman/processors/lib/find_all_calls.rb +185 -0
- data/lib/{processors → brakeman/processors}/lib/find_call.rb +23 -28
- data/lib/brakeman/processors/lib/find_return_value.rb +134 -0
- data/lib/brakeman/processors/lib/processor_helper.rb +82 -0
- data/lib/{processors/config_processor.rb → brakeman/processors/lib/rails2_config_processor.rb} +32 -35
- data/lib/{processors → brakeman/processors}/lib/rails2_route_processor.rb +60 -52
- data/lib/brakeman/processors/lib/rails3_config_processor.rb +129 -0
- data/lib/brakeman/processors/lib/rails3_route_processor.rb +282 -0
- data/lib/{processors → brakeman/processors}/lib/render_helper.rb +54 -20
- data/lib/brakeman/processors/lib/route_helper.rb +62 -0
- data/lib/{processors → brakeman/processors}/library_processor.rb +24 -17
- data/lib/{processors → brakeman/processors}/model_processor.rb +46 -22
- data/lib/{processors → brakeman/processors}/output_processor.rb +34 -40
- data/lib/brakeman/processors/route_processor.rb +17 -0
- data/lib/brakeman/processors/slim_template_processor.rb +113 -0
- data/lib/brakeman/processors/template_alias_processor.rb +120 -0
- data/lib/{processors → brakeman/processors}/template_processor.rb +10 -7
- data/lib/brakeman/report.rb +68 -0
- data/lib/brakeman/report/ignore/config.rb +130 -0
- data/lib/brakeman/report/ignore/interactive.rb +311 -0
- data/lib/brakeman/report/initializers/faster_csv.rb +7 -0
- data/lib/brakeman/report/initializers/multi_json.rb +29 -0
- data/lib/brakeman/report/renderer.rb +24 -0
- data/lib/brakeman/report/report_base.rb +279 -0
- data/lib/brakeman/report/report_csv.rb +56 -0
- data/lib/brakeman/report/report_hash.rb +22 -0
- data/lib/brakeman/report/report_html.rb +203 -0
- data/lib/brakeman/report/report_json.rb +46 -0
- data/lib/brakeman/report/report_table.rb +109 -0
- data/lib/brakeman/report/report_tabs.rb +17 -0
- data/lib/brakeman/report/templates/controller_overview.html.erb +18 -0
- data/lib/brakeman/report/templates/controller_warnings.html.erb +17 -0
- data/lib/brakeman/report/templates/error_overview.html.erb +25 -0
- data/lib/brakeman/report/templates/header.html.erb +44 -0
- data/lib/brakeman/report/templates/ignored_warnings.html.erb +21 -0
- data/lib/brakeman/report/templates/model_warnings.html.erb +17 -0
- data/lib/brakeman/report/templates/overview.html.erb +34 -0
- data/lib/brakeman/report/templates/security_warnings.html.erb +19 -0
- data/lib/brakeman/report/templates/template_overview.html.erb +17 -0
- data/lib/brakeman/report/templates/view_warnings.html.erb +30 -0
- data/lib/brakeman/report/templates/warning_overview.html.erb +13 -0
- data/lib/brakeman/rescanner.rb +446 -0
- data/lib/brakeman/scanner.rb +362 -0
- data/lib/brakeman/tracker.rb +296 -0
- data/lib/brakeman/util.rb +413 -0
- data/lib/brakeman/version.rb +3 -0
- data/lib/brakeman/warning.rb +217 -0
- data/lib/brakeman/warning_codes.rb +68 -0
- data/lib/ruby_parser/bm_sexp.rb +562 -0
- data/lib/ruby_parser/bm_sexp_processor.rb +230 -0
- metadata +152 -66
- data/lib/checks.rb +0 -71
- data/lib/checks/base_check.rb +0 -357
- data/lib/checks/check_cross_site_scripting.rb +0 -336
- data/lib/checks/check_evaluation.rb +0 -27
- data/lib/checks/check_execute.rb +0 -110
- data/lib/checks/check_file_access.rb +0 -46
- data/lib/checks/check_forgery_setting.rb +0 -42
- data/lib/checks/check_mass_assignment.rb +0 -74
- data/lib/checks/check_model_attributes.rb +0 -36
- data/lib/checks/check_redirect.rb +0 -98
- data/lib/checks/check_render.rb +0 -65
- data/lib/checks/check_send_file.rb +0 -15
- data/lib/checks/check_session_settings.rb +0 -79
- data/lib/checks/check_sql.rb +0 -146
- data/lib/checks/check_validation_regex.rb +0 -60
- data/lib/processor.rb +0 -86
- data/lib/processors/alias_processor.rb +0 -384
- data/lib/processors/controller_alias_processor.rb +0 -237
- data/lib/processors/controller_processor.rb +0 -202
- data/lib/processors/erubis_template_processor.rb +0 -85
- data/lib/processors/lib/find_model_call.rb +0 -39
- data/lib/processors/lib/processor_helper.rb +0 -36
- data/lib/processors/lib/rails3_route_processor.rb +0 -184
- data/lib/processors/lib/route_helper.rb +0 -34
- data/lib/processors/params_processor.rb +0 -77
- data/lib/processors/route_processor.rb +0 -11
- data/lib/processors/template_alias_processor.rb +0 -86
- data/lib/report.rb +0 -680
- data/lib/scanner.rb +0 -227
- data/lib/tracker.rb +0 -144
- data/lib/util.rb +0 -141
- data/lib/version.rb +0 -1
- data/lib/warning.rb +0 -99
data/CHANGES
ADDED
@@ -0,0 +1,529 @@
|
|
1
|
+
# 2.1.0
|
2
|
+
|
3
|
+
* Support non-native line endings in Gemfile.lock (Paul Deardorff)
|
4
|
+
* Support for ignoring warnings
|
5
|
+
* Check for dangerous model attributes defined in attr_accessible (Paul Deardorff)
|
6
|
+
* Update to ruby_parser 3.2.2
|
7
|
+
* Add brakeman-min gemspec
|
8
|
+
* Load gem dependencies on-demand
|
9
|
+
* Output JSON diff to file if -o option is used
|
10
|
+
* Add check for authenticate_or_request_with_http_basic
|
11
|
+
* Refactor of SQL injection check code (Bart ten Brinke)
|
12
|
+
* Fix detection of duplicate XSS warnings
|
13
|
+
* Refactor reports into separate classes
|
14
|
+
* Allow use of Slim 2.x (Ian Zabel)
|
15
|
+
* Return error exit code when application path is not found
|
16
|
+
* Add `--branch-limit` option, limit to 5 by default
|
17
|
+
* Add more methods to check for command injection
|
18
|
+
* Fix output format detection to be more strict again
|
19
|
+
* Allow empty Brakeman configuration file
|
20
|
+
|
21
|
+
# 2.0.0
|
22
|
+
|
23
|
+
* Add `--only-files` option to specify files/paths to scan (Ian Ehlert)
|
24
|
+
* Add Marshal/CSV deserialization check
|
25
|
+
* Combine deserialization checks into single check
|
26
|
+
* Avoid duplicate "Dangerous Send" and "Unsafe Reflection" warnings
|
27
|
+
* Avoid duplicate results for Symbol DoS check
|
28
|
+
* Medium confidence for mass assignment to attr_protected models
|
29
|
+
* Remove "timestamp" key from JSON reports
|
30
|
+
* Remove deprecated config file locations
|
31
|
+
* Relative paths are used by default in JSON reports
|
32
|
+
* `--absolute-paths` replaces `--relative-paths`
|
33
|
+
* Only treat classes with names containing `Controller` like controllers
|
34
|
+
* Better handling of classes nested inside controllers
|
35
|
+
* Better handling of controller classes nested in classes/modules
|
36
|
+
* Handle `->` lambdas with no arguments
|
37
|
+
* Handle explicit block argument destructuring
|
38
|
+
* Skip Rails config options that are real objects
|
39
|
+
* Detect Rails 3 JSON escape config option
|
40
|
+
* Much better tracking of warning file names
|
41
|
+
* Fix errors when using `--separate-models` (Noah Davis)
|
42
|
+
* Fix fingerprint generation to actually use the file path
|
43
|
+
* Fix text report console output in JRuby
|
44
|
+
* Fix false positives on `Model#id`
|
45
|
+
* Fix false positives on `params.to_json`
|
46
|
+
* Fix model path guesses to use "models/" instead of "controllers/"
|
47
|
+
* Clean up SQL CVE warning messages
|
48
|
+
* Use exceptions instead of abort in brakeman lib
|
49
|
+
* Update to Ruby2Ruby 2.0.5
|
50
|
+
|
51
|
+
# 1.9.5
|
52
|
+
|
53
|
+
* Add check for unsafe symbol creation
|
54
|
+
* Do not warn on mass assignment with `slice`/`only`
|
55
|
+
* Do not warn on session secret if in `.gitignore`
|
56
|
+
* Fix scoping for blocks and block arguments
|
57
|
+
* Fix error when modifying blocks in templates
|
58
|
+
* Fix session secret check for Rails 4
|
59
|
+
* Fix crash on `before_filter` outside controller
|
60
|
+
* Fix `Sexp` hash cache invalidation
|
61
|
+
* Respect `quiet` option in configuration file
|
62
|
+
* Convert assignment to simple `if` expressions to `or`
|
63
|
+
* More fixes for assignments inside branches
|
64
|
+
* Pin to ruby2ruby version 2.0.3
|
65
|
+
|
66
|
+
# 1.9.4
|
67
|
+
|
68
|
+
* Add check for CVE-2013-1854
|
69
|
+
* Add check for CVE-2013-1855
|
70
|
+
* Add check for CVE-2013-1856
|
71
|
+
* Add check for CVE-2013-1857
|
72
|
+
* Fix `--compare` to work with older versions
|
73
|
+
* Add "no-referrer' to HTML report links
|
74
|
+
* Don't warn when invoking `send` on user input
|
75
|
+
* Slightly faster cloning of Sexps
|
76
|
+
* Detect another way to add `strong_parameters`
|
77
|
+
|
78
|
+
# 1.9.3
|
79
|
+
|
80
|
+
* Add render path to JSON report
|
81
|
+
* Add warning fingerprints
|
82
|
+
* Add check for unsafe reflection (Gabriel Quadros)
|
83
|
+
* Add check for skipping authentication methods with blacklist
|
84
|
+
* Add support for Slim templates
|
85
|
+
* Remove empty tables from reports (Owen Ben Davies)
|
86
|
+
* Handle `prepend/append_before_filter`
|
87
|
+
* Performance improvements when handling branches
|
88
|
+
* Fix processing of `production.rb`
|
89
|
+
* Fix version check for Ruby 2.0
|
90
|
+
* Expand HAML dependency to include 4.0
|
91
|
+
* Scroll errors into view when expanding in HTML report
|
92
|
+
|
93
|
+
# 1.9.2
|
94
|
+
|
95
|
+
* Add check for CVE-2013-0269
|
96
|
+
* Add check for CVE-2013-0276
|
97
|
+
* Add check for CVE-2013-0277
|
98
|
+
* Add check for CVE-2013-0333
|
99
|
+
* Check for more send-like methods
|
100
|
+
* Check for more SQL injection locations
|
101
|
+
* Check for more dangerous YAML methods
|
102
|
+
* Support MultiJSON 1.2 for Rails 3.0 and 3.1
|
103
|
+
|
104
|
+
# 1.9.1
|
105
|
+
|
106
|
+
* Update to RubyParser 3.1.1 (neersighted)
|
107
|
+
* Remove ActiveSupport dependency (Neil Matatall)
|
108
|
+
* Do not warn on arrays passed to `link_to` (Neil Matatall)
|
109
|
+
* Warn on secret tokens
|
110
|
+
* Warn on more mass assignment methods
|
111
|
+
* Add check for CVE-2012-5664
|
112
|
+
* Add check for CVE-2013-0155
|
113
|
+
* Add check for CVE-2013-0156
|
114
|
+
* Add check for unsafe `YAML.load`
|
115
|
+
|
116
|
+
# 1.9.0
|
117
|
+
|
118
|
+
* Update to RubyParser 3
|
119
|
+
* Ignore route information by default
|
120
|
+
* Support `strong_parameters`
|
121
|
+
* Support newer `validates :format` call
|
122
|
+
* Add scan time to reports
|
123
|
+
* Add Brakeman version to reports
|
124
|
+
* Fix `CheckExecute` to warn on all string interpolation
|
125
|
+
* Fix false positive on `to_sql` calls
|
126
|
+
* Don't mangle whitespace in JSON code formatting
|
127
|
+
* Add AppTree as facade for filesystem (brynary)
|
128
|
+
* Add link for translate vulnerability warning (grosser)
|
129
|
+
* Rename LICENSE to MIT-LICENSE, remove from README (grosser)
|
130
|
+
* Add Rakefile to run tests (grosser)
|
131
|
+
* Better default config file locations (grosser)
|
132
|
+
* Reduce Sexp creation
|
133
|
+
* Handle empty model files
|
134
|
+
* Remove "find by regex" feature from `CallIndex`
|
135
|
+
|
136
|
+
# 1.8.3
|
137
|
+
|
138
|
+
* Use `multi_json` gem for better harmony
|
139
|
+
* Performance improvement for call indexing
|
140
|
+
* Fix issue with processing HAML files
|
141
|
+
* Handle pre-release versions when processing `Gemfile.lock`
|
142
|
+
* Only check first argument of `redirect_to`
|
143
|
+
* Fix false positives from `Model.arel_table` accesses
|
144
|
+
* Fix false positives on redirects to models decorated with Draper gem
|
145
|
+
* Fix false positive on redirect to model association
|
146
|
+
* Fix false positive on `YAML.load`
|
147
|
+
* Fix false positive XSS on any `to_i` output
|
148
|
+
* Fix error on Rails 2 name routes with no args
|
149
|
+
* Fix error in rescan of mixins with symbols in method name
|
150
|
+
* Do not rescan non-Ruby files in config/
|
151
|
+
|
152
|
+
# 1.8.2
|
153
|
+
|
154
|
+
* Fixed rescanning problems caused by 1.8.0 changes
|
155
|
+
* Fix scope calls with single argument
|
156
|
+
* Report specific model name in rendered collections
|
157
|
+
* Handle overwritten JSON escape settings
|
158
|
+
* Much improved test coverage
|
159
|
+
* Add CHANGES to gemspec
|
160
|
+
|
161
|
+
# 1.8.1
|
162
|
+
|
163
|
+
* Recover from errors in output formatting
|
164
|
+
* Fix false positive in redirect_to (Neil Matatall)
|
165
|
+
* Fix problems with removal of `Sexp#method_missing`
|
166
|
+
* Fix array indexing in alias processing
|
167
|
+
* Fix old mail_to vulnerability check
|
168
|
+
* Fix rescans when only controller action changes
|
169
|
+
* Allow comparison of versions with unequal lengths
|
170
|
+
* Handle super calls with blocks
|
171
|
+
* Respect `-q` flag for "Rails 3 detected" message
|
172
|
+
|
173
|
+
# 1.8.0
|
174
|
+
|
175
|
+
* Support relative paths in reports (fsword)
|
176
|
+
* Allow Brakeman to be run without tty (fsword)
|
177
|
+
* Fix exit code with `--compare` (fsword)
|
178
|
+
* Fix `--rake` option (Deepak Kumar)
|
179
|
+
* Add high confidence warnings for `to_json` XSS (Neil Matatall)
|
180
|
+
* Fix `redirect_to` false negative
|
181
|
+
* Fix duplicate warnings with `raw` calls
|
182
|
+
* Fix shadowing of rendered partials
|
183
|
+
* Add "render chain" to HTML reports
|
184
|
+
* Add check for XSS in `content_tag`
|
185
|
+
* Add full backtrace for errors in debug mode
|
186
|
+
* Treat model attributes in `or` expressions as immediate values
|
187
|
+
* Switch to method access for Sexp nodes
|
188
|
+
|
189
|
+
# 1.7.1
|
190
|
+
|
191
|
+
* Add check for CVE-2012-3463
|
192
|
+
* Add check for CVE-2012-3464
|
193
|
+
* Add check for CVE-2012-3465
|
194
|
+
* Add charset to HTML report (hooopo)
|
195
|
+
* Report XSS in select() for Rails 2
|
196
|
+
|
197
|
+
# 1.7.0
|
198
|
+
|
199
|
+
* Add check for CVE-2012-3424
|
200
|
+
* Link report types to descriptions on website
|
201
|
+
* Report errors raised while running check
|
202
|
+
* Improve processing of Rails 3 routes
|
203
|
+
* Fix "empty char-class" error
|
204
|
+
* Improve file access check
|
205
|
+
* Avoid warning on non-ActiveModel models
|
206
|
+
* Speed improvements by stripping down SexpProcessor
|
207
|
+
* Fix how `params[:x] ||=` is handled
|
208
|
+
* Treat user input in `or` expressions as immediate values
|
209
|
+
* Fix processing of negative array indexes
|
210
|
+
* Add line breaks to truncated table rows
|
211
|
+
|
212
|
+
# 1.6.2
|
213
|
+
|
214
|
+
* Add checks for CVE-2012-2660, CVE-2012-2661, CVE-2012-2694, CVE-2012-2695 (Dave Worth)
|
215
|
+
* Avoid warning when redirecting to a model instance
|
216
|
+
* Add `request.parameters` as a parameters hash
|
217
|
+
* Raise confidence level for model attributes in redirects
|
218
|
+
* Return non-zero exit code when missing dependencies
|
219
|
+
* Fix `before_filter :except` logic
|
220
|
+
* Only accept symbol literals as before_filter names
|
221
|
+
* Cache before_filter lookups
|
222
|
+
* Turn off quiet mode by default for `--compare`
|
223
|
+
|
224
|
+
# 1.6.1
|
225
|
+
|
226
|
+
* Major rewrite of CheckSQL
|
227
|
+
* Fix rescanning of deleted templates
|
228
|
+
* Process actions mixed into controllers
|
229
|
+
* Handle `render :template => ...`
|
230
|
+
* Check for inherited attr_accessible (Neil Matatall)
|
231
|
+
* Fix highlighting of HTML escaped values in HTML report
|
232
|
+
* Report line number of highlighted value, if available
|
233
|
+
|
234
|
+
# 1.6.0
|
235
|
+
|
236
|
+
* Remove the Ruport dependency (Neil Matatall)
|
237
|
+
* Add more informational JSON output (Neil Matatall)
|
238
|
+
* Add comparison to previous JSON report (Neil Matatall)
|
239
|
+
* Add highlighting of dangerous values in HTML/text reports
|
240
|
+
* Model#update_attribute should not raise mass assignment warning (Dave Worth)
|
241
|
+
* Don't check `find_by_*` method for SQL injection
|
242
|
+
* Fix duplicate reporting of mass assignment and SQL injection
|
243
|
+
* Fix rescanning of deleted files
|
244
|
+
* Properly check for rails_xss in Gemfile
|
245
|
+
|
246
|
+
# 1.5.3
|
247
|
+
|
248
|
+
* Add check for user input in Object#send (Neil Matatall)
|
249
|
+
* Handle render :layout in views
|
250
|
+
* Support output to multiple formats (Nick Green)
|
251
|
+
* Prevent infinite loops in mutually recursive templates
|
252
|
+
* Only check eval arguments for user input, not targets
|
253
|
+
* Search subdirectories for models
|
254
|
+
* Set values in request hashes and propagate to views
|
255
|
+
* Add rake task file to gemspec (Anton Ageev)
|
256
|
+
* Filter rescanning of templates (Neil Matatall)
|
257
|
+
* Improve handling of modules and nesting
|
258
|
+
* Test for zero errors in test reports
|
259
|
+
|
260
|
+
# 1.5.2
|
261
|
+
|
262
|
+
* Fix link_to checks for Rails 2.0 and 2.3
|
263
|
+
* Fix rescanning of lib files (Neil Matatall)
|
264
|
+
* Output stack trace on interrupt when debugging
|
265
|
+
* Ignore user input in if statement conditions
|
266
|
+
* Fix --skip-files option
|
267
|
+
* Only warn on user input in render paths
|
268
|
+
* Fix handling of views when using rails_xss
|
269
|
+
* Revert to ruby_parser 2.3.1 for Ruby 1.8 parsing
|
270
|
+
|
271
|
+
# 1.5.1
|
272
|
+
|
273
|
+
* Fix detection of global mass assignment setting
|
274
|
+
* Fix partial rendering in Rails 3
|
275
|
+
* Show backtrace when interrupt received (Ruby 1.9 only)
|
276
|
+
* More debug output
|
277
|
+
* Remove duplicate method in Brakeman::Rails2XSSErubis
|
278
|
+
* Add tracking of module and class to Brakeman::BaseProcessor
|
279
|
+
* Report module when using Brakeman::FindCall
|
280
|
+
|
281
|
+
# 1.5.0
|
282
|
+
|
283
|
+
* Add version check for SafeBuffer vulnerability
|
284
|
+
* Add check for select vulnerability in Rails 3
|
285
|
+
* select() is no longer considered safe in Rails 2
|
286
|
+
* Add check for skipping CSRF protection with a blacklist
|
287
|
+
* Add JSON report format
|
288
|
+
* Model#id should not be considered XSS
|
289
|
+
* Standardize methods to check for SQL injection
|
290
|
+
* Fix Rails 2 route parsing issue with nested routes
|
291
|
+
|
292
|
+
# 1.4.0
|
293
|
+
|
294
|
+
* Add check for user input in link_to href parameter
|
295
|
+
* Match ERB processing to rails_xss plugin when plugin used
|
296
|
+
* Add Brakeman::Report#to_json, Brakeman::Warning#to_json
|
297
|
+
* Warnings below minimum confidence are dropped completely
|
298
|
+
* Brakeman.run always returns a Tracker
|
299
|
+
|
300
|
+
# 1.3.0
|
301
|
+
|
302
|
+
* Add file paths to HTML report
|
303
|
+
* Add caching of filters
|
304
|
+
* Add --skip-files option
|
305
|
+
* Add support for attr_protected
|
306
|
+
* Add detection of request.env as user input
|
307
|
+
* Descriptions of checks in -k output
|
308
|
+
* Improved processing of named scopes
|
309
|
+
* Check for mass assignment in ActiveRecord::Associations::AssociationCollection#build
|
310
|
+
* Better variable substitution
|
311
|
+
* Table output option for rescan reports
|
312
|
+
|
313
|
+
# 1.2.2
|
314
|
+
|
315
|
+
* --no-progress works again
|
316
|
+
* Make CheckLinkTo a separate check
|
317
|
+
* Don't fail on unknown options to resource(s)
|
318
|
+
* Handle empty resource(s) blocks
|
319
|
+
* Add RescanReport#existing_warnings
|
320
|
+
|
321
|
+
## 1.2.1
|
322
|
+
|
323
|
+
* Remove link_to warning for Rails 3.x or when using rails_xss
|
324
|
+
* Don't warn if first argument to link_to is escaped
|
325
|
+
* Detect usage of attr_accessible with no arguments
|
326
|
+
* Fix error when rendering a partial from a view but not through a controller
|
327
|
+
* Fix some issues with rails_xss, CheckCrossSiteScripting, and CheckTranslateBug
|
328
|
+
* Simplify Brakeman Rake task
|
329
|
+
* Avoid modifying $VERBOSE
|
330
|
+
* Add Brakeman::RescanReport#to_s
|
331
|
+
* Add Brakeman::Warning#to_s
|
332
|
+
|
333
|
+
## 1.2.0
|
334
|
+
|
335
|
+
* Speed improvements for CheckExecute and CheckRender
|
336
|
+
* Check named_scope() and scope() for SQL injection
|
337
|
+
* Add --rake option to create rake task to run Brakeman
|
338
|
+
* Add experimental support for rescanning a subset of files
|
339
|
+
* Add --summary option to only output summary
|
340
|
+
* Fix a problem with Rails 3 routes
|
341
|
+
|
342
|
+
## 1.1.0
|
343
|
+
|
344
|
+
* Relax required versions for dependencies
|
345
|
+
* Performance improvements for source processing
|
346
|
+
* Better progress reporting
|
347
|
+
* Handle basic operators like << + - * /
|
348
|
+
* Rescue more errors to prevent complete crashes
|
349
|
+
* Compatibility with newer Haml versions
|
350
|
+
* Fix some warnings
|
351
|
+
|
352
|
+
## 1.0.0
|
353
|
+
|
354
|
+
* Better handling of assignments inside ifs
|
355
|
+
* Check more expressions for SQL injection
|
356
|
+
* Use latest ruby_parser for better 1.9 syntax support
|
357
|
+
* Better behavior for Brakeman as a library
|
358
|
+
|
359
|
+
## 1.0.0rc1
|
360
|
+
|
361
|
+
* Brakeman can now be used as a library
|
362
|
+
* Faster call search
|
363
|
+
* Add option to return error code if warnings are found (tw-ngreen)
|
364
|
+
* Allow truncated messages to be expanded in HTML
|
365
|
+
* Fix summary when using warning thresholds
|
366
|
+
* Better support for Rails 3 routes
|
367
|
+
* Reduce SQL injection duplicate warnings
|
368
|
+
* Lower confidence on mass assignment with no user input
|
369
|
+
* Ignore mass assignment using all literal arguments
|
370
|
+
* Keep expanded context in view with HTML output
|
371
|
+
|
372
|
+
## 0.9.2
|
373
|
+
|
374
|
+
* Fix Rails 3 configuration parsing
|
375
|
+
* Add t() helper to check for translate XSS bug
|
376
|
+
|
377
|
+
## 0.9.1
|
378
|
+
|
379
|
+
* Add warning for translator helper XSS vulnerability
|
380
|
+
|
381
|
+
## 0.9.0
|
382
|
+
|
383
|
+
* Process Rails 3 configuration files
|
384
|
+
* Fix CSV output
|
385
|
+
* Check for config.active_record.whitelist_attributes = true
|
386
|
+
* Always produce a warning for without_protection => true
|
387
|
+
|
388
|
+
## 0.8.4
|
389
|
+
|
390
|
+
* Option for separate attr_accessible warnings
|
391
|
+
* Option to set CSS file for HTML output
|
392
|
+
* Add file names for version-specific warnings
|
393
|
+
* Add line number for default routes in a controller
|
394
|
+
* Fix hash_insert()
|
395
|
+
* Remove use of Queue from threaded checks
|
396
|
+
|
397
|
+
## 0.8.3
|
398
|
+
|
399
|
+
* Respect -w flag in .tabs format (tw-ngreen)
|
400
|
+
* Escape HTML output of error messages
|
401
|
+
* Add --skip-libs option
|
402
|
+
|
403
|
+
## 0.8.2
|
404
|
+
|
405
|
+
* Run checks in parallel threads by default
|
406
|
+
* Fix compatibility with ruby_parser 2.3.1
|
407
|
+
|
408
|
+
## 0.8.1
|
409
|
+
|
410
|
+
* Add option to assume all controller methods are actions
|
411
|
+
* Recover from errors when parsing routes
|
412
|
+
|
413
|
+
## 0.8.0
|
414
|
+
|
415
|
+
* Add check for mass assignment using without_protection
|
416
|
+
* Add check for password in http_basic_authenticate_with
|
417
|
+
* Warn on user input in hash argument with mass assignment
|
418
|
+
* auto_link is now considered safe for Rails >= 3.0.6
|
419
|
+
* Output detected Rails version in report
|
420
|
+
* Keep track of methods called in class definition
|
421
|
+
* Add ruby_parser hack for Ruby 1.9 hash syntax
|
422
|
+
* Add a few Rails 3.1 tests
|
423
|
+
|
424
|
+
## 0.7.2
|
425
|
+
|
426
|
+
* Fix handling of params and cookies with nested access
|
427
|
+
* Add CVEs for checks added in 0.7.0
|
428
|
+
|
429
|
+
## 0.7.1
|
430
|
+
|
431
|
+
* Require BaseProcessor for GemProcessor
|
432
|
+
|
433
|
+
## 0.7.0
|
434
|
+
|
435
|
+
* Allow local variable as a class name
|
436
|
+
* Add checks for vulnerabilities fixed in Rails 2.3.14 and 3.0.10
|
437
|
+
* Check for default routes in Rails 3 apps
|
438
|
+
* Look in Gemfile or Gemfile.lock for Rails version
|
439
|
+
|
440
|
+
## 0.6.1
|
441
|
+
|
442
|
+
* Fix XSS check for cookies as parameters in output
|
443
|
+
* Don't bother calling super in CheckSessionSettings
|
444
|
+
* Add escape_once as a safe method
|
445
|
+
* Accept '\Z' or '\z' in model validations
|
446
|
+
|
447
|
+
## 0.6.0
|
448
|
+
|
449
|
+
* Tests are in place and fully functional
|
450
|
+
* Hide errors by default in HTML output
|
451
|
+
* Warn if routes.rb cannot be found
|
452
|
+
* Narrow methods assumed to be file access
|
453
|
+
* Increase confidence for methods known to not escape output
|
454
|
+
* Fixes to output processing for Erubis
|
455
|
+
* Fixes for Rails 3 XSS checks
|
456
|
+
* Fixes to line numbers with Erubis
|
457
|
+
* Fixes to escaped output scanning
|
458
|
+
* Update CSRF CVE-2011-0447 message to be less assertive
|
459
|
+
|
460
|
+
## 0.5.2
|
461
|
+
|
462
|
+
* Output report file name when finished
|
463
|
+
* Add initial tests for Rails 2.x
|
464
|
+
* Fix ERB line numbers when using Ruby 1.9
|
465
|
+
|
466
|
+
## 0.5.1
|
467
|
+
|
468
|
+
* Fix issue with 'has_one' => in routes
|
469
|
+
|
470
|
+
## 0.5.0
|
471
|
+
|
472
|
+
* Add support for routes like get 'x/y', :to => 'ctrlr#whatever'
|
473
|
+
* Allow empty blocks in Rails 3 routes
|
474
|
+
* Check initializer for session settings
|
475
|
+
* Add line numbers to session setting warnings
|
476
|
+
* Add --checks option to list checks
|
477
|
+
|
478
|
+
## 0.4.1
|
479
|
+
|
480
|
+
* Fix reported line numbers when using new Erubis parser
|
481
|
+
(Mostly affects Rails 3 apps)
|
482
|
+
|
483
|
+
## 0.4.0
|
484
|
+
|
485
|
+
* Handle Rails XSS protection properly
|
486
|
+
* More detection options for rails_xss
|
487
|
+
* Add --escape-html option
|
488
|
+
|
489
|
+
## 0.3.2
|
490
|
+
|
491
|
+
* Autodetect Rails 3 applications
|
492
|
+
* Turn on auto-escaping for Rails 3 apps
|
493
|
+
* Check Model.create() for mass assignment
|
494
|
+
|
495
|
+
## 0.3.1
|
496
|
+
|
497
|
+
* Always output a line number in tabbed output format
|
498
|
+
* Restrict characters in category name in tabbed output format to
|
499
|
+
word characters and spaces, for Hudson/Jenkins plugin
|
500
|
+
|
501
|
+
## 0.3.0
|
502
|
+
|
503
|
+
* Check for SQL injection in calls using constantize()
|
504
|
+
* Check for SQL injection in calls to count_by_sql()
|
505
|
+
|
506
|
+
## 0.2.2
|
507
|
+
|
508
|
+
* Fix version_between? when no Rails version is specified
|
509
|
+
|
510
|
+
## 0.2.1
|
511
|
+
|
512
|
+
* Add code snippet to tab output messages
|
513
|
+
|
514
|
+
## 0.2.0
|
515
|
+
|
516
|
+
* Add check for mail_to vulnerability - CVE-2011-0446
|
517
|
+
* Add check for CSRF weakness - CVE-2011-0447
|
518
|
+
|
519
|
+
## 0.1.1
|
520
|
+
|
521
|
+
* Be more permissive with ActiveSupport version
|
522
|
+
|
523
|
+
## 0.1.0
|
524
|
+
|
525
|
+
* Check link_to for XSS (because arguments are not escaped)
|
526
|
+
* Process layouts better (although not perfectly yet)
|
527
|
+
* Load custom Haml filters if they are in lib/
|
528
|
+
* Tab separated output via .tabs output extension
|
529
|
+
* Switch to normal versioning scheme
|