## 1.8.3
* Use `multi_json` gem for better harmony
* Performance improvement for call indexing
* Fix issue with processing HAML files
* Handle pre-release versions when processing `Gemfile.lock`
* Only check first argument of `redirect_to`
* Fix false positives from `Model.arel_table` accesses
* Fix false positives on redirects to models decorated with Draper gem
* Fix false positive on redirect to model association
* Fix false positive on `YAML.load`
* Fix false positive XSS on any `to_i` output
* Fix error on Rails 2 name routes with no args
* Fix error in rescan of mixins with symbols in method name
* Do not rescan non-Ruby files in config/
## 1.8.2
* Fixed rescanning problems caused by 1.8.0 changes
* Fix scope calls with single argument
* Report specific model name in rendered collections
* Handle overwritten JSON escape settings
* Much improved test coverage
* Add CHANGES to gemspec
## 1.8.1
* Recover from errors in output formatting
* Fix false positive in redirect_to (Neil Matatall)
* Fix problems with removal of `Sexp#method_missing`
* Fix array indexing in alias processing
* Fix old mail_to vulnerability check
* Fix rescans when only controller action changes
* Allow comparison of versions with unequal lengths
* Handle super calls with blocks
* Respect `-q` flag for "Rails 3 detected" message
## 1.8.0
* Support relative paths in reports (fsword)
* Allow Brakeman to be run without tty (fsword)
* Fix exit code with `--compare` (fsword)
* Fix `--rake` option (Deepak Kumar)
* Add high confidence warnings for `to_json` XSS (Neil Matatall)
* Fix `redirect_to` false negative
* Fix duplicate warnings with `raw` calls
* Fix shadowing of rendered partials
* Add "render chain" to HTML reports
* Add check for XSS in `content_tag`
* Add full backtrace for errors in debug mode
* Treat model attributes in `or` expressions as immediate values
* Switch to method access for Sexp nodes
## 1.7.1
* Add check for CVE-2012-3463
* Add check for CVE-2012-3464
* Add check for CVE-2012-3465
* Add charset to HTML report (hooopo)
* Report XSS in select() for Rails 2
## 1.7.0
* Add check for CVE-2012-3424
* Link report types to descriptions on website
* Report errors raised while running check
* Improve processing of Rails 3 routes
* Fix "empty char-class" error
* Improve file access check
* Avoid warning on non-ActiveModel models
* Speed improvements by stripping down SexpProcessor
* Fix how `params[:x] ||=` is handled
* Treat user input in `or` expressions as immediate values
* Fix processing of negative array indexes
* Add line breaks to truncated table rows
## 1.6.2
* Add checks for CVE-2012-2660, CVE-2012-2661, CVE-2012-2694, CVE-2012-2695 (Dave Worth)
* Avoid warning when redirecting to a model instance
* Add `request.parameters` as a parameters hash
* Raise confidence level for model attributes in redirects
* Return non-zero exit code when missing dependencies
* Fix `before_filter :except` logic
* Only accept symbol literals as before_filter names
* Cache before_filter lookups
* Turn off quiet mode by default for `--compare`
## 1.6.1
* Major rewrite of CheckSQL
* Fix rescanning of deleted templates
* Process actions mixed into controllers
* Handle `render :template => ...`
* Check for inherited attr_accessible (Neil Matatall)
* Fix highlighting of HTML escaped values in HTML report
* Report line number of highlighted value, if available
## 1.6.0
* Remove the Ruport dependency (Neil Matatall)
* Add more informational JSON output (Neil Matatall)
* Add comparison to previous JSON report (Neil Matatall)
* Add highlighting of dangerous values in HTML/text reports
* Model#update_attribute should not raise mass assignment warning (Dave Worth)
* Don't check `find_by_*` method for SQL injection
* Fix duplicate reporting of mass assignment and SQL injection
* Fix rescanning of deleted files
* Properly check for rails_xss in Gemfile
## 1.5.3
* Add check for user input in Object#send (Neil Matatall)
* Handle render :layout in views
* Support output to multiple formats (Nick Green)
* Prevent infinite loops in mutually recursive templates
* Only check eval arguments for user input, not targets
* Search subdirectories for models
* Set values in request hashes and propagate to views
* Add rake task file to gemspec (Anton Ageev)
* Filter rescanning of templates (Neil Matatall)
* Improve handling of modules and nesting
* Test for zero errors in test reports
## 1.5.2
* Fix link_to checks for Rails 2.0 and 2.3
* Fix rescanning of lib files (Neil Matatall)
* Output stack trace on interrupt when debugging
* Ignore user input in if statement conditions
* Fix --skip-files option
* Only warn on user input in render paths
* Fix handling of views when using rails_xss
* Revert to ruby_parser 2.3.1 for Ruby 1.8 parsing
## 1.5.1
* Fix detection of global mass assignment setting
* Fix partial rendering in Rails 3
* Show backtrace when interrupt received (Ruby 1.9 only)
* More debug output
* Remove duplicate method in Brakeman::Rails2XSSErubis
* Add tracking of module and class to Brakeman::BaseProcessor
* Report module when using Brakeman::FindCall
## 1.5.0
* Add version check for SafeBuffer vulnerability
* Add check for select vulnerability in Rails 3
* select() is no longer considered safe in Rails 2
* Add check for skipping CSRF protection with a blacklist
* Add JSON report format
* Model#id should not be considered XSS
* Standardize methods to check for SQL injection
* Fix Rails 2 route parsing issue with nested routes
## 1.4.0
* Add check for user input in link_to href parameter
* Match ERB processing to rails_xss plugin when plugin used
* Add Brakeman::Report#to_json, Brakeman::Warning#to_json
* Warnings below minimum confidence are dropped completely
* always returns a Tracker
## 1.3.0
* Add file paths to HTML report
* Add caching of filters
* Add --skip-files option
* Add support for attr_protected
* Add detection of request.env as user input
* Descriptions of checks in -k output
* Improved processing of named scopes
* Check for mass assignment in ActiveRecord::Associations::AssociationCollection#build
* Better variable substitution
* Table output option for rescan reports
## 1.2.2
* --no-progress works again
* Make CheckLinkTo a separate check
* Don't fail on unknown options to resource(s)
* Handle empty resource(s) blocks
* Add RescanReport#existing_warnings
## 1.2.1
* Remove link_to warning for Rails 3.x or when using rails_xss
* Don't warn if first argument to link_to is escaped
* Detect usage of attr_accessible with no arguments
* Fix error when rendering a partial from a view but not through a controller
* Fix some issues with rails_xss, CheckCrossSiteScripting, and CheckTranslateBug
* Simplify Brakeman Rake task
* Avoid modifying $VERBOSE
* Add Brakeman::RescanReport#to_s
* Add Brakeman::Warning#to_s
## 1.2.0
* Speed improvements for CheckExecute and CheckRender
* Check named_scope() and scope() for SQL injection
* Add --rake option to create rake task to run Brakeman
* Add experimental support for rescanning a subset of files
* Add --summary option to only output summary
* Fix a problem with Rails 3 routes
## 1.1.0
* Relax required versions for dependencies
* Performance improvements for source processing
* Better progress reporting
* Handle basic operators like `<<`, `+`, `-`, `*`, `/`
* Rescue more errors to prevent complete crashes
* Compatibility with newer Haml versions
* Fix some warnings
## 1.0.0
* Better handling of assignments inside ifs
* Check more expressions for SQL injection
* Use latest ruby_parser for better 1.9 syntax support
* Better behavior for Brakeman as a library
## 1.0.0rc1
* Brakeman can now be used as a library
* Faster call search
* Add option to return error code if warnings are found (tw-ngreen)
* Allow truncated messages to be expanded in HTML
* Fix summary when using warning thresholds
* Better support for Rails 3 routes
* Reduce SQL injection duplicate warnings
* Lower confidence on mass assignment with no user input
* Ignore mass assignment using all literal arguments
* Keep expanded context in view with HTML output
## 0.9.2
* Fix Rails 3 configuration parsing
* Add t() helper to check for translate XSS bug
## 0.9.1
* Add warning for translator helper XSS vulnerability
## 0.9.0
* Process Rails 3 configuration files
* Fix CSV output
* Check for config.active_record.whitelist_attributes = true
* Always produce a warning for without_protection => true
## 0.8.4
* Option for separate attr_accessible warnings
* Option to set CSS file for HTML output
* Add file names for version-specific warnings
* Add line number for default routes in a controller
* Fix hash_insert()
* Remove use of Queue from threaded checks
## 0.8.3
* Respect -w flag in .tabs format (tw-ngreen)
* Escape HTML output of error messages
* Add --skip-libs option
## 0.8.2
* Run checks in parallel threads by default
* Fix compatibility with ruby_parser 2.3.1
## 0.8.1
* Add option to assume all controller methods are actions
* Recover from errors when parsing routes
## 0.8.0
* Add check for mass assignment using without_protection
* Add check for password in http_basic_authenticate_with
* Warn on user input in hash argument with mass assignment
* auto_link is now considered safe for Rails >= 3.0.6
* Output detected Rails version in report
* Keep track of methods called in class definition
* Add ruby_parser hack for Ruby 1.9 hash syntax
* Add a few Rails 3.1 tests
## 0.7.2
* Fix handling of params and cookies with nested access
* Add CVEs for checks added in 0.7.0
## 0.7.1
* Require BaseProcessor for GemProcessor
## 0.7.0
* Allow local variable as a class name
* Add checks for vulnerabilities fixed in Rails 2.3.14 and 3.0.10
* Check for default routes in Rails 3 apps
* Look in Gemfile or Gemfile.lock for Rails version
## 0.6.1
* Fix XSS check for cookies as parameters in output
* Don't bother calling super in CheckSessionSettings
* Add escape_once as a safe method
* Accept '\Z' or '\z' in model validations
## 0.6.0
* Tests are in place and fully functional
* Hide errors by default in HTML output
* Warn if routes.rb cannot be found
* Narrow methods assumed to be file access
* Increase confidence for methods known to not escape output
* Fixes to output processing for Erubis
* Fixes for Rails 3 XSS checks
* Fixes to line numbers with Erubis
* Fixes to escaped output scanning
* Update CSRF CVE-2011-0447 message to be less assertive
## 0.5.2
* Output report file name when finished
* Add initial tests for Rails 2.x
* Fix ERB line numbers when using Ruby 1.9
## 0.5.1
* Fix issue with 'has_one' => in routes
## 0.5.0
* Add support for routes like get 'x/y', :to => 'ctrlr#whatever'
* Allow empty blocks in Rails 3 routes
* Check initializer for session settings
* Add line numbers to session setting warnings
* Add --checks option to list checks
## 0.4.1
* Fix reported line numbers when using new Erubis parser (mostly affects Rails 3 apps)
## 0.4.0
* Handle Rails XSS protection properly
* More detection options for rails_xss
* Add --escape-html option
## 0.3.2
* Autodetect Rails 3 applications
* Turn on auto-escaping for Rails 3 apps
* Check Model.create() for mass assignment
## 0.3.1
* Always output a line number in tabbed output format
* Restrict characters in category name in tabbed output format to word characters and spaces, for Hudson/Jenkins plugin
## 0.3.0
* Check for SQL injection in calls using constantize()
* Check for SQL injection in calls to count_by_sql()
## 0.2.2
* Fix version_between? when no Rails version is specified
## 0.2.1
* Add code snippet to tab output messages
## 0.2.0
* Add check for mail_to vulnerability - CVE-2011-0446
* Add check for CSRF weakness - CVE-2011-0447
## 0.1.1
* Be more permissive with ActiveSupport version
## 0.1.0
* Check link_to for XSS (because arguments are not escaped)
* Process layouts better (although not perfectly yet)
* Load custom Haml filters if they are in lib/
* Tab separated output via .tabs output extension
* Switch to normal versioning scheme