CHANGES
## 1.0
* Better handling of assignments inside ifs
* Check more expressions for SQL injection
* Use latest ruby_parser for better 1.9 syntax support
* Better behavior for Brakeman as a library
## 1.0.0rc1
* Brakeman can now be used as a library
* Faster call search
* Add option to return error code if warnings are found (tw-ngreen)
* Allow truncated messages to be expanded in HTML
* Fix summary when using warning thresholds
* Better support for Rails 3 routes
* Reduce SQL injection duplicate warnings
* Lower confidence on mass assignment with no user input
* Ignore mass assignment using all literal arguments
* Keep expanded context in view with HTML output
## 0.9.2
* Fix Rails 3 configuration parsing
* Add t() helper to check for translate XSS bug
## 0.9.1
* Add warning for translator helper XSS vulnerability
## 0.9.0
* Process Rails 3 configuration files
* Fix CSV output
* Check for config.active_record.whitelist_attributes = true
* Always produce a warning for without_protection => true
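As an added illustration of the mass-assignment entries above (the `without_protection => true` warning, `Model.create()` checking, and lower confidence when no user input is involved), here is a minimal scanner in the spirit of those checks. It is not Brakeman's code: Brakeman walks ruby_parser Sexps, while this example uses Ruby's stdlib Ripper, and the sink list, the user-input names and the sample source are assumptions.

```ruby
require "ripper"

# Sinks (Model.create from the changelog; update_attributes is an assumed extra) and
# the request accessors whose presence among the arguments raises confidence.
MASS_ASSIGN = %w[create update_attributes].freeze
USER_INPUT  = %w[params cookies request].freeze
# Yield every Array node of a Ripper S-expression, depth first in source order.
def each_node(node, &blk)
  return unless node.is_a?(Array)
  yield node
  node.each { |child| each_node(child, &blk) }
end
# String values of all tokens of the given Ripper types (:@ident, :@label, :@kw ...).
def tokens(node, *types)
  [].tap { |out| each_node(node) { |n| out << n[1] if types.include?(n[0]) && n[1].is_a?(String) } }
end
# True if the arguments carry :without_protection => true; the 1.9 `key:` form is an :@label.
def without_protection?(args)
  each_node(args) do |n|
    next unless n[0] == :assoc_new
    key = tokens(n[1], :@ident, :@label).first.to_s.chomp(":")
    return true if key == "without_protection" && tokens(n[2], :@kw).include?("true")
  end
  false
end

# One finding per mass-assignment call that disables protection. Parenthesised calls
# parse as :method_add_arg, bare ones as :command_call; the method token is last in `call`.
def scan(src)
  sexp = Ripper.sexp(src) or return []  # nil on syntax error
  findings = []
  each_node(sexp) do |n|
    next unless %i[method_add_arg command_call].include?(n[0])
    call, args = n[0] == :method_add_arg ? [n[1], n[2]] : [n[0..3], n[4]]
    meth = call[-1]
    next unless meth.is_a?(Array) && meth[0] == :@ident && MASS_ASSIGN.include?(meth[1])
    next unless without_protection?(args)
    user_input = !(tokens(args, :@ident) & USER_INPUT).empty?  # lower confidence if absent
    findings << { line: meth[2][0], model: tokens(call, :@const).last, method: meth[1],
                  confidence: user_input ? "High" : "Medium" }
  end
  findings
end

SAMPLE = <<~RUBY # constructed sample, not taken from any real application
  User.create(params[:user], :without_protection => true)
  Post.create(title: "hello", without_protection: true)
  Comment.create(params[:comment])
RUBY
scan(SAMPLE).each { |f| puts "#{f[:confidence]}: #{f[:model]}.#{f[:method]} line #{f[:line]}" }
```

The third sample line is left alone because it never disables protection; a real check would also have to follow `attr_accessible`/`whitelist_attributes` settings, which this example does not model.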
## 0.8.4
* Option for separate attr_accessible warnings
* Option to set CSS file for HTML output
* Add file names for version-specific warnings
* Add line number for default routes in a controller
* Fix hash_insert()
* Remove use of Queue from threaded checks
## 0.8.3
* Respect -w flag in .tabs format (tw-ngreen)
* Escape HTML output of error messages
* Add --skip-libs option
## 0.8.2
* Run checks in parallel threads by default
* Fix compatibility with ruby_parser 2.3.1
## 0.8.1
* Add option to assume all controller methods are actions
* Recover from errors when parsing routes
## 0.8.0
* Add check for mass assignment using without_protection
* Add check for password in http_basic_authenticate_with
* Warn on user input in hash argument with mass assignment
* auto_link is now considered safe for Rails >= 3.0.6
* Output detected Rails version in report
* Keep track of methods called in class definition
* Add ruby_parser hack for Ruby 1.9 hash syntax
* Add a few Rails 3.1 tests
## 0.7.2
* Fix handling of params and cookies with nested access
* Add CVEs for checks added in 0.7.0
## 0.7.1
* Require BaseProcessor for GemProcessor
## 0.7.0
* Allow local variable as a class name
* Add checks for vulnerabilities fixed in Rails 2.3.14 and 3.0.10
* Check for default routes in Rails 3 apps
* Look in Gemfile or Gemfile.lock for Rails version
## 0.6.1
* Fix XSS check for cookies as parameters in output
* Don't bother calling super in CheckSessionSettings
* Add escape_once as a safe method
* Accept '\Z' or '\z' in model validations
## 0.6.0
* Tests are in place and fully functional
* Hide errors by default in HTML output
* Warn if routes.rb cannot be found
* Narrow methods assumed to be file access
* Increase confidence for methods known to not escape output
* Fixes to output processing for Erubis
* Fixes for Rails 3 XSS checks
* Fixes to line numbers with Erubis
* Fixes to escaped output scanning
* Update CSRF CVE-2011-0447 message to be less assertive
## 0.5.2
* Output report file name when finished
* Add initial tests for Rails 2.x
* Fix ERB line numbers when using Ruby 1.9
## 0.5.1
* Fix issue with 'has_one' => in routes
## 0.5.0
* Add support for routes like get 'x/y', :to => 'ctrlr#whatever'
* Allow empty blocks in Rails 3 routes
* Check initializer for session settings
* Add line numbers to session setting warnings
* Add --checks option to list checks
## 0.4.1
* Fix reported line numbers when using new Erubis parser (mostly affects Rails 3 apps)
## 0.4.0
* Handle Rails XSS protection properly
* More detection options for rails_xss
* Add --escape-html option
## 0.3.2
* Autodetect Rails 3 applications
* Turn on auto-escaping for Rails 3 apps
* Check Model.create() for mass assignment
## 0.3.1
* Always output a line number in tabbed output format
* Restrict characters in category name in tabbed output format to word characters and spaces, for Hudson/Jenkins plugin
## 0.3.0
* Check for SQL injection in calls using constantize()
* Check for SQL injection in calls to count_by_sql()
## 0.2.2
* Fix version_between? when no Rails version is specified
## 0.2.1
* Add code snippet to tab output messages
## 0.2.0
* Add check for mail_to vulnerability - CVE-2011-0446
* Add check for CSRF weakness - CVE-2011-0447
## 0.1.1
* Be more permissive with ActiveSupport version
## 0.1.0
* Check link_to for XSS (because arguments are not escaped)
* Process layouts better (although not perfectly yet)
* Load custom Haml filters if they are in lib/
* Tab separated output via .tabs output extension
* Switch to normal versioning scheme