Skip to content
Switch branches/tags
Go to file
Cannot retrieve contributors at this time
1335 lines (1075 sloc) 46.9 KB

5.2.0 - 2021-12-15

  • Initial Rails 7 support
  • Require Ruby 2.5.0+
  • Fix issue with calls to foo.root in routes
  • Ignore I18n.locale in SQL queries
  • Do not treat sanitize_sql_like as safe
  • Add new checks for unsupported Ruby and Rails versions

5.1.2 - 2021-10-28

  • Handle cases where enums are not symbols
  • Support newer Haml with
  • Fix issue where the previous output is still visible (Jason Frey)
  • Fix warning sorting with nil line numbers
  • Update for latest RubyParser (Ryan Davis)

5.1.1 - 2021-07-19

  • Unrefactor IgnoreConfig's use of Brakeman::FilePath

5.1.0 - 2021-07-19

  • Initial support for ActiveRecord enums
  • Support Hash#include?
  • Interprocedural dataflow from very simple class methods
  • Fix SARIF report when checks have no description (Eli Block)
  • Add ignored warnings to SARIF report (Eli Block)
  • Add --sql-safe-methods option (Esty Scheiner)
  • Update SQL injection check for Rails 6.0/6.1
  • Fix false positive in command injection with Open3.capture (Richard Fitzgerald)
  • Fix infinite loop on mixin self-includes (Andrew Szczepanski)
  • Ignore dates in SQL
  • Refactor cookie?/param? methods (Keenan Brock)
  • Ignore renderables in dynamic render path check (Brad Parker)
  • Support Array#push
  • Better Array#join support
  • Adjust copy of --interactive menu (Elia Schito)
  • Support Array#*
  • Better method definition tracking and lookup
  • Support Hash#values and Hash#values_at
  • Check for user-controlled evaluation even if it's a call target
  • Support Array#fetch and Hash#fetch
  • Ignore sanitize_sql_like in SQL
  • Ignore method calls on numbers in SQL
  • Add GitHub Actions format (Klaus Badelt)
  • Read and parse files in parallel

5.0.4 - 2021-06-08

(brakeman gem release only)

  • Update bundled ruby_parser to include argument forwarding support

5.0.2 - 2021-06-07

  • Fix Loofah version check

5.0.1 - 2021-04-27

  • Detect ::Rails.application.configure too
  • Set more line numbers on Sexps
  • Support loading slim/smart
  • Don't fail if $HOME/$USER are not defined
  • Always ignore slice/only calls for mass assignment
  • Convert splat array arguments to arguments

5.0.0 - 2021-01-26

  • Ignore uuid as a safe attribute
  • Collapse __send__ calls
  • Ignore Tempfile#path in shell commands
  • Ignore development environment
  • Revamp CSV report to a CSV list of warnings
  • Set Rails configuration defaults based on load_defaults version
  • Add check for (more) unsafe method reflection
  • Suggest using --force if no Rails application is detected
  • Add Sonarqube report format (Adam England)
  • Add check for potential HTTP verb confusion
  • Add --[no-]skip-vendor option
  • Scan (almost) all Ruby files in project

4.10.1 - 2020-12-24

  • Declare REXML as a dependency (Ruby 3.0 compatibility)
  • Use Sexp#sexp_body instead of Sexp#[..] (Ruby 3.0 compatibility)
  • Prevent render loops when template names are absolute paths
  • Ensure RubyParser is passed file path as a String
  • Support new Haml 5.2.0 escaping method

5.0.0.pre1 - 2020-11-17

  • Add check for (more) unsafe method reflection
  • Suggest using --force if no Rails application is detected
  • Add Sonarqube report format (Adam England)
  • Add check for potential HTTP verb confusion
  • Add --[no-]skip-vendor option
  • Scan (almost) all Ruby files in project
  • Add support for Haml 5.2.0

4.10.0 - 2020-09-28

  • Add SARIF report format (Steve Winton)

4.9.1 - 2020-09-04

  • Check chomped strings for SQL injection
  • Use version from active_record for non-Rails apps (Ulysse Buonomo)
  • Always set line number for joined arrays
  • Avoid warning about missing attr_accessible if protected_attributes gem is used

4.9.0 - 2020-08-04

  • Add check for CVE-2020-8166 (Jamie Finnigan)
  • Avoid warning when safe_yaml is used via YAML.load(..., safe: true)
  • Add check for user input in (Matt Hickman)
  • Add --ensure-ignore-notes (Eli Block)
  • Remove whitelist/blacklist language, add clarifications
  • Do not warn about mass assignment with params.permit!.slice
  • Add "full call" information to call index results
  • Ignore params.permit! in path helpers
  • Treat Dir.glob as safe source of values in guards
  • Always scan environment.rb

4.8.2 - 2020-05-12

  • Add check for CVE-2020-8159
  • Fix authenticate_or_request_with_http_basic check for passed blocks (Hugo Corbucci)
  • Add --text-fields option
  • Add check for escaping HTML entities in JSON configuration

4.8.1 - 2020-04-06

  • Check SQL query strings using String#strip or String.squish
  • Handle non-symbol keys in locals hash for render()
  • Warn about global(!) mass assignment
  • Index calls in render arguments

4.8.0 - 2020-02-18

  • Add JUnit-XML report format (Naoki Kimura)
  • Sort ignore files by fingerprint and line (Ngan Pham)
  • Freeze call index results
  • Fix output test when using newer Minitest
  • Properly render confidence in Markdown report
  • Report old warnings as fixed if zero warnings reported
  • Catch dangerous concatenation in CheckExecute (Jacob Evelyn)
  • Show user-friendly message when ignore config file has invalid JSON (D. Hicks)
  • Initialize Rails version with nil (Carsten Wirth)

4.7.2 - 2019-11-25

  • Remove version guard for named_scope vs. scope
  • Find SQL injection in String#strip_heredoc target
  • Handle more permit! cases
  • Ensure file name is set when processing model
  • Add request.params as query parameters

4.7.1 - 2019-10-29

  • Check string length against limit before joining
  • Fix errors from frozen Symbol#to_s in Ruby 2.7
  • Fix flaky rails4 test (Adam Kiczula)
  • Added release dates to each version in CHANGES (TheSpartan1980)
  • Catch reverse tabnabbing with :_blank symbol (Jacob Evelyn)
  • Convert s(:lambda) to s(:call) in Sexp#block_call
  • Sort text report by file and line (Jacob Evelyn)

4.7.0 - 2019-10-16

  • Refactor Brakeman::Differ#second_pass (Benoit Côté-Jodoin)
  • Ignore interpolation in %W[]
  • Fix version_between? (Andrey Glushkov)
  • Add support for ruby_parser 3.14.0
  • Ignore form_for for XSS check
  • Update Haml support to Haml 5.x
  • Catch shell injection from -c shell commands (Jacob Evelyn)
  • Correctly handle non-symbols in CheckCookieSerialization (Phil Turnbull)

4.6.1 - 2019-07-24

  • Fix Reverse Tabnabbing warning message (Steffen Schildknecht / Jörg Schiller)

4.6.0 - 2019-07-23

  • Skip calls to dup
  • Add reverse tabnabbing check (Linos Giannopoulos)
  • Better handling of gems with no version declared
  • Warn people that Haml 5 is not fully supported (Jared Beck)
  • Avoid warning about file access with ActiveStorage::Filename#sanitized (Tejas Bubane)
  • Update loofah version for fixing CVE-2018-8048 (Markus Nölle)
  • Restore Warning#relative_path
  • Add check for cookie serialization with Marshal
  • Index calls in initializers
  • Improve template output handling in conditional branches
  • Avoid assigning nil line numbers to Sexps
  • Add special warning code for custom checks
  • Add call matching by regular expression

4.5.1 - 2019-05-11

  • Add Brakeman::FilePath to represent file paths
  • Handle trailing comma in block args
  • Properly handle empty partial name
  • Use relative paths for __FILE__
  • Convert !! calls to boolean value
  • Add optional check for config.force_ssl
  • Remove code for Ruby versions prior to 1.9
  • Check link_to with block for href XSS
  • Add SQL injection checks for find_or_create_by and friends
  • Add deserialization warning for Oj.load/object_load
  • Add initial Rails 6 support
  • Add SQL injection checks for destroy_by/delete_by

4.5.0 - 2019-03-16

  • Update ruby_parser, use ruby_parser-legacy
  • More thoroughly handle Shellwords escaping
  • Handle non-integer version number comparisons
  • Use FileParser in Scanner to parse files
  • Add original exception to Tracker#errors list
  • Add support for CoffeeScript in Slim templates
  • Improve support for embedded template "filters"
  • Remove Sass dependency
  • Set location information in CheckContentTag
  • Stop swallowing exceptions in AliasProcessor
  • Avoid joining strings with different encodings
  • Handle ** inside Hash literals
  • Better handling of splat/kwsplat arguments
  • Improve "user input" reported for SQL injection

4.4.0 - 2019-01-17

  • Set default encoding to UTF-8
  • Update to Slim 4.0.1 (Jake Peterson)
  • Update to RubyParser 3.12.0
  • Add rendered template information to render paths
  • Fix trim mode for ERb templates in old Rails versions
  • Fix thread-safety issue in CallIndex
  • Add --enable option to enable optional checks
  • Support reading gem versions from gemspecs
  • Support gem versions which are just major.minor (e.g. 3.0)
  • Treat if not like unless
  • Handle empty secrets.yml files (Naoki Kimura)
  • Correctly set rel="noreferrer" in HTML reports
  • Avoid warning about command injection when String#shellescape and Shellwords.shelljoin are used (George Ogata)
  • Add Dockerfile to run Brakeman inside Docker (Ryan Kemper)
  • Trim some unnecessary files from bundled gems
  • Add check for CVE-2018-3760
  • Avoid nils when concatenating arrays
  • Ignore Tempfiles in FileAccess warnings (Christina Koller)
  • Complete overhaul of warning message construction
  • Deadcode and typo fixes found via Coverity

4.3.1 - 2018-06-07

  • Ignore Object#freeze, use the target instead
  • Ignore foreign_key calls in SQL
  • Handle included calls outside of classes/modules
  • Add :BRAKEMAN_SAFE_LITERAL to represent known-safe literals
  • Handle Array#map and Array#each over literal arrays
  • Use safe literal when accessing literal hash with unknown key
  • Avoid deprecated use of ERB in Ruby 2.6 (Koichi ITO)
  • Allow symbolize_keys to be called on params in SQL (Jacob Evelyn)
  • Improve handling of conditionals in shell commands (Jacob Evelyn)
  • Fix error when setting line number in implicit renders

4.3.0 - 2018-05-11

  • Check exec-type calls even if they are targets
  • Convert Array#join to string interpolation
  • BaseCheck#include_interp? should return first string interpolation
  • Add --parser-timeout option
  • Track parent calls in CallIndex
  • Warn about dangerous link_to href with sanitize()
  • Ignore params#to_h and params#to_hash in SQL checks
  • Change "".freeze to just ""
  • Ignore in system calls
  • Index Kernel#` calls even if they are targets
  • Code Climate: omit leading dot from only_files (Todd Mazierski)
  • --color can be used to force color output
  • Fix reported line numbers for CVE-2018-3741 and CVE-2018-8048

4.2.1 - 2018-03-24

  • Add warning for CVE-2018-3741
  • Add warning for CVE-2018-8048
  • Scan app/jobs/ directory
  • Handle template_exists? in controllers

4.2.0 - 2018-02-22

  • Avoid warning about symbol DoS on Model#attributes
  • Avoid warning about open redirects with model methods ending with _path
  • Avoid warning about command injection with Shellwords.escape
  • Use ivars from initialize in libraries
  • Sexp#body= can accept :rlist from Sexp#body_list
  • Update RubyParser to 3.11.0
  • Fix multiple assignment of globals
  • Warn about SQL injection in not
  • Exclude template folders in lib/ (kru0096)
  • Handle ERb use of String#<< method for Ruby 2.5 (Pocke)

4.1.1 - 2017-12-19

  • Remove check for use of permit with *_id keys
  • Avoid duplicate warnings about permitted attributes

4.1.0 - 2017-12-14

  • Process models as root sexp instead of each sexp
  • Avoid CSRF warning in Rails 5.2 default config
  • Show better location for Sass errors (Andrew Bromwich)
  • Warn about dynamic values in Arel.sql
  • Fix include_paths for Code Climate engine (Will Fleming)
  • Add check for dangerous keys in permit
  • Try to guess options for less pager
  • Better processing of op_asgn1 (e.g. x[:y] += 1)
  • Add optional check for divide by zero
  • Remove errors about divide by zero
  • Avoid warning about file access for temp files
  • Do not warn on params.permit with safe values
  • Add Sexp#call_chain
  • Use HTTPS for warning links
  • Handle nested destructuring/multiple assignment
  • Leave results on screen after paging
  • Do not page if results fit on screen
  • Support app_path configuration for Code Climate engine (Noah Davis)
  • Refactor Code Climate engine options parsing (Noah Davis)
  • Fix upgrade version for CVE-2016-6316

4.0.1 - 2017-09-25

  • Disable pager when CI environment variable is set
  • Fix output when pager fails

4.0.0 - 2017-09-25

  • Add simple pager for reports output to terminal
  • Rename "Cross Site Scripting" to "Cross-Site Scripting" (Paul Tetreau)
  • Rearrange tests a little bit
  • Treat request.cookies like cookies
  • Treat fail/raise like early returns
  • Remove reliance on CONFIDENCE constant in checks
  • Remove low confidence mass assignment warnings
  • Reduce warnings about XSS in link_to
  • "Plain" report output is now the default
  • --exit-on-error and --exit-on-warn are now the default
  • Fix --exit-on-error and --exit-on-warn in config files

3.7.2 - 2017-08-16

  • Fix --ensure-latest (David Guyon)

3.7.1 - 2017-08-16

  • Handle simple guard with return at end of branch
  • Modularize bin/brakeman
  • Improve multi-value Sexp error message
  • Add more collection methods for iteration detection
  • Update ruby2ruby and ruby_parser

3.7.0 - 2017-06-30

  • Improve support for rails4/rails5 options in config file
  • Track more information about constant assignments
  • Show progress indicator in interactive mode
  • Handle simple conditional guards that use return
  • Fix false positive for redirect_to in Rails 4 (Mário Areias)
  • Avoid interpolating hashes/arrays on failed access

3.6.2 - 2017-05-19

  • Handle safe call operator in checks
  • Better handling of if expressions in HAML rendering
  • Remove --rake option
  • Properly handle template names without .html or .js
  • Set template file names during rendering for better errors
  • Limit Slim dependency to before 3.0.8
  • Catch YAML parsing errors in session settings check
  • Avoid warning about SQLi with to_s in exists?
  • Update RubyParser to 3.9.0
  • Do not honor additional check paths in config by default
  • Handle empty if expressions when finding return values
  • Fix finding return value from empty if

3.6.1 - 2017-03-24

  • Fix error when using --compare (Sean Gransee)

3.6.0 - 2017-03-23

  • Avoid recursive Concerns
  • Branch inside of case expressions
  • Print command line option errors without modification
  • Fix issue with nested interpolation inside SQL strings
  • Ignore GraphQL tags inside ERB templates
  • Add --exit-on-error (Michael Grosser)
  • Only report CVE-2015-3227 when exact version is known
  • Check targetless SQL calls outside of known models

3.5.0 - 2017-02-01

  • Allow -t None
  • Fail on invalid checks specified by -x or -t
  • Avoid warning about all, first, or last after Rails 4.0
  • Avoid warning about models in SQLi
  • Lower confidence of SQLi when maybe not on models
  • Warn about SQLi even potentially on non-models
  • Report check name in JSON and plain reports
  • Treat templates without .html as HTML anyway
  • Add --ensure-latest option (tamgrosser / Michael Grosser)
  • Add --no-summary to hide summaries in HTML/text reports
  • Handle included block in concerns
  • Process concerns before controllers

3.4.1 - 2016-11-02

  • Show action help at start of interactive ignore
  • Check CSRF setting in direct subclasses of ActionController::Base (Jason Yeo)
  • Configurable engines path (Jason Yeo)
  • Use Ruby version to turn off SymbolDoS check
  • Pull Ruby version from .ruby-version or Gemfile
  • Avoid warning about where_values_hash in SQLi
  • Fix ignoring link interpolation not at beginning of string

3.4.0 - 2016-09-08

  • Add new plain report format
  • Add option to prune ignore file with -I
  • Improved Slim template support
  • Show obsolete ignore entries in reports (Jonathan Cheatham)
  • Support creating reports in non-existent paths
  • Add --no-exit-warn

3.3.5 - 2016-08-12

  • Fix bug in reports when using --debug option

3.3.4 - 2016-08-12

  • Add generic warning for CVE-2016-6316
  • Warn about dangerous use of content_tag with CVE-2016-6316
  • Add warning for CVE-2016-6317
  • Use Minitest

3.3.3 - 2016-07-21

  • Show path when no Rails app found (Neil Matatall)
  • Index calls in view helpers
  • Process inline template renders
  • Avoid warning about hashes in link_to hrefs
  • Add documentation for authentication category
  • Ignore boolean methods in render paths
  • Reduce open redirect duplicates
  • Fix SymbolDoS error with unknown Rails version
  • Sexp#value returns nil when there is no value
  • Improve return value estimation

3.3.2 - 2016-06-10

  • Fix serious performance regression with global constant tracking

3.3.1 - 2016-06-03

  • Delay loading vendored gems and modifying load path
  • Avoid warning about SQL injection with quoted_primary_key
  • Support more safe &. operations
  • Allow multiple line regex in validates_format_of (Dmitrij Fedorenko)
  • Only consider if branches in templates
  • Avoid overwriting instance/class methods with same name (Tim Wade)
  • Add --force-scan option (Neil Matatall)
  • Improved line number accuracy in ERB templates (Patrick Toomey)

3.3.0 - 2016-05-05

  • Skip processing obviously false if branches (more broadly)
  • Skip if branches with Rails.env.test?
  • Return exit code 4 if no Rails application is detected
  • Avoid warning about mass assignment with params.slice
  • Avoid warning about u helper (Chad Dollins)
  • Add optional check for secrets in source code
  • Process Array#first
  • Allow non-Hash arguments in protect_from_forgery (Jason Yeo)
  • Avoid warning on popen with array
  • Bundle all dependencies in gem
  • Track constants globally
  • Handle HAML find_and_preserve with a block
  • [Code Climate engine] When possible, output to /dev/stdout (Gordon Diggs)
  • [Code Climate engine] Remove nil entries from include_paths (Gordon Diggs)
  • [Code Climate engine] Report end lines for issues (Gordon Diggs)

3.2.1 - 2016-02-25

  • Remove multi_json dependency from bin/brakeman

3.2.0 - 2016-02-25

  • Skip Symbol DoS check on Rails 5
  • Only update ignore config file on changes
  • Sort ignore config file
  • Support calls using &. operator
  • Update ruby_parser dependency to 3.8.1
  • Remove fastercsv dependency
  • Fix finding calls with targets: nil
  • Remove multi_json dependency
  • Handle CoffeeScript in HAML
  • Avoid render warnings about params[:action]/params[:controller]
  • Index calls in class bodies but outside methods

3.1.5 - 2016-01-28

  • Fix CodeClimate construction of --only-files (Will Fleming)
  • Add check for denial of service via routes (CVE-2015-7581)
  • Warn about RCE with render params (CVE-2016-0752)
  • Add check for strip_tags XSS (CVE-2015-7579)
  • Add check for sanitize XSS (CVE-2015-7578/80)
  • Add check for reject_if proc bypass (CVE-2015-7577)
  • Add check for mime-type denial of service (CVE-2016-0751)
  • Add check for basic auth timing attack (CVE-2015-7576)
  • Add initial Rails 5 support
  • Check for implicit integer comparison in dynamic finders
  • Support directories better in --only-files and --skip-files (Patrick Toomey)
  • Avoid warning about permit in SQL
  • Handle guards using detect
  • Avoid warning on user input in comparisons
  • Handle module names with self methods
  • Add session manipulation documentation

3.1.4 - 2015-12-22

  • Emit brakeman's native fingerprints for Code Climate engine (Noah Davis)
  • Ignore secrets.yml if in .gitignore
  • Clean up Ruby warnings (Andy Waite)
  • Increase test coverage for option parsing (Zander Mackie)
  • Work around safe_yaml error

3.1.3 - 2015-12-03

  • Check for session secret in secrets.yml
  • Respect exit_on_warn in config file
  • Avoid warning on without_protection: true with hash literals
  • Make sure before_filter call with block is still a call
  • CallIndex improvements
  • Restore minimum Highline version (Kevin Glowacz)
  • Add Code Climate output format (Ashley Baldwin-Hunter/Devon Blandin/John Pignata/Michael Bernstein)
  • Iteratively replace values
  • Output nil instead of false for user_input in JSON
  • Depend on safe_yaml 1.0 or later
  • Test coverage improvements for Brakema module (Bethany Rentz)

3.1.2 - 2015-10-28

  • Treat current_user like a model
  • Set user input value for inline renders
  • Avoid warning on inline renders with safe content types
  • Handle empty interpolation in HAML filters
  • Ignore filters that are not method names
  • Avoid warning about model find/find_by* in hrefs
  • Use SafeYAML to load configuration files
  • Warn on SQL query keys, not values in hashes
  • Allow inspection of recursive Sexps
  • Add line numbers to class-level warnings
  • Handle private def ...
  • Catch divide-by-zero in alias processing
  • Reduce string allocations in Warning#initialize
  • Sortable tables in HTML report (David Lanner)
  • Search for config file relative to application root

3.1.1 - 2015-09-23

  • Add optional check for use of MD5 and SHA1
  • Avoid warning when linking to decorated models
  • Add check for user input in session keys
  • Fix chained assignment
  • Treat a.try(&:b) like a.b()
  • Consider j/escape_javascript safe inside HAML JavaScript blocks
  • Better HAML processing of find_and_preserve calls
  • Add more Arel methods to be ignored in SQL
  • Fix absolute paths for Windows (Cody Frederick)
  • Support newer terminal-table releases
  • Allow searching call index methods by regex (Alex Ianus)

3.1.0 - 2015-08-31

  • Add support for gems.rb/gems.locked
  • Update render path information in JSON reports
  • Remove renaming of several Sexp nodes
  • Convert YAML config keys to symbols (Karl Glaser)
  • Use railties version if rails gem is missing (Lucas Mazza)
  • Warn about unverified SSL mode in Net::HTTP.start
  • Add Model, Controller, Template, Config classes internally
  • Report file being parsed in debug output
  • Update dependencies to Ruby 1.8 incompatible versions
  • Treat and as arrays/hashes
  • Fix handling of string concatenation with existing string
  • Treat html_safe like raw()
  • Fix low confidence XSS warning code
  • Avoid warning on path creation methods in link_to
  • Expand safe methods to match methods with targets
  • Avoid duplicate eval() warnings

3.0.5 - 2015-06-20

  • Fix check for CVE-2015-3227

3.0.4 - 2015-06-18

  • Add check for CVE-2015-3226 (XSS via JSON keys)
  • Add check for CVE-2015-3227 (XML DoS)
  • Treat <%== as unescaped output
  • Update ruby_parser dependency to 3.7.0

3.0.3 - 2015-04-20

  • Ignore more Arel methods in SQL
  • Warn about protect_from_forgery without exceptions (Neil Matatall)
  • Handle lambdas as filters
  • Ignore quoted_table_name in SQL (Gabriel Sobrinho)
  • Warn about RCE and file access with open
  • Handle array include? guard conditionals
  • Do not ignore targets of to_s in SQL
  • Add Rake task to exit with error code on warnings (masarakki)

3.0.2 - 2015-03-09

  • Alias process methods called in class scope on models
  • Treat primary_key, table_name_prefix, table_name_suffix as safe in SQL
  • Fix using --compare and --add-checks-path together
  • Avoid warning about mass assignment with string literals
  • Only report original regex DoS locations
  • Improve render path information implementation
  • Report correct file for simple_format usage CVE warning
  • Remove URI.escape from HTML reports with GitHub repos
  • Update ruby_parser to ~> 3.6.2
  • Remove formatting newlines in HAML template output
  • Ignore case value in XSS checks
  • Fix CSV output when there are no warnings
  • Handle processing of explicitly shadowed block arguments

3.0.1 - 2015-01-23

  • Avoid protect_from_forgery warning unless ApplicationController inherits from ActionController::Base
  • Properly format command interpolation (again)
  • Remove Slim dependency (Casey West)
  • Allow for controllers/models/templates in directories under app/ (Neal Harris)
  • Add --add-libs-path for additional libraries (Patrick Toomey)
  • Properly process libraries (Patrick Toomey)

3.0.0 - 2015-01-03

  • Add check for CVE-2014-7829
  • Add check for cross-site scripting via inline renders
  • Fix formatting of command interpolation
  • Local variables are no longer formatted as (local var)
  • Actually skip skipped before filters
  • --exit-on-warn --compare only returns error code on new warnings (Jeff Yip)
  • Fix parsing of <%== in ERB
  • Sort warnings by fingerprint in JSON report (Jeff Yip)
  • Handle symmetric multiple assignment
  • Do not branch for self attribute assignment x = x.y
  • Fix CVE for CVE-2011-2932
  • Remove "fake filters" from warning fingerpints
  • Index calls in lib/ files
  • Move Symbol DoS to optional checks
  • CVEs report correct line and file name (Gemfile/Gemfile.lock) (Rob Fletcher)
  • Change --separate-models to be the default

2.6.3 - 2014-10-14

  • Whitelist exists arel method from SQL injection check
  • Avoid warning about Symbol DoS on safe parameters as method targets
  • Fix stack overflow in ProcessHelper#class_name
  • Add optional check for unscoped find queries (Ben Toews)
  • Add framework for optional checks
  • Fix stack overflow for cycles in class ancestors (Jeff Rafter)

2.6.2 - 2014-08-18

  • Add check for CVE-2014-3415
  • Avoid warning about symbolizing safe parameters
  • Update ruby2ruby dependency to 2.1.1
  • Expand app path in one place instead of all over (Jeff Rafter)
  • Add --add-checks-path option for external checks (Clint Gibler)
  • Fix SQL injection detection in deep nested string building
  • Add -4 option to force Rails 4 mode
  • Check entire call for send
  • Check for .gitignore of secrets in subdirectories
  • Fix block statement endings in Erubis
  • Fix undefined variable in controller processing error (Jason Barnabe)

2.6.1 - 2014-07-02

  • Add check for CVE-2014-3482 and CVE-2014-3483
  • Add support for keyword arguments in blocks
  • Remove unused warning codes (Bill Fischer)

2.6.0 - 2014-06-06

  • Fix detection of :host setting in redirects with chained calls
  • Add check for CVE-2014-0130
  • Add find_by/find_by! to SQLi check for Rails 4
  • Parse most files upfront instead of on demand
  • Do not branch values for +=
  • Update to use RubyParser 3.5.0 (Patrick Toomey)
  • Improve default route detection in Rails 3/4 (Jeff Jarmoc)
  • Handle controllers and models split across files (Patrick Toomey)
  • Fix handling of protected_attributes gem in Rails 4 (Geoffrey Hichborn)
  • Ignore more model methods in redirects
  • Fix CheckRender with nested render calls

2.5.0 - 2014-04-30

  • Add support for RailsLTS and
  • Add support for Rails 4 before_actions and friends
  • Move SQLi CVE checks to CheckSQLCVEs
  • Check for protected_attributes gem
  • Fix SQLi detection in chain calls in scopes
  • Add GitHub-flavored Markdown output format (Greg Ose)
  • Fix false positives when sanitize() is used in SQL (Jeff Yip)
  • Add String#intern and Hash#symbolize_keys DoS check (Jan Rusnacko)
  • Check all arguments in for SQLi
  • Fix false positive when :host is specified in redirect
  • Handle more non-literals in routes
  • Add check for regex denial of service (Ben Toews)

2.4.3 - 2014-03-23

No changes. 2.4.2 gem release was unsigned, 2.4.3 is signed.

2.4.2 - 2014-03-21

  • Remove rescue Exception
  • Fix duplicate warnings about sanitize CVE
  • Reuse duplicate call location information
  • Only track original template output locations
  • Skip identically rendered templates
  • Fix HAML template processing

2.4.1 - 2014-02-19

  • Add check for CVE-2014-0082
  • Add check for CVE-2014-0081, replaces CVE-2013-6415
  • Add check for CVE-2014-0080

2.4.0 - 2014-02-05

  • Detect Rails LTS versions
  • Reduce false positives for SQL injection in string building
  • More accurate user input marking for SQL injection warnings
  • Detect SQL injection in delete_all/destroy_all
  • Detect SQL injection raw SQL queries using connection
  • Parse exact versions from Gemfile.lock for all gems
  • Ignore generators
  • Update to RubyParser 3.4.0
  • Fix false positives when SQL methods are not called on AR models (Aaron Bedra)
  • Add check for uses of OpenSSL::SSL::VERIFY_NONE (Aaron Bedra)
  • No longer raise exceptions if a class name cannot be determined
  • Fingerprint attribute warnings individually (Case Taintor)

2.3.1 - 2013-12-13

  • Fix check for CVE-2013-4491 (i18n XSS) to detect workaround
  • Fix link for CVE-2013-6415 (number_to_currency)

2.3.0 - 2013-12-12

  • Add check for Parameters#permit!
  • Add check for CVE-2013-4491 (i18n XSS)
  • Add check for CVE-2013-6414 (header DoS)
  • Add check for CVE-2013-6415 (number_to_currency)
  • Add check for CVE-2013-6416 (simple_format XSS)
  • Add check for CVE-2013-6417 (query generation)
  • Fix typos in reflection and translate bug messages
  • Collapse send/try calls
  • Fix Slim XSS false positives (Noah Davis)
  • Whitelist Model#create for redirects
  • Fix scoping issues with instance variables and blocks

2.2.0 - 2013-10-28

  • Reduce command injection false positives
  • Use Rails version from Gemfile if it is available
  • Only add routes with actual names
  • Ignore redirects to models using friendly_id (AJ Ostrow)
  • Support scanning Rails engines (Geoffrey Hichborn)
  • Add check for detailed exceptions in production

2.1.2 - 2013-09-18

  • Do not attempt to load custom Haml filters
  • Do not warn about to_json XSS in Rails 4
  • Add --table-width option to set width of text reports (ssendev)
  • Remove fuzzy matching on dangerous attr_accessible values

2.1.1 - 2013-08-21

  • New warning code for dangerous attributes in attr_accessible
  • Do not warn on attr_accessible using roles
  • More accurate results for model attribute warnings
  • Use exit code zero with -z if all warnings ignored
  • Respect ignored warnings in rescans
  • Ignore dynamic controller names in routes
  • Fix infinite loop when run as rake task (Matthew Shanley)
  • Respect ignored warnings in tabs format reports

2.1.0 - 2013-07-17

  • Support non-native line endings in Gemfile.lock (Paul Deardorff)
  • Support for ignoring warnings
  • Check for dangerous model attributes defined in attr_accessible (Paul Deardorff)
  • Update to ruby_parser 3.2.2
  • Add brakeman-min gemspec
  • Load gem dependencies on-demand
  • Output JSON diff to file if -o option is used
  • Add check for authenticate_or_request_with_http_basic
  • Refactor of SQL injection check code (Bart ten Brinke)
  • Fix detection of duplicate XSS warnings
  • Refactor reports into separate classes
  • Allow use of Slim 2.x (Ian Zabel)
  • Return error exit code when application path is not found
  • Add --branch-limit option, limit to 5 by default
  • Add more methods to check for command injection
  • Fix output format detection to be more strict again
  • Allow empty Brakeman configuration file

2.0.0 - 2013-05-20

  • Add --only-files option to specify files/paths to scan (Ian Ehlert)
  • Add Marshal/CSV deserialization check
  • Combine deserialization checks into single check
  • Avoid duplicate "Dangerous Send" and "Unsafe Reflection" warnings
  • Avoid duplicate results for Symbol DoS check
  • Medium confidence for mass assignment to attr_protected models
  • Remove "timestamp" key from JSON reports
  • Remove deprecated config file locations
  • Relative paths are used by default in JSON reports
  • --absolute-paths replaces --relative-paths
  • Only treat classes with names containing Controller like controllers
  • Better handling of classes nested inside controllers
  • Better handling of controller classes nested in classes/modules
  • Handle -> lambdas with no arguments
  • Handle explicit block argument destructuring
  • Skip Rails config options that are real objects
  • Detect Rails 3 JSON escape config option
  • Much better tracking of warning file names
  • Fix errors when using --separate-models (Noah Davis)
  • Fix fingerprint generation to actually use the file path
  • Fix text report console output in JRuby
  • Fix false positives on Model#id
  • Fix false positives on params.to_json
  • Fix model path guesses to use "models/" instead of "controllers/"
  • Clean up SQL CVE warning messages
  • Use exceptions instead of abort in brakeman lib
  • Update to Ruby2Ruby 2.0.5

1.9.5 - 2013-04-05

  • Add check for unsafe symbol creation
  • Do not warn on mass assignment with slice/only
  • Do not warn on session secret if in .gitignore
  • Fix scoping for blocks and block arguments
  • Fix error when modifying blocks in templates
  • Fix session secret check for Rails 4
  • Fix crash on before_filter outside controller
  • Fix Sexp hash cache invalidation
  • Respect quiet option in configuration file
  • Convert assignment to simple if expressions to or
  • More fixes for assignments inside branches
  • Pin to ruby2ruby version 2.0.3

1.9.4 - 2013-03-19

  • Add check for CVE-2013-1854
  • Add check for CVE-2013-1855
  • Add check for CVE-2013-1856
  • Add check for CVE-2013-1857
  • Fix --compare to work with older versions
  • Add "no-referrer' to HTML report links
  • Don't warn when invoking send on user input
  • Slightly faster cloning of Sexps
  • Detect another way to add strong_parameters

1.9.3 - 2013-03-01

  • Add render path to JSON report
  • Add warning fingerprints
  • Add check for unsafe reflection (Gabriel Quadros)
  • Add check for skipping authentication methods with blacklist
  • Add support for Slim templates
  • Remove empty tables from reports (Owen Ben Davies)
  • Handle prepend/append_before_filter
  • Performance improvements when handling branches
  • Fix processing of production.rb
  • Fix version check for Ruby 2.0
  • Expand HAML dependency to include 4.0
  • Scroll errors into view when expanding in HTML report

1.9.2 - 2013-02-14

  • Add check for CVE-2013-0269
  • Add check for CVE-2013-0276
  • Add check for CVE-2013-0277
  • Add check for CVE-2013-0333
  • Check for more send-like methods
  • Check for more SQL injection locations
  • Check for more dangerous YAML methods
  • Support MultiJSON 1.2 for Rails 3.0 and 3.1

1.9.1 - 2013-01-19

  • Update to RubyParser 3.1.1 (neersighted)
  • Remove ActiveSupport dependency (Neil Matatall)
  • Do not warn on arrays passed to link_to (Neil Matatall)
  • Warn on secret tokens
  • Warn on more mass assignment methods
  • Add check for CVE-2012-5664
  • Add check for CVE-2013-0155
  • Add check for CVE-2013-0156
  • Add check for unsafe YAML.load

1.9.0 - 2012-12-25

  • Update to RubyParser 3
  • Ignore route information by default
  • Support strong_parameters
  • Support newer validates :format call
  • Add scan time to reports
  • Add Brakeman version to reports
  • Fix CheckExecute to warn on all string interpolation
  • Fix false positive on to_sql calls
  • Don't mangle whitespace in JSON code formatting
  • Add AppTree as facade for filesystem (brynary)
  • Add link for translate vulnerability warning (grosser)
  • Rename LICENSE to MIT-LICENSE, remove from README (grosser)
  • Add Rakefile to run tests (grosser)
  • Better default config file locations (grosser)
  • Reduce Sexp creation
  • Handle empty model files
  • Remove "find by regex" feature from CallIndex

1.8.3 - 2012-11-13

  • Use multi_json gem for better harmony
  • Performance improvement for call indexing
  • Fix issue with processing HAML files
  • Handle pre-release versions when processing Gemfile.lock
  • Only check first argument of redirect_to
  • Fix false positives from Model.arel_table accesses
  • Fix false positives on redirects to models decorated with Draper gem
  • Fix false positive on redirect to model association
  • Fix false positive on YAML.load
  • Fix false positive XSS on any to_i output
  • Fix error on Rails 2 name routes with no args
  • Fix error in rescan of mixins with symbols in method name
  • Do not rescan non-Ruby files in config/

1.8.2 - 2012-10-17

  • Fixed rescanning problems caused by 1.8.0 changes
  • Fix scope calls with single argument
  • Report specific model name in rendered collections
  • Handle overwritten JSON escape settings
  • Much improved test coverage
  • Add CHANGES to gemspec

1.8.1 - 2012-09-24

  • Recover from errors in output formatting
  • Fix false positive in redirect_to (Neil Matatall)
  • Fix problems with removal of Sexp#method_missing
  • Fix array indexing in alias processing
  • Fix old mail_to vulnerability check
  • Fix rescans when only controller action changes
  • Allow comparison of versions with unequal lengths
  • Handle super calls with blocks
  • Respect -q flag for "Rails 3 detected" message

1.8.0 - 2012-09-05

  • Support relative paths in reports (fsword)
  • Allow Brakeman to be run without tty (fsword)
  • Fix exit code with --compare (fsword)
  • Fix --rake option (Deepak Kumar)
  • Add high confidence warnings for to_json XSS (Neil Matatall)
  • Fix redirect_to false negative
  • Fix duplicate warnings with raw calls
  • Fix shadowing of rendered partials
  • Add "render chain" to HTML reports
  • Add check for XSS in content_tag
  • Add full backtrace for errors in debug mode
  • Treat model attributes in or expressions as immediate values
  • Switch to method access for Sexp nodes

1.7.1 - 2012-08-13

  • Add check for CVE-2012-3463
  • Add check for CVE-2012-3464
  • Add check for CVE-2012-3465
  • Add charset to HTML report (hooopo)
  • Report XSS in select() for Rails 2

1.7.0 - 2012-07-31

  • Add check for CVE-2012-3424
  • Link report types to descriptions on website
  • Report errors raised while running check
  • Improve processing of Rails 3 routes
  • Fix "empty char-class" error
  • Improve file access check
  • Avoid warning on non-ActiveModel models
  • Speed improvements by stripping down SexpProcessor
  • Fix how params[:x] ||= is handled
  • Treat user input in or expressions as immediate values
  • Fix processing of negative array indexes
  • Add line breaks to truncated table rows

1.6.2 - 2012-06-13

  • Add checks for CVE-2012-2660, CVE-2012-2661, CVE-2012-2694, CVE-2012-2695 (Dave Worth)
  • Avoid warning when redirecting to a model instance
  • Add request.parameters as a parameters hash
  • Raise confidence level for model attributes in redirects
  • Return non-zero exit code when missing dependencies
  • Fix before_filter :except logic
  • Only accept symbol literals as before_filter names
  • Cache before_filter lookups
  • Turn off quiet mode by default for --compare

1.6.1 - 2012-05-23

  • Major rewrite of CheckSQL
  • Fix rescanning of deleted templates
  • Process actions mixed into controllers
  • Handle render :template => ...
  • Check for inherited attr_accessible (Neil Matatall)
  • Fix highlighting of HTML escaped values in HTML report
  • Report line number of highlighted value, if available

1.6.0 - 2012-04-20

  • Remove the Ruport dependency (Neil Matatall)
  • Add more informational JSON output (Neil Matatall)
  • Add comparison to previous JSON report (Neil Matatall)
  • Add highlighting of dangerous values in HTML/text reports
  • Model#update_attribute should not raise mass assignment warning (Dave Worth)
  • Don't check find_by_* method for SQL injection
  • Fix duplicate reporting of mass assignment and SQL injection
  • Fix rescanning of deleted files
  • Properly check for rails_xss in Gemfile

1.5.3 - 2012-04-10

  • Add check for user input in Object#send (Neil Matatall)
  • Handle render :layout in views
  • Support output to multiple formats (Nick Green)
  • Prevent infinite loops in mutually recursive templates
  • Only check eval arguments for user input, not targets
  • Search subdirectories for models
  • Set values in request hashes and propagate to views
  • Add rake task file to gemspec (Anton Ageev)
  • Filter rescanning of templates (Neil Matatall)
  • Improve handling of modules and nesting
  • Test for zero errors in test reports

1.5.2 - 2012-03-22

  • Fix link_to checks for Rails 2.0 and 2.3
  • Fix rescanning of lib files (Neil Matatall)
  • Output stack trace on interrupt when debugging
  • Ignore user input in if statement conditions
  • Fix --skip-files option
  • Only warn on user input in render paths
  • Fix handling of views when using rails_xss
  • Revert to ruby_parser 2.3.1 for Ruby 1.8 parsing

1.5.1- 2012-03-06

  • Fix detection of global mass assignment setting
  • Fix partial rendering in Rails 3
  • Show backtrace when interrupt received (Ruby 1.9 only)
  • More debug output
  • Remove duplicate method in Brakeman::Rails2XSSErubis
  • Add tracking of module and class to Brakeman::BaseProcessor
  • Report module when using Brakeman::FindCall

1.5.0 - 2012-03-02

  • Add version check for SafeBuffer vulnerability
  • Add check for select vulnerability in Rails 3
  • select() is no longer considered safe in Rails 2
  • Add check for skipping CSRF protection with a blacklist
  • Add JSON report format
  • Model#id should not be considered XSS
  • Standardize methods to check for SQL injection
  • Fix Rails 2 route parsing issue with nested routes

1.4.0 - 2012-02-24

  • Add check for user input in link_to href parameter
  • Match ERB processing to rails_xss plugin when plugin used
  • Add Brakeman::Report#to_json, Brakeman::Warning#to_json
  • Warnings below minimum confidence are dropped completely
  • always returns a Tracker

1.3.0 - 2012-02-09

  • Add file paths to HTML report
  • Add caching of filters
  • Add --skip-files option
  • Add support for attr_protected
  • Add detection of request.env as user input
  • Descriptions of checks in -k output
  • Improved processing of named scopes
  • Check for mass assignment in ActiveRecord::Associations::AssociationCollection#build
  • Better variable substitution
  • Table output option for rescan reports

1.2.2 - 2012-01-26

  • --no-progress works again
  • Make CheckLinkTo a separate check
  • Don't fail on unknown options to resource(s)
  • Handle empty resource(s) blocks
  • Add RescanReport#existing_warnings

1.2.1 - 2012-01-20

  • Remove link_to warning for Rails 3.x or when using rails_xss
  • Don't warn if first argument to link_to is escaped
  • Detect usage of attr_accessible with no arguments
  • Fix error when rendering a partial from a view but not through a controller
  • Fix some issues with rails_xss, CheckCrossSiteScripting, and CheckTranslateBug
  • Simplify Brakeman Rake task
  • Avoid modifying $VERBOSE
  • Add Brakeman::RescanReport#to_s
  • Add Brakeman::Warning#to_s

1.2.0 - 2012-01-14

  • Speed improvements for CheckExecute and CheckRender
  • Check named_scope() and scope() for SQL injection
  • Add --rake option to create rake task to run Brakeman
  • Add experimental support for rescanning a subset of files
  • Add --summary option to only output summary
  • Fix a problem with Rails 3 routes

1.1.0 - 2011-12-22

  • Relax required versions for dependencies
  • Performance improvements for source processing
  • Better progress reporting
  • Handle basic operators like << + - * /
  • Rescue more errors to prevent complete crashes
  • Compatibility with newer Haml versions
  • Fix some warnings

1.0.0 - 2011-12-08

  • Better handling of assignments inside ifs
  • Check more expressions for SQL injection
  • Use latest ruby_parser for better 1.9 syntax support
  • Better behavior for Brakeman as a library

1.0.0rc1 - 2011-12-06

  • Brakeman can now be used as a library
  • Faster call search
  • Add option to return error code if warnings are found (tw-ngreen)
  • Allow truncated messages to be expanded in HTML
  • Fix summary when using warning thresholds
  • Better support for Rails 3 routes
  • Reduce SQL injection duplicate warnings
  • Lower confidence on mass assignment with no user input
  • Ignore mass assignment using all literal arguments
  • Keep expanded context in view with HTML output

0.9.2 - 2011-11-22

  • Fix Rails 3 configuration parsing
  • Add t() helper to check for translate XSS bug

0.9.1 - 2011-11-18

  • Add warning for translator helper XSS vulnerability

0.9.0 - 2011-11-17

  • Process Rails 3 configuration files
  • Fix CSV output
  • Check for config.active_record.whitelist_attributes = true
  • Always produce a warning for without_protection => true

0.8.4 - 2011-11-04

  • Option for separate attr_accessible warnings
  • Option to set CSS file for HTML output
  • Add file names for version-specific warnings
  • Add line number for default routes in a controller
  • Fix hash_insert()
  • Remove use of Queue from threaded checks

0.8.3 - 2011-10-25

  • Respect -w flag in .tabs format (tw-ngreen)
  • Escape HTML output of error messages
  • Add --skip-libs option

0.8.2 - 2011-10-01

  • Run checks in parallel threads by default
  • Fix compatibility with ruby_parser 2.3.1

0.8.1 - 2011-09-28

  • Add option to assume all controller methods are actions
  • Recover from errors when parsing routes

0.8.0 - 2011-09-15

  • Add check for mass assignment using without_protection
  • Add check for password in http_basic_authenticate_with
  • Warn on user input in hash argument with mass assignment
  • auto_link is now considered safe for Rails >= 3.0.6
  • Output detected Rails version in report
  • Keep track of methods called in class definition
  • Add ruby_parser hack for Ruby 1.9 hash syntax
  • Add a few Rails 3.1 tests

0.7.2 - 2011-08-27

  • Fix handling of params and cookies with nested access
  • Add CVEs for checks added in 0.7.0

0.7.1 - 2011-08-18

  • Require BaseProcessor for GemProcessor

0.7.0 - 2011-08-17

  • Allow local variable as a class name
  • Add checks for vulnerabilities fixed in Rails 2.3.14 and 3.0.10
  • Check for default routes in Rails 3 apps
  • Look in Gemfile or Gemfile.lock for Rails version

0.6.1 - 2011-07-29

  • Fix XSS check for cookies as parameters in output
  • Don't bother calling super in CheckSessionSettings
  • Add escape_once as a safe method
  • Accept '\Z' or '\z' in model validations

0.6.0 - 2011-07-20

  • Tests are in place and fully functional
  • Hide errors by default in HTML output
  • Warn if routes.rb cannot be found
  • Narrow methods assumed to be file access
  • Increase confidence for methods known to not escape output
  • Fixes to output processing for Erubis
  • Fixes for Rails 3 XSS checks
  • Fixes to line numbers with Erubis
  • Fixes to escaped output scanning
  • Update CSRF CVE-2011-0447 message to be less assertive

0.5.2 - 2011-06-29

  • Output report file name when finished
  • Add initial tests for Rails 2.x
  • Fix ERB line numbers when using Ruby 1.9

0.5.1 - 2011-06-17

  • Fix issue with 'has_one' => in routes

0.5.0 - 2011-06-08

  • Add support for routes like get 'x/y', :to => 'ctrlr#whatever'
  • Allow empty blocks in Rails 3 routes
  • Check initializer for session settings
  • Add line numbers to session setting warnings
  • Add --checks option to list checks

0.4.1 - 2011-05-23

  • Fix reported line numbers when using new Erubis parser (Mostly affects Rails 3 apps)

0.4.0 - 2011-05-19

  • Handle Rails XSS protection properly
  • More detection options for rails_xss
  • Add --escape-html option

0.3.2 - 2011-05-12

  • Autodetect Rails 3 applications
  • Turn on auto-escaping for Rails 3 apps
  • Check Model.create() for mass assignment

0.3.1 - 2011-05-03

  • Always output a line number in tabbed output format
  • Restrict characters in category name in tabbed output format to word characters and spaces, for Hudson/Jenkins plugin

0.3.0 - 2011-03-21

  • Check for SQL injection in calls using constantize()
  • Check for SQL injection in calls to count_by_sql()

0.2.2 - 2011-02-22

  • Fix version_between? when no Rails version is specified

0.2.1 - 2011-02-18

  • Add code snippet to tab output messages

0.2.0 - 2011-02-16

  • Add check for mail_to vulnerability - CVE-2011-0446
  • Add check for CSRF weakness - CVE-2011-0447

0.1.1 - 2011-01-25

  • Be more permissive with ActiveSupport version

0.1.0 - 2011-01-18

  • Check link_to for XSS (because arguments are not escaped)
  • Process layouts better (although not perfectly yet)
  • Load custom Haml filters if they are in lib/
  • Tab separated output via .tabs output extension
  • Switch to normal versioning scheme