Skip to content

@presidentbeef presidentbeef released this Oct 29, 2019 · 5 commits to master since this release

  • Sort text report by file and line (Jacob Evelyn)
  • Catch reverse tabnabbing with :_blank symbol (Jacob Evelyn)
  • Convert s(:lambda) to s(:call) in Sexp#block_call (#1410)
  • Check string length against limit before joining
  • Fix flaky rails4 test (Adam Kiczula)
  • Fix errors from frozen Symbol#to_s in Ruby 2.7
  • Add release dates to each version in CHANGES (TheSpartan1980)
Assets 2

@presidentbeef presidentbeef released this Oct 17, 2019 · 21 commits to master since this release

Assets 2

@presidentbeef presidentbeef released this Jul 24, 2019 · 49 commits to master since this release

Assets 2

@presidentbeef presidentbeef released this Jul 24, 2019 · 53 commits to master since this release

  • Add check for cookie serialization with Marshal (#1316)
  • Add reverse tabnabbing check (Linos Giannopoulos)
  • Avoid warning about file access with ActiveStorage::Filename#sanitized (Tejas Bubane)
  • Update loofah version for fixing CVE-2018-8048 (Markus Nölle)
  • Warn people that Haml 5 is not fully supported (Jared Beck)
  • Index calls in initializers
  • Improve template output handling in conditional branches
  • Avoid assigning nil line numbers to Sexps
  • Add special warning code for custom checks
  • Add call matching by regular expression
  • Skip calls to dup (#1374)
  • Restore Warning#relative_path
  • Better handling of gems with no version declared
Assets 2

@presidentbeef presidentbeef released this May 11, 2019 · 109 commits to master since this release

  • Add initial Rails 6 support
  • Add optional check for config.force_ssl (#1181)
  • Add deserialization warning for Oj.load/object_load
  • Add SQL injection checks for destroy_by/delete_by
  • Add SQL injection checks for find_or_create_by and friends
  • Check link_to with block for href XSS (#1339)
  • Convert !! calls to boolean value (#1343)
  • Use relative paths for __FILE__
  • Represent file paths internally as Brakeman::FilePath
  • Handle empty partial names
  • Handle trailing comma in block args
  • Remove code for Ruby versions prior to 1.9
Assets 2

@presidentbeef presidentbeef released this Mar 16, 2019 · 157 commits to master since this release

  • Officially drop support for running with older Ruby versions
  • More thoroughly handle Shellwords escaping (#1323)
  • Handle non-integer version number comparisons (#1305)
  • Better handling of splat/kwsplat arguments (#1204)
  • Handle ** inside Hash literals
  • Add support for CoffeeScript in Slim templates
  • Improve support for embedded template "filters"
  • Remove Sass dependency
  • Avoid joining strings with different encodings
  • Improve "user input" reported for SQL injection
  • Stop swallowing exceptions in AliasProcessor
  • Add original exception to Tracker#errors list
  • Use FileParser in Scanner to parse files
  • Set location information in CheckContentTag
  • Update RubyParser to 3.13.0
Assets 2

@presidentbeef presidentbeef released this Jan 17, 2019 · 226 commits to master since this release

  • Add check for CVE-2018-3760
  • Add --enable option to enable optional checks
  • Add Dockerfile to run Brakeman inside Docker (Ryan Kemper)
  • Handle empty secrets.yml files (Naoki Kimura)
  • Ignore Tempfiles in FileAccess warnings (Christina Koller)
  • Avoid warning about command injection when String#shellescape and Shellwords.shelljoin are used (George Ogata)
  • Treat if not like unless (#1225)
  • Fix Rails 4 configuration handling
  • Set default encoding to UTF-8
  • Support reading gem versions from gemspecs
  • Support gem versions which are just major.minor (e.g. 3.0)
  • Correctly set rel="noreferrer" in HTML reports
  • Fix thread-safety issue in CallIndex
  • Fix trim mode for ERb templates in old Rails versions
  • Avoid nil errors when concatenating arrays
  • Add rendered template information to render paths
  • Trim some unnecessary files from bundled gems
  • Deadcode and typo fixes found via Coverity
  • Complete overhaul of warning message construction
  • Update to Slim 4.0.1 (Jake Peterson)
  • Update to RubyParser 3.12.0
  • Updated license
Assets 2

@presidentbeef presidentbeef released this Jun 7, 2018 · 326 commits to master since this release

  • Add :BRAKEMAN_SAFE_LITERAL to represent known-safe literals
  • Handle Array#map and Array#each over literal arrays (#1208 / #1224)
  • Use safe literal when accessing literal hash with unknown key (#1213)
  • Allow symbolize_keys to be called on params in SQL (Jacob Evelyn)
  • Improve handling of conditionals in shell commands (Jacob Evelyn)
  • Avoid deprecated use of ERB in Ruby 2.6 (Koichi ITO)
  • Ignore Object#freeze, use the target instead (#1211)
  • Ignore foreign_key calls in SQL (#1202)
  • Handle included calls outside of classes/modules (#1209)
  • Fix error when setting line number in implicit renders (#1210)
Assets 2

@presidentbeef presidentbeef released this May 11, 2018 · 359 commits to master since this release

  • Add --parser-timeout option
  • Improve timeout error messages
  • Check exec-type calls even if they are targets (#1199)
  • Index Kernel#` calls even if they are targets (#1183)
  • BaseCheck#include_interp? should return first string interpolation (#1189)
  • Ignore Process.pid in system calls
  • Warn about dangerous link_to href with sanitize() (#1187)
  • Ignore params#to_h and params#to_hash in SQL checks (#1180)
  • Convert Array#join to string interpolation (#1179)
  • Change "".freeze to just "" (#1182)
  • --color can be used to force color output (#1175)
  • Track parent calls in call index
  • Fix reported line numbers for CVE-2018-3741 and CVE-2018-8048
  • Code Climate: omit leading dot from only_files (Todd Mazierski)
Assets 2

@presidentbeef presidentbeef released this Mar 24, 2018 · 401 commits to master since this release

Assets 2
You can’t perform that action at this time.