Releases: presidentbeef/brakeman
1.7.1
- Add check for CVE-2012-3463
- Add check for CVE-2012-3464
- Add check for CVE-2012-3465
- Add charset to HTML report (hooopo)
- Report XSS in select() for Rails 2
1.7.0
- Add check for CVE-2012-3424
- Link report types to descriptions on website
- Report errors raised while running check
- Improve processing of Rails 3 routes
- Fix "empty char-class" error
- Improve file access check
- Avoid warning on non-ActiveModel models
- Speed improvements by stripping down SexpProcessor
- Fix how `params[:x] ||=` is handled
- Treat user input in `or` expressions as immediate values
- Fix processing of negative array indexes
- Add line breaks to truncated table rows
1.6.2
- Add checks for CVE-2012-2660, CVE-2012-2661, CVE-2012-2694, CVE-2012-2695 (Dave Worth)
- Avoid warning when redirecting to a model instance
- Add `request.parameters` as a parameters hash
- Raise confidence level for model attributes in redirects
- Return non-zero exit code when missing dependencies
- Fix `before_filter :except` logic
- Only accept symbol literals as before_filter names
- Cache before_filter lookups
- Turn off quiet mode by default for `--compare`
1.6.1
- Major rewrite of CheckSQL
- Fix rescanning of deleted templates
- Process actions mixed into controllers
- Handle `render :template => ...`
- Check for inherited attr_accessible (Neil Matatall)
- Fix highlighting of HTML escaped values in HTML report
- Report line number of highlighted value, if available
1.6.0
- Remove the Ruport dependency (Neil Matatall)
- Add more informational JSON output (Neil Matatall)
- Add comparison to previous JSON report (Neil Matatall)
- Add highlighting of dangerous values in HTML/text reports
- Model#update_attribute should not raise mass assignment warning (Dave Worth)
- Don't check `find_by_*` methods for SQL injection
- Fix duplicate reporting of mass assignment and SQL injection
- Fix rescanning of deleted files
- Properly check for rails_xss in Gemfile
1.5.3
- Add check for user input in Object#send (Neil Matatall)
- Handle render :layout in views
- Support output to multiple formats (Nick Green)
- Prevent infinite loops in mutually recursive templates
- Only check eval arguments for user input, not targets
- Search subdirectories for models
- Set values in request hashes and propagate to views
- Add rake task file to gemspec (Anton Ageev)
- Filter rescanning of templates (Neil Matatall)
- Improve handling of modules and nesting
- Test for zero errors in test reports
1.5.2
- Fix link_to checks for Rails 2.0 and 2.3
- Fix rescanning of lib files (Neil Matatall)
- Output stack trace on interrupt when debugging
- Ignore user input in if statement conditions
- Fix --skip-files option
- Only warn on user input in render paths
- Fix handling of views when using rails_xss
- Revert to ruby_parser 2.3.1 for Ruby 1.8 parsing
1.5.1
- Fix detection of global mass assignment setting
- Fix partial rendering in Rails 3
- Show backtrace when interrupt received (Ruby 1.9 only)
- More debug output
- Remove duplicate method in Brakeman::Rails2XSSErubis
- Add tracking of module and class to Brakeman::BaseProcessor
- Report module when using Brakeman::FindCall
1.5.0
- Add version check for SafeBuffer vulnerability
- Add check for select vulnerability in Rails 3
- select() is no longer considered safe in Rails 2
- Add check for skipping CSRF protection with a blacklist
- Add JSON report format
- Model#id should not be considered XSS
- Standardize methods to check for SQL injection
- Fix Rails 2 route parsing issue with nested routes
1.4.0
- Add check for user input in link_to href parameter
- Match ERB processing to rails_xss plugin when plugin used
- Add Brakeman::Report#to_json, Brakeman::Warning#to_json
- Warnings below minimum confidence are dropped completely
- Brakeman.run always returns a Tracker