Changelog History

  • v3.0.5 Changes

    June 20, 2015
    • 🛠 Fix check for CVE-2015-3227
  • v3.0.4 Changes

    June 18, 2015
    • ➕ Add check for CVE-2015-3226 (XSS via JSON keys)
    • ➕ Add check for CVE-2015-3227 (XML DoS)
    • Treat <%== as unescaped output
    • ⚡️ Update ruby_parser dependency to 3.7.0
  • v3.0.3 Changes

    April 20, 2015
    • Ignore more Arel methods in SQL
    • Warn about protect_from_forgery without exceptions (Neil Matatall)
    • 🖐 Handle lambdas as filters
    • Ignore quoted_table_name in SQL (Gabriel Sobrinho)
    • Warn about RCE and file access with open
    • 🖐 Handle array include? guard conditionals
    • Do not ignore targets of to_s in SQL
    • ➕ Add Rake task to exit with error code on warnings (masarakki)
  • v3.0.2 Changes

    March 09, 2015
    • Alias process methods called in class scope on models
    • Treat primary_key, table_name_prefix, table_name_suffix as safe in SQL
    • 🛠 Fix using --compare and --add-checks-path together
    • ⚠ Avoid warning about mass assignment with string literals
    • Only report original regex DoS locations
    • 👌 Improve render path information implementation
    • ⚠ Report correct file for simple_format usage CVE warning
    • ✂ Remove URI.escape from HTML reports with GitHub repos
    • ⚡️ Update ruby_parser to ~> 3.6.2
    • ✂ Remove formatting newlines in HAML template output
    • Ignore case value in XSS checks
    • 🛠 Fix CSV output when there are no warnings
    • 🖐 Handle processing of explicitly shadowed block arguments
  • v3.0.1 Changes

    January 23, 2015
    • Avoid protect_from_forgery warning unless ApplicationController inherits from ActionController::Base
    • Properly format command interpolation (again)
    • ✂ Remove Slim dependency (Casey West)
    • 👍 Allow for controllers/models/templates in directories under app/ (Neal Harris)
    • ➕ Add --add-libs-path for additional libraries (Patrick Toomey)
    • Properly process libraries (Patrick Toomey)
  • v3.0.0 Changes

    January 03, 2015
    • ➕ Add check for CVE-2014-7829
    • ➕ Add check for cross-site scripting via inline renders
    • 🛠 Fix formatting of command interpolation
    • Local variables are no longer formatted as (local var)
    • Actually skip skipped before filters
    • --exit-on-warn --compare only returns error code on new warnings (Jeff Yip)
    • 🛠 Fix parsing of <%== in ERB
    • ⚠ Sort warnings by fingerprint in JSON report (Jeff Yip)
    • 🖐 Handle symmetric multiple assignment
    • Do not branch for self attribute assignment x = x.y
    • 🛠 Fix CVE for CVE-2011-2932
    • ✂ Remove "fake filters" from warning fingerprints
    • Index calls in lib/ files
    • 🚚 Move Symbol DoS to optional checks
    • 🔒 CVEs report correct line and file name (Gemfile/Gemfile.lock) (Rob Fletcher)
    • 🔄 Change --separate-models to be the default
  • v2.6.3 Changes

    October 14, 2014
    • Whitelist exists arel method from SQL injection check
    • ⚠ Avoid warning about Symbol DoS on safe parameters as method targets
    • 🛠 Fix stack overflow in ProcessHelper#class_name
    • ➕ Add optional check for unscoped find queries (Ben Toews)
    • ➕ Add framework for optional checks
    • 🛠 Fix stack overflow for cycles in class ancestors (Jeff Rafter)
  • v2.6.2 Changes

    August 18, 2014
    • ➕ Add check for CVE-2014-3415
    • ⚠ Avoid warning about symbolizing safe parameters
    • ⚡️ Update ruby2ruby dependency to 2.1.1
    • Expand app path in one place instead of all over (Jeff Rafter)
    • ➕ Add --add-checks-path option for external checks (Clint Gibler)
    • 🛠 Fix SQL injection detection in deep nested string building
    • ➕ Add -4 option to force Rails 4 mode
    • Check entire call for send
    • Check for .gitignore of secrets in subdirectories
    • 🛠 Fix block statement endings in Erubis
    • 🛠 Fix undefined variable in controller processing error (Jason Barnabe)
  • v2.6.1 Changes

    July 02, 2014
    • ➕ Add check for CVE-2014-3482 and CVE-2014-3483
    • ➕ Add support for keyword arguments in blocks
    • ✂ Remove unused warning codes (Bill Fischer)
  • v2.6.0 Changes

    June 06, 2014
    • 🛠 Fix detection of :host setting in redirects with chained calls
    • ➕ Add check for CVE-2014-0130
    • Add find_by/find_by! to SQLi check for Rails 4
    • 📜 Parse most files upfront instead of on demand
    • Do not branch values for +=
    • ⚡️ Update to use RubyParser 3.5.0 (Patrick Toomey)
    • 👌 Improve default route detection in Rails 3/4 (Jeff Jarmoc)
    • 🖐 Handle controllers and models split across files (Patrick Toomey)
    • 🛠 Fix handling of protected_attributes gem in Rails 4 (Geoffrey Hichborn)
    • Ignore more model methods in redirects
    • 🛠 Fix CheckRender with nested render calls