Changelog History

  • v1.8.1 Changes

    September 24, 2012
    • Recover from errors in output formatting
    • Fix false positive in redirect_to (Neil Matatall)
    • Fix problems with removal of Sexp#method_missing
    • Fix array indexing in alias processing
    • Fix old mail_to vulnerability check
    • Fix rescans when only controller action changes
    • Allow comparison of versions with unequal lengths
    • Handle super calls with blocks
    • Respect -q flag for "Rails 3 detected" message
  • v1.8.0 Changes

    September 05, 2012
    • Support relative paths in reports (fsword)
    • Allow Brakeman to be run without tty (fsword)
    • Fix exit code with --compare (fsword)
    • Fix --rake option (Deepak Kumar)
    • Add high confidence warnings for to_json XSS (Neil Matatall)
    • Fix redirect_to false negative
    • Fix duplicate warnings with raw calls
    • Fix shadowing of rendered partials
    • Add "render chain" to HTML reports
    • Add check for XSS in content_tag
    • Add full backtrace for errors in debug mode
    • Treat model attributes in or expressions as immediate values
    • Switch to method access for Sexp nodes
  • v1.7.1 Changes

    August 13, 2012
    • Add check for CVE-2012-3463
    • Add check for CVE-2012-3464
    • Add check for CVE-2012-3465
    • Add charset to HTML report (hooopo)
    • Report XSS in select() for Rails 2
  • v1.7.0 Changes

    July 31, 2012
    • Add check for CVE-2012-3424
    • Link report types to descriptions on website
    • Report errors raised while running check
    • Improve processing of Rails 3 routes
    • Fix "empty char-class" error
    • Improve file access check
    • Avoid warning on non-ActiveModel models
    • Speed improvements by stripping down SexpProcessor
    • Fix how params[:x] ||= is handled
    • Treat user input in or expressions as immediate values
    • Fix processing of negative array indexes
    • Add line breaks to truncated table rows
  • v1.6.2 Changes

    June 13, 2012
    • Add checks for CVE-2012-2660, CVE-2012-2661, CVE-2012-2694, CVE-2012-2695 (Dave Worth)
    • Avoid warning when redirecting to a model instance
    • Add request.parameters as a parameters hash
    • Raise confidence level for model attributes in redirects
    • Return non-zero exit code when missing dependencies
    • Fix before_filter :except logic
    • Only accept symbol literals as before_filter names
    • Cache before_filter lookups
    • Turn off quiet mode by default for --compare
  • v1.6.1 Changes

    May 23, 2012
    • Major rewrite of CheckSQL
    • Fix rescanning of deleted templates
    • Process actions mixed into controllers
    • Handle render :template => ...
    • Check for inherited attr_accessible (Neil Matatall)
    • Fix highlighting of HTML escaped values in HTML report
    • Report line number of highlighted value, if available
  • v1.6.0 Changes

    April 20, 2012
    • Remove the Ruport dependency (Neil Matatall)
    • Add more informational JSON output (Neil Matatall)
    • Add comparison to previous JSON report (Neil Matatall)
    • Add highlighting of dangerous values in HTML/text reports
    • Model#update_attribute should not raise mass assignment warning (Dave Worth)
    • Don't check find_by_* method for SQL injection
    • Fix duplicate reporting of mass assignment and SQL injection
    • Fix rescanning of deleted files
    • Properly check for rails_xss in Gemfile
  • v1.5.3 Changes

    April 10, 2012
    • Add check for user input in Object#send (Neil Matatall)
    • Handle render :layout in views
    • Support output to multiple formats (Nick Green)
    • Prevent infinite loops in mutually recursive templates
    • Only check eval arguments for user input, not targets
    • Search subdirectories for models
    • Set values in request hashes and propagate to views
    • Add rake task file to gemspec (Anton Ageev)
    • Filter rescanning of templates (Neil Matatall)
    • Improve handling of modules and nesting
    • Test for zero errors in test reports
  • v1.5.2 Changes

    March 22, 2012
    • Fix link_to checks for Rails 2.0 and 2.3
    • Fix rescanning of lib files (Neil Matatall)
    • Output stack trace on interrupt when debugging
    • Ignore user input in if statement conditions
    • Fix --skip-files option
    • Only warn on user input in render paths
    • Fix handling of views when using rails_xss
    • Revert to ruby_parser 2.3.1 for Ruby 1.8 parsing
  • v1.5.1 Changes

    March 06, 2012
    • Fix detection of global mass assignment setting
    • Fix partial rendering in Rails 3
    • Show backtrace when interrupt received (Ruby 1.9 only)
    • More debug output
    • Remove duplicate method in Brakeman::Rails2XSSErubis
    • Add tracking of module and class to Brakeman::BaseProcessor
    • Report module when using Brakeman::FindCall