Changelog History
  • v3.0.5 Changes

    June 20, 2015
    • 🛠 Fix check for CVE-2015-3227
  • v3.0.4 Changes

    June 18, 2015
    • ➕ Add check for CVE-2015-3226 (XSS via JSON keys)
    • ➕ Add check for CVE-2015-3227 (XML DoS)
    • Treat <%== as unescaped output
    • ⚡️ Update ruby_parser dependency to 3.7.0
  • v3.0.3 Changes

    April 20, 2015
    • Ignore more Arel methods in SQL
    • Warn about protect_from_forgery without exceptions (Neil Matatall)
    • 🖐 Handle lambdas as filters
    • Ignore quoted_table_name in SQL (Gabriel Sobrinho)
    • Warn about RCE and file access with open
    • 🖐 Handle array include? guard conditionals
    • Do not ignore targets of to_s in SQL
    • ➕ Add Rake task to exit with error code on warnings (masarakki)
  • v3.0.2 Changes

    March 09, 2015
    • Alias process methods called in class scope on models
    • Treat primary_key, table_name_prefix, table_name_suffix as safe in SQL
    • 🛠 Fix using --compare and --add-checks-path together
    • ⚠ Avoid warning about mass assignment with string literals
    • Only report original regex DoS locations
    • 👌 Improve render path information implementation
    • ⚠ Report correct file for simple_format usage CVE warning
    • ✂ Remove URI.escape from HTML reports with GitHub repos
    • ⚡️ Update ruby_parser to ~> 3.6.2
    • ✂ Remove formatting newlines in HAML template output
    • Ignore case value in XSS checks
    • 🛠 Fix CSV output when there are no warnings
    • 🖐 Handle processing of explicitly shadowed block arguments
  • v3.0.1 Changes

    January 23, 2015
    • Avoid protect_from_forgery warning unless ApplicationController inherits from ActionController::Base
    • Properly format command interpolation (again)
    • ✂ Remove Slim dependency (Casey West)
    • 👍 Allow for controllers/models/templates in directories under app/ (Neal Harris)
    • ➕ Add --add-libs-path for additional libraries (Patrick Toomey)
    • Properly process libraries (Patrick Toomey)
  • v3.0.0 Changes

    January 03, 2015
    • ➕ Add check for CVE-2014-7829
    • ➕ Add check for cross-site scripting via inline renders
    • 🛠 Fix formatting of command interpolation
    • Local variables are no longer formatted as (local var)
    • Actually skip skipped before filters
    • ⚠ --exit-on-warn --compare only returns error code on new warnings (Jeff Yip)
    • 🛠 Fix parsing of <%== in ERB
    • ⚠ Sort warnings by fingerprint in JSON report (Jeff Yip)
    • 🖐 Handle symmetric multiple assignment
    • Do not branch for self attribute assignment x = x.y
    • 🛠 Fix CVE for CVE-2011-2932
    • ✂ Remove "fake filters" from warning fingerprints
    • Index calls in lib/ files
    • 🚚 Move Symbol DoS to optional checks
    • 🔒 CVEs report correct line and file name (Gemfile/Gemfile.lock) (Rob Fletcher)
    • 🔄 Change --separate-models to be the default
  • v2.6.3 Changes

    October 14, 2014
    • Whitelist exists arel method from SQL injection check
    • ⚠ Avoid warning about Symbol DoS on safe parameters as method targets
    • 🛠 Fix stack overflow in ProcessHelper#class_name
    • ➕ Add optional check for unscoped find queries (Ben Toews)
    • ➕ Add framework for optional checks
    • 🛠 Fix stack overflow for cycles in class ancestors (Jeff Rafter)
  • v2.6.2 Changes

    August 18, 2014
    • ➕ Add check for CVE-2014-3415
    • ⚠ Avoid warning about symbolizing safe parameters
    • ⚡️ Update ruby2ruby dependency to 2.1.1
    • Expand app path in one place instead of all over (Jeff Rafter)
    • ➕ Add --add-checks-path option for external checks (Clint Gibler)
    • 🛠 Fix SQL injection detection in deep nested string building
    • ➕ Add -4 option to force Rails 4 mode
    • Check entire call for send
    • Check for .gitignore of secrets in subdirectories
    • 🛠 Fix block statement endings in Erubis
    • 🛠 Fix undefined variable in controller processing error (Jason Barnabe)
  • v2.6.1 Changes

    July 02, 2014
    • ➕ Add check for CVE-2014-3482 and CVE-2014-3483
    • ➕ Add support for keyword arguments in blocks
    • ✂ Remove unused warning codes (Bill Fischer)
  • v2.6.0 Changes

    June 06, 2014
    • 🛠 Fix detection of :host setting in redirects with chained calls
    • ➕ Add check for CVE-2014-0130
    • Add find_by/find_by! to SQLi check for Rails 4
    • 📜 Parse most files upfront instead of on demand
    • Do not branch values for +=
    • ⚡️ Update to use RubyParser 3.5.0 (Patrick Toomey)
    • 👌 Improve default route detection in Rails 3/4 (Jeff Jarmoc)
    • 🖐 Handle controllers and models split across files (Patrick Toomey)
    • 🛠 Fix handling of protected_attributes gem in Rails 4 (Geoffrey Hichborn)
    • Ignore more model methods in redirects
    • 🛠 Fix CheckRender with nested render calls