Changelog History
Page 7
v3.0.5 Changes
June 20, 2015
- 🛠 Fix check for CVE-2015-3227
v3.0.4 Changes
June 18, 2015
- ➕ Add check for CVE-2015-3226 (XSS via JSON keys)
- ➕ Add check for CVE-2015-3227 (XML DoS)
- Treat `<%==` as unescaped output
- ⚡️ Update `ruby_parser` dependency to 3.7.0
v3.0.3 Changes
April 20, 2015
- Ignore more Arel methods in SQL
- Warn about protect_from_forgery without exceptions (Neil Matatall)
- 🖐 Handle lambdas as filters
- Ignore quoted_table_name in SQL (Gabriel Sobrinho)
- Warn about RCE and file access with `open`
- 🖐 Handle array include? guard conditionals
- Do not ignore targets of `to_s` in SQL
- ➕ Add Rake task to exit with error code on warnings (masarakki)
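The `open` warning above exists because Kernel#open treats an argument beginning with `|` as a command to spawn, so `open(params[:path])` is command execution as well as arbitrary file read. The following is an added example, not the project's own check (which is built on ruby_parser, as the changelog notes) and not part of this changelog: a small Ripper-based scan over a constructed Ruby snippet that flags bare `open` calls whose first argument is non-literal or a pipe-prefixed literal, and leaves receiver calls such as `File.open` alone. The `SAMPLE` snippet, its `show`/`show_safe` actions and the `scan_open_calls` helper are assumptions made for the example.

```ruby
require "ripper"

# Constructed sample Rails-style code (not from the project): two risky and two
# acceptable uses of open. The findings refer to these line numbers.
SAMPLE = <<~'RUBY'
  # vulnerable: params come from the request; "|id" spawns a process
  def show
    data = open(params[:path]).read
    render plain: data
  end

  # still executes a command, even though the argument is a literal
  listing = open("|ls -la")

  # acceptable: a static filename with no leading pipe
  config = open("config/settings.yml")

  # hardened: File.open never treats a leading "|" as a command
  def show_safe
    data = File.open(Rails.root.join("public", File.basename(params[:path]))).read
    render plain: data
  end
RUBY

# Unwrap Ripper's argument wrappers (:arg_paren, :args_add_block) down to the
# first argument node, or nil when the call has no arguments.
def first_arg(node)
  return nil unless node.is_a?(Array) && !node.empty?
  case node[0]
  when :arg_paren, :args_add_block then first_arg(node[1])
  else node[0].is_a?(Array) ? node[0] : node
  end
end

# Concatenate the literal text pieces (@tstring_content) of a string node.
def literal_text(node, out = +"")
  return out unless node.is_a?(Array)
  if node[0] == :@tstring_content
    out << node[1]
  else
    node.each { |child| literal_text(child, out) }
  end
  out
end

# True if any node of the given type occurs in the subtree.
def contains?(node, type)
  return false unless node.is_a?(Array)
  node[0] == type || node.any? { |child| contains?(child, type) }
end

# Depth-first, source-order walk over every s-expression node.
def walk(node, &blk)
  return unless node.is_a?(Array)
  yield node if node[0].is_a?(Symbol)
  node.each { |child| walk(child, &blk) }
end

# Return [ident_node, args_node] for a bare `open ...` / `open(...)` call
# (Kernel#open). Receiver calls such as File.open or URI.open are a different
# method and are deliberately not matched.
def open_call(node)
  case node[0]
  when :command
    [node[1], node[2]] if node[1][0] == :@ident && node[1][1] == "open"
  when :method_add_arg
    fcall = node[1]
    [fcall[1], node[2]] if fcall[0] == :fcall && fcall[1][0] == :@ident && fcall[1][1] == "open"
  end
end

# Scan Ruby source and return [{line:, reason:}] for risky Kernel#open calls.
def scan_open_calls(source)
  tree = Ripper.sexp(source)
  raise ArgumentError, "could not parse source" unless tree
  findings = []
  walk(tree) do |node|
    ident, args = open_call(node)
    next unless ident
    arg = first_arg(args)
    next if arg.nil?
    line = ident[2][0]
    if arg[0] == :string_literal && !contains?(arg, :string_embexpr)
      # A plain literal is only a problem when it starts the pipe syntax.
      if literal_text(arg).start_with?("|")
        findings << { line: line, reason: "open with a literal starting with '|' spawns a command" }
      end
    else
      # Interpolated or computed argument: attacker-controlled value may start with '|'.
      findings << { line: line, reason: "open with a non-literal argument: a value starting with '|' executes a command, and any readable path can be opened" }
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  scan_open_calls(SAMPLE).each { |f| puts "line #{f[:line]}: #{f[:reason]}" }
end
```

The scan reports lines 3 and 8 of the sample and stays quiet on the static filename and on the `File.open` form, which is the practical remediation: use `File.open` for files and `URI.open` for URLs, and never pass request data to bare `open`.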
v3.0.2 Changes
March 09, 2015
- Alias process methods called in class scope on models
- Treat primary_key, table_name_prefix, table_name_suffix as safe in SQL
- 🛠 Fix using --compare and --add-checks-path together
- ⚠ Avoid warning about mass assignment with string literals
- Only report original regex DoS locations
- 👌 Improve render path information implementation
- ⚠ Report correct file for simple_format usage CVE warning
- ✂ Remove URI.escape from HTML reports with GitHub repos
- ⚡️ Update ruby_parser to ~> 3.6.2
- ✂ Remove formatting newlines in HAML template output
- Ignore case value in XSS checks
- 🛠 Fix CSV output when there are no warnings
- 🖐 Handle processing of explicitly shadowed block arguments
v3.0.1 Changes
January 23, 2015
- Avoid protect_from_forgery warning unless ApplicationController inherits from ActionController::Base
- Properly format command interpolation (again)
- ✂ Remove Slim dependency (Casey West)
- 👍 Allow for controllers/models/templates in directories under `app/` (Neal Harris)
- ➕ Add `--add-libs-path` for additional libraries (Patrick Toomey)
- Properly process libraries (Patrick Toomey)
v3.0.0 Changes
January 03, 2015
- ➕ Add check for CVE-2014-7829
- ➕ Add check for cross-site scripting via inline renders
- 🛠 Fix formatting of command interpolation
- Local variables are no longer formatted as `(local var)`
- Actually skip skipped before filters
- ⚠ `--exit-on-warn --compare` only returns error code on new warnings (Jeff Yip)
- 🛠 Fix parsing of `<%==` in ERB
- ⚠ Sort warnings by fingerprint in JSON report (Jeff Yip)
- 🖐 Handle symmetric multiple assignment
- Do not branch for self attribute assignment `x = x.y`
- 🛠 Fix check for CVE-2011-2932
- ✂ Remove "fake filters" from warning fingerprints
- Index calls in `lib/` files
- 🚚 Move Symbol DoS to optional checks
- 🔒 CVEs report correct line and file name (Gemfile/Gemfile.lock) (Rob Fletcher)
- 🔄 Change `--separate-models` to be the default
v2.6.3 Changes
October 14, 2014
- Whitelist `exists` arel method from SQL injection check
- ⚠ Avoid warning about Symbol DoS on safe parameters as method targets
- 🛠 Fix stack overflow in ProcessHelper#class_name
- ➕ Add optional check for unscoped find queries (Ben Toews)
- ➕ Add framework for optional checks
- 🛠 Fix stack overflow for cycles in class ancestors (Jeff Rafter)
- Whitelist
v2.6.2 Changes
August 18, 2014- ➕ Add check for CVE-2014-3415
- ⚠ Avoid warning about symbolizing safe parameters
- ⚡️ Update ruby2ruby dependency to 2.1.1
- Expand app path in one place instead of all over (Jeff Rafter)
- ➕ Add
--add-checks-path
option for external checks (Clint Gibler) - 🛠 Fix SQL injection detection in deep nested string building
- ➕ Add
-4
option to force Rails 4 mode - Check entire call for
send
- Check for .gitignore of secrets in subdirectories
- 🛠 Fix block statement endings in Erubis
- 🛠 Fix undefined variable in controller processing error (Jason Barnabe)
v2.6.1 Changes
July 02, 2014
- ➕ Add check for CVE-2014-3482 and CVE-2014-3483
- ➕ Add support for keyword arguments in blocks
- ✂ Remove unused warning codes (Bill Fischer)
v2.6.0 Changes
June 06, 2014
- 🛠 Fix detection of `:host` setting in redirects with chained calls
- ➕ Add check for CVE-2014-0130
- Add `find_by`/`find_by!` to SQLi check for Rails 4
- 📜 Parse most files upfront instead of on demand
- Do not branch values for `+=`
- ⚡️ Update to use RubyParser 3.5.0 (Patrick Toomey)
- 👌 Improve default route detection in Rails 3/4 (Jeff Jarmoc)
- 🖐 Handle controllers and models split across files (Patrick Toomey)
- 🛠 Fix handling of `protected_attributes` gem in Rails 4 (Geoffrey Hichborn)
- Ignore more model methods in redirects
- 🛠 Fix CheckRender with nested render calls
- 🛠 Fix detection of