All Versions: 135
Latest Version
Avg Release Cycle: 47 days
Latest Release: 634 days ago

Changelog History, Page 10
v1.8.1 Changes (September 24, 2012)

- Recover from errors in output formatting
- Fix false positive in redirect_to (Neil Matatall)
- Fix problems with removal of `Sexp#method_missing`
- Fix array indexing in alias processing
- Fix old mail_to vulnerability check
- Fix rescans when only controller action changes
- Allow comparison of versions with unequal lengths
- Handle super calls with blocks
- Respect `-q` flag for "Rails 3 detected" message
v1.8.0 Changes (September 05, 2012)

- Support relative paths in reports (fsword)
- Allow Brakeman to be run without tty (fsword)
- Fix exit code with `--compare` (fsword)
- Fix `--rake` option (Deepak Kumar)
- Add high confidence warnings for `to_json` XSS (Neil Matatall)
- Fix `redirect_to` false negative
- Fix duplicate warnings with `raw` calls
- Fix shadowing of rendered partials
- Add "render chain" to HTML reports
- Add check for XSS in `content_tag`
- Add full backtrace for errors in debug mode
- Treat model attributes in `or` expressions as immediate values
- Switch to method access for Sexp nodes
v1.7.1 Changes (August 13, 2012)

- Add check for CVE-2012-3463
- Add check for CVE-2012-3464
- Add check for CVE-2012-3465
- Add charset to HTML report (hooopo)
- Report XSS in select() for Rails 2
v1.7.0 Changes (July 31, 2012)

- Add check for CVE-2012-3424
- Link report types to descriptions on website
- Report errors raised while running check
- Improve processing of Rails 3 routes
- Fix "empty char-class" error
- Improve file access check
- Avoid warning on non-ActiveModel models
- Speed improvements by stripping down SexpProcessor
- Fix how `params[:x] ||=` is handled
- Treat user input in `or` expressions as immediate values
- Fix processing of negative array indexes
- Add line breaks to truncated table rows
v1.6.2 Changes (June 13, 2012)

- Add checks for CVE-2012-2660, CVE-2012-2661, CVE-2012-2694, CVE-2012-2695 (Dave Worth)
- Avoid warning when redirecting to a model instance
- Add `request.parameters` as a parameters hash
- Raise confidence level for model attributes in redirects
- Return non-zero exit code when missing dependencies
- Fix `before_filter :except` logic
- Only accept symbol literals as before_filter names
- Cache before_filter lookups
- Turn off quiet mode by default for `--compare`
v1.6.1 Changes (May 23, 2012)

- Major rewrite of CheckSQL
- Fix rescanning of deleted templates
- Process actions mixed into controllers
- Handle `render :template => ...`
- Check for inherited attr_accessible (Neil Matatall)
- Fix highlighting of HTML escaped values in HTML report
- Report line number of highlighted value, if available
v1.6.0 Changes (April 20, 2012)

- Remove the Ruport dependency (Neil Matatall)
- Add more informational JSON output (Neil Matatall)
- Add comparison to previous JSON report (Neil Matatall)
- Add highlighting of dangerous values in HTML/text reports
- Model#update_attribute should not raise mass assignment warning (Dave Worth)
- Don't check `find_by_*` method for SQL injection
- Fix duplicate reporting of mass assignment and SQL injection
- Fix rescanning of deleted files
- Properly check for rails_xss in Gemfile
v1.5.3 Changes (April 10, 2012)

- Add check for user input in Object#send (Neil Matatall)
- Handle render :layout in views
- Support output to multiple formats (Nick Green)
- Prevent infinite loops in mutually recursive templates
- Only check eval arguments for user input, not targets
- Search subdirectories for models
- Set values in request hashes and propagate to views
- Add rake task file to gemspec (Anton Ageev)
- Filter rescanning of templates (Neil Matatall)
- Improve handling of modules and nesting
- Test for zero errors in test reports
v1.5.2 Changes (March 22, 2012)

- Fix link_to checks for Rails 2.0 and 2.3
- Fix rescanning of lib files (Neil Matatall)
- Output stack trace on interrupt when debugging
- Ignore user input in if statement conditions
- Fix --skip-files option
- Only warn on user input in render paths
- Fix handling of views when using rails_xss
- Revert to ruby_parser 2.3.1 for Ruby 1.8 parsing
v1.5.1 Changes (March 06, 2012)

- Fix detection of global mass assignment setting
- Fix partial rendering in Rails 3
- Show backtrace when interrupt received (Ruby 1.9 only)
- More debug output
- Remove duplicate method in Brakeman::Rails2XSSErubis
- Add tracking of module and class to Brakeman::BaseProcessor
- Report module when using Brakeman::FindCall