  • v1.9.0 Changes

    December 25, 2012
    • Update to RubyParser 3
    • Ignore route information by default
    • Support strong_parameters
    • Support newer validates :format call
    • Add scan time to reports
    • Add Brakeman version to reports
    • Fix CheckExecute to warn on all string interpolation
    • Fix false positive on to_sql calls
    • Don't mangle whitespace in JSON code formatting
    • Add AppTree as facade for filesystem (brynary)
    • Add link for translate vulnerability warning (grosser)
    • Rename LICENSE to MIT-LICENSE, remove from README (grosser)
    • Add Rakefile to run tests (grosser)
    • Better default config file locations (grosser)
    • Reduce Sexp creation
    • Handle empty model files
    • Remove "find by regex" feature from CallIndex
  • v1.8.3 Changes

    November 13, 2012
    • Use multi_json gem for better harmony
    • Performance improvement for call indexing
    • Fix issue with processing HAML files
    • Handle pre-release versions when processing Gemfile.lock
    • Only check first argument of redirect_to
    • Fix false positives from Model.arel_table accesses
    • Fix false positives on redirects to models decorated with Draper gem
    • Fix false positive on redirect to model association
    • Fix false positive on YAML.load
    • Fix false positive XSS on any to_i output
    • Fix error on Rails 2 named routes with no args
    • Fix error in rescan of mixins with symbols in method name
    • Do not rescan non-Ruby files in config/
  • v1.8.2 Changes

    October 17, 2012
    • Fix rescanning problems caused by 1.8.0 changes
    • Fix scope calls with single argument
    • Report specific model name in rendered collections
    • Handle overwritten JSON escape settings
    • Much improved test coverage
    • Add CHANGES to gemspec
  • v1.8.1 Changes

    September 24, 2012
    • Recover from errors in output formatting
    • Fix false positive in redirect_to (Neil Matatall)
    • Fix problems with removal of Sexp#method_missing
    • Fix array indexing in alias processing
    • Fix old mail_to vulnerability check
    • Fix rescans when only controller action changes
    • Allow comparison of versions with unequal lengths
    • Handle super calls with blocks
    • Respect -q flag for "Rails 3 detected" message
  • v1.8.0 Changes

    September 05, 2012
    • Support relative paths in reports (fsword)
    • Allow Brakeman to be run without tty (fsword)
    • Fix exit code with --compare (fsword)
    • Fix --rake option (Deepak Kumar)
    • Add high confidence warnings for to_json XSS (Neil Matatall)
    • Fix redirect_to false negative
    • Fix duplicate warnings with raw calls
    • Fix shadowing of rendered partials
    • Add "render chain" to HTML reports
    • Add check for XSS in content_tag
    • Add full backtrace for errors in debug mode
    • Treat model attributes in or expressions as immediate values
    • Switch to method access for Sexp nodes
  • v1.7.1 Changes

    August 13, 2012
    • Add check for CVE-2012-3463
    • Add check for CVE-2012-3464
    • Add check for CVE-2012-3465
    • Add charset to HTML report (hooopo)
    • Report XSS in select() for Rails 2
  • v1.7.0 Changes

    July 31, 2012
    • Add check for CVE-2012-3424
    • Link report types to descriptions on website
    • Report errors raised while running check
    • Improve processing of Rails 3 routes
    • Fix "empty char-class" error
    • Improve file access check
    • Avoid warning on non-ActiveModel models
    • Speed improvements by stripping down SexpProcessor
    • Fix how params[:x] ||= is handled
    • Treat user input in or expressions as immediate values
    • Fix processing of negative array indexes
    • Add line breaks to truncated table rows
  • v1.6.2 Changes

    June 13, 2012
    • Add checks for CVE-2012-2660, CVE-2012-2661, CVE-2012-2694, CVE-2012-2695 (Dave Worth)
    • Avoid warning when redirecting to a model instance
    • Add request.parameters as a parameters hash
    • Raise confidence level for model attributes in redirects
    • Return non-zero exit code when missing dependencies
    • Fix before_filter :except logic
    • Only accept symbol literals as before_filter names
    • Cache before_filter lookups
    • Turn off quiet mode by default for --compare
  • v1.6.1 Changes

    May 23, 2012
    • Major rewrite of CheckSQL
    • Fix rescanning of deleted templates
    • Process actions mixed into controllers
    • Handle render :template => ...
    • Check for inherited attr_accessible (Neil Matatall)
    • Fix highlighting of HTML escaped values in HTML report
    • Report line number of highlighted value, if available
  • v1.6.0 Changes

    April 20, 2012
    • Remove the Ruport dependency (Neil Matatall)
    • Add more informational JSON output (Neil Matatall)
    • Add comparison to previous JSON report (Neil Matatall)
    • Add highlighting of dangerous values in HTML/text reports
    • Model#update_attribute should not raise mass assignment warning (Dave Worth)
    • Don't check find_by_* methods for SQL injection
    • Fix duplicate reporting of mass assignment and SQL injection
    • Fix rescanning of deleted files
    • Properly check for rails_xss in Gemfile