CHANGES

# Unreleased

* Avoid warning about Symbol DoS on safe parameters as method targets
* Fix stack overflow in ProcessHelper#class_name
* Add optional check for unscoped find queries (Ben Toews)
* Add framework for optional checks
* Fix stack overflow for cycles in class ancestors (JR Richardson)

# 2.6.2 

* Add check for CVE-2014-3415
* Avoid warning about symbolizing safe parameters
* Update ruby2ruby dependency to 2.1.1
* Expand app path in one place instead of all over (Jeff Rafter)
* Add `--add-checks-path` option for external checks (Clint Gibler)
* Fix SQL injection detection in deep nested string building
* Add `-4` option to force Rails 4 mode
* Check entire call for `send`
* Check for .gitignore of secrets in subdirectories
* Fix block statment endings in Erubis
* Fix undefined variable in controller processing error (Jason Barnabe) 

# 2.6.1

* Add check for CVE-2014-3482 and CVE-2014-3483
* Add support for keyword arguments in blocks
* Remove unused warning codes (Bill Fischer)

# 2.6.0

* Fix detection of `:host` setting in redirects with chained calls
* Add check for CVE-2014-0130
* Add `find_by`/`find_by!` to SQLi check for Rails 4
* Parse most files upfront instead of on demand
* Do not branch values for `+=`
* Update to use RubyParser 3.5.0 (Patrick Toomey)
* Improve default route detection in Rails 3/4 (Jeff Jarmoc)
* Handle controllers and models split across files (Patrick Toomey)
* Fix handling of `protected_attributes` gem in Rails 4 (Geoffrey Hichborn)
* Ignore more model methods in redirects
* Fix CheckRender with nested render calls

# 2.5.0

 * Add support for RailsLTS 2.3.18.7 and 2.3.18.8
 * Add support for Rails 4 `before_actions` and friends
 * Move SQLi CVE checks to `CheckSQLCVEs`
 * Check for protected_attributes gem
 * Fix SQLi detection in chain calls in scopes
 * Add GitHub-flavored Markdown output format (Greg Ose)
 * Fix false positives when sanitize() is used in SQL (Jeff Yip)
 * Add String#intern and Hash#symbolize_keys DoS check (Jan Rusnacko)
 * Check all arguments in Model.select for SQLi
 * Fix false positive when :host is specified in redirect
 * Handle more non-literals in routes
 * Add check for regex denial of service (Ben Toews) 

# 2.4.3

 No changes. 2.4.2 gem release was unsigned, 2.4.3 is signed.

# 2.4.2

 * Remove `rescue Exception`
 * Fix duplicate warnings about sanitize CVE
 * Reuse duplicate call location information
 * Only track original template output locations
 * Skip identically rendered templates
 * Fix HAML template processing

# 2.4.1

 * Add check for CVE-2014-0082
 * Add check for CVE-2014-0081, replaces CVE-2013-6415
 * Add check for CVE-2014-0080

# 2.4.0 

 * Detect Rails LTS versions
 * Reduce false positives for SQL injection in string building
 * More accurate user input marking for SQL injection warnings
 * Detect SQL injection in `delete_all`/`destroy_all`
 * Detect SQL injection raw SQL queries using `connection`
 * Parse exact versions from Gemfile.lock for all gems
 * Ignore generators
 * Update to RubyParser 3.4.0
 * Fix false positives when SQL methods are not called on AR models (Aaron Bedra)
 * Add check for uses of OpenSSL::SSL::VERIFY_NONE (Aaron Bedra)
 * No longer raise exceptions if a class name cannot be determined
 * Fingerprint attribute warnings individually (Case Taintor)

# 2.3.1

 * Fix check for CVE-2013-4491 (i18n XSS) to detect workaround
 * Fix link for CVE-2013-6415 (number_to_currency)

# 2.3.0

 * Add check for Parameters#permit!
 * Add check for CVE-2013-4491 (i18n XSS)
 * Add check for CVE-2013-6414 (header DoS)
 * Add check for CVE-2013-6415 (number_to_currency)
 * Add check for CVE-2013-6416 (simple_format XSS)
 * Add check for CVE-2013-6417 (query generation) 
 * Fix typos in reflection and translate bug messages
 * Collapse send/try calls 
 * Fix Slim XSS false positives (Noah Davis)
 * Whitelist `Model#create` for redirects
 * Fix scoping issues with instance variables and blocks

# 2.2.0 

 * Reduce command injection false positives
 * Use Rails version from Gemfile if it is available
 * Only add routes with actual names
 * Ignore redirects to models using friendly_id (AJ Ostrow) 
 * Support scanning Rails engines (Geoffrey Hichborn)
 * Add check for detailed exceptions in production

# 2.1.2

 * Do not attempt to load custom Haml filters
 * Do not warn about `to_json` XSS in Rails 4
 * Add --table-width option to set width of text reports (ssendev)
 * Remove fuzzy matching on dangerous attr_accessible values

# 2.1.1

 * New warning code for dangerous attributes in attr_accessible
 * Do not warn on attr_accessible using roles
 * More accurate results for model attribute warnings
 * Use exit code zero with `-z` if all warnings ignored
 * Respect ignored warnings in rescans
 * Ignore dynamic controller names in routes
 * Fix infinite loop when run as rake task (Matthew Shanley)
 * Respect ignored warnings in tabs format reports

# 2.1.0

 * Support non-native line endings in Gemfile.lock (Paul Deardorff)
 * Support for ignoring warnings
 * Check for dangerous model attributes defined in attr_accessible (Paul Deardorff)
 * Update to ruby_parser 3.2.2
 * Add brakeman-min gemspec
 * Load gem dependencies on-demand 
 * Output JSON diff to file if -o option is used 
 * Add check for authenticate_or_request_with_http_basic
 * Refactor of SQL injection check code (Bart ten Brinke)
 * Fix detection of duplicate XSS warnings
 * Refactor reports into separate classes 
 * Allow use of Slim 2.x (Ian Zabel) 
 * Return error exit code when application path is not found
 * Add `--branch-limit` option, limit to 5 by default
 * Add more methods to check for command injection
 * Fix output format detection to be more strict again
 * Allow empty Brakeman configuration file

# 2.0.0
  
 * Add `--only-files` option to specify files/paths to scan (Ian Ehlert)
 * Add Marshal/CSV deserialization check
 * Combine deserialization checks into single check
 * Avoid duplicate "Dangerous Send" and "Unsafe Reflection" warnings
 * Avoid duplicate results for Symbol DoS check
 * Medium confidence for mass assignment to attr_protected models
 * Remove "timestamp" key from JSON reports
 * Remove deprecated config file locations
 * Relative paths are used by default in JSON reports
 * `--absolute-paths` replaces `--relative-paths`
 * Only treat classes with names containing `Controller` like controllers
 * Better handling of classes nested inside controllers
 * Better handling of controller classes nested in classes/modules
 * Handle `->` lambdas with no arguments
 * Handle explicit block argument destructuring
 * Skip Rails config options that are real objects
 * Detect Rails 3 JSON escape config option
 * Much better tracking of warning file names
 * Fix errors when using `--separate-models` (Noah Davis)
 * Fix fingerprint generation to actually use the file path
 * Fix text report console output in JRuby
 * Fix false positives on `Model#id`
 * Fix false positives on `params.to_json`
 * Fix model path guesses to use "models/" instead of "controllers/"
 * Clean up SQL CVE warning messages
 * Use exceptions instead of abort in brakeman lib
 * Update to Ruby2Ruby 2.0.5

# 1.9.5

 * Add check for unsafe symbol creation
 * Do not warn on mass assignment with `slice`/`only`
 * Do not warn on session secret if in `.gitignore`
 * Fix scoping for blocks and block arguments
 * Fix error when modifying blocks in templates
 * Fix session secret check for Rails 4
 * Fix crash on `before_filter` outside controller
 * Fix `Sexp` hash cache invalidation
 * Respect `quiet` option in configuration file
 * Convert assignment to simple `if` expressions to `or`
 * More fixes for assignments inside branches
 * Pin to ruby2ruby version 2.0.3

# 1.9.4
 
 * Add check for CVE-2013-1854
 * Add check for CVE-2013-1855
 * Add check for CVE-2013-1856
 * Add check for CVE-2013-1857
 * Fix `--compare` to work with older versions
 * Add "no-referrer' to HTML report links
 * Don't warn when invoking `send` on user input
 * Slightly faster cloning of Sexps
 * Detect another way to add `strong_parameters`

# 1.9.3
 
 * Add render path to JSON report
 * Add warning fingerprints
 * Add check for unsafe reflection (Gabriel Quadros)
 * Add check for skipping authentication methods with blacklist
 * Add support for Slim templates
 * Remove empty tables from reports (Owen Ben Davies)
 * Handle `prepend/append_before_filter`
 * Performance improvements when handling branches
 * Fix processing of `production.rb`
 * Fix version check for Ruby 2.0
 * Expand HAML dependency to include 4.0
 * Scroll errors into view when expanding in HTML report

# 1.9.2

 * Add check for CVE-2013-0269
 * Add check for CVE-2013-0276
 * Add check for CVE-2013-0277
 * Add check for CVE-2013-0333
 * Check for more send-like methods
 * Check for more SQL injection locations
 * Check for more dangerous YAML methods
 * Support MultiJSON 1.2 for Rails 3.0 and 3.1

# 1.9.1

 * Update to RubyParser 3.1.1 (neersighted)
 * Remove ActiveSupport dependency (Neil Matatall)
 * Do not warn on arrays passed to `link_to` (Neil Matatall)
 * Warn on secret tokens
 * Warn on more mass assignment methods
 * Add check for CVE-2012-5664
 * Add check for CVE-2013-0155
 * Add check for CVE-2013-0156
 * Add check for unsafe `YAML.load`

# 1.9.0

 * Update to RubyParser 3
 * Ignore route information by default
 * Support `strong_parameters`
 * Support newer `validates :format` call
 * Add scan time to reports
 * Add Brakeman version to reports
 * Fix `CheckExecute` to warn on all string interpolation
 * Fix false positive on `to_sql` calls
 * Don't mangle whitespace in JSON code formatting
 * Add AppTree as facade for filesystem (brynary)
 * Add link for translate vulnerability warning (grosser)
 * Rename LICENSE to MIT-LICENSE, remove from README (grosser)
 * Add Rakefile to run tests (grosser)
 * Better default config file locations (grosser)
 * Reduce Sexp creation
 * Handle empty model files
 * Remove "find by regex" feature from `CallIndex`

# 1.8.3

 * Use `multi_json` gem for better harmony
 * Performance improvement for call indexing
 * Fix issue with processing HAML files
 * Handle pre-release versions when processing `Gemfile.lock`
 * Only check first argument of `redirect_to`
 * Fix false positives from `Model.arel_table` accesses
 * Fix false positives on redirects to models decorated with Draper gem
 * Fix false positive on redirect to model association
 * Fix false positive on `YAML.load`
 * Fix false positive XSS on any `to_i` output
 * Fix error on Rails 2 name routes with no args
 * Fix error in rescan of mixins with symbols in method name
 * Do not rescan non-Ruby files in config/

# 1.8.2

 * Fixed rescanning problems caused by 1.8.0 changes
 * Fix scope calls with single argument
 * Report specific model name in rendered collections
 * Handle overwritten JSON escape settings
 * Much improved test coverage
 * Add CHANGES to gemspec

# 1.8.1

 * Recover from errors in output formatting
 * Fix false positive in redirect_to (Neil Matatall)
 * Fix problems with removal of `Sexp#method_missing`
 * Fix array indexing in alias processing
 * Fix old mail_to vulnerability check
 * Fix rescans when only controller action changes
 * Allow comparison of versions with unequal lengths
 * Handle super calls with blocks
 * Respect `-q` flag for "Rails 3 detected" message

# 1.8.0

 * Support relative paths in reports (fsword)
 * Allow Brakeman to be run without tty (fsword)
 * Fix exit code with `--compare` (fsword)
 * Fix `--rake` option (Deepak Kumar)
 * Add high confidence warnings for `to_json` XSS (Neil Matatall)
 * Fix `redirect_to` false negative
 * Fix duplicate warnings with `raw` calls
 * Fix shadowing of rendered partials
 * Add "render chain" to HTML reports
 * Add check for XSS in `content_tag`
 * Add full backtrace for errors in debug mode
 * Treat model attributes in `or` expressions as immediate values
 * Switch to method access for Sexp nodes

# 1.7.1

 * Add check for CVE-2012-3463
 * Add check for CVE-2012-3464
 * Add check for CVE-2012-3465
 * Add charset to HTML report (hooopo)
 * Report XSS in select() for Rails 2

# 1.7.0

 * Add check for CVE-2012-3424
 * Link report types to descriptions on website
 * Report errors raised while running check
 * Improve processing of Rails 3 routes
 * Fix "empty char-class" error
 * Improve file access check
 * Avoid warning on non-ActiveModel models
 * Speed improvements by stripping down SexpProcessor
 * Fix how `params[:x] ||=` is handled
 * Treat user input in `or` expressions as immediate values
 * Fix processing of negative array indexes
 * Add line breaks to truncated table rows

# 1.6.2

 * Add checks for CVE-2012-2660, CVE-2012-2661, CVE-2012-2694, CVE-2012-2695 (Dave Worth)
 * Avoid warning when redirecting to a model instance
 * Add `request.parameters` as a parameters hash
 * Raise confidence level for model attributes in redirects
 * Return non-zero exit code when missing dependencies
 * Fix `before_filter :except` logic
 * Only accept symbol literals as before_filter names
 * Cache before_filter lookups
 * Turn off quiet mode by default for `--compare`

# 1.6.1

 * Major rewrite of CheckSQL
 * Fix rescanning of deleted templates
 * Process actions mixed into controllers
 * Handle `render :template => ...`
 * Check for inherited attr_accessible (Neil Matatall)
 * Fix highlighting of HTML escaped values in HTML report
 * Report line number of highlighted value, if available

# 1.6.0

 * Remove the Ruport dependency (Neil Matatall)
 * Add more informational JSON output (Neil Matatall)
 * Add comparison to previous JSON report (Neil Matatall)
 * Add highlighting of dangerous values in HTML/text reports
 * Model#update_attribute should not raise mass assignment warning (Dave Worth)
 * Don't check `find_by_*` method for SQL injection
 * Fix duplicate reporting of mass assignment and SQL injection
 * Fix rescanning of deleted files 
 * Properly check for rails_xss in Gemfile

# 1.5.3

 * Add check for user input in Object#send (Neil Matatall)
 * Handle render :layout in views
 * Support output to multiple formats (Nick Green)
 * Prevent infinite loops in mutually recursive templates
 * Only check eval arguments for user input, not targets
 * Search subdirectories for models
 * Set values in request hashes and propagate to views
 * Add rake task file to gemspec (Anton Ageev)
 * Filter rescanning of templates (Neil Matatall)
 * Improve handling of modules and nesting
 * Test for zero errors in test reports

# 1.5.2

 * Fix link_to checks for Rails 2.0 and 2.3
 * Fix rescanning of lib files (Neil Matatall)
 * Output stack trace on interrupt when debugging
 * Ignore user input in if statement conditions
 * Fix --skip-files option
 * Only warn on user input in render paths
 * Fix handling of views when using rails_xss
 * Revert to ruby_parser 2.3.1 for Ruby 1.8 parsing

# 1.5.1

 * Fix detection of global mass assignment setting
 * Fix partial rendering in Rails 3
 * Show backtrace when interrupt received (Ruby 1.9 only)
 * More debug output
 * Remove duplicate method in Brakeman::Rails2XSSErubis
 * Add tracking of module and class to Brakeman::BaseProcessor
 * Report module when using Brakeman::FindCall

# 1.5.0

 * Add version check for SafeBuffer vulnerability
 * Add check for select vulnerability in Rails 3
 * select() is no longer considered safe in Rails 2
 * Add check for skipping CSRF protection with a blacklist
 * Add JSON report format
 * Model#id should not be considered XSS
 * Standardize methods to check for SQL injection
 * Fix Rails 2 route parsing issue with nested routes

# 1.4.0

 * Add check for user input in link_to href parameter
 * Match ERB processing to rails_xss plugin when plugin used
 * Add Brakeman::Report#to_json, Brakeman::Warning#to_json
 * Warnings below minimum confidence are dropped completely
 * Brakeman.run always returns a Tracker

# 1.3.0

 * Add file paths to HTML report
 * Add caching of filters
 * Add --skip-files option
 * Add support for attr_protected
 * Add detection of request.env as user input
 * Descriptions of checks in -k output
 * Improved processing of named scopes
 * Check for mass assignment in ActiveRecord::Associations::AssociationCollection#build
 * Better variable substitution
 * Table output option for rescan reports

# 1.2.2

 * --no-progress works again
 * Make CheckLinkTo a separate check
 * Don't fail on unknown options to resource(s)
 * Handle empty resource(s) blocks
 * Add RescanReport#existing_warnings

## 1.2.1

 * Remove link_to warning for Rails 3.x or when using rails_xss
 * Don't warn if first argument to link_to is escaped
 * Detect usage of attr_accessible with no arguments
 * Fix error when rendering a partial from a view but not through a controller
 * Fix some issues with rails_xss, CheckCrossSiteScripting, and CheckTranslateBug
 * Simplify Brakeman Rake task
 * Avoid modifying $VERBOSE
 * Add Brakeman::RescanReport#to_s
 * Add Brakeman::Warning#to_s

## 1.2.0

 * Speed improvements for CheckExecute and CheckRender
 * Check named_scope() and scope() for SQL injection
 * Add --rake option to create rake task to run Brakeman
 * Add experimental support for rescanning a subset of files
 * Add --summary option to only output summary
 * Fix a problem with Rails 3 routes

## 1.1.0

 * Relax required versions for dependencies
 * Performance improvements for source processing
 * Better progress reporting
 * Handle basic operators like << + - * /
 * Rescue more errors to prevent complete crashes
 * Compatibility with newer Haml versions
 * Fix some warnings

## 1.0.0

 * Better handling of assignments inside ifs
 * Check more expressions for SQL injection
 * Use latest ruby_parser for better 1.9 syntax support
 * Better behavior for Brakeman as a library

## 1.0.0rc1

 * Brakeman can now be used as a library
 * Faster call search
 * Add option to return error code if warnings are found (tw-ngreen)
 * Allow truncated messages to be expanded in HTML
 * Fix summary when using warning thresholds
 * Better support for Rails 3 routes
 * Reduce SQL injection duplicate warnings
 * Lower confidence on mass assignment with no user input
 * Ignore mass assignment using all literal arguments
 * Keep expanded context in view with HTML output

## 0.9.2

 * Fix Rails 3 configuration parsing
 * Add t() helper to check for translate XSS bug

## 0.9.1

 * Add warning for translator helper XSS vulnerability

## 0.9.0

 * Process Rails 3 configuration files
 * Fix CSV output
 * Check for config.active_record.whitelist_attributes = true
 * Always produce a warning for without_protection => true

## 0.8.4

 * Option for separate attr_accessible warnings
 * Option to set CSS file for HTML output
 * Add file names for version-specific warnings
 * Add line number for default routes in a controller
 * Fix hash_insert()
 * Remove use of Queue from threaded checks

## 0.8.3
 
 * Respect -w flag in .tabs format (tw-ngreen)
 * Escape HTML output of error messages
 * Add --skip-libs option

## 0.8.2

 * Run checks in parallel threads by default
 * Fix compatibility with ruby_parser 2.3.1

## 0.8.1

 * Add option to assume all controller methods are actions
 * Recover from errors when parsing routes

## 0.8.0

 * Add check for mass assignment using without_protection
 * Add check for password in http_basic_authenticate_with
 * Warn on user input in hash argument with mass assignment
 * auto_link is now considered safe for Rails >= 3.0.6
 * Output detected Rails version in report
 * Keep track of methods called in class definition
 * Add ruby_parser hack for Ruby 1.9 hash syntax
 * Add a few Rails 3.1 tests

## 0.7.2

 * Fix handling of params and cookies with nested access
 * Add CVEs for checks added in 0.7.0

## 0.7.1

 * Require BaseProcessor for GemProcessor

## 0.7.0

 * Allow local variable as a class name
 * Add checks for vulnerabilities fixed in Rails 2.3.14 and 3.0.10
 * Check for default routes in Rails 3 apps
 * Look in Gemfile or Gemfile.lock for Rails version

## 0.6.1

 * Fix XSS check for cookies as parameters in output
 * Don't bother calling super in CheckSessionSettings
 * Add escape_once as a safe method
 * Accept '\Z' or '\z' in model validations

## 0.6.0

 * Tests are in place and fully functional
 * Hide errors by default in HTML output
 * Warn if routes.rb cannot be found
 * Narrow methods assumed to be file access
 * Increase confidence for methods known to not escape output
 * Fixes to output processing for Erubis
 * Fixes for Rails 3 XSS checks
 * Fixes to line numbers with Erubis
 * Fixes to escaped output scanning
 * Update CSRF CVE-2011-0447 message to be less assertive

## 0.5.2

 * Output report file name when finished
 * Add initial tests for Rails 2.x
 * Fix ERB line numbers when using Ruby 1.9

## 0.5.1

 * Fix issue with 'has_one' => in routes

## 0.5.0

  * Add support for routes like get 'x/y', :to => 'ctrlr#whatever'
  * Allow empty blocks in Rails 3 routes
  * Check initializer for session settings
  * Add line numbers to session setting warnings
  * Add --checks option to list checks

## 0.4.1
  
  * Fix reported line numbers when using new Erubis parser
    (Mostly affects Rails 3 apps)

## 0.4.0

  * Handle Rails XSS protection properly
  * More detection options for rails_xss
  * Add --escape-html option 

## 0.3.2  

  * Autodetect Rails 3 applications
  * Turn on auto-escaping for Rails 3 apps
  * Check Model.create() for mass assignment

## 0.3.1

  * Always output a line number in tabbed output format
  * Restrict characters in category name in tabbed output format to
    word characters and spaces, for Hudson/Jenkins plugin

## 0.3.0

  * Check for SQL injection in calls using constantize()
  * Check for SQL injection in calls to count_by_sql()

## 0.2.2

  * Fix version_between? when no Rails version is specified

## 0.2.1

  * Add code snippet to tab output messages

## 0.2.0

  * Add check for mail_to vulnerability - CVE-2011-0446
  * Add check for CSRF weakness - CVE-2011-0447

## 0.1.1

  * Be more permissive with ActiveSupport version

## 0.1.0

  * Check link_to for XSS (because arguments are not escaped)
  * Process layouts better (although not perfectly yet)
  * Load custom Haml filters if they are in lib/
  * Tab separated output via .tabs output extension
  * Switch to normal versioning scheme