# 1.9.1 * Update to RubyParser 3.1.1 (neersighted) * Remove ActiveSupport dependency (Neil Matatall) * Do not warn on arrays passed to `link_to` (Neil Matatall) * Warn on secret tokens * Warn on more mass assignment methods * Add check for CVE-2012-5664 * Add check for CVE-2013-0155 * Add check for CVE-2013-0156 * Add check for unsafe `YAML.load` # 1.9.0 * Update to RubyParser 3 * Ignore route information by default * Support `strong_parameters` * Support newer `validates :format` call * Add scan time to reports * Add Brakeman version to reports * Fix `CheckExecute` to warn on all string interpolation * Fix false positive on `to_sql` calls * Don't mangle whitespace in JSON code formatting * Add AppTree as facade for filesystem (brynary) * Add link for translate vulnerability warning (grosser) * Rename LICENSE to MIT-LICENSE, remove from README (grosser) * Add Rakefile to run tests (grosser) * Better default config file locations (grosser) * Reduce Sexp creation * Handle empty model files * Remove "find by regex" feature from `CallIndex` # 1.8.3 * Use `multi_json` gem for better harmony * Performance improvement for call indexing * Fix issue with processing HAML files * Handle pre-release versions when processing `Gemfile.lock` * Only check first argument of `redirect_to` * Fix false positives from `Model.arel_table` accesses * Fix false positives on redirects to models decorated with Draper gem * Fix false positive on redirect to model association * Fix false positive on `YAML.load` * Fix false positive XSS on any `to_i` output * Fix error on Rails 2 name routes with no args * Fix error in rescan of mixins with symbols in method name * Do not rescan non-Ruby files in config/ # 1.8.2 * Fixed rescanning problems caused by 1.8.0 changes * Fix scope calls with single argument * Report specific model name in rendered collections * Handle overwritten JSON escape settings * Much improved test coverage * Add CHANGES to gemspec # 1.8.1 * Recover from errors in output formatting * Fix false positive in redirect_to (Neil Matatall) * Fix problems with removal of `Sexp#method_missing` * Fix array indexing in alias processing * Fix old mail_to vulnerability check * Fix rescans when only controller action changes * Allow comparison of versions with unequal lengths * Handle super calls with blocks * Respect `-q` flag for "Rails 3 detected" message # 1.8.0 * Support relative paths in reports (fsword) * Allow Brakeman to be run without tty (fsword) * Fix exit code with `--compare` (fsword) * Fix `--rake` option (Deepak Kumar) * Add high confidence warnings for `to_json` XSS (Neil Matatall) * Fix `redirect_to` false negative * Fix duplicate warnings with `raw` calls * Fix shadowing of rendered partials * Add "render chain" to HTML reports * Add check for XSS in `content_tag` * Add full backtrace for errors in debug mode * Treat model attributes in `or` expressions as immediate values * Switch to method access for Sexp nodes # 1.7.1 * Add check for CVE-2012-3463 * Add check for CVE-2012-3464 * Add check for CVE-2012-3465 * Add charset to HTML report (hooopo) * Report XSS in select() for Rails 2 # 1.7.0 * Add check for CVE-2012-3424 * Link report types to descriptions on website * Report errors raised while running check * Improve processing of Rails 3 routes * Fix "empty char-class" error * Improve file access check * Avoid warning on non-ActiveModel models * Speed improvements by stripping down SexpProcessor * Fix how `params[:x] ||=` is handled * Treat user input in `or` expressions as immediate values * Fix processing of negative array indexes * Add line breaks to truncated table rows # 1.6.2 * Add checks for CVE-2012-2660, CVE-2012-2661, CVE-2012-2694, CVE-2012-2695 (Dave Worth) * Avoid warning when redirecting to a model instance * Add `request.parameters` as a parameters hash * Raise confidence level for model attributes in redirects * Return non-zero exit code when missing dependencies * Fix `before_filter :except` logic * Only accept symbol literals as before_filter names * Cache before_filter lookups * Turn off quiet mode by default for `--compare` # 1.6.1 * Major rewrite of CheckSQL * Fix rescanning of deleted templates * Process actions mixed into controllers * Handle `render :template => ...` * Check for inherited attr_accessible (Neil Matatall) * Fix highlighting of HTML escaped values in HTML report * Report line number of highlighted value, if available # 1.6.0 * Remove the Ruport dependency (Neil Matatall) * Add more informational JSON output (Neil Matatall) * Add comparison to previous JSON report (Neil Matatall) * Add highlighting of dangerous values in HTML/text reports * Model#update_attribute should not raise mass assignment warning (Dave Worth) * Don't check `find_by_*` method for SQL injection * Fix duplicate reporting of mass assignment and SQL injection * Fix rescanning of deleted files * Properly check for rails_xss in Gemfile # 1.5.3 * Add check for user input in Object#send (Neil Matatall) * Handle render :layout in views * Support output to multiple formats (Nick Green) * Prevent infinite loops in mutually recursive templates * Only check eval arguments for user input, not targets * Search subdirectories for models * Set values in request hashes and propagate to views * Add rake task file to gemspec (Anton Ageev) * Filter rescanning of templates (Neil Matatall) * Improve handling of modules and nesting * Test for zero errors in test reports # 1.5.2 * Fix link_to checks for Rails 2.0 and 2.3 * Fix rescanning of lib files (Neil Matatall) * Output stack trace on interrupt when debugging * Ignore user input in if statement conditions * Fix --skip-files option * Only warn on user input in render paths * Fix handling of views when using rails_xss * Revert to ruby_parser 2.3.1 for Ruby 1.8 parsing # 1.5.1 * Fix detection of global mass assignment setting * Fix partial rendering in Rails 3 * Show backtrace when interrupt received (Ruby 1.9 only) * More debug output * Remove duplicate method in Brakeman::Rails2XSSErubis * Add tracking of module and class to Brakeman::BaseProcessor * Report module when using Brakeman::FindCall # 1.5.0 * Add version check for SafeBuffer vulnerability * Add check for select vulnerability in Rails 3 * select() is no longer considered safe in Rails 2 * Add check for skipping CSRF protection with a blacklist * Add JSON report format * Model#id should not be considered XSS * Standardize methods to check for SQL injection * Fix Rails 2 route parsing issue with nested routes # 1.4.0 * Add check for user input in link_to href parameter * Match ERB processing to rails_xss plugin when plugin used * Add Brakeman::Report#to_json, Brakeman::Warning#to_json * Warnings below minimum confidence are dropped completely * Brakeman.run always returns a Tracker # 1.3.0 * Add file paths to HTML report * Add caching of filters * Add --skip-files option * Add support for attr_protected * Add detection of request.env as user input * Descriptions of checks in -k output * Improved processing of named scopes * Check for mass assignment in ActiveRecord::Associations::AssociationCollection#build * Better variable substitution * Table output option for rescan reports # 1.2.2 * --no-progress works again * Make CheckLinkTo a separate check * Don't fail on unknown options to resource(s) * Handle empty resource(s) blocks * Add RescanReport#existing_warnings ## 1.2.1 * Remove link_to warning for Rails 3.x or when using rails_xss * Don't warn if first argument to link_to is escaped * Detect usage of attr_accessible with no arguments * Fix error when rendering a partial from a view but not through a controller * Fix some issues with rails_xss, CheckCrossSiteScripting, and CheckTranslateBug * Simplify Brakeman Rake task * Avoid modifying $VERBOSE * Add Brakeman::RescanReport#to_s * Add Brakeman::Warning#to_s ## 1.2.0 * Speed improvements for CheckExecute and CheckRender * Check named_scope() and scope() for SQL injection * Add --rake option to create rake task to run Brakeman * Add experimental support for rescanning a subset of files * Add --summary option to only output summary * Fix a problem with Rails 3 routes ## 1.1.0 * Relax required versions for dependencies * Performance improvements for source processing * Better progress reporting * Handle basic operators like << + - * / * Rescue more errors to prevent complete crashes * Compatibility with newer Haml versions * Fix some warnings ## 1.0.0 * Better handling of assignments inside ifs * Check more expressions for SQL injection * Use latest ruby_parser for better 1.9 syntax support * Better behavior for Brakeman as a library ## 1.0.0rc1 * Brakeman can now be used as a library * Faster call search * Add option to return error code if warnings are found (tw-ngreen) * Allow truncated messages to be expanded in HTML * Fix summary when using warning thresholds * Better support for Rails 3 routes * Reduce SQL injection duplicate warnings * Lower confidence on mass assignment with no user input * Ignore mass assignment using all literal arguments * Keep expanded context in view with HTML output ## 0.9.2 * Fix Rails 3 configuration parsing * Add t() helper to check for translate XSS bug ## 0.9.1 * Add warning for translator helper XSS vulnerability ## 0.9.0 * Process Rails 3 configuration files * Fix CSV output * Check for config.active_record.whitelist_attributes = true * Always produce a warning for without_protection => true ## 0.8.4 * Option for separate attr_accessible warnings * Option to set CSS file for HTML output * Add file names for version-specific warnings * Add line number for default routes in a controller * Fix hash_insert() * Remove use of Queue from threaded checks ## 0.8.3 * Respect -w flag in .tabs format (tw-ngreen) * Escape HTML output of error messages * Add --skip-libs option ## 0.8.2 * Run checks in parallel threads by default * Fix compatibility with ruby_parser 2.3.1 ## 0.8.1 * Add option to assume all controller methods are actions * Recover from errors when parsing routes ## 0.8.0 * Add check for mass assignment using without_protection * Add check for password in http_basic_authenticate_with * Warn on user input in hash argument with mass assignment * auto_link is now considered safe for Rails >= 3.0.6 * Output detected Rails version in report * Keep track of methods called in class definition * Add ruby_parser hack for Ruby 1.9 hash syntax * Add a few Rails 3.1 tests ## 0.7.2 * Fix handling of params and cookies with nested access * Add CVEs for checks added in 0.7.0 ## 0.7.1 * Require BaseProcessor for GemProcessor ## 0.7.0 * Allow local variable as a class name * Add checks for vulnerabilities fixed in Rails 2.3.14 and 3.0.10 * Check for default routes in Rails 3 apps * Look in Gemfile or Gemfile.lock for Rails version ## 0.6.1 * Fix XSS check for cookies as parameters in output * Don't bother calling super in CheckSessionSettings * Add escape_once as a safe method * Accept '\Z' or '\z' in model validations ## 0.6.0 * Tests are in place and fully functional * Hide errors by default in HTML output * Warn if routes.rb cannot be found * Narrow methods assumed to be file access * Increase confidence for methods known to not escape output * Fixes to output processing for Erubis * Fixes for Rails 3 XSS checks * Fixes to line numbers with Erubis * Fixes to escaped output scanning * Update CSRF CVE-2011-0447 message to be less assertive ## 0.5.2 * Output report file name when finished * Add initial tests for Rails 2.x * Fix ERB line numbers when using Ruby 1.9 ## 0.5.1 * Fix issue with 'has_one' => in routes ## 0.5.0 * Add support for routes like get 'x/y', :to => 'ctrlr#whatever' * Allow empty blocks in Rails 3 routes * Check initializer for session settings * Add line numbers to session setting warnings * Add --checks option to list checks ## 0.4.1 * Fix reported line numbers when using new Erubis parser (Mostly affects Rails 3 apps) ## 0.4.0 * Handle Rails XSS protection properly * More detection options for rails_xss * Add --escape-html option ## 0.3.2 * Autodetect Rails 3 applications * Turn on auto-escaping for Rails 3 apps * Check Model.create() for mass assignment ## 0.3.1 * Always output a line number in tabbed output format * Restrict characters in category name in tabbed output format to word characters and spaces, for Hudson/Jenkins plugin ## 0.3.0 * Check for SQL injection in calls using constantize() * Check for SQL injection in calls to count_by_sql() ## 0.2.2 * Fix version_between? when no Rails version is specified ## 0.2.1 * Add code snippet to tab output messages ## 0.2.0 * Add check for mail_to vulnerability - CVE-2011-0446 * Add check for CSRF weakness - CVE-2011-0447 ## 0.1.1 * Be more permissive with ActiveSupport version ## 0.1.0 * Check link_to for XSS (because arguments are not escaped) * Process layouts better (although not perfectly yet) * Load custom Haml filters if they are in lib/ * Tab separated output via .tabs output extension * Switch to normal versioning scheme