# 3.0.5 * Fix check for CVE-2015-3227 # 3.0.4 * Add check for CVE-2015-3226 (XSS via JSON keys) * Add check for CVE-2015-3227 (XML DoS) * Treat `<%==` as unescaped output * Update `ruby_parser` dependency to 3.7.0 # 3.0.3 * Ignore more Arel methods in SQL * Warn about protect_from_forgery without exceptions (Neil Matatall) * Handle lambdas as filters * Ignore quoted_table_name in SQL (Gabriel Sobrinho) * Warn about RCE and file access with `open` * Handle array include? guard conditionals * Do not ignore targets of `to_s` in SQL * Add Rake task to exit with error code on warnings (masarakki) # 3.0.2 * Alias process methods called in class scope on models * Treat primary_key, table_name_prefix, table_name_suffix as safe in SQL * Fix using --compare and --add-checks-path together * Avoid warning about mass assignment with string literals * Only report original regex DoS locations * Improve render path information implementation * Report correct file for simple_format usage CVE warning * Remove URI.escape from HTML reports with GitHub repos * Update ruby_parser to ~> 3.6.2 * Remove formatting newlines in HAML template output * Ignore case value in XSS checks * Fix CSV output when there are no warnings * Handle processing of explictly shadowed block arguments # 3.0.1 * Avoid protect_from_forgery warning unless ApplicationController inherits from ActionController::Base * Properly format command interpolation (again) * Remove Slim dependency (Casey West) * Allow for controllers/models/templates in directories under `app/` (Neal Harris) * Add `--add-libs-path` for additional libraries (Patrick Toomey) * Properly process libraries (Patrick Toomey) # 3.0.0 * Add check for CVE-2014-7829 * Add check for cross site scripting via inline renders * Fix formatting of command interpolation * Local variables are no longer formatted as `(local var)` * Actually skip skipped before filters * `--exit-on-warn --compare` only returns error code on new warnings (Jeff Yip) * Fix parsing of `<%==` in ERB * Sort warnings by fingerprint in JSON report (Jeff Yip) * Handle symmetric multiple assignment * Do not branch for self attribute assignment `x = x.y` * Fix CVE for CVE-2011-2932 * Remove "fake filters" from warning fingerpints * Index calls in `lib/` files * Move Symbol DoS to optional checks * CVEs report correct line and file name (Gemfile/Gemfile.lock) (Rob Fletcher) * Change `--separate-models` to be the default # 2.6.3 * Whitelist `exists` arel method from SQL injection check * Avoid warning about Symbol DoS on safe parameters as method targets * Fix stack overflow in ProcessHelper#class_name * Add optional check for unscoped find queries (Ben Toews) * Add framework for optional checks * Fix stack overflow for cycles in class ancestors (Jeff Rafter) # 2.6.2 * Add check for CVE-2014-3415 * Avoid warning about symbolizing safe parameters * Update ruby2ruby dependency to 2.1.1 * Expand app path in one place instead of all over (Jeff Rafter) * Add `--add-checks-path` option for external checks (Clint Gibler) * Fix SQL injection detection in deep nested string building * Add `-4` option to force Rails 4 mode * Check entire call for `send` * Check for .gitignore of secrets in subdirectories * Fix block statment endings in Erubis * Fix undefined variable in controller processing error (Jason Barnabe) # 2.6.1 * Add check for CVE-2014-3482 and CVE-2014-3483 * Add support for keyword arguments in blocks * Remove unused warning codes (Bill Fischer) # 2.6.0 * Fix detection of `:host` setting in redirects with chained calls * Add check for CVE-2014-0130 * Add `find_by`/`find_by!` to SQLi check for Rails 4 * Parse most files upfront instead of on demand * Do not branch values for `+=` * Update to use RubyParser 3.5.0 (Patrick Toomey) * Improve default route detection in Rails 3/4 (Jeff Jarmoc) * Handle controllers and models split across files (Patrick Toomey) * Fix handling of `protected_attributes` gem in Rails 4 (Geoffrey Hichborn) * Ignore more model methods in redirects * Fix CheckRender with nested render calls # 2.5.0 * Add support for RailsLTS 2.3.18.7 and 2.3.18.8 * Add support for Rails 4 `before_actions` and friends * Move SQLi CVE checks to `CheckSQLCVEs` * Check for protected_attributes gem * Fix SQLi detection in chain calls in scopes * Add GitHub-flavored Markdown output format (Greg Ose) * Fix false positives when sanitize() is used in SQL (Jeff Yip) * Add String#intern and Hash#symbolize_keys DoS check (Jan Rusnacko) * Check all arguments in Model.select for SQLi * Fix false positive when :host is specified in redirect * Handle more non-literals in routes * Add check for regex denial of service (Ben Toews) # 2.4.3 No changes. 2.4.2 gem release was unsigned, 2.4.3 is signed. # 2.4.2 * Remove `rescue Exception` * Fix duplicate warnings about sanitize CVE * Reuse duplicate call location information * Only track original template output locations * Skip identically rendered templates * Fix HAML template processing # 2.4.1 * Add check for CVE-2014-0082 * Add check for CVE-2014-0081, replaces CVE-2013-6415 * Add check for CVE-2014-0080 # 2.4.0 * Detect Rails LTS versions * Reduce false positives for SQL injection in string building * More accurate user input marking for SQL injection warnings * Detect SQL injection in `delete_all`/`destroy_all` * Detect SQL injection raw SQL queries using `connection` * Parse exact versions from Gemfile.lock for all gems * Ignore generators * Update to RubyParser 3.4.0 * Fix false positives when SQL methods are not called on AR models (Aaron Bedra) * Add check for uses of OpenSSL::SSL::VERIFY_NONE (Aaron Bedra) * No longer raise exceptions if a class name cannot be determined * Fingerprint attribute warnings individually (Case Taintor) # 2.3.1 * Fix check for CVE-2013-4491 (i18n XSS) to detect workaround * Fix link for CVE-2013-6415 (number_to_currency) # 2.3.0 * Add check for Parameters#permit! * Add check for CVE-2013-4491 (i18n XSS) * Add check for CVE-2013-6414 (header DoS) * Add check for CVE-2013-6415 (number_to_currency) * Add check for CVE-2013-6416 (simple_format XSS) * Add check for CVE-2013-6417 (query generation) * Fix typos in reflection and translate bug messages * Collapse send/try calls * Fix Slim XSS false positives (Noah Davis) * Whitelist `Model#create` for redirects * Fix scoping issues with instance variables and blocks # 2.2.0 * Reduce command injection false positives * Use Rails version from Gemfile if it is available * Only add routes with actual names * Ignore redirects to models using friendly_id (AJ Ostrow) * Support scanning Rails engines (Geoffrey Hichborn) * Add check for detailed exceptions in production # 2.1.2 * Do not attempt to load custom Haml filters * Do not warn about `to_json` XSS in Rails 4 * Add --table-width option to set width of text reports (ssendev) * Remove fuzzy matching on dangerous attr_accessible values # 2.1.1 * New warning code for dangerous attributes in attr_accessible * Do not warn on attr_accessible using roles * More accurate results for model attribute warnings * Use exit code zero with `-z` if all warnings ignored * Respect ignored warnings in rescans * Ignore dynamic controller names in routes * Fix infinite loop when run as rake task (Matthew Shanley) * Respect ignored warnings in tabs format reports # 2.1.0 * Support non-native line endings in Gemfile.lock (Paul Deardorff) * Support for ignoring warnings * Check for dangerous model attributes defined in attr_accessible (Paul Deardorff) * Update to ruby_parser 3.2.2 * Add brakeman-min gemspec * Load gem dependencies on-demand * Output JSON diff to file if -o option is used * Add check for authenticate_or_request_with_http_basic * Refactor of SQL injection check code (Bart ten Brinke) * Fix detection of duplicate XSS warnings * Refactor reports into separate classes * Allow use of Slim 2.x (Ian Zabel) * Return error exit code when application path is not found * Add `--branch-limit` option, limit to 5 by default * Add more methods to check for command injection * Fix output format detection to be more strict again * Allow empty Brakeman configuration file # 2.0.0 * Add `--only-files` option to specify files/paths to scan (Ian Ehlert) * Add Marshal/CSV deserialization check * Combine deserialization checks into single check * Avoid duplicate "Dangerous Send" and "Unsafe Reflection" warnings * Avoid duplicate results for Symbol DoS check * Medium confidence for mass assignment to attr_protected models * Remove "timestamp" key from JSON reports * Remove deprecated config file locations * Relative paths are used by default in JSON reports * `--absolute-paths` replaces `--relative-paths` * Only treat classes with names containing `Controller` like controllers * Better handling of classes nested inside controllers * Better handling of controller classes nested in classes/modules * Handle `->` lambdas with no arguments * Handle explicit block argument destructuring * Skip Rails config options that are real objects * Detect Rails 3 JSON escape config option * Much better tracking of warning file names * Fix errors when using `--separate-models` (Noah Davis) * Fix fingerprint generation to actually use the file path * Fix text report console output in JRuby * Fix false positives on `Model#id` * Fix false positives on `params.to_json` * Fix model path guesses to use "models/" instead of "controllers/" * Clean up SQL CVE warning messages * Use exceptions instead of abort in brakeman lib * Update to Ruby2Ruby 2.0.5 # 1.9.5 * Add check for unsafe symbol creation * Do not warn on mass assignment with `slice`/`only` * Do not warn on session secret if in `.gitignore` * Fix scoping for blocks and block arguments * Fix error when modifying blocks in templates * Fix session secret check for Rails 4 * Fix crash on `before_filter` outside controller * Fix `Sexp` hash cache invalidation * Respect `quiet` option in configuration file * Convert assignment to simple `if` expressions to `or` * More fixes for assignments inside branches * Pin to ruby2ruby version 2.0.3 # 1.9.4 * Add check for CVE-2013-1854 * Add check for CVE-2013-1855 * Add check for CVE-2013-1856 * Add check for CVE-2013-1857 * Fix `--compare` to work with older versions * Add "no-referrer' to HTML report links * Don't warn when invoking `send` on user input * Slightly faster cloning of Sexps * Detect another way to add `strong_parameters` # 1.9.3 * Add render path to JSON report * Add warning fingerprints * Add check for unsafe reflection (Gabriel Quadros) * Add check for skipping authentication methods with blacklist * Add support for Slim templates * Remove empty tables from reports (Owen Ben Davies) * Handle `prepend/append_before_filter` * Performance improvements when handling branches * Fix processing of `production.rb` * Fix version check for Ruby 2.0 * Expand HAML dependency to include 4.0 * Scroll errors into view when expanding in HTML report # 1.9.2 * Add check for CVE-2013-0269 * Add check for CVE-2013-0276 * Add check for CVE-2013-0277 * Add check for CVE-2013-0333 * Check for more send-like methods * Check for more SQL injection locations * Check for more dangerous YAML methods * Support MultiJSON 1.2 for Rails 3.0 and 3.1 # 1.9.1 * Update to RubyParser 3.1.1 (neersighted) * Remove ActiveSupport dependency (Neil Matatall) * Do not warn on arrays passed to `link_to` (Neil Matatall) * Warn on secret tokens * Warn on more mass assignment methods * Add check for CVE-2012-5664 * Add check for CVE-2013-0155 * Add check for CVE-2013-0156 * Add check for unsafe `YAML.load` # 1.9.0 * Update to RubyParser 3 * Ignore route information by default * Support `strong_parameters` * Support newer `validates :format` call * Add scan time to reports * Add Brakeman version to reports * Fix `CheckExecute` to warn on all string interpolation * Fix false positive on `to_sql` calls * Don't mangle whitespace in JSON code formatting * Add AppTree as facade for filesystem (brynary) * Add link for translate vulnerability warning (grosser) * Rename LICENSE to MIT-LICENSE, remove from README (grosser) * Add Rakefile to run tests (grosser) * Better default config file locations (grosser) * Reduce Sexp creation * Handle empty model files * Remove "find by regex" feature from `CallIndex` # 1.8.3 * Use `multi_json` gem for better harmony * Performance improvement for call indexing * Fix issue with processing HAML files * Handle pre-release versions when processing `Gemfile.lock` * Only check first argument of `redirect_to` * Fix false positives from `Model.arel_table` accesses * Fix false positives on redirects to models decorated with Draper gem * Fix false positive on redirect to model association * Fix false positive on `YAML.load` * Fix false positive XSS on any `to_i` output * Fix error on Rails 2 name routes with no args * Fix error in rescan of mixins with symbols in method name * Do not rescan non-Ruby files in config/ # 1.8.2 * Fixed rescanning problems caused by 1.8.0 changes * Fix scope calls with single argument * Report specific model name in rendered collections * Handle overwritten JSON escape settings * Much improved test coverage * Add CHANGES to gemspec # 1.8.1 * Recover from errors in output formatting * Fix false positive in redirect_to (Neil Matatall) * Fix problems with removal of `Sexp#method_missing` * Fix array indexing in alias processing * Fix old mail_to vulnerability check * Fix rescans when only controller action changes * Allow comparison of versions with unequal lengths * Handle super calls with blocks * Respect `-q` flag for "Rails 3 detected" message # 1.8.0 * Support relative paths in reports (fsword) * Allow Brakeman to be run without tty (fsword) * Fix exit code with `--compare` (fsword) * Fix `--rake` option (Deepak Kumar) * Add high confidence warnings for `to_json` XSS (Neil Matatall) * Fix `redirect_to` false negative * Fix duplicate warnings with `raw` calls * Fix shadowing of rendered partials * Add "render chain" to HTML reports * Add check for XSS in `content_tag` * Add full backtrace for errors in debug mode * Treat model attributes in `or` expressions as immediate values * Switch to method access for Sexp nodes # 1.7.1 * Add check for CVE-2012-3463 * Add check for CVE-2012-3464 * Add check for CVE-2012-3465 * Add charset to HTML report (hooopo) * Report XSS in select() for Rails 2 # 1.7.0 * Add check for CVE-2012-3424 * Link report types to descriptions on website * Report errors raised while running check * Improve processing of Rails 3 routes * Fix "empty char-class" error * Improve file access check * Avoid warning on non-ActiveModel models * Speed improvements by stripping down SexpProcessor * Fix how `params[:x] ||=` is handled * Treat user input in `or` expressions as immediate values * Fix processing of negative array indexes * Add line breaks to truncated table rows # 1.6.2 * Add checks for CVE-2012-2660, CVE-2012-2661, CVE-2012-2694, CVE-2012-2695 (Dave Worth) * Avoid warning when redirecting to a model instance * Add `request.parameters` as a parameters hash * Raise confidence level for model attributes in redirects * Return non-zero exit code when missing dependencies * Fix `before_filter :except` logic * Only accept symbol literals as before_filter names * Cache before_filter lookups * Turn off quiet mode by default for `--compare` # 1.6.1 * Major rewrite of CheckSQL * Fix rescanning of deleted templates * Process actions mixed into controllers * Handle `render :template => ...` * Check for inherited attr_accessible (Neil Matatall) * Fix highlighting of HTML escaped values in HTML report * Report line number of highlighted value, if available # 1.6.0 * Remove the Ruport dependency (Neil Matatall) * Add more informational JSON output (Neil Matatall) * Add comparison to previous JSON report (Neil Matatall) * Add highlighting of dangerous values in HTML/text reports * Model#update_attribute should not raise mass assignment warning (Dave Worth) * Don't check `find_by_*` method for SQL injection * Fix duplicate reporting of mass assignment and SQL injection * Fix rescanning of deleted files * Properly check for rails_xss in Gemfile # 1.5.3 * Add check for user input in Object#send (Neil Matatall) * Handle render :layout in views * Support output to multiple formats (Nick Green) * Prevent infinite loops in mutually recursive templates * Only check eval arguments for user input, not targets * Search subdirectories for models * Set values in request hashes and propagate to views * Add rake task file to gemspec (Anton Ageev) * Filter rescanning of templates (Neil Matatall) * Improve handling of modules and nesting * Test for zero errors in test reports # 1.5.2 * Fix link_to checks for Rails 2.0 and 2.3 * Fix rescanning of lib files (Neil Matatall) * Output stack trace on interrupt when debugging * Ignore user input in if statement conditions * Fix --skip-files option * Only warn on user input in render paths * Fix handling of views when using rails_xss * Revert to ruby_parser 2.3.1 for Ruby 1.8 parsing # 1.5.1 * Fix detection of global mass assignment setting * Fix partial rendering in Rails 3 * Show backtrace when interrupt received (Ruby 1.9 only) * More debug output * Remove duplicate method in Brakeman::Rails2XSSErubis * Add tracking of module and class to Brakeman::BaseProcessor * Report module when using Brakeman::FindCall # 1.5.0 * Add version check for SafeBuffer vulnerability * Add check for select vulnerability in Rails 3 * select() is no longer considered safe in Rails 2 * Add check for skipping CSRF protection with a blacklist * Add JSON report format * Model#id should not be considered XSS * Standardize methods to check for SQL injection * Fix Rails 2 route parsing issue with nested routes # 1.4.0 * Add check for user input in link_to href parameter * Match ERB processing to rails_xss plugin when plugin used * Add Brakeman::Report#to_json, Brakeman::Warning#to_json * Warnings below minimum confidence are dropped completely * Brakeman.run always returns a Tracker # 1.3.0 * Add file paths to HTML report * Add caching of filters * Add --skip-files option * Add support for attr_protected * Add detection of request.env as user input * Descriptions of checks in -k output * Improved processing of named scopes * Check for mass assignment in ActiveRecord::Associations::AssociationCollection#build * Better variable substitution * Table output option for rescan reports # 1.2.2 * --no-progress works again * Make CheckLinkTo a separate check * Don't fail on unknown options to resource(s) * Handle empty resource(s) blocks * Add RescanReport#existing_warnings ## 1.2.1 * Remove link_to warning for Rails 3.x or when using rails_xss * Don't warn if first argument to link_to is escaped * Detect usage of attr_accessible with no arguments * Fix error when rendering a partial from a view but not through a controller * Fix some issues with rails_xss, CheckCrossSiteScripting, and CheckTranslateBug * Simplify Brakeman Rake task * Avoid modifying $VERBOSE * Add Brakeman::RescanReport#to_s * Add Brakeman::Warning#to_s ## 1.2.0 * Speed improvements for CheckExecute and CheckRender * Check named_scope() and scope() for SQL injection * Add --rake option to create rake task to run Brakeman * Add experimental support for rescanning a subset of files * Add --summary option to only output summary * Fix a problem with Rails 3 routes ## 1.1.0 * Relax required versions for dependencies * Performance improvements for source processing * Better progress reporting * Handle basic operators like << + - * / * Rescue more errors to prevent complete crashes * Compatibility with newer Haml versions * Fix some warnings ## 1.0.0 * Better handling of assignments inside ifs * Check more expressions for SQL injection * Use latest ruby_parser for better 1.9 syntax support * Better behavior for Brakeman as a library ## 1.0.0rc1 * Brakeman can now be used as a library * Faster call search * Add option to return error code if warnings are found (tw-ngreen) * Allow truncated messages to be expanded in HTML * Fix summary when using warning thresholds * Better support for Rails 3 routes * Reduce SQL injection duplicate warnings * Lower confidence on mass assignment with no user input * Ignore mass assignment using all literal arguments * Keep expanded context in view with HTML output ## 0.9.2 * Fix Rails 3 configuration parsing * Add t() helper to check for translate XSS bug ## 0.9.1 * Add warning for translator helper XSS vulnerability ## 0.9.0 * Process Rails 3 configuration files * Fix CSV output * Check for config.active_record.whitelist_attributes = true * Always produce a warning for without_protection => true ## 0.8.4 * Option for separate attr_accessible warnings * Option to set CSS file for HTML output * Add file names for version-specific warnings * Add line number for default routes in a controller * Fix hash_insert() * Remove use of Queue from threaded checks ## 0.8.3 * Respect -w flag in .tabs format (tw-ngreen) * Escape HTML output of error messages * Add --skip-libs option ## 0.8.2 * Run checks in parallel threads by default * Fix compatibility with ruby_parser 2.3.1 ## 0.8.1 * Add option to assume all controller methods are actions * Recover from errors when parsing routes ## 0.8.0 * Add check for mass assignment using without_protection * Add check for password in http_basic_authenticate_with * Warn on user input in hash argument with mass assignment * auto_link is now considered safe for Rails >= 3.0.6 * Output detected Rails version in report * Keep track of methods called in class definition * Add ruby_parser hack for Ruby 1.9 hash syntax * Add a few Rails 3.1 tests ## 0.7.2 * Fix handling of params and cookies with nested access * Add CVEs for checks added in 0.7.0 ## 0.7.1 * Require BaseProcessor for GemProcessor ## 0.7.0 * Allow local variable as a class name * Add checks for vulnerabilities fixed in Rails 2.3.14 and 3.0.10 * Check for default routes in Rails 3 apps * Look in Gemfile or Gemfile.lock for Rails version ## 0.6.1 * Fix XSS check for cookies as parameters in output * Don't bother calling super in CheckSessionSettings * Add escape_once as a safe method * Accept '\Z' or '\z' in model validations ## 0.6.0 * Tests are in place and fully functional * Hide errors by default in HTML output * Warn if routes.rb cannot be found * Narrow methods assumed to be file access * Increase confidence for methods known to not escape output * Fixes to output processing for Erubis * Fixes for Rails 3 XSS checks * Fixes to line numbers with Erubis * Fixes to escaped output scanning * Update CSRF CVE-2011-0447 message to be less assertive ## 0.5.2 * Output report file name when finished * Add initial tests for Rails 2.x * Fix ERB line numbers when using Ruby 1.9 ## 0.5.1 * Fix issue with 'has_one' => in routes ## 0.5.0 * Add support for routes like get 'x/y', :to => 'ctrlr#whatever' * Allow empty blocks in Rails 3 routes * Check initializer for session settings * Add line numbers to session setting warnings * Add --checks option to list checks ## 0.4.1 * Fix reported line numbers when using new Erubis parser (Mostly affects Rails 3 apps) ## 0.4.0 * Handle Rails XSS protection properly * More detection options for rails_xss * Add --escape-html option ## 0.3.2 * Autodetect Rails 3 applications * Turn on auto-escaping for Rails 3 apps * Check Model.create() for mass assignment ## 0.3.1 * Always output a line number in tabbed output format * Restrict characters in category name in tabbed output format to word characters and spaces, for Hudson/Jenkins plugin ## 0.3.0 * Check for SQL injection in calls using constantize() * Check for SQL injection in calls to count_by_sql() ## 0.2.2 * Fix version_between? when no Rails version is specified ## 0.2.1 * Add code snippet to tab output messages ## 0.2.0 * Add check for mail_to vulnerability - CVE-2011-0446 * Add check for CSRF weakness - CVE-2011-0447 ## 0.1.1 * Be more permissive with ActiveSupport version ## 0.1.0 * Check link_to for XSS (because arguments are not escaped) * Process layouts better (although not perfectly yet) * Load custom Haml filters if they are in lib/ * Tab separated output via .tabs output extension * Switch to normal versioning scheme