brakeman | Ruby on Rails Ecosystem Directory

Bot releases are hidden (Show)

brakeman - 5.0.0

Published by presidentbeef over 3 years ago

Scan (almost) all Ruby files in project
Revamp CSV report to a CSV list of warnings
Add Sonarqube report format (Adam England)
Add check for (more) unsafe method reflection (#1488, #1507, and #1508)
Add check for potential HTTP verb confusion (#1432)
Add --[no-]skip-vendor option
Ignore uuid as a safe attribute
Ignore Tempfile#path in shell commands
Ignore development environment
Collapse __send__ calls
Set Rails configuration defaults based on load_defaults version
Update Ruby requirement to version 2.4.0
Suggest using --force if no Rails application is detected

brakeman - 4.10.1

Published by presidentbeef almost 4 years ago

Declare REXML as a dependency (Ruby 3.0 compatibility)
Use Sexp#sexp_body instead of Sexp#[..] (Ruby 3.0 compatibility)
Prevent render loops when template names are absolute paths (#1536)
Ensure RubyParser is passed file path as a String (#1534)
Support new Haml 5.2.0 escaping method (#1517)

brakeman - 5.0.0.pre1

Published by presidentbeef almost 4 years ago

Add check for (more) unsafe method reflection
Suggest using --force if no Rails application is detected
Add Sonarqube report format (Adam England)
Add check for potential HTTP verb confusion
Add --[no-]skip-vendor option
Scan (almost) all Ruby files in project
Add support for Haml 5.2.0

brakeman - 4.10.0

Published by presidentbeef about 4 years ago

Add SARIF report format (Steve Winton)

brakeman - 4.9.1

Published by presidentbeef about 4 years ago

Use version from active_record for non-Rails apps (Ulysse Buonomo)
Check chomped strings for SQL injection (#1509)
Always set line number for joined arrays (#1499)
Avoid warning about missing attr_accessible if protected_attributes gem is used (#1512)
Bundle latest ruby_parser (4.15.0)

brakeman - 4.9.0

Published by presidentbeef about 4 years ago

Add --ensure-ignore-notes (Eli Block)
Add check for user input in ERB.new (Matt Hickman)
Add check for CVE-2020-8166 (Jamie Finnigan)
Always scan environment.rb
Avoid warning when safe_yaml is used via YAML.load(..., safe: true)
Do not warn about mass assignment with params.permit!.slice
Ignore params.permit! in path helpers
Treat Dir.glob as safe source of values in guards
Remove whitelist/blacklist language, add clarifications
Add "full call" information to call index results
Updated Slim dependency (Jeremiah Church)

brakeman - 4.8.1

Published by presidentbeef over 4 years ago

Warn about global(!) mass assignment
Check SQL query strings using String#strip or String.squish (#1459)
Handle non-symbol keys in locals hash for render (#1465)
Index calls in render arguments (#1459)

brakeman - 4.8.2

Published by presidentbeef over 4 years ago

Add --text-fields option
Add check for CVE-2020-8159
Add check for escaping HTML entities in JSON configuration option
Fix authenticate_or_request_with_http_basic check for passed blocks (Hugo Corbucci)

brakeman - 4.8.0

Published by presidentbeef over 4 years ago

Add JUnit XML report format (Naoki Kimurai)
Sort ignore files by fingerprint and line (Ngan Pham)
Catch dangerous concatenation in CheckExecute (Jacob Evelyn)
User-friendly message when ignore config file has invalid JSON (D. Hicks)
Freeze call index results, fix thread-safety issue
Properly render confidence in Markdown report (#1446)
Report old warnings as fixed if zero warnings reported
Initialize Rails version with nil (Carsten Wirth)
Fix output test when using newer Minitest

brakeman - 4.7.2

Published by presidentbeef almost 5 years ago

Add request.params as query parameters (#1398)
Handle more permit! cases (#1426)
Remove version guard for named_scope vs. scope
Find SQL injection in String#strip_heredoc target (#1433)
Ensure file name is set when processing models
Bundle ruby_parser version 3.14.1 (#1429)

brakeman - 4.7.1

Published by presidentbeef almost 5 years ago

Sort text report by file and line (Jacob Evelyn)
Catch reverse tabnabbing with :_blank symbol (Jacob Evelyn)
Convert s(:lambda) to s(:call) in Sexp#block_call (#1410)
Check string length against limit before joining
Fix flaky rails4 test (Adam Kiczula)
Fix errors from frozen Symbol#to_s in Ruby 2.7
Add release dates to each version in CHANGES (TheSpartan1980)

brakeman - 4.7.0

Published by presidentbeef about 5 years ago

Update Haml support to Haml 5.x (#1044)
Catch shell injection from -c shell commands (Jacob Evelyn)
Correctly handle non-symbols in CheckCookieSerialization (Phil Turnbull)
Refactor Brakeman::Differ#second_pass (Benoit Côté-Jodoin)
Fix version_between? (Andrey Glushkov)
Ignore interpolation in %W[] (#1399)
Ignore form_for for XSS check

brakeman - 4.6.1

Published by presidentbeef about 5 years ago

Fix Reverse Tabnabbing warning message (Steffen Schildknecht / Jörg Schiller)

brakeman - 4.6.0

Published by presidentbeef about 5 years ago

Add check for cookie serialization with Marshal (#1316)
Add reverse tabnabbing check (Linos Giannopoulos)
Avoid warning about file access with ActiveStorage::Filename#sanitized (Tejas Bubane)
Update loofah version for fixing CVE-2018-8048 (Markus Nölle)
Warn people that Haml 5 is not fully supported (Jared Beck)
Index calls in initializers
Improve template output handling in conditional branches
Avoid assigning nil line numbers to Sexps
Add special warning code for custom checks
Add call matching by regular expression
Skip calls to dup (#1374)
Restore Warning#relative_path
Better handling of gems with no version declared

brakeman - 4.5.1

Published by presidentbeef over 5 years ago

Add initial Rails 6 support
Add optional check for config.force_ssl (#1181)
Add deserialization warning for Oj.load/object_load
Add SQL injection checks for destroy_by/delete_by
Add SQL injection checks for find_or_create_by and friends
Check link_to with block for href XSS (#1339)
Convert !! calls to boolean value (#1343)
Use relative paths for __FILE__
Represent file paths internally as Brakeman::FilePath
Handle empty partial names
Handle trailing comma in block args
Remove code for Ruby versions prior to 1.9

brakeman - 4.5.0

Published by presidentbeef over 5 years ago

Officially drop support for running with older Ruby versions
More thoroughly handle Shellwords escaping (#1323)
Handle non-integer version number comparisons (#1305)
Better handling of splat/kwsplat arguments (#1204)
Handle ** inside Hash literals
Add support for CoffeeScript in Slim templates
Improve support for embedded template "filters"
Remove Sass dependency
Avoid joining strings with different encodings
Improve "user input" reported for SQL injection
Stop swallowing exceptions in AliasProcessor
Add original exception to Tracker#errors list
Use FileParser in Scanner to parse files
Set location information in CheckContentTag
Update RubyParser to 3.13.0

brakeman - 4.4.0

Published by presidentbeef almost 6 years ago

Add check for CVE-2018-3760
Add --enable option to enable optional checks
Add Dockerfile to run Brakeman inside Docker (Ryan Kemper)
Handle empty secrets.yml files (Naoki Kimura)
Ignore Tempfiles in FileAccess warnings (Christina Koller)
Avoid warning about command injection when String#shellescape and Shellwords.shelljoin are used (George Ogata)
Treat if not like unless (#1225)
Fix Rails 4 configuration handling
Set default encoding to UTF-8
Support reading gem versions from gemspecs
Support gem versions which are just major.minor (e.g. 3.0)
Correctly set rel="noreferrer" in HTML reports
Fix thread-safety issue in CallIndex
Fix trim mode for ERb templates in old Rails versions
Avoid nil errors when concatenating arrays
Add rendered template information to render paths
Trim some unnecessary files from bundled gems
Deadcode and typo fixes found via Coverity
Complete overhaul of warning message construction
Update to Slim 4.0.1 (Jake Peterson)
Update to RubyParser 3.12.0
Updated license