brakeman

A static analysis security vulnerability scanner for Ruby on Rails applications

License: OTHER
Downloads: 135.9M
Stars: 7K
Committers: 162


brakeman - 1.8.2

Published by presidentbeef over 10 years ago

  • Fixed rescanning problems caused by 1.8.0 changes
  • Fix scope calls with single argument
  • Report specific model name in rendered collections
  • Handle overwritten JSON escape settings
  • Much improved test coverage
  • Add CHANGES to gemspec

brakeman - 1.8.1

Published by presidentbeef over 10 years ago

  • Recover from errors in output formatting
  • Fix false positive in redirect_to (Neil Matatall)
  • Fix problems with removal of Sexp#method_missing
  • Fix array indexing in alias processing
  • Fix old mail_to vulnerability check
  • Fix rescans when only controller action changes
  • Allow comparison of versions with unequal lengths
  • Handle super calls with blocks
  • Respect -q flag for "Rails 3 detected" message

brakeman - 1.8.0

Published by presidentbeef over 10 years ago

  • Support relative paths in reports (fsword)
  • Allow Brakeman to be run without tty (fsword)
  • Fix exit code with --compare (fsword)
  • Fix --rake option (Deepak Kumar)
  • Add high confidence warnings for to_json XSS (Neil Matatall)
  • Fix redirect_to false negative
  • Fix duplicate warnings with raw calls
  • Fix shadowing of rendered partials
  • Add "render chain" to HTML reports
  • Add check for XSS in content_tag
  • Add full backtrace for errors in debug mode
  • Treat model attributes in or expressions as immediate values
  • Switch to method access for Sexp nodes

brakeman - 1.7.1

Published by presidentbeef over 10 years ago

  • Add check for CVE-2012-3463
  • Add check for CVE-2012-3464
  • Add check for CVE-2012-3465
  • Add charset to HTML report (hooopo)
  • Report XSS in select() for Rails 2

brakeman - 1.7.0

Published by presidentbeef over 10 years ago

  • Add check for CVE-2012-3424
  • Link report types to descriptions on website
  • Report errors raised while running check
  • Improve processing of Rails 3 routes
  • Fix "empty char-class" error
  • Improve file access check
  • Avoid warning on non-ActiveModel models
  • Speed improvements by stripping down SexpProcessor
  • Fix how params[:x] ||= is handled
  • Treat user input in or expressions as immediate values
  • Fix processing of negative array indexes
  • Add line breaks to truncated table rows

brakeman - 1.6.2

Published by presidentbeef over 10 years ago

  • Add checks for CVE-2012-2660, CVE-2012-2661, CVE-2012-2694, CVE-2012-2695 (Dave Worth)
  • Avoid warning when redirecting to a model instance
  • Add request.parameters as a parameters hash
  • Raise confidence level for model attributes in redirects
  • Return non-zero exit code when missing dependencies
  • Fix before_filter :except logic
  • Only accept symbol literals as before_filter names
  • Cache before_filter lookups
  • Turn off quiet mode by default for --compare

brakeman - 1.6.1

Published by presidentbeef over 10 years ago

  • Major rewrite of CheckSQL
  • Fix rescanning of deleted templates
  • Process actions mixed into controllers
  • Handle render :template => ...
  • Check for inherited attr_accessible (Neil Matatall)
  • Fix highlighting of HTML escaped values in HTML report
  • Report line number of highlighted value, if available

brakeman - 1.6.0

Published by presidentbeef over 10 years ago

  • Remove the Ruport dependency (Neil Matatall)
  • Add more informational JSON output (Neil Matatall)
  • Add comparison to previous JSON report (Neil Matatall)
  • Add highlighting of dangerous values in HTML/text reports
  • Model#update_attribute should not raise mass assignment warning (Dave Worth)
  • Don't check find_by_* method for SQL injection
  • Fix duplicate reporting of mass assignment and SQL injection
  • Fix rescanning of deleted files
  • Properly check for rails_xss in Gemfile

brakeman - 1.5.3

Published by presidentbeef over 10 years ago

  • Add check for user input in Object#send (Neil Matatall)
  • Handle render :layout in views
  • Support output to multiple formats (Nick Green)
  • Prevent infinite loops in mutually recursive templates
  • Only check eval arguments for user input, not targets
  • Search subdirectories for models
  • Set values in request hashes and propagate to views
  • Add rake task file to gemspec (Anton Ageev)
  • Filter rescanning of templates (Neil Matatall)
  • Improve handling of modules and nesting
  • Test for zero errors in test reports

brakeman - 1.5.2

Published by presidentbeef over 10 years ago

  • Fix link_to checks for Rails 2.0 and 2.3
  • Fix rescanning of lib files (Neil Matatall)
  • Output stack trace on interrupt when debugging
  • Ignore user input in if statement conditions
  • Fix --skip-files option
  • Only warn on user input in render paths
  • Fix handling of views when using rails_xss
  • Revert to ruby_parser 2.3.1 for Ruby 1.8 parsing

brakeman - 1.5.1

Published by presidentbeef over 10 years ago

  • Fix detection of global mass assignment setting
  • Fix partial rendering in Rails 3
  • Show backtrace when interrupt received (Ruby 1.9 only)
  • More debug output
  • Remove duplicate method in Brakeman::Rails2XSSErubis
  • Add tracking of module and class to Brakeman::BaseProcessor
  • Report module when using Brakeman::FindCall

brakeman - 1.5.0

Published by presidentbeef over 10 years ago

  • Add version check for SafeBuffer vulnerability
  • Add check for select vulnerability in Rails 3
  • select() is no longer considered safe in Rails 2
  • Add check for skipping CSRF protection with a blacklist
  • Add JSON report format
  • Model#id should not be considered XSS
  • Standardize methods to check for SQL injection
  • Fix Rails 2 route parsing issue with nested routes

brakeman - 1.4.0

Published by presidentbeef over 10 years ago

  • Add check for user input in link_to href parameter
  • Match ERB processing to rails_xss plugin when plugin used
  • Add Brakeman::Report#to_json, Brakeman::Warning#to_json
  • Warnings below minimum confidence are dropped completely
  • Brakeman.run always returns a Tracker

brakeman - 1.3.0

Published by presidentbeef over 10 years ago

  • Add file paths to HTML report
  • Add caching of filters
  • Add --skip-files option
  • Add support for attr_protected
  • Add detection of request.env as user input
  • Descriptions of checks in -k output
  • Improved processing of named scopes
  • Check for mass assignment in ActiveRecord::Associations::AssociationCollection#build
  • Better variable substitution
  • Table output option for rescan reports

brakeman - 1.2.2

Published by presidentbeef over 10 years ago

  • --no-progress works again
  • Make CheckLinkTo a separate check
  • Don't fail on unknown options to resource(s)
  • Handle empty resource(s) blocks
  • Add RescanReport#existing_warnings

brakeman - 1.2.1

Published by presidentbeef over 10 years ago

  • Remove link_to warning for Rails 3.x or when using rails_xss
  • Don't warn if first argument to link_to is escaped
  • Detect usage of attr_accessible with no arguments
  • Fix error when rendering a partial from a view but not through a controller
  • Fix some issues with rails_xss, CheckCrossSiteScripting, and CheckTranslateBug
  • Simplify Brakeman Rake task
  • Avoid modifying $VERBOSE
  • Add Brakeman::RescanReport#to_s
  • Add Brakeman::Warning#to_s

brakeman - 1.2.0

Published by presidentbeef over 10 years ago

  • Speed improvements for CheckExecute and CheckRender
  • Check named_scope() and scope() for SQL injection
  • Add --rake option to create rake task to run Brakeman
  • Add experimental support for rescanning a subset of files
  • Add --summary option to only output summary
  • Fix a problem with Rails 3 routes

brakeman - 1.1.0

Published by presidentbeef over 10 years ago

  • Relax required versions for dependencies
  • Performance improvements for source processing
  • Better progress reporting
  • Handle basic operators like << + - * /
  • Rescue more errors to prevent complete crashes
  • Compatibility with newer Haml versions
  • Fix some warnings

brakeman - 1.0.0

Published by presidentbeef over 10 years ago

  • Better handling of assignments inside ifs
  • Check more expressions for SQL injection
  • Use latest ruby_parser for better 1.9 syntax support
  • Brakeman can now be used as a library
  • Faster call search
  • Add option to return error code if warnings are found (tw-ngreen)
  • Allow truncated messages to be expanded in HTML
  • Fix summary when using warning thresholds
  • Better support for Rails 3 routes
  • Reduce SQL injection duplicate warnings
  • Lower confidence on mass assignment with no user input
  • Ignore mass assignment using all literal arguments
  • Keep expanded context in view with HTML output

brakeman - 0.9.2

Published by presidentbeef over 10 years ago

  • Fix Rails 3 configuration parsing
  • Add t() helper to check for translate XSS bug