brakeman
A static analysis security vulnerability scanner for Ruby on Rails applications
OTHER License
Ecosystems:
Ruby on Rails,
Ruby
Bot releases are visible (Hide)
brakeman
- 3.3.0
Published by presidentbeef over 8 years ago
- Bundle all dependencies in gem
- Return exit code
4if no Rails application is detected (#869) - Add optional check for secrets in source code (#201)
- Track constants globally
- Skip if branches with
Rails.env.test?(#862) - Skip processing obviously false if branches (more broadly)
- Handle HAML
find_and_preservewith a block (#837) - Process
Array#first - Allow non-Hash arguments in
protect_from_forgery(Jason Yeo) - Avoid warning about
uhelper (Chad Dollins) - Avoid warning about mass assignment and SQL injection with
params.slice(#866) - Avoid warning about
sliceinredirect_toandlink_to(#832) - Avoid warning on
popenwith array (#851) - [Code Climate engine] When possible, output to /dev/stdout (Gordon Diggs)
- [Code Climate engine] Remove nil entries from
include_paths(Gordon Diggs) - [Code Climate engine] Report end lines for issues (Gordon Diggs)
brakeman
- 3.2.0
Published by presidentbeef over 8 years ago
- Support calls using
&.operator (#796) - Handle CoffeeScript in HAML (#813)
- Avoid render warnings about
params[:action]/params[:controller](#812) - Only update ignore config file on changes (#824)
- Sort ignore config file
- Index calls in class bodies but outside methods (#814)
- Skip Symbol DoS check on Rails 5
- Fix finding calls with
targets: nil - Remove
fastercsvdependency - Remove
multi-jsondependency
brakeman
- 3.2.1
Published by presidentbeef over 8 years ago
- Remove multi_json from bin/brakeman
brakeman
- 3.1.5
Published by presidentbeef over 8 years ago
- Support directories better in
--only-filesand--skip-files(Patrick Toomey) - Fix CodeClimate construction of
--only-files(Will Fleming) - Avoid warning about
permitin SQL (669) - Handle guards using
detect(376) - Handle module names with self methods (#785)
- Add session manipulation documentation (#791)
- Check for implicit integer comparison in dynamic finders
- Avoid warning on user input in comparisons
- Add check for denial of service via routes (CVE-2015-7581)
- Warn about RCE with
render params(CVE-2016-0752) - Add check for
strip_tagsXSS (CVE-2015-7579) - Add check for
sanitizeXSS (CVE-2015-7578/80) - Add check for
reject_ifproc bypass (CVE-2015-7577) - Add check for mime-type denial of service (CVE-2016-0751)
- Add check for basic auth timing attack (CVE-2015-7576)
- Add initial Rails 5 support
brakeman
- 3.1.4
Published by presidentbeef over 8 years ago
- Emit Brakeman's native fingerprints for Code Climate engine (Noah Davis)
- Ignore
secrets.ymlif in .gitignore (#777) - Work around
safe_yamlerror (#778) - Increase test coverage for option parsing (Zander Mackie)
- Clean up Ruby warnings (Andy Waite)
brakeman
- 3.1.3
Published by presidentbeef almost 9 years ago
- Add Code Climate output format (Ashley Baldwin-Hunter / Devon Blandin / John Pignata / Michael Bernstein)
- Restore minimum Highline version (Kevin Glowacz)
- Depend on safe_yaml 1.0 or later (#753)
- Check for session secret in secrets.yml (#760)
- Avoid warning on
without_protection: truewith hash literal (#769) - Respect
exit_on_warnin config file (#771) - Avoid outputting false for
user_inputin JSON - Iteratively replace variables
- CallIndex improvements
- Improved tests for the Brakeman module (Bethany Rentz)
- Make sure a
before_filterwith block is a call (#763)
brakeman
- 3.1.2
Published by presidentbeef almost 9 years ago
- Sortable tables in HTML report (David Lanner)
- Add line numbers to class-level warnings
- Warn on SQL query keys, not values in hashes (#738)
- Set user input value for inline renders
- Avoid warning on inline renders with safe content types
- Treat
current_userlike a model (#744) - Avoid warning about model
find/find_by*in hrefs - Handle
private def ... - Handle empty interpolation in HAML filters (#732)
- Catch divide-by-zero in alias processing (#729)
- Ignore filters that are not method names
- Search for config file relative to application root
- Use SafeYAML to load configuration files
- Allow inspection of recursive Sexps
- Reduce string allocations in
Warning#initialize
- Update dependencies to Ruby 1.8 incompatible versions
- Update render path information in JSON reports
- Remove renaming of several
Sexpnodes - Treat
html_safelikeraw - Use railties version if rails gem is missing (Lucas Mazza)
- Warn about unverified SSL mode in
Net::HTTP.start - Expand XSS safe methods
- Avoid warning on path creation methods in
link_to - Add support for
gems.rb/gems.locked(#705) - Fix low confidence XSS warning code
- Avoid duplicate
evalwarnings - Convert YAML config keys to symbols (Karl Glaser)
brakeman
- 3.1.1
Published by presidentbeef about 9 years ago
- Add check for user input in session keys
- Add optional check for use of MD5 and SHA1
- Fix absolute paths for Windows (Cody Frederick)
- Allow searching call index methods by regex (Alex Ianus)
- Consider
j/escape_javascriptsafe inside Haml JavaScript blocks (#708) - Better Haml processing of
find_and_preservecalls - Fix chained assignment
- Treat
a.try(&:b)likea.b() - Add more Arel methods to be ignored in SQL (#711)
- Avoid warning when linking to decorated models (#683)
- Support newer terminal-table releases (#709)
brakeman
- 3.0.5
Published by presidentbeef over 9 years ago
- Fix check for CVE-2015-3227
brakeman
- 3.0.3
Published by presidentbeef over 9 years ago
- Warn about
protect_from_forgerywithout exceptions (Neil Matatall) - Add Rake task to exit with error code on warnings (masarakki)
- Ignore
quoted_table_namein SQL (Gabriel Sobhrinho) - Ignore more Arel methods in SQL (#604)
- Warn about RCE and file access with
open - Handle
Array#include?guard conditionals (#604) - Handle lambdas as filters
- Do not ignore targets of
to_sin SQL (#638)
brakeman
- 3.0.2
Published by presidentbeef over 9 years ago
- Fix HTML reports with GitHub repos (#624)
- Handle processing of explictly shadowed block arguments (#612)
- Fix CSV output when there are no warnings (#615)
- Update
ruby_parserto ~> 3.6.2 - Treat
primary_key,table_name_prefix,table_name_suffixas safe in SQL - Fix using
--compareand--add-checks-pathtogether - Alias process methods called in class scope on models
- Avoid warning about mass assignment with string literals
- Only report original regex DoS locations
- Report correct file for
simple_formatusage CVE warning - Ignore case value in XSS checks
- Formatting newlines removed from HAML templates
- Improved render path information tracking
brakeman
- 3.0.1
Published by presidentbeef over 9 years ago
- Remove Slim dependency (Casey West)
- Properly process libraries (Patrick Toomey)
- Add
--add-libs-pathfor additional libraries (Patrick Toomey) - Allow for controllers/models/templates in directories under
app/(Neal Harris) - Avoid
protect_from_forgerywarning unlessApplicationControllerinherits fromActionController::Base(#573) - Properly format command interpolation (again)
brakeman
- 3.0.0
Published by presidentbeef almost 10 years ago
-
--exit-on-warn --compareonly returns error code on new warnings (Jeff Yip) - Sort warnings by fingerprint in JSON report (Jeff Yip)
- CVEs report correct line and file name (Gemfile/Gemfile.lock) (Rob Fletcher)
- Change
--separate-modelsto be the default - Local variables are no longer formatted as
(local var) - Actually skip skipped before filters
- Remove "fake filters" from warning fingerpints
- Index calls in
lib/files - Handle symmetric multiple assignment
- Do not branch for self attribute assignment
x = x.y(#552) - Move Symbol DoS to optional checks
- Add check for cross site scripting via inline renders
- Add check for CVE-2014-7829
- Fix parsing of
<%==in ERB - Fix output format of command interpolation
- Fix CVE for CVE-2011-2932
brakeman
- 2.6.3
Published by presidentbeef about 10 years ago
- Whitelist
existsarel method from SQL injection check - Avoid warning about Symbol DoS on safe parameters as method targets
- Fix stack overflow in ProcessHelper#class_name
- Add optional check for unscoped find queries (Ben Toews)
- Add framework for optional checks
- Fix stack overflow for cycles in class ancestors (Jeff Rafter)
brakeman
- 2.6.2
Published by presidentbeef about 10 years ago
- Add check for CVE-2014-3514
- Add
--add-checks-pathoption for external checks (Clint Gibler) - Add
-4option to force Rails 4 mode - Fix SQL injection detection in deep nested string building
- Check entire call for
send(#523) - Check for .gitignore of secrets in subdirectories (#519)
- Avoid warning about symbolizing safe parameters (#536)
- Fix block statment endings in Erubis (#518)
- Update ruby2ruby dependency to 2.1.1
- Expand app path in one place instead of all over (Jeff Rafter)
- Fix undefined variable in controller processing error (Jason Barnabe)
brakeman
- 2.6.1
Published by presidentbeef about 10 years ago
- Add check for CVE-2014-3482 and CVE-2014-3483
- Add support for keyword arguments in blocks (#511)
- Remove unused warning codes (Bill Fischer)
brakeman
- 2.6.0
Published by presidentbeef over 10 years ago
- Fix detection of
:hostsetting in redirects with chained calls - Add check for CVE-2014-0130
- Add
find_by/find_by!to SQLi check for Rails 4 - Parse most files upfront instead of on demand
- Do not branch values for
+= - Update to use RubyParser 3.5.0 (Patrick Toomey)
- Improve default route detection in Rails 3/4 (Jeff Jarmoc)
- Handle controllers and models split across files (Patrick Toomey)
- Fix handling of
protected_attributesgem in Rails 4 (Geoffrey Hichborn) - Ignore more model methods in redirects
- Fix CheckRender with nested render calls
brakeman
- 2.4.2
Published by presidentbeef over 10 years ago
- Remove
rescue Exception - Fix duplicate warnings about sanitize CVE
- Reuse duplicate call location information
- Only track original template output locations
- Skip identically rendered templates
- Fix HAML template processing
Package Rankings
Top 3.78% on Proxy.golang.org
Top 0.39% on Rubygems.org
Badges
Extracted from project README
