brakeman

A static analysis security vulnerability scanner for Ruby on Rails applications

License: OTHER
Downloads: 135.9M
Stars: 7K
Committers: 162


brakeman - 2.4.3

Published by presidentbeef over 10 years ago

Signed gem, same as 2.4.2 otherwise.

brakeman - 2.5.0

Published by presidentbeef over 10 years ago

  • Add support for RailsLTS 2.3.18.7 and 2.3.18.8
  • Add support for Rails 4 before_actions and friends
  • Move SQLi CVE checks to CheckSQLCVEs
  • Check for protected_attributes gem
  • Fix SQLi detection in chain calls in scopes
  • Add GitHub-flavored Markdown output format (Greg Ose)
  • Fix false positives when sanitize() is used in SQL (Jeff Yip)
  • Add String#intern and Hash#symbolize_keys DoS check (Jan Rusnacko)
  • Check all arguments in Model.select for SQLi
  • Fix false positive when :host is specified in redirect
  • Handle more non-literals in routes
  • Add check for regex denial of service (Ben Toews)

brakeman - 2.4.1

Published by presidentbeef over 10 years ago

  • Add check for CVE-2014-0082
  • Add check for CVE-2014-0081, replaces CVE-2013-6415
  • Add check for CVE-2014-0080

brakeman - 0.2.0

Published by presidentbeef over 10 years ago

  • Add check for mail_to vulnerability - CVE-2011-0446
  • Add check for CSRF weakness - CVE-2011-0447
brakeman - 0.0.3

Published by presidentbeef over 10 years ago

brakeman - 2.4.0

Published by presidentbeef over 10 years ago

  • Detect Rails LTS versions
  • Reduce false positives for SQL injection in string building
  • More accurate user input marking for SQL injection warnings
  • Detect SQL injection in delete_all/destroy_all
  • Detect SQL injection in raw SQL queries using connection
  • Parse exact versions from Gemfile.lock for all gems
  • Ignore generators
  • Update to RubyParser 3.4.0
  • Fix false positives when SQL methods are not called on AR models (Aaron Bedra)
  • Add check for uses of OpenSSL::SSL::VERIFY_NONE (Aaron Bedra)
  • No longer raise exceptions if a class name cannot be determined
  • Fingerprint attribute warnings individually (Case Taintor)

brakeman - 2.3.1

Published by presidentbeef over 10 years ago

  • Fix check for CVE-2013-4491 (i18n XSS) to detect workaround
  • Fix link for CVE-2013-6415 (number_to_currency)

brakeman - 2.3.0

Published by presidentbeef over 10 years ago

  • Add check for Parameters#permit!
  • Add check for CVE-2013-4491 (i18n XSS)
  • Add check for CVE-2013-6414 (header DoS)
  • Add check for CVE-2013-6415 (number_to_currency)
  • Add check for CVE-2013-6416 (simple_format XSS)
  • Add check for CVE-2013-6417 (query generation)
  • Fix typos in reflection and translate bug messages
  • Collapse send/try calls
  • Fix Slim XSS false positives (Noah Davis)
  • Whitelist Model#create for redirects
  • Fix scoping issues with instance variables and blocks

brakeman - 2.2.0

Published by presidentbeef over 10 years ago

  • Reduce command injection false positives
  • Use Rails version from Gemfile if it is available
  • Only add routes with actual names
  • Ignore redirects to models using friendly_id (AJ Ostrow)
  • Support scanning Rails engines (Geoffrey Hichborn)
  • Add check for detailed exceptions in production

brakeman - 2.1.2

Published by presidentbeef over 10 years ago

  • Do not attempt to load custom Haml filters
  • Do not warn about to_json XSS in Rails 4
  • Add --table-width option to set width of text reports (ssendev)
  • Remove fuzzy matching on dangerous attr_accessible values

brakeman - 2.1.1

Published by presidentbeef over 10 years ago

  • New warning code for dangerous attributes in attr_accessible
  • Do not warn on attr_accessible using roles
  • More accurate results for model attribute warnings
  • Use exit code zero with -z if all warnings ignored
  • Respect ignored warnings in rescans
  • Ignore dynamic controller names in routes
  • Fix infinite loop when run as rake task (Matthew Shanley)
  • Respect ignored warnings in tabs format reports

brakeman - 2.1.0

Published by presidentbeef over 10 years ago

  • Support non-native line endings in Gemfile.lock (Paul Deardorff)
  • Support for ignoring warnings
  • Check for dangerous model attributes defined in attr_accessible (Paul Deardorff)
  • Update to ruby_parser 3.2.2
  • Add brakeman-min gemspec
  • Load gem dependencies on-demand
  • Output JSON diff to file if -o option is used
  • Add check for authenticate_or_request_with_http_basic
  • Refactor of SQL injection check code (Bart ten Brinke)
  • Fix detection of duplicate XSS warnings
  • Refactor reports into separate classes
  • Allow use of Slim 2.x (Ian Zabel)
  • Return error exit code when application path is not found
  • Add --branch-limit option, limit to 5 by default
  • Add more methods to check for command injection
  • Fix output format detection to be more strict again
  • Allow empty Brakeman configuration file

brakeman - 2.0.0

Published by presidentbeef over 10 years ago

  • Add --only-files option to specify files/paths to scan (Ian Ehlert)
  • Add Marshal/CSV deserialization check
  • Combine deserialization checks into single check
  • Avoid duplicate "Dangerous Send" and "Unsafe Reflection" warnings
  • Avoid duplicate results for Symbol DoS check
  • Medium confidence for mass assignment to attr_protected models
  • Remove "timestamp" key from JSON reports
  • Remove deprecated config file locations
  • Relative paths are used by default in JSON reports
  • --absolute-paths replaces --relative-paths
  • Only treat classes with names containing Controller like controllers
  • Better handling of classes nested inside controllers
  • Better handling of controller classes nested in classes/modules
  • Handle -> lambdas with no arguments
  • Handle explicit block argument destructuring
  • Skip Rails config options that are real objects
  • Detect Rails 3 JSON escape config option
  • Much better tracking of warning file names
  • Fix errors when using --separate-models (Noah Davis)
  • Fix fingerprint generation to actually use the file path
  • Fix text report console output in JRuby
  • Fix false positives on Model#id
  • Fix false positives on params.to_json
  • Fix model path guesses to use "models/" instead of "controllers/"
  • Clean up SQL CVE warning messages
  • Use exceptions instead of abort in brakeman lib
  • Update to Ruby2Ruby 2.0.5

brakeman - 1.9.5

Published by presidentbeef over 10 years ago

  • Add check for unsafe symbol creation
  • Do not warn on mass assignment with slice/only
  • Do not warn on session secret if in .gitignore
  • Fix scoping for blocks and block arguments
  • Fix error when modifying blocks in templates
  • Fix session secret check for Rails 4
  • Fix crash on before_filter outside controller
  • Fix Sexp hash cache invalidation
  • Respect quiet option in configuration file
  • Convert assignment to simple if expressions to or
  • More fixes for assignments inside branches
  • Pin to ruby2ruby version 2.0.3

brakeman - 1.9.4

Published by presidentbeef over 10 years ago

  • Add check for CVE-2013-1854
  • Add check for CVE-2013-1855
  • Add check for CVE-2013-1856
  • Add check for CVE-2013-1857
  • Fix --compare to work with older versions
  • Add "no-referrer" to HTML report links
  • Don't warn when invoking send on user input
  • Slightly faster cloning of Sexps
  • Detect another way to add strong_parameters

brakeman - 1.9.3

Published by presidentbeef over 10 years ago

  • Add render path to JSON report
  • Add warning fingerprints
  • Add check for unsafe reflection (Gabriel Quadros)
  • Add check for skipping authentication methods with blacklist
  • Add support for Slim templates
  • Remove empty tables from reports (Owen Ben Davies)
  • Handle prepend/append_before_filter
  • Performance improvements when handling branches
  • Fix processing of production.rb
  • Fix version check for Ruby 2.0
  • Expand HAML dependency to include 4.0
  • Scroll errors into view when expanding in HTML report

brakeman - 1.9.2

Published by presidentbeef over 10 years ago

  • Add check for CVE-2013-0269
  • Add check for CVE-2013-0276
  • Add check for CVE-2013-0277
  • Add check for CVE-2013-0333
  • Check for more send-like methods
  • Check for more SQL injection locations
  • Check for more dangerous YAML methods
  • Support MultiJSON 1.2 for Rails 3.0 and 3.1

brakeman - 1.9.1

Published by presidentbeef over 10 years ago

  • Update to RubyParser 3.1.1 (neersighted)
  • Remove ActiveSupport dependency (Neil Matatall)
  • Do not warn on arrays passed to link_to (Neil Matatall)
  • Warn on secret tokens
  • Warn on more mass assignment methods
  • Add check for CVE-2012-5664
  • Add check for CVE-2013-0155
  • Add check for CVE-2013-0156
  • Add check for unsafe YAML.load

brakeman - 1.9.0

Published by presidentbeef over 10 years ago

  • Update to RubyParser 3
  • Ignore route information by default
  • Support strong_parameters
  • Support newer validates :format call
  • Add scan time to reports
  • Add Brakeman version to reports
  • Fix CheckExecute to warn on all string interpolation
  • Fix false positive on to_sql calls
  • Don't mangle whitespace in JSON code formatting
  • Add AppTree as facade for filesystem (brynary)
  • Add link for translate vulnerability warning (grosser)
  • Rename LICENSE to MIT-LICENSE, remove from README (grosser)
  • Add Rakefile to run tests (grosser)
  • Better default config file locations (grosser)
  • Reduce Sexp creation
  • Handle empty model files
  • Remove "find by regex" feature from CallIndex

brakeman - 1.8.3

Published by presidentbeef over 10 years ago

  • Use multi_json gem for better harmony
  • Performance improvement for call indexing
  • Fix issue with processing HAML files
  • Handle pre-release versions when processing Gemfile.lock
  • Only check first argument of redirect_to
  • Fix false positives from Model.arel_table accesses
  • Fix false positives on redirects to models decorated with Draper gem
  • Fix false positive on redirect to model association
  • Fix false positive on YAML.load
  • Fix false positive XSS on any to_i output
  • Fix error on Rails 2 name routes with no args
  • Fix error in rescan of mixins with symbols in method name
  • Do not rescan non-Ruby files in config/