brakeman

A static analysis security vulnerability scanner for Ruby on Rails applications

License: Other
Downloads: 135.9M
Stars: 7K
Committers: 162

brakeman - 0.9.1

Published by presidentbeef over 10 years ago

Add warning for the XSS vulnerability in the Rails translate helper

brakeman - 0.9.0

Published by presidentbeef over 10 years ago

  • Process Rails 3 configuration files
  • Check for config.active_record.whitelist_attributes = true
  • Always produce a warning for without_protection => true
  • Fix CSV output
brakeman - 0.8.4

Published by presidentbeef over 10 years ago

  • Option for separate attr_accessible warnings
  • Option to set CSS file for HTML output
  • Add file names for version-specific warnings
  • Add line number for default routes in a controller
  • Fix hash_insert()
  • Remove use of Queue from threaded checks
brakeman - 0.8.3

Published by presidentbeef over 10 years ago

  • Respect -w flag in .tabs format (tw-ngreen)
  • Escape HTML output of error messages
  • Add --skip-libs option
brakeman - 0.8.2

Published by presidentbeef over 10 years ago

  • Run checks in parallel threads by default
  • Fix compatibility with ruby_parser 2.3.1
brakeman - 0.8.1

Published by presidentbeef over 10 years ago

  • Add option to assume all controller methods are actions
  • Recover from errors when parsing routes
brakeman - 0.8.0

Published by presidentbeef over 10 years ago

  • Add check for mass assignment using without_protection
  • Add check for password in http_basic_authenticate_with
  • Warn on user input in hash argument with mass assignment
  • auto_link is now considered safe for Rails >= 3.0.6
  • Output detected Rails version in report
  • Keep track of methods called in class definition
  • Add ruby_parser hack for Ruby 1.9 hash syntax
  • Add a few Rails 3.1 tests
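
The two checks added in 0.8.0 (a warning on :without_protection => true, and on a literal password passed to http_basic_authenticate_with) and the Rails 3 configuration check added in 0.9.0 (config.active_record.whitelist_attributes = true) are all done by walking the parsed source rather than pattern-matching text. The sketch below is an added example written for this page, not Brakeman's own code: it uses Ruby's bundled Ripper parser instead of Brakeman's ruby_parser-based tracker, the MiniChecker module and its Finding struct are invented for the demo, and the controller and application config it scans are constructed samples, not code from any real application.

```ruby
require "ripper"

module MiniChecker
  module_function

  Finding = Struct.new(:check, :line, :message)

  # Hash key name for both `:key => v` and `key: v` syntaxes, nil for anything else.
  def key_name(node)
    return nil unless node.is_a?(Array)
    case node[0]
    when :@label then node[1].chomp(":")
    when :symbol_literal then node[1][1][1]
    end
  end

  def true_literal?(node)
    node.is_a?(Array) && node[0] == :var_ref && node[1][0] == :@kw && node[1][1] == "true"
  end

  # Pre-order walk yielding every array node of a Ripper S-expression.
  def visit(node, &block)
    return unless node.is_a?(Array)
    block.call(node)
    node.each { |child| visit(child, &block) }
  end

  # Scanner tokens look like [:@ident, "name", [line, col]]; return the first one's line.
  def line_of(node)
    line = nil
    visit(node) { |n| line ||= n[2][0] if n[0].is_a?(Symbol) && n[0].to_s.start_with?("@") }
    line
  end

  # Identifier tokens beneath a node, in source order: ["config", "active_record", ...].
  def idents(node)
    acc = []
    visit(node) { |n| acc << n[1] if n[0] == :@ident }
    acc
  end

  # Method name for `foo args` (:command) or `foo(args)` (:method_add_arg over :fcall), else nil.
  def call_name(node)
    case node[0]
    when :command then node[1][1] if node[1][0] == :@ident
    when :method_add_arg then node[1][1][1] if node[1][0] == :fcall && node[1][1][0] == :@ident
    end
  end

  # The two 0.8.0 checks, run over controller or model source.
  def scan(source)
    sexp = Ripper.sexp(source) or raise ArgumentError, "source failed to parse"
    findings = []
    visit(sexp) do |node|
      # As of 0.9.0 this is unconditional: every :without_protection => true is reported.
      if node[0] == :assoc_new && key_name(node[1]) == "without_protection" && true_literal?(node[2])
        findings << Finding.new(:mass_assignment, line_of(node),
                                "without_protection => true bypasses attribute protection")
      end
      next unless call_name(node) == "http_basic_authenticate_with"
      visit(node) do |arg|
        next unless arg[0] == :assoc_new && key_name(arg[1]) == "password" &&
                    arg[2].is_a?(Array) && arg[2][0] == :string_literal
        findings << Finding.new(:basic_auth, line_of(arg),
                                "hard-coded password passed to http_basic_authenticate_with")
      end
    end
    findings
  end

  # The 0.9.0 Rails 3 config check: is config.active_record.whitelist_attributes = true present?
  def whitelist_attributes_enabled?(config_source)
    sexp = Ripper.sexp(config_source) or raise ArgumentError, "config failed to parse"
    enabled = false
    visit(sexp) do |node|
      next unless node[0] == :assign && true_literal?(node[2])
      enabled = true if idents(node[1]).join(".") == "config.active_record.whitelist_attributes"
    end
    enabled
  end
end

# Constructed sample input for the demo, not code from any real application.
CONTROLLER = <<~'RUBY'
  class AccountsController < ApplicationController
    http_basic_authenticate_with :name => "admin", :password => "s3cret", :only => :destroy
    def create
      @account = Account.new(params[:account], :without_protection => true)
    end
  end
RUBY

APP_CONFIG = <<~'RUBY'
  class Application < Rails::Application
    config.active_record.whitelist_attributes = true
  end
RUBY

MiniChecker.scan(CONTROLLER).each { |f| puts "line #{f.line} [#{f.check}] #{f.message}" }
puts "whitelist_attributes enabled: #{MiniChecker.whitelist_attributes_enabled?(APP_CONFIG)}"
```

Run against the sample it reports the hard-coded password on line 2 and the without_protection call on line 4, and reports the config as enabled. Because it is a pure syntax walk with none of Brakeman's data-flow tracking, a password read from ENV or a constant is not flagged, and both the `:key => value` and `key: value` hash syntaxes have to be handled explicitly, which is the same Ruby 1.9 hash-syntax issue the 0.8.0 ruby_parser note refers to.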
brakeman - 0.7.2

Published by presidentbeef over 10 years ago

  • Fix handling of params and cookies with nested access
  • Add CVEs for checks added in 0.7.0
brakeman - 0.7.1

Published by presidentbeef over 10 years ago

Require BaseProcessor for GemProcessor

brakeman - 0.7.0

Published by presidentbeef over 10 years ago

  • Allow local variable as a class name
  • Add checks for vulnerabilities fixed in Rails 2.3.14 and 3.0.10
  • Check for default routes in Rails 3 apps
  • Look in Gemfile or Gemfile.lock for Rails version
brakeman - 0.6.1

Published by presidentbeef over 10 years ago

  • Fix XSS check for cookies as parameters in output
  • Don't bother calling super in CheckSessionSettings
  • Add escape_once as a safe method
  • Accept '\Z' or '\z' in model validations
brakeman - 0.6.0

Published by presidentbeef over 10 years ago

  • Tests are in place and fully functional
  • Hide errors by default in HTML output
  • Warn if routes.rb cannot be found
  • Narrow methods assumed to be file access
  • Increase confidence for methods known to not escape output
  • Fixes to output processing for Erubis
  • Fixes for Rails 3 XSS checks
  • Fixes to line numbers with Erubis
  • Fixes to escaped output scanning
  • Update CSRF CVE-2011-0447 message to be less assertive
brakeman - 0.5.2

Published by presidentbeef over 10 years ago

  • Output report file name when finished
  • Add initial tests for Rails 2.x
  • Fix ERB line numbers when using Ruby 1.9
brakeman - 0.5.1

Published by presidentbeef over 10 years ago

Fix issue with 'has_one' => in routes

brakeman - 0.5.0

Published by presidentbeef over 10 years ago

  • Add support for routes like get 'x/y', :to => 'ctrlr#whatever'
  • Allow empty blocks in Rails 3 routes
  • Check initializer for session settings
  • Add line numbers to session setting warnings
  • Add --checks option to list checks
brakeman - 0.4.1

Published by presidentbeef over 10 years ago

Fix reported line numbers when using new Erubis parser (mostly affects Rails 3 apps).

brakeman - 0.4.0

Published by presidentbeef over 10 years ago

  • Handle Rails XSS protection properly
  • More detection options for rails_xss
  • Add --escape-html option
brakeman - 0.3.2

Published by presidentbeef over 10 years ago

  • Autodetect Rails 3 applications
  • Turn on auto-escaping for Rails 3 apps
  • Check Model.create() for mass assignment
brakeman - 0.3.1

Published by presidentbeef over 10 years ago

  • Always output a line number in tabbed output format
  • Restrict characters in category name in tabbed output format to word characters and spaces, for Hudson/Jenkins plugin
brakeman - 0.2.2

Published by presidentbeef over 10 years ago

  • Fix version_between? when no Rails version is specified