File rubygem-brakeman.changes of Package rubygem-brakeman
-------------------------------------------------------------------
Mon Jan 29 13:48:48 UTC 2024 - Dan Čermák <dan.cermak@posteo.net>

- # 6.1.1 - 2023-12-24
  * Handle racc as a default gem in Ruby 3.3.0
  # 6.1.0 - 2023-12-04
  * Add `--timing` to add timing duration for scan steps
  * Fix keyword splats in filter arguments
  * Add check for unfiltered search with Ransack
  * Fix class method lookup in parent classes
  * Handle `class << self`
  * Add `PG::Connection.escape_string` as a SQL sanitization method (Joévin Soulenq)

-------------------------------------------------------------------
Thu Nov 2 15:40:49 UTC 2023 - Dan Čermák <dan.cermak@posteo.net>

- # 6.0.1 - 2023-07-20
  * Accept strings for `load_defaults` version
  # 6.0.0 - 2023-05-24
  * Add obsolete fingerprints to comparison report
  * Warn about missing CSRF protection when defaults are not loaded (Chris Kruger)
  * Scan directories that include the word `public`
  * Raise minimum Ruby version to 3.0
  * Drop support for Ruby 1.8/1.9 syntax
  * Fix end-of-life dates for Ruby
  * Fix false positive with `content_tag` in newer Rails
  # 5.4.1 - 2023-02-21
  * Fix file/line location for EOL software warnings
  * Revise checking for request.env to only consider request headers
  * Add `redirect_back` and `redirect_back_or_to` to open redirect check
  * Support Rails 7 redirect options
  * Add Rails 6.1 and 7.0 default configuration values
  * Prevent redirects using `url_from` being marked as unsafe (Lachlan Sylvester)
  * Warn about unscoped find for `find_by(id: ...)`
  * Support `presence`, `presence_in` and `in?`
  * Fix issue with `if` expressions in `when` clauses

-------------------------------------------------------------------
Wed Dec 7 11:14:10 UTC 2022 - Stephan Kulow <coolo@suse.com>

updated to version 5.4.0
 see installed CHANGES.md

-------------------------------------------------------------------
Mon Aug 29 06:49:19 UTC 2022 - Stephan Kulow <coolo@suse.com>

updated to version 5.3.1
 see installed CHANGES.md

-------------------------------------------------------------------
Thu Aug 4 13:00:17 UTC 2022 - Stephan Kulow <coolo@suse.com>

updated to version 5.2.3
 see installed CHANGES.md

-------------------------------------------------------------------
Thu Apr 28 05:22:18 UTC 2022 - Stephan Kulow <coolo@suse.com>

updated to version 5.2.2
 see installed CHANGES.md

-------------------------------------------------------------------
Tue Feb 15 07:24:38 UTC 2022 - Stephan Kulow <coolo@suse.com>

updated to version 5.2.1
 see installed CHANGES.md

-------------------------------------------------------------------
Tue Jan 25 06:42:04 UTC 2022 - Stephan Kulow <coolo@suse.com>

updated to version 5.2.0
 see installed CHANGES.md

-------------------------------------------------------------------
Mon Jul 26 05:49:00 UTC 2021 - Stephan Kulow <coolo@suse.com>

updated to version 5.1.1
 see installed CHANGES.md

-------------------------------------------------------------------
Thu Jun 24 17:06:47 UTC 2021 - Stephan Kulow <coolo@suse.com>

updated to version 5.0.4
 see installed CHANGES.md

-------------------------------------------------------------------
Wed Jan 20 12:23:57 UTC 2021 - Stephan Kulow <coolo@suse.com>

updated to version 4.10.1
 see installed CHANGES.md

-------------------------------------------------------------------
Fri Sep 25 13:42:47 UTC 2020 - Stephan Kulow <coolo@suse.com>

updated to version 4.9.1
 see installed CHANGES.md

-------------------------------------------------------------------
Thu May 7 20:28:09 UTC 2020 - Stephan Kulow <coolo@suse.com>

- updated to version 4.8.1
  see installed CHANGES.md

-------------------------------------------------------------------
Mon Feb 10 14:15:00 UTC 2020 - Stephan Kulow <coolo@suse.com>

- updated to version 4.7.2
  see installed CHANGES.md

-------------------------------------------------------------------
Fri Jul 19 08:57:06 UTC 2019 - Stephan Kulow <coolo@suse.com>

- updated to version 4.5.1
  see installed CHANGES.md

-------------------------------------------------------------------
Fri Mar 29 05:56:46 UTC 2019 - Stephan Kulow <coolo@suse.com>

- updated to version 4.5.0
  see installed CHANGES.md

  1.0.5
  -----
  - fixed [#80](https://github.com/dtao/safe_yaml/issues/80): uninitialized constant DateTime

-------------------------------------------------------------------
Sat Mar 2 15:06:41 UTC 2019 - Stephan Kulow <coolo@suse.com>

- updated to version 4.4.0
  see installed CHANGES.md

-------------------------------------------------------------------
Thu Jun 7 03:02:26 UTC 2018 - factory-auto@kulow.org

- updated to version 4.3.1
  see installed CHANGES.md

-------------------------------------------------------------------
Wed May 16 07:55:02 UTC 2018 - factory-auto@kulow.org

- updated to version 4.3.0
  see installed CHANGES.md

-------------------------------------------------------------------
Sat Mar 24 05:28:19 UTC 2018 - factory-auto@kulow.org

- updated to version 4.2.1
  see installed CHANGES.md

-------------------------------------------------------------------
Fri Feb 23 05:28:32 UTC 2018 - factory-auto@kulow.org

- updated to version 4.2.0
  see installed CHANGES.md

-------------------------------------------------------------------
Tue Jan 9 07:23:48 UTC 2018 - coolo@suse.com

- updated to version 4.1.1
  see installed CHANGES.md

-------------------------------------------------------------------
Thu Dec 14 14:18:55 UTC 2017 - coolo@suse.com

- updated to version 4.1.0
  see installed CHANGES

-------------------------------------------------------------------
Wed Oct 11 05:58:58 UTC 2017 - coolo@suse.com

- updated to version 4.0.1
  see installed CHANGES

-------------------------------------------------------------------
Mon Aug 28 05:14:09 UTC 2017 - coolo@suse.com

- updated to version 3.7.2
  see installed CHANGES

-------------------------------------------------------------------
Thu Aug 3 19:05:12 UTC 2017 - coolo@suse.com

- updated to version 3.7.0
  see installed CHANGES

-------------------------------------------------------------------
Tue May 23 09:42:37 UTC 2017 - coolo@suse.com

- updated to version 3.6.2
  see installed CHANGES

-------------------------------------------------------------------
Mon Mar 27 04:28:25 UTC 2017 - coolo@suse.com

- updated to version 3.6.1
  see installed CHANGES

-------------------------------------------------------------------
Fri Mar 24 05:28:28 UTC 2017 - coolo@suse.com

- updated to version 3.6.0
  see installed CHANGES

-------------------------------------------------------------------
Thu Feb 2 05:30:48 UTC 2017 - coolo@suse.com

- updated to version 3.5.0
  see installed CHANGES

-------------------------------------------------------------------
Thu Nov 3 05:30:40 UTC 2016 - coolo@suse.com

- updated to version 3.4.1
  see installed CHANGES

-------------------------------------------------------------------
Thu Sep 8 04:31:01 UTC 2016 - coolo@suse.com

- updated to version 3.4.0
  see installed CHANGES

-------------------------------------------------------------------
Sat Aug 13 04:29:32 UTC 2016 - coolo@suse.com

- updated to version 3.3.5
  see installed CHANGES

-------------------------------------------------------------------
Thu Jul 21 04:28:47 UTC 2016 - coolo@suse.com

- updated to version 3.3.3
  see installed CHANGES

-------------------------------------------------------------------
Mon Jun 13 04:30:13 UTC 2016 - coolo@suse.com

- updated to version 3.3.2
  see installed CHANGES

-------------------------------------------------------------------
Fri Jun 3 04:28:36 UTC 2016 - coolo@suse.com

- updated to version 3.3.1
  see installed CHANGES

  3.0.7 (2016-05-22)
  * Add additional attributes feature to shortcuts
  * Freeze string literals

-------------------------------------------------------------------
Fri May 6 04:28:57 UTC 2016 - coolo@suse.com

- updated to version 3.3.0
  see installed CHANGES

-------------------------------------------------------------------
Wed Mar 2 05:29:43 UTC 2016 - coolo@suse.com

- updated to version 3.2.1
  see installed CHANGES

  # 3.2.1
  * Remove `multi_json` dependency from `bin/brakeman`

-------------------------------------------------------------------
Thu Feb 25 05:29:25 UTC 2016 - coolo@suse.com

- updated to version 3.2.0
  see installed CHANGES

  # 3.2.0
  * Skip Symbol DoS check on Rails 5
  * Only update ignore config file on changes
  * Sort ignore config file
  * Support calls using `&.` operator
  * Update ruby_parser dependency to 3.8.1
  * Remove `fastercsv` dependency
  * Fix finding calls with `targets: nil`
  * Remove `multi-json` dependency
  * Handle CoffeeScript in HAML
  * Avoid render warnings about params[:action]/params[:controller]
  * Index calls in class bodies but outside methods

-------------------------------------------------------------------
Fri Jan 29 05:28:39 UTC 2016 - coolo@suse.com

- updated to version 3.1.5
  see installed CHANGES

  # 3.1.5
  * Fix CodeClimate construction of --only-files (Will Fleming)
  * Add check for denial of service via routes (CVE-2015-7581)
  * Warn about RCE with `render params` (CVE-2016-0752)
  * Add check for `strip_tags` XSS (CVE-2015-7579)
  * Add check for `sanitize` XSS (CVE-2015-7578/80)
  * Add check for `reject_if` proc bypass (CVE-2015-7577)
  * Add check for mime-type denial of service (CVE-2016-0751)
  * Add check for basic auth timing attack (CVE-2015-7576)
  * Add initial Rails 5 support
  * Check for implicit integer comparison in dynamic finders
  * Support directories better in --only-files and --skip-files (Patrick Toomey)
  * Avoid warning about `permit` in SQL
  * Handle guards using `detect`
  * Avoid warning on user input in comparisons
  * Handle module names with self methods
  * Add session manipulation documentation

-------------------------------------------------------------------
Wed Dec 23 05:29:54 UTC 2015 - coolo@suse.com

- updated to version 3.1.4
  see installed CHANGES

  # 3.1.4
  * Emit brakeman's native fingerprints for Code Climate engine (Noah Davis)
  * Ignore secrets.yml if in .gitignore
  * Clean up Ruby warnings (Andy Waite)
  * Increase test coverage for option parsing (Zander Mackie)
  * Work around safe_yaml error

-------------------------------------------------------------------
Fri Dec 4 05:28:31 UTC 2015 - coolo@suse.com

- updated to version 3.1.3
  see installed CHANGES

  # 3.1.3
  * Check for session secret in secrets.yml
  * Respect `exit_on_warn` in config file
  * Avoid warning on `without_protection: true` with hash literals
  * Make sure before_filter call with block is still a call
  * CallIndex improvements
  * Restore minimum Highline version (Kevin Glowacz)
  * Add Code Climate output format (Ashley Baldwin-Hunter/Devon Blandin/John Pignata/Michael Bernstein)
  * Iteratively replace values
  * Output nil instead of false for user_input in JSON
  * Depend on safe_yaml 1.0 or later
  * Test coverage improvements for Brakeman module (Bethany Rentz)

-------------------------------------------------------------------
Thu Oct 29 05:28:55 UTC 2015 - coolo@suse.com

- updated to version 3.1.2
  see installed CHANGES

  # 3.1.2
  * Treat `current_user` like a model
  * Set user input value for inline renders
  * Avoid warning on inline renders with safe content types
  * Handle empty interpolation in HAML filters
  * Ignore filters that are not method names
  * Avoid warning about model find/find_by* in hrefs
  * Use SafeYAML to load configuration files
  * Warn on SQL query keys, not values in hashes
  * Allow inspection of recursive Sexps
  * Add line numbers to class-level warnings
  * Handle `private def ...`
  * Catch divide-by-zero in alias processing
  * Reduce string allocations in Warning#initialize
  * Sortable tables in HTML report (David Lanner)
  * Search for config file relative to application root

-------------------------------------------------------------------
Thu Sep 24 04:28:53 UTC 2015 - coolo@suse.com

- updated to version 3.1.1
  see installed CHANGES

  # 3.1.1
  * Add optional check for use of MD5 and SHA1
  * Avoid warning when linking to decorated models
  * Add check for user input in session keys
  * Fix chained assignment
  * Treat a.try(&:b) like a.b()
  * Consider j/escape_javascript safe inside HAML JavaScript blocks
  * Better HAML processing of find_and_preserve calls
  * Add more Arel methods to be ignored in SQL
  * Fix absolute paths for Windows (Cody Frederick)
  * Support newer terminal-table releases
  * Allow searching call index methods by regex (Alex Ianus)

-------------------------------------------------------------------
Tue Sep 1 04:28:35 UTC 2015 - coolo@suse.com

- updated to version 3.1.0
  see installed CHANGES

  # 3.1.0
  * Add support for gems.rb/gems.locked
  * Update render path information in JSON reports
  * Remove renaming of several Sexp nodes
  * Convert YAML config keys to symbols (Karl Glaser)
  * Use railties version if rails gem is missing (Lucas Mazza)
  * Warn about unverified SSL mode in Net::HTTP.start
  * Add Model, Controller, Template, Config classes internally
  * Report file being parsed in debug output
  * Update dependencies to Ruby 1.8 incompatible versions
  * Treat Array.new and Hash.new as arrays/hashes
  * Fix handling of string concatenation with existing string
  * Treat html_safe like raw()
  * Fix low confidence XSS warning code
  * Avoid warning on path creation methods in link_to
  * Expand safe methods to match methods with targets
  * Avoid duplicate eval() warnings

-------------------------------------------------------------------
Tue Jun 23 04:29:03 UTC 2015 - coolo@suse.com

- updated to version 3.0.5
  see installed CHANGES

  # 3.0.5
  * Fix check for CVE-2015-3227

-------------------------------------------------------------------
Fri Jun 19 04:28:51 UTC 2015 - coolo@suse.com

- updated to version 3.0.4
  see installed CHANGES

  # 3.0.4
  * Add check for CVE-2015-3226 (XSS via JSON keys)
  * Add check for CVE-2015-3227 (XML DoS)
  * Treat `<%==` as unescaped output
  * Update `ruby_parser` dependency to 3.7.0

-------------------------------------------------------------------
Fri May 1 04:28:55 UTC 2015 - coolo@suse.com

- updated to version 3.0.3
  see installed CHANGES

  # 3.0.3
  * Ignore more Arel methods in SQL
  * Warn about protect_from_forgery without exceptions (Neil Matatall)
  * Handle lambdas as filters
  * Ignore quoted_table_name in SQL (Gabriel Sobrinho)
  * Warn about RCE and file access with `open`
  * Handle array include? guard conditionals
  * Do not ignore targets of `to_s` in SQL
  * Add Rake task to exit with error code on warnings (masarakki)

-------------------------------------------------------------------
Tue Mar 10 05:29:45 UTC 2015 - coolo@suse.com

- updated to version 3.0.2

-------------------------------------------------------------------
Mon Feb 9 10:04:41 UTC 2015 - coolo@suse.com

- updated to version 3.0.1
  * Avoid protect_from_forgery warning unless ApplicationController inherits from ActionController::Base
  * Properly format command interpolation (again)
  * Remove Slim dependency (Casey West)
  * Allow for controllers/models/templates in directories under `app/` (Neal Harris)
  * Add `--add-libs-path` for additional libraries (Patrick Toomey)
  * Properly process libraries (Patrick Toomey)

  # 3.0.0
  * Add check for CVE-2014-7829
  * Add check for cross site scripting via inline renders
  * Fix formatting of command interpolation
  * Local variables are no longer formatted as `(local var)`
  * Actually skip skipped before filters
  * `--exit-on-warn --compare` only returns error code on new warnings (Jeff Yip)
  * Fix parsing of `<%==` in ERB
  * Sort warnings by fingerprint in JSON report (Jeff Yip)
  * Handle symmetric multiple assignment
  * Do not branch for self attribute assignment `x = x.y`
  * Fix CVE for CVE-2011-2932
  * Remove "fake filters" from warning fingerprints
  * Index calls in `lib/` files
  * Move Symbol DoS to optional checks
  * CVEs report correct line and file name (Gemfile/Gemfile.lock) (Rob Fletcher)
  * Change `--separate-models` to be the default

-------------------------------------------------------------------
Mon Nov 3 09:52:51 UTC 2014 - tboerger@suse.com

- Updated to 2.6.3
- 2.6.3
  - Whitelist `exists` arel method from SQL injection check
  - Avoid warning about Symbol DoS on safe parameters as method targets
  - Fix stack overflow in ProcessHelper#class_name
  - Add optional check for unscoped find queries (Ben Toews)
  - Add framework for optional checks
  - Fix stack overflow for cycles in class ancestors (Jeff Rafter)
- 2.6.2
  - Add check for CVE-2014-3415
  - Avoid warning about symbolizing safe parameters
  - Update ruby2ruby dependency to 2.1.1
  - Expand app path in one place instead of all over (Jeff Rafter)
  - Add `--add-checks-path` option for external checks (Clint Gibler)
  - Fix SQL injection detection in deep nested string building
  - Add `-4` option to force Rails 4 mode
  - Check entire call for `send`
  - Check for .gitignore of secrets in subdirectories
  - Fix block statement endings in Erubis
  - Fix undefined variable in controller processing error (Jason Barnabe)

-------------------------------------------------------------------
Mon Oct 13 05:44:45 UTC 2014 - coolo@suse.com

- adapt to new rubygem packaging

-------------------------------------------------------------------
Sun Oct 12 09:38:49 UTC 2014 - adrian@suse.de

- adapt to new rubygem packaging style

-------------------------------------------------------------------
Mon Jul 14 06:52:00 UTC 2014 - coolo@suse.com

- updated to version 2.6.1
  * Add check for CVE-2014-3482 and CVE-2014-3483
  * Add support for keyword arguments in blocks
  * Remove unused warning codes (Bill Fischer)

  # 2.6.0
  * Fix detection of `:host` setting in redirects with chained calls
  * Add check for CVE-2014-0130
  * Add `find_by`/`find_by!` to SQLi check for Rails 4
  * Parse most files upfront instead of on demand
  * Do not branch values for `+=`
  * Update to use RubyParser 3.5.0 (Patrick Toomey)
  * Improve default route detection in Rails 3/4 (Jeff Jarmoc)
  * Handle controllers and models split across files (Patrick Toomey)
  * Fix handling of `protected_attributes` gem in Rails 4 (Geoffrey Hichborn)
  * Ignore more model methods in redirects
  * Fix CheckRender with nested render calls

-------------------------------------------------------------------
Sun May 18 09:04:38 UTC 2014 - coolo@suse.com

- updated to version 2.5.0
  * Add support for RailsLTS 2.3.18.7 and 2.3.18.8
  * Add support for Rails 4 `before_actions` and friends
  * Move SQLi CVE checks to `CheckSQLCVEs`
  * Check for protected_attributes gem
  * Fix SQLi detection in chain calls in scopes
  * Add GitHub-flavored Markdown output format (Greg Ose)
  * Fix false positives when sanitize() is used in SQL (Jeff Yip)
  * Add String#intern and Hash#symbolize_keys DoS check (Jan Rusnacko)
  * Check all arguments in Model.select for SQLi
  * Fix false positive when :host is specified in redirect
  * Handle more non-literals in routes
  * Add check for regex denial of service (Ben Toews)

-------------------------------------------------------------------
Sun Mar 23 06:56:32 UTC 2014 - coolo@suse.com

- updated to version 2.4.3
  * Remove `rescue Exception`
  * Fix duplicate warnings about sanitize CVE
  * Reuse duplicate call location information
  * Only track original template output locations
  * Skip identically rendered templates
  * Fix HAML template processing

-------------------------------------------------------------------
Sat Feb 22 06:25:42 UTC 2014 - coolo@suse.com

- updated to version 2.4.1
  * Add check for CVE-2014-0082
  * Add check for CVE-2014-0081, replaces CVE-2013-6415
  * Add check for CVE-2014-0080
  * Detect Rails LTS versions
  * Reduce false positives for SQL injection in string building
  * More accurate user input marking for SQL injection warnings
  * Detect SQL injection in `delete_all`/`destroy_all`
  * Detect SQL injection raw SQL queries using `connection`
  * Parse exact versions from Gemfile.lock for all gems
  * Ignore generators
  * Update to RubyParser 3.4.0
  * Fix false positives when SQL methods are not called on AR models (Aaron Bedra)
  * Add check for uses of OpenSSL::SSL::VERIFY_NONE (Aaron Bedra)
  * No longer raise exceptions if a class name cannot be determined
  * Fingerprint attribute warnings individually (Case Taintor)

-------------------------------------------------------------------
Mon Dec 16 06:28:05 UTC 2013 - coolo@suse.com

- updated to version 2.3.1
  * Fix check for CVE-2013-4491 (i18n XSS) to detect workaround
  * Fix link for CVE-2013-6415 (number_to_currency)

-------------------------------------------------------------------
Fri Dec 13 06:02:18 UTC 2013 - coolo@suse.com

- updated to version 2.3.0
  * Add check for Parameters#permit!
  * Add check for CVE-2013-4491 (i18n XSS)
  * Add check for CVE-2013-6414 (header DoS)
  * Add check for CVE-2013-6415 (number_to_currency)
  * Add check for CVE-2013-6416 (simple_format XSS)
  * Add check for CVE-2013-6417 (query generation)
  * Fix typos in reflection and translate bug messages
  * Collapse send/try calls
  * Fix Slim XSS false positives (Noah Davis)
  * Whitelist `Model#create` for redirects
  * Fix scoping issues with instance variables and blocks

-------------------------------------------------------------------
Thu Oct 31 05:54:40 UTC 2013 - coolo@suse.com

- updated to version 2.2.0
  * Reduce command injection false positives
  * Use Rails version from Gemfile if it is available
  * Only add routes with actual names
  * Ignore redirects to models using friendly_id (AJ Ostrow)
  * Support scanning Rails engines (Geoffrey Hichborn)
  * Add check for detailed exceptions in production

-------------------------------------------------------------------
Mon Sep 23 14:53:05 UTC 2013 - coolo@suse.com

- updated to version 2.1.2
  * Do not attempt to load custom Haml filters
  * Do not warn about `to_json` XSS in Rails 4
  * Add --table-width option to set width of text reports (ssendev)
  * Remove fuzzy matching on dangerous attr_accessible values

-------------------------------------------------------------------
Mon Aug 26 05:05:51 UTC 2013 - coolo@suse.com

- updated to version 2.1.1
  * New warning code for dangerous attributes in attr_accessible
  * Do not warn on attr_accessible using roles
  * More accurate results for model attribute warnings
  * Use exit code zero with `-z` if all warnings ignored
  * Respect ignored warnings in rescans
  * Ignore dynamic controller names in routes
  * Fix infinite loop when run as rake task (Matthew Shanley)
  * Respect ignored warnings in tabs format reports

-------------------------------------------------------------------
Wed Jul 31 05:45:54 UTC 2013 - coolo@suse.com

- updated to version 2.1.0
  * Support non-native line endings in Gemfile.lock (Paul Deardorff)
  * Support for ignoring warnings
  * Check for dangerous model attributes defined in attr_accessible (Paul Deardorff)
  * Update to ruby_parser 3.2.2
  * Add brakeman-min gemspec
  * Load gem dependencies on-demand
  * Output JSON diff to file if -o option is used
  * Add check for authenticate_or_request_with_http_basic
  * Refactor of SQL injection check code (Bart ten Brinke)
  * Fix detection of duplicate XSS warnings
  * Refactor reports into separate classes
  * Allow use of Slim 2.x (Ian Zabel)
  * Return error exit code when application path is not found
  * Add `--branch-limit` option, limit to 5 by default
  * Add more methods to check for command injection
  * Fix output format detection to be more strict again
  * Allow empty Brakeman configuration file

  # 2.0.0
  * Add `--only-files` option to specify files/paths to scan (Ian Ehlert)
  * Add Marshal/CSV deserialization check
  * Combine deserialization checks into single check
  * Avoid duplicate "Dangerous Send" and "Unsafe Reflection" warnings
  * Avoid duplicate results for Symbol DoS check
  * Medium confidence for mass assignment to attr_protected models
  * Remove "timestamp" key from JSON reports
  * Remove deprecated config file locations
  * Relative paths are used by default in JSON reports
  * `--absolute-paths` replaces `--relative-paths`
  * Only treat classes with names containing `Controller` like controllers
  * Better handling of classes nested inside controllers
  * Better handling of controller classes nested in classes/modules
  * Handle `->` lambdas with no arguments
  * Handle explicit block argument destructuring
  * Skip Rails config options that are real objects
  * Detect Rails 3 JSON escape config option
  * Much better tracking of warning file names
  * Fix errors when using `--separate-models` (Noah Davis)
  * Fix fingerprint generation to actually use the file path
  * Fix text report console output in JRuby
  * Fix false positives on `Model#id`
  * Fix false positives on `params.to_json`
  * Fix model path guesses to use "models/" instead of "controllers/"
  * Clean up SQL CVE warning messages
  * Use exceptions instead of abort in brakeman lib
  * Update to Ruby2Ruby 2.0.5

-------------------------------------------------------------------
Fri Apr 12 07:32:23 UTC 2013 - coolo@suse.com

- updated to version 1.9.5
  * Add check for unsafe symbol creation
  * Do not warn on mass assignment with `slice`/`only`
  * Do not warn on session secret if in `.gitignore`
  * Fix scoping for blocks and block arguments
  * Fix error when modifying blocks in templates
  * Fix session secret check for Rails 4
  * Fix crash on `before_filter` outside controller
  * Fix `Sexp` hash cache invalidation
  * Respect `quiet` option in configuration file
  * Convert assignment to simple `if` expressions to `or`
  * More fixes for assignments inside branches
  * Pin to ruby2ruby version 2.0.3

-------------------------------------------------------------------
Tue Mar 19 10:37:57 UTC 2013 - coolo@suse.com

- updated to version 1.9.4
  * Add check for CVE-2013-1854
  * Add check for CVE-2013-1855
  * Add check for CVE-2013-1856
  * Add check for CVE-2013-1857
  * Fix `--compare` to work with older versions
  * Add "no-referrer" to HTML report links
  * Don't warn when invoking `send` on user input
  * Slightly faster cloning of Sexps
  * Detect another way to add `strong_parameters`

-------------------------------------------------------------------
Sun Mar 3 08:07:06 UTC 2013 - coolo@suse.com

- updated to version 1.9.3
  * Add render path to JSON report
  * Add warning fingerprints
  * Add check for unsafe reflection (Gabriel Quadros)
  * Add check for skipping authentication methods with blacklist
  * Add support for Slim templates
  * Remove empty tables from reports (Owen Ben Davies)
  * Handle `prepend/append_before_filter`
  * Performance improvements when handling branches
  * Fix processing of `production.rb`
  * Fix version check for Ruby 2.0
  * Expand HAML dependency to include 4.0
  * Scroll errors into view when expanding in HTML report
  * Add check for CVE-2013-0269
  * Add check for CVE-2013-0276
  * Add check for CVE-2013-0277
  * Add check for CVE-2013-0333
  * Check for more send-like methods
  * Check for more SQL injection locations
  * Check for more dangerous YAML methods
  * Support MultiJSON 1.2 for Rails 3.0 and 3.1

-------------------------------------------------------------------
Wed Jan 23 06:50:10 UTC 2013 - coolo@suse.com

- updated to version 1.9.1
  * Update to RubyParser 3.1.1 (neersighted)
  * Remove ActiveSupport dependency (Neil Matatall)
  * Do not warn on arrays passed to `link_to` (Neil Matatall)
  * Warn on secret tokens
  * Warn on more mass assignment methods
  * Add check for CVE-2012-5664
  * Add check for CVE-2013-0155
  * Add check for CVE-2013-0156
  * Add check for unsafe `YAML.load`

-------------------------------------------------------------------
Wed Dec 26 07:31:30 UTC 2012 - coolo@suse.com

- updated to version 1.9.0
  * Update to RubyParser 3
  * Ignore route information by default
  * Support `strong_parameters`
  * Support newer `validates :format` call
  * Add scan time to reports
  * Add Brakeman version to reports
  * Fix `CheckExecute` to warn on all string interpolation
  * Fix false positive on `to_sql` calls
  * Don't mangle whitespace in JSON code formatting
  * Add AppTree as facade for filesystem (brynary)
  * Add link for translate vulnerability warning (grosser)
  * Rename LICENSE to MIT-LICENSE, remove from README (grosser)
  * Add Rakefile to run tests (grosser)
  * Better default config file locations (grosser)
  * Reduce Sexp creation
  * Handle empty model files
  * Remove "find by regex" feature from `CallIndex`

-------------------------------------------------------------------
Wed Nov 14 05:55:23 UTC 2012 - coolo@suse.com

- updated to version 1.8.3
  * Use `multi_json` gem for better harmony
  * Performance improvement for call indexing
  * Fix issue with processing HAML files
  * Handle pre-release versions when processing `Gemfile.lock`
  * Only check first argument of `redirect_to`
  * Fix false positives from `Model.arel_table` accesses
  * Fix false positives on redirects to models decorated with Draper gem
  * Fix false positive on redirect to model association
  * Fix false positive on `YAML.load`
  * Fix false positive XSS on any `to_i` output
  * Fix error on Rails 2 name routes with no args
  * Fix error in rescan of mixins with symbols in method name
  * Do not rescan non-Ruby files in config/

-------------------------------------------------------------------
Fri Oct 26 15:55:55 UTC 2012 - coolo@suse.com

- updated to version 1.8.2
  * Fixed rescanning problems caused by 1.8.0 changes
  * Fix scope calls with single argument
  * Report specific model name in rendered collections
  * Handle overwritten JSON escape settings
  * Much improved test coverage
  * Add CHANGES to gemspec

-------------------------------------------------------------------
Tue Sep 25 09:54:08 UTC 2012 - coolo@suse.com

- updated to version 1.8.1
  * Recover from errors in output formatting
  * Fix false positive in redirect_to (Neil Matatall)
  * Fix problems with removal of `Sexp#method_missing`
  * Fix array indexing in alias processing
  * Fix old mail_to vulnerability check
  * Fix rescans when only controller action changes
  * Allow comparison of versions with unequal lengths
  * Handle super calls with blocks
  * Respect `-q` flag for "Rails 3 detected" message

-------------------------------------------------------------------
Thu Sep 6 05:30:21 UTC 2012 - coolo@suse.com

- updated to version 1.8.0
  * Support relative paths in reports (fsword)
  * Allow Brakeman to be run without tty (fsword)
  * Fix exit code with --compare (fsword)
  * Fix --rake option (Deepak Kumar)
  * Add high confidence warnings for to_json XSS (Neil Matatall)
  * Fix redirect_to false negative
  * Fix duplicate warnings with raw calls
  * Fix shadowing of rendered partials
  * Add "render chain" to HTML reports
  * Add check for XSS in content_tag
  * Add full backtrace for errors in debug mode
  * Treat model attributes in or expressions as immediate values
  * Switch to method access for Sexp nodes

-------------------------------------------------------------------
Sun Aug 26 05:31:15 UTC 2012 - coolo@suse.com

- updated to version 1.7.1

-------------------------------------------------------------------
Wed Aug 1 09:52:29 UTC 2012 - coolo@suse.com

- updated to version 1.7.0

-------------------------------------------------------------------
Sat Jul 28 06:02:53 UTC 2012 - coolo@suse.com

- update to latest gem2rpm

-------------------------------------------------------------------
Fri Jun 22 04:57:08 UTC 2012 - coolo@suse.com

- update to 1.6.2
  Add checks for CVE-2012-2660, CVE-2012-2661, CVE-2012-2694, CVE-2012-2695 (Dave Worth)
  Avoid warning when redirecting to a model instance
  Raise confidence level for model attributes in redirects
  Add request.parameters as a parameters hash
  Return non-zero exit code when missing dependencies
  Fix before_filter :except logic
  Only accept symbol literals as before_filter names
  Cache before_filter lookups
  Turn off quiet mode by default for --compare

-------------------------------------------------------------------
Wed Apr 25 12:29:36 UTC 2012 - coolo@suse.com

- update to 1.6.0
  Remove the Ruport dependency (Neil Matatall)
  Add more informational JSON output (Neil Matatall)
  Add comparison to previous JSON report (Neil Matatall)
  Add highlighting of dangerous values in HTML/text reports
  Model#update_attribute should not raise mass assignment warning (Dave Worth)
  Don't check find_by_* method for SQL injection
  Fix duplicate reporting of mass assignment and SQL injection
  Fix rescanning of deleted files
  Properly check for rails_xss in Gemfile

-------------------------------------------------------------------
Wed Apr 11 12:01:46 UTC 2012 - coolo@suse.com

- update to 1.5.3
  Multiple output files can be specified

-------------------------------------------------------------------
Mon Apr 9 18:44:45 UTC 2012 - coolo@suse.com

- initial package