Releases: presidentbeef/brakeman

4.3.0

11 May 18:15
  • Add --parser-timeout option
  • Improve timeout error messages
  • Check exec-type calls even if they are targets (#1199)
  • Index Kernel#` calls even if they are targets (#1183)
  • BaseCheck#include_interp? should return first string interpolation (#1189)
  • Ignore Process.pid in system calls
  • Warn about dangerous link_to href with sanitize() (#1187)
  • Ignore params#to_h and params#to_hash in SQL checks (#1180)
  • Convert Array#join to string interpolation (#1179)
  • Change "".freeze to just "" (#1182)
  • --color can be used to force color output (#1175)
  • Track parent calls in call index
  • Fix reported line numbers for CVE-2018-3741 and CVE-2018-8048
  • Code Climate: omit leading dot from only_files (Todd Mazierski)

4.2.1

24 Mar 00:56

4.2.0

21 Feb 22:54
  • Handle ERb use of String#<< method for Ruby 2.5 (Pocke)
  • Exclude template folders in lib/ (kru0096)
  • Warn about SQL injection with not
  • Avoid warning about symbol DoS on Model#attributes (#1096)
  • Avoid warning about open redirects with model methods ending with _path (#1117)
  • Avoid warning about command injection with Shellwords.escape (#1159)
  • Use ivars from initialize in libraries
  • Fix multiple assignment of globals (#1155)
  • Sexp#body= can accept :rlist from Sexp#body_list
  • Update RubyParser to 3.11.0

4.1.1

19 Dec 06:57
  • Remove check for use of permit with *_id keys
  • Avoid duplicate warnings about permitted attributes

4.1.0

16 Dec 17:37
  • Add check for dangerous keys in permit
  • Add optional check for divide by zero
  • Remove errors about divide by zero
  • Warn about dynamic values in Arel.sql
  • Show better location for Sass errors (Andrew Bromwich)
  • Avoid warning about file access for temp files (#1110)
  • Avoid CSRF warning in Rails 5.2 default config (#1132)
  • Better processing of op_asgn1 (e.g. x[:y] += 1) (#1103)
  • Handle nested destructuring/multiple assignment
  • Do not warn on params.permit with safe values (#1000)
  • Use HTTPS for warning links
  • Try to guess options for less pager (#1118)
  • Do not page if results fit on screen
  • Leave results on screen after paging
  • Fix upgrade version for CVE-2016-6316
  • Fix include_paths for Code Climate engine (Will Fleming)
  • Support app_path configuration for Code Climate engine (Noah Davis)
  • Refactor Code Climate engine options parsing (Noah Davis)

4.0.1

25 Sep 11:16
  • Disable pager when CI environment variable is set
  • Fix output when pager fails

4.0.0

25 Sep 05:14
  • --exit-on-warn is now the default (#852)
  • --exit-on-error is now the default (#1083)
  • "Plain" report output is now the default
  • Add simple pager for reports output to terminal
  • Remove low confidence mass assignment warnings
  • Reduce warnings about XSS in link_to
  • Treat request.cookies like cookies (#1090)
  • Treat fail/raise like early returns (#754)
  • Rename "Cross Site Scripting" to "Cross-Site Scripting" (Paul Tetreau)
  • Remove reliance on CONFIDENCE constant in checks
  • Fix --exit-on-error and --exit-on-warn in config files

3.7.2

02 Sep 02:35

3.7.1

14 Aug 04:17
  • Handle simple guard with return at end of branch (#1073)
  • Add more collection methods for iteration detection
  • Modularize bin/brakeman
  • Improve multi-value Sexp error message
  • Update ruby2ruby and ruby_parser dependencies

3.7.0

30 Jun 15:17
  • Avoid interpolating hashes/arrays on failed access (#921)
  • Fix false positive for redirect_to in Rails 4 (Mário Areias)
  • Show progress indicator in interactive mode (#1012)
  • Handle simple conditional guards that use return (#1057)
  • Improve support for rails4/rails5 options in config file (#1059)
  • Updated RubyParser to master