Releases: presidentbeef/brakeman
4.3.0
- Add `--parser-timeout` option
- Improve timeout error messages
- Check exec-type calls even if they are targets (#1199)
- Index ``Kernel#` `` calls even if they are targets (#1183)
- `BaseCheck#include_interp?` should return first string interpolation (#1189)
- Ignore `Process.pid` in system calls
- Warn about dangerous `link_to` href with `sanitize()` (#1187)
- Ignore `params#to_h` and `params#to_hash` in SQL checks (#1180)
- Convert `Array#join` to string interpolation (#1179)
- Change `"".freeze` to just `""` (#1182)
- `--color` can be used to force color output (#1175)
- Track parent calls in call index
- Fix reported line numbers for CVE-2018-3741 and CVE-2018-8048
- Code Climate: omit leading dot from `only_files` (Todd Mazierski)
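The `link_to` / `sanitize()` warning above is worth seeing concretely. The following is an added example written for this page, not Brakeman's or Rails' own code: `html_sanitize` is a stand-in (using `CGI.escapeHTML`) for an HTML sanitizer that, like Rails' `sanitize()`, treats its argument as markup and has no notion of URL schemes, and `link_to` is a minimal model of the Rails helper that attribute-escapes the href but does not validate its scheme (both are assumptions made here). The payload is a constructed value of the kind that might arrive in `params[:url]`.

```ruby
require "cgi"
require "uri"

# Constructed attacker-controlled value, as it might arrive in params[:url].
PAYLOAD = "javascript:alert(document.cookie)".freeze

# Stand-in for an HTML sanitizer (assumption made for this example): it
# neutralises markup in the value but, like Rails' sanitize(), knows nothing
# about URL schemes, so a string containing no tags passes through unchanged.
def html_sanitize(value)
  CGI.escapeHTML(value)
end

# Minimal model of link_to(text, href) (assumption: like the Rails helper it
# attribute-escapes the href but does not validate its scheme).
def link_to(text, href)
  %(<a href="#{CGI.escapeHTML(href)}">#{CGI.escapeHTML(text)}</a>)
end

# Vulnerable: sanitizing the value as HTML does nothing to a javascript: URL,
# so the rendered anchor runs script on click. This is the pattern the
# 4.3.0 check warns about.
def vulnerable_link(text, user_url)
  link_to(text, html_sanitize(user_url))
end

# Hardened: allow-list the scheme (and reject scheme-relative //host URLs)
# before the value reaches link_to; fall back to a fixed path otherwise.
SAFE_SCHEMES = %w[http https].freeze

def safe_href?(value)
  uri = URI.parse(value)
  if uri.scheme.nil?
    # Relative URL: accept only same-origin absolute paths.
    value.start_with?("/") && !value.start_with?("//")
  else
    SAFE_SCHEMES.include?(uri.scheme.downcase)
  end
rescue URI::InvalidURIError
  false
end

def hardened_link(text, user_url, fallback: "/")
  link_to(text, safe_href?(user_url) ? user_url : fallback)
end

if __FILE__ == $PROGRAM_NAME
  puts vulnerable_link("click", PAYLOAD) # script-bearing href survives sanitize
  puts hardened_link("click", PAYLOAD)   # falls back to "/"
end
```

The point of the check is that sanitizing the value as HTML is the wrong control for an href: a `javascript:` or `data:` URL contains no markup to strip. Validate the scheme (or use a route helper) instead.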
4.2.1
- Add warning for CVE-2018-3741
- Add warning for CVE-2018-8048
- Scan `app/jobs/` directory
- Handle `template_exists?` in controllers (#1124)
4.2.0
- Handle ERb use of `String#<<` method for Ruby 2.5 (Pocke)
- Exclude template folders in `lib/` (kru0096)
- Warn about SQL injection with `not`
- Avoid warning about symbol DoS on `Model#attributes` (#1096)
- Avoid warning about open redirects with model methods ending with `_path` (#1117)
- Avoid warning about command injection with `Shellwords.escape` (#1159)
- Use ivars from `initialize` in libraries
- Fix multiple assignment of globals (#1155)
- `Sexp#body=` can accept `:rlist` from `Sexp#body_list`
- Update RubyParser to 3.11.0
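The `Shellwords.escape` item above means Brakeman now treats an escaped value interpolated into a shell command as safe. The following added example (written for this page, not Brakeman's code) shows why that is justified: the same constructed payload is run through `sh -c` raw, escaped, and as a separate argv element, and the output makes visible how many arguments the shell actually produced. `printf '%s|'` is used because it prints one `|` per argument received.

```ruby
require "shellwords"

# Constructed attacker-controlled value, as it might arrive in params[:name].
# The "; echo INJECTED" part is the injection attempt.
PAYLOAD = "a b; echo INJECTED".freeze

# Runs a command line through /bin/sh and returns its stdout.
def run_via_shell(command_line)
  IO.popen(["sh", "-c", command_line], &:read)
end

# Vulnerable: the value is interpolated raw into a shell string. The shell
# splits it into words and honours the ";" as a command separator. Brakeman
# reports this pattern as command injection.
def vulnerable(value)
  run_via_shell("printf '%s|' #{value}")
end

# Hardened: Shellwords.escape backslash-escapes every shell metacharacter,
# so the value reaches printf as exactly one argument. Brakeman 4.2.0+
# recognises the escape call and no longer warns here.
def hardened(value)
  run_via_shell("printf '%s|' #{Shellwords.escape(value)}")
end

# Alternative that avoids the shell entirely: pass argv as separate strings
# (assumes an external printf binary, e.g. coreutils).
def argv_form(value)
  IO.popen(["printf", "%s|", value], &:read)
end

if __FILE__ == $PROGRAM_NAME
  puts "unescaped: #{vulnerable(PAYLOAD).inspect}" # three words + injected command
  puts "escaped:   #{hardened(PAYLOAD).inspect}"   # one argument, nothing executed
  puts "argv:      #{argv_form(PAYLOAD).inspect}"
end
```

Escaping is only sufficient when the escaped value lands in an argument position; interpolating it into the command name or into an already-quoted region still needs review, which is why the array form of `system`/`IO.popen` remains the safer default.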
4.1.1
- Remove check for use of `permit` with `*_id` keys
- Avoid duplicate warnings about permitted attributes
4.1.0
- Add check for dangerous keys in `permit`
- Add optional check for divide by zero
- Remove errors about divide by zero
- Warn about dynamic values in `Arel.sql`
- Show better location for Sass errors (Andrew Bromwich)
- Avoid warning about file access for temp files (#1110)
- Avoid CSRF warning in Rails 5.2 default config (#1132)
- Better processing of `op_asgn1` (e.g. `x[:y] += 1`) (#1103)
- Handle nested destructuring/multiple assignment
- Do not warn on `params.permit` with safe values (#1000)
- Use HTTPS for warning links
- Try to guess options for `less` pager (#1118)
- Do not page if results fit on screen
- Leave results on screen after paging
- Fix upgrade version for CVE-2016-6316
- Fix `include_paths` for Code Climate engine (Will Fleming)
- Support `app_path` configuration for Code Climate engine (Noah Davis)
- Refactor Code Climate engine options parsing (Noah Davis)
4.0.1
- Disable pager when `CI` environment variable is set
- Fix output when pager fails
4.0.0
- `--exit-on-warn` is now the default (#852)
- `--exit-on-error` is now the default (#1083)
- "Plain" report output is now the default
- Add simple pager for reports output to terminal
- Remove low confidence mass assignment warnings
- Reduce warnings about XSS in `link_to`
- Treat `request.cookies` like `cookies` (#1090)
- Treat `fail`/`raise` like early returns (#754)
- Rename "Cross Site Scripting" to "Cross-Site Scripting" (Paul Tetreau)
- Remove reliance on `CONFIDENCE` constant in checks
- Fix `--exit-on-error` and `--exit-on-warn` in config files
3.7.2
- Fix `--ensure-latest` (David Guyon)
3.7.1
3.7.0
- Avoid interpolating hashes/arrays on failed access (#921)
- Fix false positive for `redirect_to` in Rails 4 (Mário Areias)
- Show progress indicator in interactive mode (#1012)
- Handle simple conditional guards that use `return` (#1057)
- Improve support for `rails4`/`rails5` options in config file (#1059)
- Updated RubyParser to master