Releases: presidentbeef/brakeman
0.9.0
- Process Rails 3 configuration files
- Check for config.active_record.whitelist_attributes = true
- Always produce a warning for without_protection => true
- Fix CSV output
0.8.4
- Option for separate attr_accessible warnings
- Option to set CSS file for HTML output
- Add file names for version-specific warnings
- Add line number for default routes in a controller
- Fix hash_insert()
- Remove use of Queue from threaded checks
0.8.3
0.8.2
- Run checks in parallel threads by default
- Fix compatibility with ruby_parser 2.3.1
0.8.1
- Add option to assume all controller methods are actions
- Recover from errors when parsing routes
0.8.0
- Add check for mass assignment using without_protection
- Add check for password in http_basic_authenticate_with
- Warn on user input in hash argument with mass assignment
- auto_link is now considered safe for Rails >= 3.0.6
- Output detected Rails version in report
- Keep track of methods called in class definition
- Add ruby_parser hack for Ruby 1.9 hash syntax
- Add a few Rails 3.1 tests
0.7.2
- Fix handling of params and cookies with nested access
- Add CVEs for checks added in 0.7.0
0.7.1
- Require BaseProcessor for GemProcessor
0.7.0
- Allow local variable as a class name
- Add checks for vulnerabilities fixed in Rails 2.3.14 and 3.0.10
- Check for default routes in Rails 3 apps
- Look in Gemfile or Gemfile.lock for Rails version
0.6.1
- Fix XSS check for cookies as parameters in output
- Don't bother calling super in CheckSessionSettings
- Add escape_once as a safe method
- Accept '\Z' or '\z' in model validations