Data

Tools

Indexes

Applications

Experiments

Ruby

A summary of data about the Ruby ecosystem.

Recent Releases of https://github.com/presidentbeef/brakeman

https://github.com/presidentbeef/brakeman - 2.1.1

  • New warning code for dangerous attributes in attr_accessible
  • Do not warn on attr_accessible using roles
  • More accurate results for model attribute warnings
  • Use exit code zero with -z if all warnings ignored
  • Respect ignored warnings in rescans
  • Ignore dynamic controller names in routes
  • Fix infinite loop when run as rake task (Matthew Shanley)
  • Respect ignored warnings in tabs format reports

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 2.1.0

  • Support non-native line endings in Gemfile.lock (Paul Deardorff)
  • Support for ignoring warnings
  • Check for dangerous model attributes defined in attr_accessible (Paul Deardorff)
  • Update to ruby_parser 3.2.2
  • Add brakeman-min gemspec
  • Load gem dependencies on-demand
  • Output JSON diff to file if -o option is used
  • Add check for authenticate_or_request_with_http_basic
  • Refactor of SQL injection check code (Bart ten Brinke)
  • Fix detection of duplicate XSS warnings
  • Refactor reports into separate classes
  • Allow use of Slim 2.x (Ian Zabel)
  • Return error exit code when application path is not found
  • Add --branch-limit option, limit to 5 by default
  • Add more methods to check for command injection
  • Fix output format detection to be more strict again
  • Allow empty Brakeman configuration file

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 2.0.0

  • Add --only-files option to specify files/paths to scan (Ian Ehlert)
  • Add Marshal/CSV deserialization check
  • Combine deserialization checks into single check
  • Avoid duplicate "Dangerous Send" and "Unsafe Reflection" warnings
  • Avoid duplicate results for Symbol DoS check
  • Medium confidence for mass assignment to attr_protected models
  • Remove "timestamp" key from JSON reports
  • Remove deprecated config file locations
  • Relative paths are used by default in JSON reports
  • --absolute-paths replaces --relative-paths
  • Only treat classes with names containing Controller like controllers
  • Better handling of classes nested inside controllers
  • Better handling of controller classes nested in classes/modules
  • Handle -> lambdas with no arguments
  • Handle explicit block argument destructuring
  • Skip Rails config options that are real objects
  • Detect Rails 3 JSON escape config option
  • Much better tracking of warning file names
  • Fix errors when using --separate-models (Noah Davis)
  • Fix fingerprint generation to actually use the file path
  • Fix text report console output in JRuby
  • Fix false positives on Model#id
  • Fix false positives on params.to_json
  • Fix model path guesses to use "models/" instead of "controllers/"
  • Clean up SQL CVE warning messages
  • Use exceptions instead of abort in brakeman lib
  • Update to Ruby2Ruby 2.0.5

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 1.9.5

  • Add check for unsafe symbol creation
  • Do not warn on mass assignment with slice/only
  • Do not warn on session secret if in .gitignore
  • Fix scoping for blocks and block arguments
  • Fix error when modifying blocks in templates
  • Fix session secret check for Rails 4
  • Fix crash on before_filter outside controller
  • Fix Sexp hash cache invalidation
  • Respect quiet option in configuration file
  • Convert assignment to simple if expressions to or
  • More fixes for assignments inside branches
  • Pin to ruby2ruby version 2.0.3

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 1.9.4

  • Add check for CVE-2013-1854
  • Add check for CVE-2013-1855
  • Add check for CVE-2013-1856
  • Add check for CVE-2013-1857
  • Fix --compare to work with older versions
  • Add "no-referrer' to HTML report links
  • Don't warn when invoking send on user input
  • Slightly faster cloning of Sexps
  • Detect another way to add strong_parameters

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 1.9.3

  • Add render path to JSON report
  • Add warning fingerprints
  • Add check for unsafe reflection (Gabriel Quadros)
  • Add check for skipping authentication methods with blacklist
  • Add support for Slim templates
  • Remove empty tables from reports (Owen Ben Davies)
  • Handle prepend/append_before_filter
  • Performance improvements when handling branches
  • Fix processing of production.rb
  • Fix version check for Ruby 2.0
  • Expand HAML dependency to include 4.0
  • Scroll errors into view when expanding in HTML report

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 1.9.2

  • Add check for CVE-2013-0269
  • Add check for CVE-2013-0276
  • Add check for CVE-2013-0277
  • Add check for CVE-2013-0333
  • Check for more send-like methods
  • Check for more SQL injection locations
  • Check for more dangerous YAML methods
  • Support MultiJSON 1.2 for Rails 3.0 and 3.1

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 1.9.1

  • Update to RubyParser 3.1.1 (neersighted)
  • Remove ActiveSupport dependency (Neil Matatall)
  • Do not warn on arrays passed to link_to (Neil Matatall)
  • Warn on secret tokens
  • Warn on more mass assignment methods
  • Add check for CVE-2012-5664
  • Add check for CVE-2013-0155
  • Add check for CVE-2013-0156
  • Add check for unsafe YAML.load

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 1.9.0

  • Update to RubyParser 3
  • Ignore route information by default
  • Support strong_parameters
  • Support newer validates :format call
  • Add scan time to reports
  • Add Brakeman version to reports
  • Fix CheckExecute to warn on all string interpolation
  • Fix false positive on to_sql calls
  • Don't mangle whitespace in JSON code formatting
  • Add AppTree as facade for filesystem (brynary)
  • Add link for translate vulnerability warning (grosser)
  • Rename LICENSE to MIT-LICENSE, remove from README (grosser)
  • Add Rakefile to run tests (grosser)
  • Better default config file locations (grosser)
  • Reduce Sexp creation
  • Handle empty model files
  • Remove "find by regex" feature from CallIndex

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 1.8.3

  • Use multi_json gem for better harmony
  • Performance improvement for call indexing
  • Fix issue with processing HAML files
  • Handle pre-release versions when processing Gemfile.lock
  • Only check first argument of redirect_to
  • Fix false positives from Model.arel_table accesses
  • Fix false positives on redirects to models decorated with Draper gem
  • Fix false positive on redirect to model association
  • Fix false positive on YAML.load
  • Fix false positive XSS on any to_i output
  • Fix error on Rails 2 name routes with no args
  • Fix error in rescan of mixins with symbols in method name
  • Do not rescan non-Ruby files in config/

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 1.8.2

  • Fixed rescanning problems caused by 1.8.0 changes
  • Fix scope calls with single argument
  • Report specific model name in rendered collections
  • Handle overwritten JSON escape settings
  • Much improved test coverage
  • Add CHANGES to gemspec

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 1.8.1

  • Recover from errors in output formatting
  • Fix false positive in redirect_to (Neil Matatall)
  • Fix problems with removal of Sexp#method_missing
  • Fix array indexing in alias processing
  • Fix old mail_to vulnerability check
  • Fix rescans when only controller action changes
  • Allow comparison of versions with unequal lengths
  • Handle super calls with blocks
  • Respect -q flag for "Rails 3 detected" message

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 1.8.0

  • Support relative paths in reports (fsword)
  • Allow Brakeman to be run without tty (fsword)
  • Fix exit code with --compare (fsword)
  • Fix --rake option (Deepak Kumar)
  • Add high confidence warnings for to_json XSS (Neil Matatall)
  • Fix redirect_to false negative
  • Fix duplicate warnings with raw calls
  • Fix shadowing of rendered partials
  • Add "render chain" to HTML reports
  • Add check for XSS in content_tag
  • Add full backtrace for errors in debug mode
  • Treat model attributes in or expressions as immediate values
  • Switch to method access for Sexp nodes

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 1.7.1

  • Add check for CVE-2012-3463
  • Add check for CVE-2012-3464
  • Add check for CVE-2012-3465
  • Add charset to HTML report (hooopo)
  • Report XSS in select() for Rails 2

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 1.7.0

  • Add check for CVE-2012-3424
  • Link report types to descriptions on website
  • Report errors raised while running check
  • Improve processing of Rails 3 routes
  • Fix "empty char-class" error
  • Improve file access check
  • Avoid warning on non-ActiveModel models
  • Speed improvements by stripping down SexpProcessor
  • Fix how params[:x] ||= is handled
  • Treat user input in or expressions as immediate values
  • Fix processing of negative array indexes
  • Add line breaks to truncated table rows

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 1.6.2

  • Add checks for CVE-2012-2660, CVE-2012-2661, CVE-2012-2694, CVE-2012-2695 (Dave Worth)
  • Avoid warning when redirecting to a model instance
  • Add request.parameters as a parameters hash
  • Raise confidence level for model attributes in redirects
  • Return non-zero exit code when missing dependencies
  • Fix before_filter :except logic
  • Only accept symbol literals as before_filter names
  • Cache before_filter lookups
  • Turn off quiet mode by default for --compare

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 1.6.1

  • Major rewrite of CheckSQL
  • Fix rescanning of deleted templates
  • Process actions mixed into controllers
  • Handle render :template => ...
  • Check for inherited attr_accessible (Neil Matatall)
  • Fix highlighting of HTML escaped values in HTML report
  • Report line number of highlighted value, if available

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 1.6.0

  • Remove the Ruport dependency (Neil Matatall)
  • Add more informational JSON output (Neil Matatall)
  • Add comparison to previous JSON report (Neil Matatall)
  • Add highlighting of dangerous values in HTML/text reports
  • Model#update_attribute should not raise mass assignment warning (Dave Worth)
  • Don't check find_by_* method for SQL injection
  • Fix duplicate reporting of mass assignment and SQL injection
  • Fix rescanning of deleted files
  • Properly check for rails_xss in Gemfile

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 1.5.3

  • Add check for user input in Object#send (Neil Matatall)
  • Handle render :layout in views
  • Support output to multiple formats (Nick Green)
  • Prevent infinite loops in mutually recursive templates
  • Only check eval arguments for user input, not targets
  • Search subdirectories for models
  • Set values in request hashes and propagate to views
  • Add rake task file to gemspec (Anton Ageev)
  • Filter rescanning of templates (Neil Matatall)
  • Improve handling of modules and nesting
  • Test for zero errors in test reports

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 1.5.2

  • Fix link_to checks for Rails 2.0 and 2.3
  • Fix rescanning of lib files (Neil Matatall)
  • Output stack trace on interrupt when debugging
  • Ignore user input in if statement conditions
  • Fix --skip-files option
  • Only warn on user input in render paths
  • Fix handling of views when using rails_xss
  • Revert to ruby_parser 2.3.1 for Ruby 1.8 parsing

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 1.5.1

  • Fix detection of global mass assignment setting
  • Fix partial rendering in Rails 3
  • Show backtrace when interrupt received (Ruby 1.9 only)
  • More debug output
  • Remove duplicate method in Brakeman::Rails2XSSErubis
  • Add tracking of module and class to Brakeman::BaseProcessor
  • Report module when using Brakeman::FindCall

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 1.5.0

  • Add version check for SafeBuffer vulnerability
  • Add check for select vulnerability in Rails 3
  • select() is no longer considered safe in Rails 2
  • Add check for skipping CSRF protection with a blacklist
  • Add JSON report format
  • Model#id should not be considered XSS
  • Standardize methods to check for SQL injection
  • Fix Rails 2 route parsing issue with nested routes

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 1.4.0

  • Add check for user input in link_to href parameter
  • Match ERB processing to rails_xss plugin when plugin used
  • Add Brakeman::Report#to_json, Brakeman::Warning#to_json
  • Warnings below minimum confidence are dropped completely
  • Brakeman.run always returns a Tracker

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 1.3.0

  • Add file paths to HTML report
  • Add caching of filters
  • Add --skip-files option
  • Add support for attr_protected
  • Add detection of request.env as user input
  • Descriptions of checks in -k output
  • Improved processing of named scopes
  • Check for mass assignment in ActiveRecord::Associations::AssociationCollection#build
  • Better variable substitution
  • Table output option for rescan reports

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 1.2.2

  • --no-progress works again
  • Make CheckLinkTo a separate check
  • Don't fail on unknown options to resource(s)
  • Handle empty resource(s) blocks
  • Add RescanReport#existing_warnings

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 1.2.1

  • Remove link_to warning for Rails 3.x or when using rails_xss
  • Don't warn if first argument to link_to is escaped
  • Detect usage of attr_accessible with no arguments
  • Fix error when rendering a partial from a view but not through a controller
  • Fix some issues with rails_xss, CheckCrossSiteScripting, and CheckTranslateBug
  • Simplify Brakeman Rake task
  • Avoid modifying $VERBOSE
  • Add Brakeman::RescanReport#to_s
  • Add Brakeman::Warning#to_s

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 1.2.0

  • Speed improvements for CheckExecute and CheckRender
  • Check named_scope() and scope() for SQL injection
  • Add --rake option to create rake task to run Brakeman
  • Add experimental support for rescanning a subset of files
  • Add --summary option to only output summary
  • Fix a problem with Rails 3 routes

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 1.1.0

  • Relax required versions for dependencies
  • Performance improvements for source processing
  • Better progress reporting
  • Handle basic operators like << + - * /
  • Rescue more errors to prevent complete crashes
  • Compatibility with newer Haml versions
  • Fix some warnings

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 1.0.0

  • Better handling of assignments inside ifs
  • Check more expressions for SQL injection
  • Use latest ruby_parser for better 1.9 syntax support
  • Brakeman can now be used as a library
  • Faster call search
  • Add option to return error code if warnings are found (tw-ngreen)
  • Allow truncated messages to be expanded in HTML
  • Fix summary when using warning thresholds
  • Better support for Rails 3 routes
  • Reduce SQL injection duplicate warnings
  • Lower confidence on mass assignment with no user input
  • Ignore mass assignment using all literal arguments
  • Keep expanded context in view with HTML output

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 0.9.2

  • Fix Rails 3 configuration parsing
  • Add t() helper to check for translate XSS bug

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 0.9.1

Add warning for translator helper XSS vulnerability

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 0.9.0

  • Process Rails 3 configuration files
  • Check for config.active_record.whitelist_attributes = true
  • Always produce a warning for without_protection => true
  • Fix CSV output

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 0.8.4

  • Option for separate attr_accessible warnings
  • Option to set CSS file for HTML output
  • Add file names for version-specific warnings
  • Add line number for default routes in a controller
  • Fix hash_insert()
  • Remove use of Queue from threaded checks

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 0.8.2

  • Run checks in parallel threads by default
    • Fix compatibility with ruby_parser 2.3.1

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 0.8.1

  • Add option to assume all controller methods are actions
  • Recover from errors when parsing routes

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 0.8.3

  • Respect -w flag in .tabs format (tw-ngreen)
  • Escape HTML output of error messages
  • Add --skip-libs option

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 0.8.0

  • Add check for mass assignment using without_protection
  • Add check for password in http_basic_authenticate_with
  • Warn on user input in hash argument with mass assignment
  • auto_link is now considered safe for Rails >= 3.0.6
  • Output detected Rails version in report
  • Keep track of methods called in class definition
  • Add ruby_parser hack for Ruby 1.9 hash syntax
  • Add a few Rails 3.1 tests

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 0.7.2

  • Fix handling of params and cookies with nested access
  • Add CVEs for checks added in 0.7.0

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 0.7.1

Require BaseProcessor for GemProcessor

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 0.7.0

  • Allow local variable as a class name
  • Add checks for vulnerabilities fixed in Rails 2.3.14 and 3.0.10
  • Check for default routes in Rails 3 apps
  • Look in Gemfile or Gemfile.lock for Rails version

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 0.6.1

  • Fix XSS check for cookies as parameters in output
  • Don't bother calling super in CheckSessionSettings
  • Add escape_once as a safe method
  • Accept '\Z' or '\z' in model validations

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 0.6.0

  • Tests are in place and fully functional
  • Hide errors by default in HTML output
  • Warn if routes.rb cannot be found
  • Narrow methods assumed to be file access
  • Increase confidence for methods known to not escape output
  • Fixes to output processing for Erubis
  • Fixes for Rails 3 XSS checks
  • Fixes to line numbers with Erubis
  • Fixes to escaped output scanning
  • Update CSRF CVE-2011-0447 message to be less assertive

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 0.5.2

  • Output report file name when finished
  • Add initial tests for Rails 2.x
  • Fix ERB line numbers when using Ruby 1.9

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 0.5.1

Fix issue with 'has_one' => in routes

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 0.5.0

  • Add support for routes like get 'x/y', :to => 'ctrlr#whatever'
  • Allow empty blocks in Rails 3 routes
  • Check initializer for session settings
  • Add line numbers to session setting warnings
  • Add --checks option to list checks

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 0.4.1

Fix reported line numbers when using new Erubis parser (mostly affects Rails 3 apps).

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 0.4.0

  • Handle Rails XSS protection properly
  • More detection options for rails_xss
  • Add --escape-html option

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 0.3.2

  • Autodetect Rails 3 applications
  • Turn on auto-escaping for Rails 3 apps
  • Check Model.create() for mass assignment

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 0.3.1

  • Always output a line number in tabbed output format
  • Restrict characters in category name in tabbed output format to word characters and spaces, for Hudson/Jenkins plugin

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 0.2.2

  • Fix version_between? when no Rails version is specified

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 0.2.1

  • Add code snippet to tab output messages

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 0.1.1

  • Be more permissive with ActiveSupport version

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 0.1.0

  • Check link_to for XSS (because arguments are not escaped)
  • Process layouts better (although not perfectly yet)
  • Load custom Haml filters if they are in lib/
  • Tab separated output via .tabs output extension
  • Switch to normal versioning scheme

- Ruby
Published by presidentbeef about 12 years ago

https://github.com/presidentbeef/brakeman - 0.0.2

- Ruby
Published by presidentbeef about 12 years ago