Changelog for ruby2.4-rubygem-brakeman-4.3.1-lp150.1.2.x86_64.rpm:
* Thu Jun 07 2018 factory-autoAATTkulow.org- updated to version 4.3.1 see installed CHANGES.md
* Wed May 16 2018 factory-autoAATTkulow.org- updated to version 4.3.0 see installed CHANGES.md
* Sat Mar 24 2018 factory-autoAATTkulow.org- updated to version 4.2.1 see installed CHANGES.md
* Fri Feb 23 2018 factory-autoAATTkulow.org- updated to version 4.2.0 see installed CHANGES.md
* Tue Jan 09 2018 cooloAATTsuse.com- updated to version 4.1.1 see installed CHANGES.md
* Thu Dec 14 2017 cooloAATTsuse.com- updated to version 4.1.0 see installed CHANGES
* Wed Oct 11 2017 cooloAATTsuse.com- updated to version 4.0.1 see installed CHANGES
* Mon Aug 28 2017 cooloAATTsuse.com- updated to version 3.7.2 see installed CHANGES
* Thu Aug 03 2017 cooloAATTsuse.com- updated to version 3.7.0 see installed CHANGES
* Tue May 23 2017 cooloAATTsuse.com- updated to version 3.6.2 see installed CHANGES
* Mon Mar 27 2017 cooloAATTsuse.com- updated to version 3.6.1 see installed CHANGES
* Fri Mar 24 2017 cooloAATTsuse.com- updated to version 3.6.0 see installed CHANGES
* Thu Feb 02 2017 cooloAATTsuse.com- updated to version 3.5.0 see installed CHANGES
* Thu Nov 03 2016 cooloAATTsuse.com- updated to version 3.4.1 see installed CHANGES
* Thu Sep 08 2016 cooloAATTsuse.com- updated to version 3.4.0 see installed CHANGES
* Sat Aug 13 2016 cooloAATTsuse.com- updated to version 3.3.5 see installed CHANGES
* Thu Jul 21 2016 cooloAATTsuse.com- updated to version 3.3.3 see installed CHANGES
* Mon Jun 13 2016 cooloAATTsuse.com- updated to version 3.3.2 see installed CHANGES
* Fri Jun 03 2016 cooloAATTsuse.com- updated to version 3.3.1 see installed CHANGES
3.0.7 (2016-05-22):
* Add additional attributes feature to shortcuts
* Freeze string literals
* Fri May 06 2016 cooloAATTsuse.com- updated to version 3.3.0 see installed CHANGES
* Wed Mar 02 2016 cooloAATTsuse.com- updated to version 3.2.1 see installed CHANGES
3.2.1:
* Remove `multi_json` dependency from `bin/brakeman`
* Thu Feb 25 2016 cooloAATTsuse.com- updated to version 3.2.0 see installed CHANGES
3.2.0:
* Skip Symbol DoS check on Rails 5
* Only update ignore config file on changes
* Sort ignore config file
* Support calls using `&.` operator
* Update ruby_parser dependency to 3.8.1
* Remove `fastercsv` dependency
* Fix finding calls with `targets: nil`
* Remove `multi-json` dependency
* Handle CoffeeScript in HAML
* Avoid render warnings about params[:action]/params[:controller]
* Index calls in class bodies but outside methods
* Fri Jan 29 2016 cooloAATTsuse.com- updated to version 3.1.5 see installed CHANGES
3.1.5:
* Fix CodeClimate construction of --only-files (Will Fleming)
* Add check for denial of service via routes (CVE-2015-7581)
* Warn about RCE with `render params` (CVE-2016-0752)
* Add check for `strip_tags` XSS (CVE-2015-7579)
* Add check for `sanitize` XSS (CVE-2015-7578/80)
* Add check for `reject_if` proc bypass (CVE-2015-7577)
* Add check for mime-type denial of service (CVE-2016-0751)
* Add check for basic auth timing attack (CVE-2015-7576)
* Add initial Rails 5 support
* Check for implicit integer comparison in dynamic finders
* Support directories better in --only-files and --skip-files (Patrick Toomey)
* Avoid warning about `permit` in SQL
* Handle guards using `detect`
* Avoid warning on user input in comparisons
* Handle module names with self methods
* Add session manipulation documentation
* Wed Dec 23 2015 cooloAATTsuse.com- updated to version 3.1.4 see installed CHANGES
3.1.4:
* Emit brakeman's native fingerprints for Code Climate engine (Noah Davis)
* Ignore secrets.yml if in .gitignore
* Clean up Ruby warnings (Andy Waite)
* Increase test coverage for option parsing (Zander Mackie)
* Work around safe_yaml error
* Fri Dec 04 2015 cooloAATTsuse.com- updated to version 3.1.3 see installed CHANGES
3.1.3:
* Check for session secret in secrets.yml
* Respect `exit_on_warn` in config file
* Avoid warning on `without_protection: true` with hash literals
* Make sure before_filter call with block is still a call
* CallIndex improvements
* Restore minimum Highline version (Kevin Glowacz)
* Add Code Climate output format (Ashley Baldwin-Hunter/Devon Blandin/John Pignata/Michael Bernstein)
* Iteratively replace values
* Output nil instead of false for user_input in JSON
* Depend on safe_yaml 1.0 or later
* Test coverage improvements for Brakeman module (Bethany Rentz)
* Thu Oct 29 2015 cooloAATTsuse.com- updated to version 3.1.2 see installed CHANGES
3.1.2:
* Treat `current_user` like a model
* Set user input value for inline renders
* Avoid warning on inline renders with safe content types
* Handle empty interpolation in HAML filters
* Ignore filters that are not method names
* Avoid warning about model find/find_by in hrefs
* Use SafeYAML to load configuration files
* Warn on SQL query keys, not values in hashes
* Allow inspection of recursive Sexps
* Add line numbers to class-level warnings
* Handle `private def ...`
* Catch divide-by-zero in alias processing
* Reduce string allocations in Warning#initialize
* Sortable tables in HTML report (David Lanner)
* Search for config file relative to application root
* Thu Sep 24 2015 cooloAATTsuse.com- updated to version 3.1.1 see installed CHANGES
3.1.1:
* Add optional check for use of MD5 and SHA1
* Avoid warning when linking to decorated models
* Add check for user input in session keys
* Fix chained assignment
* Treat a.try(&:b) like a.b()
* Consider j/escape_javascript safe inside HAML JavaScript blocks
* Better HAML processing of find_and_preserve calls
* Add more Arel methods to be ignored in SQL
* Fix absolute paths for Windows (Cody Frederick)
* Support newer terminal-table releases
* Allow searching call index methods by regex (Alex Ianus)
* Tue Sep 01 2015 cooloAATTsuse.com- updated to version 3.1.0 see installed CHANGES
3.1.0:
* Add support for gems.rb/gems.locked
* Update render path information in JSON reports
* Remove renaming of several Sexp nodes
* Convert YAML config keys to symbols (Karl Glaser)
* Use railties version if rails gem is missing (Lucas Mazza)
* Warn about unverified SSL mode in Net::HTTP.start
* Add Model, Controller, Template, Config classes internally
* Report file being parsed in debug output
* Update dependencies to Ruby 1.8 incompatible versions
* Treat Array.new and Hash.new as arrays/hashes
* Fix handling of string concatenation with existing string
* Treat html_safe like raw()
* Fix low confidence XSS warning code
* Avoid warning on path creation methods in link_to
* Expand safe methods to match methods with targets
* Avoid duplicate eval() warnings
* Tue Jun 23 2015 cooloAATTsuse.com- updated to version 3.0.5 see installed CHANGES
3.0.5:
* Fix check for CVE-2015-3227
* Fri Jun 19 2015 cooloAATTsuse.com- updated to version 3.0.4 see installed CHANGES
3.0.4:
* Add check for CVE-2015-3226 (XSS via JSON keys)
* Add check for CVE-2015-3227 (XML DoS)
* Treat `<%==` as unescaped output
* Update `ruby_parser` dependency to 3.7.0
* Fri May 01 2015 cooloAATTsuse.com- updated to version 3.0.3 see installed CHANGES
3.0.3:
* Ignore more Arel methods in SQL
* Warn about protect_from_forgery without exceptions (Neil Matatall)
* Handle lambdas as filters
* Ignore quoted_table_name in SQL (Gabriel Sobrinho)
* Warn about RCE and file access with `open`
* Handle array include? guard conditionals
* Do not ignore targets of `to_s` in SQL
* Add Rake task to exit with error code on warnings (masarakki)
* Tue Mar 10 2015 cooloAATTsuse.com- updated to version 3.0.2
* Mon Feb 09 2015 cooloAATTsuse.com- updated to version 3.0.1
* Avoid protect_from_forgery warning unless ApplicationController inherits from ActionController::Base
* Properly format command interpolation (again)
* Remove Slim dependency (Casey West)
* Allow for controllers/models/templates in directories under `app/` (Neal Harris)
* Add `--add-libs-path` for additional libraries (Patrick Toomey)
* Properly process libraries (Patrick Toomey)
3.0.0:
* Add check for CVE-2014-7829
* Add check for cross site scripting via inline renders
* Fix formatting of command interpolation
* Local variables are no longer formatted as `(local var)`
* Actually skip skipped before filters
* `--exit-on-warn --compare` only returns error code on new warnings (Jeff Yip)
* Fix parsing of `<%==` in ERB
* Sort warnings by fingerprint in JSON report (Jeff Yip)
* Handle symmetric multiple assignment
* Do not branch for self attribute assignment `x = x.y`
* Fix CVE for CVE-2011-2932
* Remove "fake filters" from warning fingerprints
* Index calls in `lib/` files
* Move Symbol DoS to optional checks
* CVEs report correct line and file name (Gemfile/Gemfile.lock) (Rob Fletcher)
* Change `--separate-models` to be the default
* Mon Nov 03 2014 tboergerAATTsuse.com- Updated to 2.6.3
2.6.3:
* Whitelist `exists` arel method from SQL injection check
* Avoid warning about Symbol DoS on safe parameters as method targets
* Fix stack overflow in ProcessHelper#class_name
* Add optional check for unscoped find queries (Ben Toews)
* Add framework for optional checks
* Fix stack overflow for cycles in class ancestors (Jeff Rafter)
2.6.2:
* Add check for CVE-2014-3415
* Avoid warning about symbolizing safe parameters
* Update ruby2ruby dependency to 2.1.1
* Expand app path in one place instead of all over (Jeff Rafter)
* Add `--add-checks-path` option for external checks (Clint Gibler)
* Fix SQL injection detection in deep nested string building
* Add `-4` option to force Rails 4 mode
* Check entire call for `send`
* Check for .gitignore of secrets in subdirectories
* Fix block statement endings in Erubis
* Fix undefined variable in controller processing error (Jason Barnabe)
* Mon Oct 13 2014 cooloAATTsuse.com- adapt to new rubygem packaging
* Sun Oct 12 2014 adrianAATTsuse.de- adapt to new rubygem packaging style
* Mon Jul 14 2014 cooloAATTsuse.com- updated to version 2.6.1
* Add check for CVE-2014-3482 and CVE-2014-3483
* Add support for keyword arguments in blocks
* Remove unused warning codes (Bill Fischer)
2.6.0:
* Fix detection of `:host` setting in redirects with chained calls
* Add check for CVE-2014-0130
* Add `find_by`/`find_by!` to SQLi check for Rails 4
* Parse most files upfront instead of on demand
* Do not branch values for `+=`
* Update to use RubyParser 3.5.0 (Patrick Toomey)
* Improve default route detection in Rails 3/4 (Jeff Jarmoc)
* Handle controllers and models split across files (Patrick Toomey)
* Fix handling of `protected_attributes` gem in Rails 4 (Geoffrey Hichborn)
* Ignore more model methods in redirects
* Fix CheckRender with nested render calls
* Sun May 18 2014 cooloAATTsuse.com- updated to version 2.5.0
* Add support for RailsLTS 2.3.18.7 and 2.3.18.8
* Add support for Rails 4 `before_actions` and friends
* Move SQLi CVE checks to `CheckSQLCVEs`
* Check for protected_attributes gem
* Fix SQLi detection in chain calls in scopes
* Add GitHub-flavored Markdown output format (Greg Ose)
* Fix false positives when sanitize() is used in SQL (Jeff Yip)
* Add String#intern and Hash#symbolize_keys DoS check (Jan Rusnacko)
* Check all arguments in Model.select for SQLi
* Fix false positive when :host is specified in redirect
* Handle more non-literals in routes
* Add check for regex denial of service (Ben Toews)
* Sun Mar 23 2014 cooloAATTsuse.com- updated to version 2.4.3
* Remove `rescue Exception`
* Fix duplicate warnings about sanitize CVE
* Reuse duplicate call location information
* Only track original template output locations
* Skip identically rendered templates
* Fix HAML template processing
* Sat Feb 22 2014 cooloAATTsuse.com- updated to version 2.4.1
* Add check for CVE-2014-0082
* Add check for CVE-2014-0081, replaces CVE-2013-6415
* Add check for CVE-2014-0080
* Detect Rails LTS versions
* Reduce false positives for SQL injection in string building
* More accurate user input marking for SQL injection warnings
* Detect SQL injection in `delete_all`/`destroy_all`
* Detect SQL injection in raw SQL queries using `connection`
* Parse exact versions from Gemfile.lock for all gems
* Ignore generators
* Update to RubyParser 3.4.0
* Fix false positives when SQL methods are not called on AR models (Aaron Bedra)
* Add check for uses of OpenSSL::SSL::VERIFY_NONE (Aaron Bedra)
* No longer raise exceptions if a class name cannot be determined
* Fingerprint attribute warnings individually (Case Taintor)
* Mon Dec 16 2013 cooloAATTsuse.com- updated to version 2.3.1
* Fix check for CVE-2013-4491 (i18n XSS) to detect workaround
* Fix link for CVE-2013-6415 (number_to_currency)
* Fri Dec 13 2013 cooloAATTsuse.com- updated to version 2.3.0
* Add check for Parameters#permit!
* Add check for CVE-2013-4491 (i18n XSS)
* Add check for CVE-2013-6414 (header DoS)
* Add check for CVE-2013-6415 (number_to_currency)
* Add check for CVE-2013-6416 (simple_format XSS)
* Add check for CVE-2013-6417 (query generation)
* Fix typos in reflection and translate bug messages
* Collapse send/try calls
* Fix Slim XSS false positives (Noah Davis)
* Whitelist `Model#create` for redirects
* Fix scoping issues with instance variables and blocks
* Thu Oct 31 2013 cooloAATTsuse.com- updated to version 2.2.0
* Reduce command injection false positives
* Use Rails version from Gemfile if it is available
* Only add routes with actual names
* Ignore redirects to models using friendly_id (AJ Ostrow)
* Support scanning Rails engines (Geoffrey Hichborn)
* Add check for detailed exceptions in production
* Mon Sep 23 2013 cooloAATTsuse.com- updated to version 2.1.2
* Do not attempt to load custom Haml filters
* Do not warn about `to_json` XSS in Rails 4
* Add --table-width option to set width of text reports (ssendev)
* Remove fuzzy matching on dangerous attr_accessible values
* Mon Aug 26 2013 cooloAATTsuse.com- updated to version 2.1.1
* New warning code for dangerous attributes in attr_accessible
* Do not warn on attr_accessible using roles
* More accurate results for model attribute warnings
* Use exit code zero with `-z` if all warnings ignored
* Respect ignored warnings in rescans
* Ignore dynamic controller names in routes
* Fix infinite loop when run as rake task (Matthew Shanley)
* Respect ignored warnings in tabs format reports
* Wed Jul 31 2013 cooloAATTsuse.com- updated to version 2.1.0
* Support non-native line endings in Gemfile.lock (Paul Deardorff)
* Support for ignoring warnings
* Check for dangerous model attributes defined in attr_accessible (Paul Deardorff)
* Update to ruby_parser 3.2.2
* Add brakeman-min gemspec
* Load gem dependencies on-demand
* Output JSON diff to file if -o option is used
* Add check for authenticate_or_request_with_http_basic
* Refactor of SQL injection check code (Bart ten Brinke)
* Fix detection of duplicate XSS warnings
* Refactor reports into separate classes
* Allow use of Slim 2.x (Ian Zabel)
* Return error exit code when application path is not found
* Add `--branch-limit` option, limit to 5 by default
* Add more methods to check for command injection
* Fix output format detection to be more strict again
* Allow empty Brakeman configuration file
2.0.0:
* Add `--only-files` option to specify files/paths to scan (Ian Ehlert)
* Add Marshal/CSV deserialization check
* Combine deserialization checks into single check
* Avoid duplicate "Dangerous Send" and "Unsafe Reflection" warnings
* Avoid duplicate results for Symbol DoS check
* Medium confidence for mass assignment to attr_protected models
* Remove "timestamp" key from JSON reports
* Remove deprecated config file locations
* Relative paths are used by default in JSON reports
* `--absolute-paths` replaces `--relative-paths`
* Only treat classes with names containing `Controller` like controllers
* Better handling of classes nested inside controllers
* Better handling of controller classes nested in classes/modules
* Handle `->` lambdas with no arguments
* Handle explicit block argument destructuring
* Skip Rails config options that are real objects
* Detect Rails 3 JSON escape config option
* Much better tracking of warning file names
* Fix errors when using `--separate-models` (Noah Davis)
* Fix fingerprint generation to actually use the file path
* Fix text report console output in JRuby
* Fix false positives on `Model#id`
* Fix false positives on `params.to_json`
* Fix model path guesses to use "models/" instead of "controllers/"
* Clean up SQL CVE warning messages
* Use exceptions instead of abort in brakeman lib
* Update to Ruby2Ruby 2.0.5
* Fri Apr 12 2013 cooloAATTsuse.com- updated to version 1.9.5
* Add check for unsafe symbol creation
* Do not warn on mass assignment with `slice`/`only`
* Do not warn on session secret if in `.gitignore`
* Fix scoping for blocks and block arguments
* Fix error when modifying blocks in templates
* Fix session secret check for Rails 4
* Fix crash on `before_filter` outside controller
* Fix `Sexp` hash cache invalidation
* Respect `quiet` option in configuration file
* Convert assignment to simple `if` expressions to `or`
* More fixes for assignments inside branches
* Pin to ruby2ruby version 2.0.3
* Tue Mar 19 2013 cooloAATTsuse.com- updated to version 1.9.4
* Add check for CVE-2013-1854
* Add check for CVE-2013-1855
* Add check for CVE-2013-1856
* Add check for CVE-2013-1857
* Fix `--compare` to work with older versions
* Add "no-referrer" to HTML report links
* Don't warn when invoking `send` on user input
* Slightly faster cloning of Sexps
* Detect another way to add `strong_parameters`
* Sun Mar 03 2013 cooloAATTsuse.com- updated to version 1.9.3
* Add render path to JSON report
* Add warning fingerprints
* Add check for unsafe reflection (Gabriel Quadros)
* Add check for skipping authentication methods with blacklist
* Add support for Slim templates
* Remove empty tables from reports (Owen Ben Davies)
* Handle `prepend/append_before_filter`
* Performance improvements when handling branches
* Fix processing of `production.rb`
* Fix version check for Ruby 2.0
* Expand HAML dependency to include 4.0
* Scroll errors into view when expanding in HTML report
* Add check for CVE-2013-0269
* Add check for CVE-2013-0276
* Add check for CVE-2013-0277
* Add check for CVE-2013-0333
* Check for more send-like methods
* Check for more SQL injection locations
* Check for more dangerous YAML methods
* Support MultiJSON 1.2 for Rails 3.0 and 3.1
* Wed Jan 23 2013 cooloAATTsuse.com- updated to version 1.9.1
* Update to RubyParser 3.1.1 (neersighted)
* Remove ActiveSupport dependency (Neil Matatall)
* Do not warn on arrays passed to `link_to` (Neil Matatall)
* Warn on secret tokens
* Warn on more mass assignment methods
* Add check for CVE-2012-5664
* Add check for CVE-2013-0155
* Add check for CVE-2013-0156
* Add check for unsafe `YAML.load`
* Wed Dec 26 2012 cooloAATTsuse.com- updated to version 1.9.0
* Update to RubyParser 3
* Ignore route information by default
* Support `strong_parameters`
* Support newer `validates :format` call
* Add scan time to reports
* Add Brakeman version to reports
* Fix `CheckExecute` to warn on all string interpolation
* Fix false positive on `to_sql` calls
* Don't mangle whitespace in JSON code formatting
* Add AppTree as facade for filesystem (brynary)
* Add link for translate vulnerability warning (grosser)
* Rename LICENSE to MIT-LICENSE, remove from README (grosser)
* Add Rakefile to run tests (grosser)
* Better default config file locations (grosser)
* Reduce Sexp creation
* Handle empty model files
* Remove "find by regex" feature from `CallIndex`
* Wed Nov 14 2012 cooloAATTsuse.com- updated to version 1.8.3
* Use `multi_json` gem for better harmony
* Performance improvement for call indexing
* Fix issue with processing HAML files
* Handle pre-release versions when processing `Gemfile.lock`
* Only check first argument of `redirect_to`
* Fix false positives from `Model.arel_table` accesses
* Fix false positives on redirects to models decorated with Draper gem
* Fix false positive on redirect to model association
* Fix false positive on `YAML.load`
* Fix false positive XSS on any `to_i` output
* Fix error on Rails 2 name routes with no args
* Fix error in rescan of mixins with symbols in method name
* Do not rescan non-Ruby files in config/
* Fri Oct 26 2012 cooloAATTsuse.com- updated to version 1.8.2
* Fixed rescanning problems caused by 1.8.0 changes
* Fix scope calls with single argument
* Report specific model name in rendered collections
* Handle overwritten JSON escape settings
* Much improved test coverage
* Add CHANGES to gemspec
* Tue Sep 25 2012 cooloAATTsuse.com- updated to version 1.8.1
* Recover from errors in output formatting
* Fix false positive in redirect_to (Neil Matatall)
* Fix problems with removal of `Sexp#method_missing`
* Fix array indexing in alias processing
* Fix old mail_to vulnerability check
* Fix rescans when only controller action changes
* Allow comparison of versions with unequal lengths
* Handle super calls with blocks
* Respect `-q` flag for "Rails 3 detected" message
* Thu Sep 06 2012 cooloAATTsuse.com- updated to version 1.8.0
* Support relative paths in reports (fsword)
* Allow Brakeman to be run without tty (fsword)
* Fix exit code with --compare (fsword)
* Fix --rake option (Deepak Kumar)
* Add high confidence warnings for to_json XSS (Neil Matatall)
* Fix redirect_to false negative
* Fix duplicate warnings with raw calls
* Fix shadowing of rendered partials
* Add “render chain” to HTML reports
* Add check for XSS in content_tag
* Add full backtrace for errors in debug mode
* Treat model attributes in or expressions as immediate values
* Switch to method access for Sexp nodes
* Sun Aug 26 2012 cooloAATTsuse.com- updated to version 1.7.1
* Wed Aug 01 2012 cooloAATTsuse.com- updated to version 1.7.0
* Sat Jul 28 2012 cooloAATTsuse.com- update to latest gem2rpm
* Fri Jun 22 2012 cooloAATTsuse.com- update to 1.6.2
* Add checks for CVE-2012-2660, CVE-2012-2661, CVE-2012-2694, CVE-2012-2695 (Dave Worth)
* Avoid warning when redirecting to a model instance
* Raise confidence level for model attributes in redirects
* Add request.parameters as a parameters hash
* Return non-zero exit code when missing dependencies
* Fix before_filter :except logic
* Only accept symbol literals as before_filter names
* Cache before_filter lookups
* Turn off quiet mode by default for --compare
* Wed Apr 25 2012 cooloAATTsuse.com- update to 1.6.0
* Remove the Ruport dependency (Neil Matatall)
* Add more informational JSON output (Neil Matatall)
* Add comparison to previous JSON report (Neil Matatall)
* Add highlighting of dangerous values in HTML/text reports
* Model#update_attribute should not raise mass assignment warning (Dave Worth)
* Don't check find_by_* methods for SQL injection
* Fix duplicate reporting of mass assignment and SQL injection
* Fix rescanning of deleted files
* Properly check for rails_xss in Gemfile
* Wed Apr 11 2012 cooloAATTsuse.com- update to 1.5.3
* Multiple output files can be specified
* Mon Apr 09 2012 cooloAATTsuse.com- initial package
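Many of the entries above ("Warn about RCE and file access with `open`", "Add check for unsafe `YAML.load`", "Add check for uses of OpenSSL::SSL::VERIFY_NONE", "Add optional check for use of MD5 and SHA1") describe Brakeman checks, which are pattern matches over the parsed Ruby source tree. The following is an added illustration of that technique, not Brakeman's own code: a miniature checker built on the Ruby standard library's `Ripper` parser instead of the `ruby_parser` gem Brakeman uses, with a constructed sample controller (`ReportsController`, not from any real application) as input. The check names and messages are this example's own.

```ruby
# Added example (not part of Brakeman): a Brakeman-style pattern check over
# the S-expression produced by the standard-library Ripper parser.
require "ripper"

# Depth-first walk over the nested-array tree Ripper produces. Every node is
# an Array whose first element is a Symbol, e.g. [:call, ...] or
# [:@ident, "open", [line, col]] for scanner tokens.
def each_node(node, &blk)
  return unless node.is_a?(Array)
  yield node if node.first.is_a?(Symbol)
  node.each { |child| each_node(child, &blk) }
end

# True if the subtree contains a constant token with one of the given names.
def mentions_const?(node, *names)
  found = false
  each_node(node) { |n| found = true if n[0] == :@const && names.include?(n[1]) }
  found
end

# Line number of the first scanner token inside a node.
def line_of(node)
  each_node(node) do |n|
    return n[2][0] if n[0].to_s.start_with?("@") && n[2].is_a?(Array)
  end
  nil
end

# A call with no explicit receiver: `open(x)` (method_add_arg around fcall)
# or `open x` (command). `File.open(x)` has a receiver and does not match.
def bare_call_named?(node, name)
  case node[0]
  when :method_add_arg then node[1].is_a?(Array) && node[1][0] == :fcall && node[1][1][1] == name
  when :command        then node[1].is_a?(Array) && node[1][1] == name
  else false
  end
end

# First positional argument of such a call, or nil when there is none.
def first_arg(node)
  args = node[0] == :command ? node[2] : (node[2].is_a?(Array) ? node[2][1] : nil)
  return nil unless args.is_a?(Array)
  args = args[1] if args[0] == :args_add_block
  args.first
end

# A string literal with no #{} interpolation, so nothing dynamic reaches it.
def plain_string?(node)
  return false unless node.is_a?(Array) && node[0] == :string_literal
  interpolated = false
  each_node(node) { |n| interpolated = true if n[0] == :string_embexpr }
  !interpolated
end

# The checks. Real Brakeman additionally tracks whether a value derives from
# params/cookies/request and assigns a confidence level; this only matches shapes.
def warnings_for(node)
  out = []
  if bare_call_named?(node, "open") && !plain_string?(first_arg(node))
    out << "Kernel#open with non-literal argument (command execution / file access)"
  end
  meth = node.last
  if node[0] == :call && meth.is_a?(Array) && meth[0] == :@ident && meth[1] == "load" &&
     mentions_const?(node[1], "YAML", "Psych")
    out << "YAML.load on untrusted data (arbitrary object deserialization)"
  end
  out << "OpenSSL::SSL::VERIFY_NONE disables certificate verification" if node[0] == :@const && node[1] == "VERIFY_NONE"
  out << "weak hash algorithm #{node[1]}" if node[0] == :@const && %w[MD5 SHA1].include?(node[1])
  out
end

# Parse and scan; returns [[line, message], ...] sorted by line.
def scan(source)
  tree = Ripper.sexp(source)
  raise ArgumentError, "source does not parse" if tree.nil?
  findings = []
  each_node(tree) { |n| warnings_for(n).each { |msg| findings << [line_of(n), msg] } }
  findings.sort
end

# Constructed sample (hypothetical controller, not from any real application).
SAMPLE = <<~'RUBY'
  class ReportsController < ApplicationController
    def show
      @data   = open(params[:url]).read             # Kernel#open on user input: flagged
      @config = YAML.load(params[:config])          # unsafe deserialization: flagged
      @local  = open("reports/#{params[:id]}.csv")  # interpolated path: flagged
      @static = open("reports/index.txt")           # fixed literal: not flagged
      @ok     = YAML.safe_load(params[:config])     # safe_load: not flagged
      @digest = Digest::MD5.hexdigest(@data)        # weak hash: flagged
      http.verify_mode = OpenSSL::SSL::VERIFY_NONE  # TLS verification off: flagged
    end
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  scan(SAMPLE).each { |line, msg| puts "line #{line}: #{msg}" }
end
```

Running the file prints five findings for lines 3, 4, 5, 8 and 9 of the sample. The gap between this and a production check is the "user input" tracking the changelog keeps refining (entries such as "More accurate user input marking for SQL injection warnings" and "Treat `current_user` like a model"): a shape match alone cannot tell `open(params[:url])` from `open(trusted_path)`, so it over-reports, which is exactly the false-positive pressure many of the entries above respond to.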