Two new Rails vulnerabilities were reported today:
* Manual options are not escaped in select():
  http://groups.google.com/group/rubyonrails-security/browse_thread/thread/9da0c515a6c4664
* Some operations on SafeBuffer mistakenly return strings marked as html_safe:
  http://groups.google.com/group/rubyonrails-security/browse_thread/thread/edd28f1e3d04e913
This release checks for these issues, amongst other changes.
Changes since 1.4.0:
* Add version check for SafeBuffer vulnerability
* Add check for select vulnerability in Rails 3
* select() is no longer considered safe in Rails 2
* Add check for skipping CSRF protection with a blacklist
* Add JSON report format
* Model#id should not be considered XSS
* Standardize methods to check for SQL injection
* Fix Rails 2 route parsing issue with nested routes
It is VERY likely some of these changes will introduce new warnings or
disregard previous warnings (hopefully only false positives).
For more information:
http://brakemanscanner.org/blog/2012/03/01/brakeman-1-dot-5-0-released/