Roadmap
presidentbeef edited this page Oct 7, 2014 · 63 revisions
This is a tentative roadmap/TODO list for Brakeman. Note that these are deadline versions, not necessarily the version the feature/fix will appear in. Items in italics have been merged into master.
- Update to RubyParser 3.0
- Handle Rails 4 strong parameters
- Optional intra-procedural data flow for simple helper methods
- Switch to `multi_json` gem
- Output Brakeman version
- Output scan duration
- Reduce Sexp creation
- Fix "Unhandled resource option"
- Session check is looking for `Rails3::...` which is silly
- Fix YAML.load false positive
- Fix false positive on redirect to association
- Handle `append_before_filter` and `prepend_before_filter`
- Add "render path" to JSON output
- Warning identifiers
- Expand `skip_before_filter` check
- Support for Slim

Bug fixes/CVEs only!

Bug fixes/CVEs only!

- Standardize default config file location
- Relative paths by default for JSON
- Remove `timestamp` from JSON output
- Combine YAML/Marshal/CSV `load` checks into single check
- Change "Cross-Site Request Forgery" to "Cross Site Request Forgery"
- Normalize SQL CVE warning messages to be less verbose
- Normalize warning messages in general
- Move `test/tests/test_*` to `test/tests/*`
- Bump confidence on mass assignment with `attr_protected` to medium
- Fix false positive reports of `Model#id` and `to_json`
- Allow `--compare` and `-o`/`-f` together for nicer diff reports
- Split into two packages, brakeman + brakeman-min
- Add `Tracker#warnings` instead of `Tracker#checks.all_warnings`
- Fix how mixin methods are handled - need to be duped
- Scan all versions in Gemfile.lock instead of special cases
- CVEs only
- Bugfixes/Internal improvements only
- Reorganize CVE checks
- Support `before_action` for Rails 4
- Support latest RailsLTS
- Warn on XSS in `render :inline`
- False positive configuration
- Get rid of `Tracker#check_initializers` and `FindCall`
- Scan helpers and make them available in views for inter-procedural analysis
- Warn on `render :update` with user input
- Add libs to call index
- _Add ability to have optional checks not enabled by default_
- Move Checks information into Tracker#report where it makes sense
- Make `--separate-models` the default
- In `BaseCheck`, only set `@has_user_input` once (i.e. `||=`) to match first not last
- Make `CheckSymbolDoS` an optional check
- Add remediation steps to warnings when created
- Add `number_with_delimiter`, etc, to known bad, but have to check for `:raise => true`
- Better highlighting of user input in HTML output
- Add `rel="noreferrer"` to HTML report links
- Prettier HTML output
- Rescue divide by zero errors (and turn into warnings...?)