v0.14.1

What's Changed

• fix: include shared java rules dir by @elsapet in #101

Full Changelog: v0.14.0...v0.14.1

v0.14.0

What's Changed

• chore: update jwt_weak_encryption.yml by @cfabianski in #98
• feat(java): add file permission (other) rule by @elsapet in #99
• fix: ruby open telemetry snapshot by @elsapet in #96
• feat(java): add missing integrity check rule by @elsapet in #97
• feat: add Java RSA no padding rule by @elsapet in #95
• feat: add Java Padding Oracle encryption vulnerability rule by @elsapet in #93

Full Changelog: v0.13.0...v0.14.0

v0.13.0

What's Changed

• ci: split out canary test and make it manual by @gotbadger in #92
• test: update snapshots for cli changes by @didroe in #91
• feat: improve library detection in js hardcoded secret and helmet rules by @didroe in #84
• feat: add Java DES encryption rules by @elsapet in #90
• feat: split JavaScript hash and encryption rules by @elsapet in #86
• feat: split ruby password encryption and hashing rules by @elsapet in #88
• feat: split and re-name Java hashing rule(s) by @elsapet in #89
• feat(java): insecure cookie rule by @didroe in #94
• feat(java): add desde and xss response writer by @vjerci in #47

Full Changelog: v0.12.0...v0.13.0

v0.12.0

What's Changed

• feat: split ruby hash and encryption rules by @elsapet in #83
• feat: use result scope for data sources by @didroe in #75
• feat(java): Add log injection rule by @tgkarthik in #85
• feat: add sanitized patterns by @cfabianski in #87

New Contributors

• @tgkarthik made their first contribution in #85

Full Changelog: v0.11.0...v0.12.0

v0.11.0

What's Changed

• feat: add rails mass assignment rule by @elsapet in #67
• fix: set severity to warning by @elsapet in #70
• fix: extend rails open redirect rule by @elsapet in #72
• feat: add session with HttpOnly disabled rule by @elsapet in #74
• fix: fix Rails SQL injection pattern by @elsapet in #76
• chore: update snapshots by @cfabianski in #56
• fix: helmet issues by @cfabianski in #77

Full Changelog: v0.10.0...v0.11.0

v0.10.0

What's Changed

• fix: case sensitivity in JWT JS rules by @elsapet in #50
• feat: add template libaries to javascript raw html rule by @didroe in #51
• fix: remove unless from rails callback rule by @elsapet in #53
• feat: rule improvement for juice-shop by @cfabianski in #45
• fix(ruby): exclude routes file from ruby hard-coded password rule by @elsapet in #59
• fix: add render method to JS react dangerously set inner html rule by @elsapet in #58
• feat: add ruby/rails cookie serialization strategy rule by @elsapet in #63
• refactor: use shared rules to extract common patterns by @didroe in #57
• feat: add try method to ruby reflection rule by @elsapet in #64
• feat: support destructuring express request object by @didroe in #52
• fix: add no config case to DOMpurify JS rule by @elsapet in #65
• ci: add canary release workflow by @didroe in #66
• ci: package shared rules by @didroe in #68
• ci: don't package shared java rules by @didroe in #69

Full Changelog: v0.9.0...v0.10.0

v0.9.0

What's Changed

• fix: detected typo by @gotbadger in #42
• fix: typo in ruby command injection rule by @elsapet in #48
• feat: add weak encryption key Rails rule by @elsapet in #34
• feat: gitlab improvements part 2 by @didroe in #46

Rule highlights

New rules

• Ruby: Detect model-specific weak encryption keys
• Ruby & JS/TS: Detect user input concatenated/interpolated into raw HTML strings
• JS/TS: Detect when user input is used to form a regular expression
• Ruby & JS/TS: Detect insecure websocket connections

Rule improvements

• Improved AWS lamda event object matching to reduce false positives
• Added stricter matching of Rails request objects
• Excludes password masks from the hardcoded secrets rule, as well as brings the JS secrets rule more in line with the Ruby version
• Updated how we interpret connections in Ruby
• Improved render_to pattern to match multiple arguments
• Limited which File methods are used in Ruby rules for matching paths
• Added matching for arbitrary receivers in Ruby weak encryption rule
• Ruby regex literals now handle flags better
• Changes to unsafe .permit to allow params.slice(:one, :two:).permit! syntax
• Treat Rails path helpers as sanitizers for open redirect rules.

Full Changelog: v0.8.0...v0.9.0

v0.8.0

What's Changed

• feat: java rules docs by @vjerci in #43

Full Changelog: v0.7.0...v0.8.0

v0.7.0

What's Changed

• feat: 2 simple java rules by @vjerci in #33

New Contributors

• @vjerci made their first contribution in #33

Full Changelog: v0.6.0...v0.7.0

v0.6.0

What's Changed

• docs: update description in javascript/aws_lambda/sql_injection.yml by @dankimio in #31
• fix: snapshot fingerprints from 1.4 by @gotbadger in #35
• ci: allow version usage in test by @gotbadger in #36
• feat: juice shop improvements part 2 by @didroe in #32
• ci: cancel previous tests on the same branch by @didroe in #39
• feat: gitlab improvements part 1 by @didroe in #38

New Contributors

• @dankimio made their first contribution in #31

Full Changelog: v0.5.0...v0.6.0