# Changelog

All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [0.0.1] - 2024-01-31

### Added

#### Core Features

- Recursive taint analysis for tracking user input through function calls
- Multi-language support (Japanese/English)
- Syntax highlighting in terminal output
- Multiple output formats: text, JSON, HTML, SARIF, Markdown
- Docker support for easy deployment
- Configuration file support (`.security-lint.json`)

#### Vulnerability Detection

**XSS (Cross-Site Scripting)**

- Blade `{!! !!}` raw output detection
- JavaScript context XSS
- Event handler attribute XSS
- URL context XSS (`javascript:` URLs)
- Style injection
- Template injection
- Escape bypass function detection
- Dangerous hardcoded HTML detection

**SQL Injection**

- Laravel Query Builder raw methods
- PDO/MySQLi direct queries
- String concatenation in queries
- Sanitizer bypass detection

**Command Injection**

- Shell execution functions (`exec`, `shell_exec`, `system`, etc.)
- Code execution functions (`eval`, `create_function`, etc.)
- Dynamic file includes
- Symfony Process usage

**Path Traversal**

- File operation functions
- Laravel Storage operations
- File download/upload

**Authentication Security**

- Weak hash algorithms (MD5, SHA1)
- Hardcoded credentials detection
- Timing-vulnerable comparisons

**CSRF/Session Security**

- Missing CSRF tokens
- Insecure session configuration
- Session fixation

**Configuration Security**

- Debug output (`phpinfo`, `var_dump`, `dd`)
- Insecure `unserialize`
- Sensitive information logging

**Laravel-Specific Security**

- Mass Assignment (missing `$fillable`/`$guarded`)
- Raw SQL injection (`DB::raw`, `whereRaw` without bindings)
- CSRF protection (forms without `@csrf`)
- File upload validation (extensions-only without `mimes`)
- Route authentication middleware
- Rate limiting for auth routes

### Security

- Safe pattern recognition for Laravel helpers (`route()`, `url()`, `action()`)
- Value-based credential detection to reduce false positives
- Escape function recognition (`htmlspecialchars`, `e()`, etc.)

[0.0.1]: https://github.com/security-linter/php-laravel/releases/tag/v0.0.1