Bump brakeman from 4.7.2 to 4.9.0
Bumps brakeman from 4.7.2 to 4.9.0.
Release notes
Sourced from brakeman's releases.
4.9.0
- Add `--ensure-ignore-notes` (Eli Block)
- Add check for user input in `ERB.new` (Matt Hickman)
- Add check for CVE-2020-8166 (Jamie Finnigan)
- Always scan `environment.rb`
- Avoid warning when `safe_yaml` is used via `YAML.load(..., safe: true)`
- Do not warn about mass assignment with `params.permit!.slice`
- Ignore `params.permit!` in path helpers
- Treat `Dir.glob` as safe source of values in guards
- Remove whitelist/blacklist language, add clarifications
- Add "full call" information to call index results
- Updated Slim dependency (Jeremiah Church)
4.8.2
- Add `--text-fields` option
- Add check for CVE-2020-8159
- Add check for escaping HTML entities in JSON configuration option
- Fix `authenticate_or_request_with_http_basic` check for passed blocks (Hugo Corbucci)
4.8.1
- Warn about global(!) mass assignment
- Check SQL query strings using `String#strip` or `String.squish` (#1459)
- Handle non-symbol keys in `locals` hash for `render` (#1465)
- Index calls in render arguments (#1459)
4.8.0
- Add JUnit XML report format (Naoki Kimurai)
- Sort ignore files by fingerprint and line (Ngan Pham)
- Catch dangerous concatenation in `CheckExecute` (Jacob Evelyn)
- User-friendly message when ignore config file has invalid JSON (D. Hicks)
- Freeze call index results, fix thread-safety issue
- Properly render confidence in Markdown report (#1446)
- Report old warnings as fixed if zero warnings reported
- Initialize Rails version with `nil` (Carsten Wirth)
- Fix output test when using newer Minitest
Changelog
Sourced from brakeman's changelog.
4.9.0 - 2020-08-04
- Add check for CVE-2020-8166 (Jamie Finnigan)
- Avoid warning when `safe_yaml` is used via `YAML.load(..., safe: true)`
- Add check for user input in `ERB.new` (Matt Hickman)
- Add `--ensure-ignore-notes` (Eli Block)
- Remove whitelist/blacklist language, add clarifications
- Do not warn about mass assignment with `params.permit!.slice`
- Add "full call" information to call index results
- Ignore `params.permit!` in path helpers
- Treat `Dir.glob` as safe source of values in guards
- Always scan `environment.rb`
4.8.2 - 2020-05-12
- Add check for CVE-2020-8159
- Fix `authenticate_or_request_with_http_basic` check for passed blocks (Hugo Corbucci)
- Add `--text-fields` option
- Add check for escaping HTML entities in JSON configuration
4.8.1 - 2020-04-06
- Check SQL query strings using `String#strip` or `String.squish`
- Handle non-symbol keys in locals hash for render()
- Warn about global(!) mass assignment
- Index calls in render arguments
4.8.0 - 2020-02-18
- Add JUnit-XML report format (Naoki Kimura)
- Sort ignore files by fingerprint and line (Ngan Pham)
- Freeze call index results
- Fix output test when using newer Minitest
- Properly render confidence in Markdown report
- Report old warnings as fixed if zero warnings reported
- Catch dangerous concatenation in `CheckExecute` (Jacob Evelyn)
- Show user-friendly message when ignore config file has invalid JSON (D. Hicks)
- Initialize Rails version with `nil` (Carsten Wirth)
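Both the release notes and the changelog above list a new check for user input reaching `ERB.new`. The following is an added illustration of the pattern that check targets; it is not code from Brakeman or from this pull request, and the `render_user_template`, `render_fixed` and `USER_SUPPLIED` names are constructed for the example. It shows why a string built from request data must not become the template source: anything inside `<%= %>` is evaluated as Ruby. The hardened form keeps the template fixed and passes the input only as escaped data.

```ruby
require "erb"

# Constructed sample standing in for attacker-controlled text. The embedded
# expression is deliberately harmless; it only demonstrates that it is evaluated.
USER_SUPPLIED = "Hello <%= 6 * 7 %>"

# Vulnerable shape that Brakeman 4.9.0 reports: the ERB source itself comes
# from user input, so any <%= ... %> in that input runs as Ruby.
def render_user_template(text)
  ERB.new(text).result(binding)
end

# Hardened shape: the template is a constant written by the developer; user
# input is interpolated only as a value and is HTML-escaped on output.
FIXED_TEMPLATE = "Greeting: <%= ERB::Util.html_escape(name) %>"

def render_fixed(name)
  ERB.new(FIXED_TEMPLATE).result_with_hash(name: name)
end

if __FILE__ == $PROGRAM_NAME
  puts render_user_template(USER_SUPPLIED) # the expression is executed
  puts render_fixed(USER_SUPPLIED)         # the input is shown as literal text
end
```

Running the first function shows the embedded expression being evaluated, which is exactly the signal the new `ERB.new` check looks for when the argument is traced back to `params` or similar sources; the second function produces the input verbatim (escaped), because the template is no longer under the caller's control.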
Commits
- aaa1bf3 Bump to 4.9.0
- a7aef1b Merge branch 'chair6-add_cve_2020_8166' into main
- babf033 Fix Rails 5 test
- b9f64b2 Add CVE-2020-8166 test for Rails 6
- b91eeda Merge branch 'add_cve_2020_8166' of https://github.com/chair6/brakeman into c...
- e147561 Update CHANGES
- fb59f12 Merge pull request #1496 from presidentbeef/safe_yaml_load_false_positive
- 5e75c98 Oops check the YAML.load if safe_yaml not used
- cf4d77e Avoid warning about YAML.load if safe_yaml used
- da03f2b Merge pull request #1495 from presidentbeef/update_erb_check_pr
- Additional commits viewable in compare view