Skip to content

Bump brakeman from 4.7.2 to 4.10.1

NipaNipa requested to merge dependabot/bundler/brakeman-4.10.1 into master

Bumps brakeman from 4.7.2 to 4.10.1.

Release notes

Sourced from brakeman's releases.

4.10.1

  • Declare REXML as a dependency (Ruby 3.0 compatibility)
  • Use Sexp#sexp_body instead of Sexp#[..] (Ruby 3.0 compatibility)
  • Prevent render loops when template names are absolute paths (#1536)
  • Ensure RubyParser is passed file path as a String (#1534)
  • Support new Haml 5.2.0 escaping method (#1517)

4.10.0

4.9.1

  • Use version from active_record for non-Rails apps (Ulysse Buonomo)
  • Check chomped strings for SQL injection (#1509)
  • Always set line number for joined arrays (#1499)
  • Avoid warning about missing attr_accessible if protected_attributes gem is used (#1512)
  • Bundle latest ruby_parser (4.15.0)

4.9.0

  • Add --ensure-ignore-notes (Eli Block)
  • Add check for user input in ERB.new (Matt Hickman)
  • Add check for CVE-2020-8166 (Jamie Finnigan)
  • Always scan environment.rb
  • Avoid warning when safe_yaml is used via YAML.load(..., safe: true)
  • Do not warn about mass assignment with params.permit!.slice
  • Ignore params.permit! in path helpers
  • Treat Dir.glob as safe source of values in guards
  • Remove whitelist/blacklist language, add clarifications
  • Add "full call" information to call index results
  • Updated Slim dependency (Jeremiah Church)

4.8.2

  • Add --text-fields option
  • Add check for CVE-2020-8159
  • Add check for escaping HTML entities in JSON configuration option
  • Fix authenticate_or_request_with_http_basic check for passed blocks (Hugo Corbucci)

4.8.1

  • Warn about global(!) mass assignment
  • Check SQL query strings using String#strip or String.squish (#1459)
  • Handle non-symbol keys in locals hash for render (#1465)
  • Index calls in render arguments (#1459)

4.8.0

  • Add JUnit XML report format (Naoki Kimurai)
  • Sort ignore files by fingerprint and line (Ngan Pham)
  • Catch dangerous concatenation in CheckExecute (Jacob Evelyn)
  • User-friendly message when ignore config file has invalid JSON (D. Hicks)
  • Freeze call index results, fix thread-safety issue
  • Properly render confidence in Markdown report (#1446)
  • Report old warnings as fixed if zero warnings reported
... (truncated)
Changelog

Sourced from brakeman's changelog.

4.10.1 - 2020-12-24

  • Declare REXML as a dependency (Ruby 3.0 compatibility)
  • Use Sexp#sexp_body instead of Sexp#[..] (Ruby 3.0 compatibility)
  • Prevent render loops when template names are absolute paths
  • Ensure RubyParser is passed file path as a String
  • Support new Haml 5.2.0 escaping method

4.10.0 - 2020-09-28

  • Add SARIF report format (Steve Winton)

4.9.1 - 2020-09-04

  • Check chomped strings for SQL injection
  • Use version from active_record for non-Rails apps (Ulysse Buonomo)
  • Always set line number for joined arrays
  • Avoid warning about missing attr_accessible if protected_attributes gem is used

4.9.0 - 2020-08-04

  • Add check for CVE-2020-8166 (Jamie Finnigan)
  • Avoid warning when safe_yaml is used via YAML.load(..., safe: true)
  • Add check for user input in ERB.new (Matt Hickman)
  • Add --ensure-ignore-notes (Eli Block)
  • Remove whitelist/blacklist language, add clarifications
  • Do not warn about mass assignment with params.permit!.slice
  • Add "full call" information to call index results
  • Ignore params.permit! in path helpers
  • Treat Dir.glob as safe source of values in guards
  • Always scan environment.rb

4.8.2 - 2020-05-12

  • Add check for CVE-2020-8159
  • Fix authenticate_or_request_with_http_basic check for passed blocks (Hugo Corbucci)
  • Add --text-fields option
  • Add check for escaping HTML entities in JSON configuration

4.8.1 - 2020-04-06

  • Check SQL query strings using String#strip or String.squish
  • Handle non-symbol keys in locals hash for render()
  • Warn about global(!) mass assignment
  • Index calls in render arguments

4.8.0 - 2020-02-18

  • Add JUnit-XML report format (Naoki Kimura)
  • Sort ignore files by fingerprint and line (Ngan Pham)
... (truncated)
Commits
  • 95d0238 Bump to 4.10.1
  • 09b80df Add new Haml 5.2.0 escaping method
  • c73f314 Ensure RubyParser is passed path as a string
  • f09d161 Prevent render loops with absolute paths
  • 407bef0 Add rexml as a dependency
  • ec0d41e Attempt to test against Ruby 3.0
  • 89c51e9 Use Sexp#sexp_body instead of Sexp#[1..-1]
  • 8f696e3 Bump to 4.10.0
  • 2beaac0 Update CHANGES
  • 5daa392 Add SARIF output format
  • Additional commits viewable in compare view

Merge request reports