Bump brakeman from 4.7.2 to 4.10.1
Bumps brakeman from 4.7.2 to 4.10.1.
Release notes
Sourced from brakeman's releases.
4.10.1
- Declare REXML as a dependency (Ruby 3.0 compatibility)
- Use `Sexp#sexp_body` instead of `Sexp#[..]` (Ruby 3.0 compatibility)
- Prevent render loops when template names are absolute paths (#1536)
- Ensure RubyParser is passed file path as a String (#1534)
- Support new Haml 5.2.0 escaping method (#1517)
4.10.0
- Add SARIF report format (Steve Winton)
4.9.1
- Use version from `active_record` for non-Rails apps (Ulysse Buonomo)
- Check `chomp`ed strings for SQL injection (#1509)
- Always set line number for joined arrays (#1499)
- Avoid warning about missing `attr_accessible` if `protected_attributes` gem is used (#1512)
- Bundle latest ruby_parser (4.15.0)
4.9.0
- Add `--ensure-ignore-notes` (Eli Block)
- Add check for user input in `ERB.new` (Matt Hickman)
- Add check for CVE-2020-8166 (Jamie Finnigan)
- Always scan `environment.rb`
- Avoid warning when `safe_yaml` is used via `YAML.load(..., safe: true)`
- Do not warn about mass assignment with `params.permit!.slice`
- Ignore `params.permit!` in path helpers
- Treat `Dir.glob` as safe source of values in guards
- Remove whitelist/blacklist language, add clarifications
- Add "full call" information to call index results
- Updated Slim dependency (Jeremiah Church)
4.8.2
- Add `--text-fields` option
- Add check for CVE-2020-8159
- Add check for escaping HTML entities in JSON configuration option
- Fix `authenticate_or_request_with_http_basic` check for passed blocks (Hugo Corbucci)
4.8.1
- Warn about global(!) mass assignment
- Check SQL query strings using `String#strip` or `String.squish` (#1459)
- Handle non-symbol keys in `locals` hash for `render` (#1465)
- Index calls in render arguments (#1459)
4.8.0
... (truncated)
- Add JUnit XML report format (Naoki Kimurai)
- Sort ignore files by fingerprint and line (Ngan Pham)
- Catch dangerous concatenation in `CheckExecute` (Jacob Evelyn)
- User-friendly message when ignore config file has invalid JSON (D. Hicks)
- Freeze call index results, fix thread-safety issue
- Properly render confidence in Markdown report (#1446)
- Report old warnings as fixed if zero warnings reported
Changelog
Sourced from brakeman's changelog.
4.10.1 - 2020-12-24
- Declare REXML as a dependency (Ruby 3.0 compatibility)
- Use `Sexp#sexp_body` instead of `Sexp#[..]` (Ruby 3.0 compatibility)
- Prevent render loops when template names are absolute paths
- Ensure RubyParser is passed file path as a String
- Support new Haml 5.2.0 escaping method
4.10.0 - 2020-09-28
- Add SARIF report format (Steve Winton)
4.9.1 - 2020-09-04
- Check `chomp`ed strings for SQL injection
- Use version from `active_record` for non-Rails apps (Ulysse Buonomo)
- Always set line number for joined arrays
- Avoid warning about missing `attr_accessible` if `protected_attributes` gem is used
4.9.0 - 2020-08-04
- Add check for CVE-2020-8166 (Jamie Finnigan)
- Avoid warning when `safe_yaml` is used via `YAML.load(..., safe: true)`
- Add check for user input in `ERB.new` (Matt Hickman)
- Add `--ensure-ignore-notes` (Eli Block)
- Remove whitelist/blacklist language, add clarifications
- Do not warn about mass assignment with `params.permit!.slice`
- Add "full call" information to call index results
- Ignore `params.permit!` in path helpers
- Treat `Dir.glob` as safe source of values in guards
- Always scan `environment.rb`
4.8.2 - 2020-05-12
- Add check for CVE-2020-8159
- Fix `authenticate_or_request_with_http_basic` check for passed blocks (Hugo Corbucci)
- Add `--text-fields` option
- Add check for escaping HTML entities in JSON configuration
4.8.1 - 2020-04-06
- Check SQL query strings using `String#strip` or `String.squish`
- Handle non-symbol keys in `locals` hash for `render()`
- Warn about global(!) mass assignment
- Index calls in render arguments
4.8.0 - 2020-02-18
... (truncated)
- Add JUnit-XML report format (Naoki Kimura)
- Sort ignore files by fingerprint and line (Ngan Pham)
Commits
- 95d0238 Bump to 4.10.1
- 09b80df Add new Haml 5.2.0 escaping method
- c73f314 Ensure RubyParser is passed path as a string
- f09d161 Prevent render loops with absolute paths
- 407bef0 Add rexml as a dependency
- ec0d41e Attempt to test against Ruby 3.0
- 89c51e9 Use Sexp#sexp_body instead of Sexp#[1..-1]
- 8f696e3 Bump to 4.10.0
- 2beaac0 Update CHANGES
- 5daa392 Add SARIF output format
- Additional commits viewable in compare view