This repository has been archived by the owner on Mar 3, 2020. It is now read-only.

Update brakeman: 4.3.0 → 4.7.0 (minor) #68

Closed

@depfu depfu bot commented Oct 17, 2019

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ brakeman (4.3.0 → 4.7.0) · Repo · Changelog

Release Notes

4.7.0

4.6.1

4.6.0

  • Add check for cookie serialization with Marshal (#1316)
  • Add reverse tabnabbing check (Linos Giannopoulos)
  • Avoid warning about file access with ActiveStorage::Filename#sanitized (Tejas Bubane)
  • Update loofah version for fixing CVE-2018-8048 (Markus Nölle)
  • Warn people that Haml 5 is not fully supported (Jared Beck)
  • Index calls in initializers
  • Improve template output handling in conditional branches
  • Avoid assigning nil line numbers to Sexps
  • Add special warning code for custom checks
  • Add call matching by regular expression
  • Skip calls to dup (#1374)
  • Restore Warning#relative_path
  • Better handling of gems with no version declared

4.5.1

  • Add initial Rails 6 support
  • Add optional check for config.force_ssl (#1181)
  • Add deserialization warning for Oj.load/object_load
  • Add SQL injection checks for destroy_by/delete_by
  • Add SQL injection checks for find_or_create_by and friends
  • Check link_to with block for href XSS (#1339)
  • Convert !! calls to boolean value (#1343)
  • Use relative paths for __FILE__
  • Represent file paths internally as Brakeman::FilePath
  • Handle empty partial names
  • Handle trailing comma in block args
  • Remove code for Ruby versions prior to 1.9

4.5.0

  • Officially drop support for running with older Ruby versions
  • More thoroughly handle Shellwords escaping (#1323)
  • Handle non-integer version number comparisons (#1305)
  • Better handling of splat/kwsplat arguments (#1204)
  • Handle ** inside Hash literals
  • Add support for CoffeeScript in Slim templates
  • Improve support for embedded template "filters"
  • Remove Sass dependency
  • Avoid joining strings with different encodings
  • Improve "user input" reported for SQL injection
  • Stop swallowing exceptions in AliasProcessor
  • Add original exception to Tracker#errors list
  • Use FileParser in Scanner to parse files
  • Set location information in CheckContentTag
  • Update RubyParser to 3.13.0

4.4.0

  • Add check for CVE-2018-3760
  • Add --enable option to enable optional checks
  • Add Dockerfile to run Brakeman inside Docker (Ryan Kemper)
  • Handle empty secrets.yml files (Naoki Kimura)
  • Ignore Tempfiles in FileAccess warnings (Christina Koller)
  • Avoid warning about command injection when String#shellescape and Shellwords.shelljoin are used (George Ogata)
  • Treat if not like unless (#1225)
  • Fix Rails 4 configuration handling
  • Set default encoding to UTF-8
  • Support reading gem versions from gemspecs
  • Support gem versions which are just major.minor (e.g. 3.0)
  • Correctly set rel="noreferrer" in HTML reports
  • Fix thread-safety issue in CallIndex
  • Fix trim mode for ERb templates in old Rails versions
  • Avoid nil errors when concatenating arrays
  • Add rendered template information to render paths
  • Trim some unnecessary files from bundled gems
  • Deadcode and typo fixes found via Coverity
  • Complete overhaul of warning message construction
  • Update to Slim 4.0.1 (Jake Peterson)
  • Update to RubyParser 3.12.0
  • Updated license

Does any of this look wrong? Please let us know.

Commits

See the full diff on GitHub. The new version differs by more commits than we can show here.


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

  • @depfu rebase: Rebases against your default branch and redoes this update
  • @depfu merge: Merges this PR once your tests are passing and conflicts are resolved
  • @depfu close: Closes this PR and deletes the branch
  • @depfu reopen: Restores the branch and reopens this PR (if it's closed)
  • @depfu pause: Ignores all future updates for this dependency and closes this PR
  • @depfu pause [minor|major]: Ignores all future minor/major updates for this dependency and closes this PR
  • @depfu resume: Future versions of this dependency will create PRs again (leaves this PR as is)

@depfu depfu bot added the depfu label Oct 17, 2019
@coveralls

Coverage Status

Coverage remained the same at 78.99% when pulling 0de2ff7 on depfu/update/brakeman-4.7.0 into 834bf0f on master.

@depfu

depfu bot commented Oct 30, 2019

Closed in favor of #69.

@depfu depfu bot closed this Oct 30, 2019
@depfu depfu bot deleted the depfu/update/brakeman-4.7.0 branch October 30, 2019 22:52