[Security] Bump brakeman from 4.5.0 to 4.7.1

[dependabot-preview]

Bumps brakeman from 4.5.0 to 4.7.1. This update includes a security fix.

Vulnerabilities fixed

Sourced from The Ruby Advisory Database.

brakeman world writable files allow local privilege escalation
The ruby_parser-legacy (aka legacy) gem 1.0.0 for Ruby allows local
privilege escalation because of world-writable files. For example,
if the brakeman gem (which has a legacy dependency) 4.5.0 through 4.7.0 is used,
a local user can insert malicious code into the
ruby_parser-legacy-1.0.0/lib/ruby_parser/legacy/ruby_parser.rb file.

Patched versions: >= 4.7.1
Unaffected versions: <= 4.4.0

Release notes

Sourced from brakeman's releases.

4.7.1

• Sort text report by file and line (Jacob Evelyn)
• Catch reverse tabnabbing with :_blank symbol (Jacob Evelyn)
• Convert s(:lambda) to s(:call) in Sexp#block_call (#1410)
• Check string length against limit before joining
• Fix flaky rails4 test (Adam Kiczula)
• Fix errors from frozen Symbol#to_s in Ruby 2.7
• Add release dates to each version in CHANGES (TheSpartan1980)

4.7.0

• Update Haml support to Haml 5.x (#1044)
• Catch shell injection from -c shell commands (Jacob Evelyn)
• Correctly handle non-symbols in CheckCookieSerialization (Phil Turnbull)
• Refactor Brakeman::Differ#second_pass (Benoit Côté-Jodoin)
• Fix version_between? (Andrey Glushkov)
• Ignore interpolation in %W[] (#1399)
• Ignore form_for for XSS check

4.6.1

• Fix Reverse Tabnabbing warning message (Steffen Schildknecht / Jörg Schiller)

4.6.0

• Add check for cookie serialization with Marshal (#1316)
• Add reverse tabnabbing check (Linos Giannopoulos)
• Avoid warning about file access with ActiveStorage::Filename#sanitized (Tejas Bubane)
• Update loofah version for fixing CVE-2018-8048 (Markus Nölle)
• Warn people that Haml 5 is not fully supported (Jared Beck)
• Index calls in initializers
• Improve template output handling in conditional branches
• Avoid assigning nil line numbers to Sexps
• Add special warning code for custom checks
• Add call matching by regular expression
• Skip calls to dup (#1374)
• Restore Warning#relative_path
• Better handling of gems with no version declared

4.5.1

• Add initial Rails 6 support
• Add optional check for config.force_ssl (#1181)
• Add deserialization warning for Oj.load/object_load
• Add SQL injection checks for destroy_by/delete_by
• Add SQL injection checks for find_or_create_by and friends
• Check link_to with block for href XSS (#1339)
• Convert !! calls to boolean value (#1343)
• Use relative paths for __FILE__
• Represent file paths internally as Brakeman::FilePath
• Handle empty partial names
• Handle trailing comma in block args
• Remove code for Ruby versions prior to 1.9

Changelog

Sourced from brakeman's changelog.

4.7.1 - 2019-10-29

• Check string length against limit before joining
• Fix errors from frozen Symbol#to_s in Ruby 2.7
• Fix flaky rails4 test (Adam Kiczula)
• Added release dates to each version in CHANGES (TheSpartan1980)
• Catch reverse tabnabbing with :_blank symbol (Jacob Evelyn)
• Convert s(:lambda) to s(:call) in Sexp#block_call
• Sort text report by file and line (Jacob Evelyn)

4.7.0 - 2019-10-16

• Refactor Brakeman::Differ#second_pass (Benoit Côté-Jodoin)
• Ignore interpolation in %W[]
• Fix version_between? (Andrey Glushkov)
• Add support for ruby_parser 3.14.0
• Ignore form_for for XSS check
• Update Haml support to Haml 5.x
• Catch shell injection from -c shell commands (Jacob Evelyn)
• Correctly handle non-symbols in CheckCookieSerialization (Phil Turnbull)

4.6.1 - 2019-07-24

• Fix Reverse Tabnabbing warning message (Steffen Schildknecht / Jörg Schiller)

4.6.0 - 2019-07-23

• Skip calls to dup
• Add reverse tabnabbing check (Linos Giannopoulos)
• Better handling of gems with no version declared
• Warn people that Haml 5 is not fully supported (Jared Beck)
• Avoid warning about file access with ActiveStorage::Filename#sanitized (Tejas Bubane)
• Update loofah version for fixing CVE-2018-8048 (Markus Nölle)
• Restore Warning#relative_path
• Add check for cookie serialization with Marshal
• Index calls in initializers
• Improve template output handling in conditional branches
• Avoid assigning nil line numbers to Sexps
• Add special warning code for custom checks
• Add call matching by regular expression

4.5.1 - 2019-05-11

• Add Brakeman::FilePath to represent file paths
• Handle trailing comma in block args
• Properly handle empty partial name
• Use relative paths for __FILE__
• Convert !! calls to boolean value
• Add optional check for config.force_ssl
• Remove code for Ruby versions prior to 1.9

... (truncated)

Commits

• b2efd59 Bump to 4.7.1
• 46fcb34 Update CHANGES
• 23232f6 Merge pull request #1421 from presidentbeef/check_string_length_first
• 3f24340 Merge pull request #1420 from presidentbeef/symbol_to_s_2_7_0
• 23c017a Symbol#to_s returns frozen string in Ruby 2.7.0
• 25fad31 Merge pull request #1419 from adamkiczula/fix_flaky_test
• bfc6471 Fix flaky rails4 test
• 1cf56ca Merge pull request #1418 from TheSpartan1980/release-dates
• e0d1ff7 Update CHANGES.md
• da1cd50 Merge pull request #1411 from JacobEvelyn/master
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

[codecov]

Codecov Report

Merging #105 into master will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master     #105   +/-   ##
=======================================
  Coverage   89.83%   89.83%           
=======================================
  Files          25       25           
  Lines         610      610           
=======================================
  Hits          548      548           
  Misses         62       62

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update abfc2e1...c829aae. Read the comment docs.