Bump brakeman from 4.3.1 to 4.7.2

[dependabot-preview]

Bumps brakeman from 4.3.1 to 4.7.2.

Release notes

Sourced from brakeman's releases.

4.7.2

• Add request.params as query parameters (#1398)
• Handle more permit! cases (#1426)
• Remove version guard for named_scope vs. scope
• Find SQL injection in String#strip_heredoc target (#1433)
• Ensure file name is set when processing models
• Bundle ruby_parser version 3.14.1 (#1429)

4.7.1

• Sort text report by file and line (Jacob Evelyn)
• Catch reverse tabnabbing with :_blank symbol (Jacob Evelyn)
• Convert s(:lambda) to s(:call) in Sexp#block_call (#1410)
• Check string length against limit before joining
• Fix flaky rails4 test (Adam Kiczula)
• Fix errors from frozen Symbol#to_s in Ruby 2.7
• Add release dates to each version in CHANGES (TheSpartan1980)

4.7.0

• Update Haml support to Haml 5.x (#1044)
• Catch shell injection from -c shell commands (Jacob Evelyn)
• Correctly handle non-symbols in CheckCookieSerialization (Phil Turnbull)
• Refactor Brakeman::Differ#second_pass (Benoit Côté-Jodoin)
• Fix version_between? (Andrey Glushkov)
• Ignore interpolation in %W[] (#1399)
• Ignore form_for for XSS check

4.6.1

• Fix Reverse Tabnabbing warning message (Steffen Schildknecht / Jörg Schiller)

4.6.0

• Add check for cookie serialization with Marshal (#1316)
• Add reverse tabnabbing check (Linos Giannopoulos)
• Avoid warning about file access with ActiveStorage::Filename#sanitized (Tejas Bubane)
• Update loofah version for fixing CVE-2018-8048 (Markus Nölle)
• Warn people that Haml 5 is not fully supported (Jared Beck)
• Index calls in initializers
• Improve template output handling in conditional branches
• Avoid assigning nil line numbers to Sexps
• Add special warning code for custom checks
• Add call matching by regular expression
• Skip calls to dup (#1374)
• Restore Warning#relative_path
• Better handling of gems with no version declared

4.5.1

• Add initial Rails 6 support
• Add optional check for config.force_ssl (#1181)
• Add deserialization warning for Oj.load/object_load
• Add SQL injection checks for destroy_by/delete_by
• Add SQL injection checks for find_or_create_by and friends

... (truncated)

Changelog

Sourced from brakeman's changelog.

4.7.2 - 2019-11-25

• Remove version guard for named_scope vs. scope
• Find SQL injection in String#strip_heredoc target
• Handle more permit! cases
• Ensure file name is set when processing model
• Add request.params as query parameters

4.7.1 - 2019-10-29

• Check string length against limit before joining
• Fix errors from frozen Symbol#to_s in Ruby 2.7
• Fix flaky rails4 test (Adam Kiczula)
• Added release dates to each version in CHANGES (TheSpartan1980)
• Catch reverse tabnabbing with :_blank symbol (Jacob Evelyn)
• Convert s(:lambda) to s(:call) in Sexp#block_call
• Sort text report by file and line (Jacob Evelyn)

4.7.0 - 2019-10-16

• Refactor Brakeman::Differ#second_pass (Benoit Côté-Jodoin)
• Ignore interpolation in %W[]
• Fix version_between? (Andrey Glushkov)
• Add support for ruby_parser 3.14.0
• Ignore form_for for XSS check
• Update Haml support to Haml 5.x
• Catch shell injection from -c shell commands (Jacob Evelyn)
• Correctly handle non-symbols in CheckCookieSerialization (Phil Turnbull)

4.6.1 - 2019-07-24

• Fix Reverse Tabnabbing warning message (Steffen Schildknecht / Jörg Schiller)

4.6.0 - 2019-07-23

• Skip calls to dup
• Add reverse tabnabbing check (Linos Giannopoulos)
• Better handling of gems with no version declared
• Warn people that Haml 5 is not fully supported (Jared Beck)
• Avoid warning about file access with ActiveStorage::Filename#sanitized (Tejas Bubane)
• Update loofah version for fixing CVE-2018-8048 (Markus Nölle)
• Restore Warning#relative_path
• Add check for cookie serialization with Marshal
• Index calls in initializers
• Improve template output handling in conditional branches
• Avoid assigning nil line numbers to Sexps
• Add special warning code for custom checks
• Add call matching by regular expression

4.5.1 - 2019-05-11

... (truncated)

Commits

• 0d9d3d0 Update gemspec metadata
• 221bb9e Bump to 4.7.2
• 196fad6 Merge pull request #1435 from presidentbeef/scopes_for_all
• 502b07c Remove version check for named_scope vs. scope
• ec8339d Merge pull request #1434 from presidentbeef/sqli_strip_heredoc
• 26da3e7 Find SQL injection in String#strip_heredoc
• bac27a1 Merge pull request #1431 from presidentbeef/model_file_names
• 23c8d11 Add test to check that every warning has a file
• 7b87045 Ensure file name is set during model processing
• 72b85bd Merge pull request #1427 from presidentbeef/more_or_less_permit_bang
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)