Changes since 4.2.0:
- Add warning for CVE-2018-3741
- Add warning for CVE-2018-8048
- Scan app/jobs/ directory
- Handle template_exists? in controllers (#1124)
This is a small release to add warnings for CVE-2018-3741 and CVE-2018-8048.
Please note there have been a number of vulnerabilities in the Rails HTML sanitization methods over the years. Only use sanitization when an application must accept and render HTML from an untrusted source. Otherwise, escape outputs instead.
CVE-2018-3741
CVE-2018-3741 is a vulnerability in the rails-html-sanitizer gem which may allow bypassing attribute whitelists and therefore lead to cross-site scripting.
CVE-2018-8048
CVE-2018-8048 is a similar vulnerability in the loofah gem.
Scan Jobs
Brakeman will now scan files in the app/jobs/ directory and treat them as additional libraries.
Template Guard Condition
Brakeman will no longer warn about dynamic render paths if template_exists? is used as a guard condition.
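The guard pattern described above, as an added example that is neither Brakeman's nor Rails' code: a stand-alone Ruby class imitating a controller, with template lookup and rendering simulated against a constructed template list so it runs offline. Method names other than template_exists? and render are assumptions.

```ruby
# Added example (not Brakeman's or Rails' code): a minimal stand-in for a
# Rails controller showing the template_exists? guard that Brakeman now
# recognises. Template lookup and rendering are simulated so this runs offline.
require 'set'

# Constructed sample view list: the only templates this app ships.
KNOWN_TEMPLATES = Set.new(%w[pages/home pages/about pages/pricing]).freeze

class FakeController
  # Mimics ActionView's template_exists?(path) against the constructed set.
  def template_exists?(path)
    KNOWN_TEMPLATES.include?(path)
  end

  # Unguarded: the render target comes straight from user input.
  # Brakeman reports this as a dynamic render path.
  def show_unguarded(params)
    render(params[:page])
  end

  # Guarded: render only runs once template_exists? confirms the template.
  # With this release Brakeman no longer warns about this form.
  def show_guarded(params)
    if template_exists?(params[:page])
      render(params[:page])
    else
      not_found
    end
  end

  private

  # Stand-in for ActionController#render; returns the path it would render.
  def render(path)
    "rendered #{path}"
  end

  # Stand-in for a 404 response.
  def not_found
    '404'
  end
end
```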
A Note on Vulnerabilities in Dependencies
Brakeman does not warn about all CVEs in application dependencies. There are many better tools that track and detect vulnerable dependencies.
Brakeman only includes warnings about vulnerabilities announced on the Rails Security Mailing List.
Checksums
The SHA256 sums for this release are:
Reporting Issues
Thank you to everyone who reported bugs and contributed to this release!
Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.
Hang out on GitHub for questions and discussion.