Please note there have been a number of vulnerabilities in the Rails HTML sanitization methods over the years. Only use sanitization when an application must accept and render HTML from an untrusted source. Otherwise, escape outputs instead.
Changes since 4.2.0:
- Add warning for CVE-2018-3741
- Add warning for CVE-2018-8048
- template_exists? in controllers (#1124)
CVE-2018-3741 is a vulnerability in the rails-html-sanitizer gem which may allow bypassing attribute whitelists and therefore cross-site scripting.
CVE-2018-8048 is a similar vulnerability in the
Brakeman will now scan files in the app/jobs/ directory and treat them as additional libraries.
Template Guard Condition
Brakeman will no longer warn about dynamic render paths if template_exists? is used as a guard condition.
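An added illustration of the guard pattern described above. This is not Brakeman or Rails code: the resolver below is a plain-Ruby stand-in for ActionView's template_exists?(name, prefix) lookup, with view_root standing in for app/views, and the fixture directory and file names are constructed for the example. The unguarded function passes the client-supplied name straight into the render target (the pattern Brakeman flags), while the guarded function only renders when the template resolves to an existing file. The model deliberately also pins the resolved path beneath the prefix directory, because an existence check on its own proves only that some template exists, not that the caller is meant to reach it.

```ruby
# Stand-alone model of the template_exists? guard pattern.
# Not Rails or Brakeman code: TemplateResolver imitates the shape of
# ActionView's template_exists?(name, prefix); the check is an assumption.
require "tmpdir"
require "fileutils"
require "pathname"

class TemplateResolver
  # view_root plays the role of app/views (assumed layout).
  def initialize(view_root)
    @view_root = Pathname.new(view_root).realpath
  end

  # True only if <view_root>/<prefix>/<name>.html.erb exists AND, after
  # resolving ".." and symlinks, still lives inside <view_root>/<prefix>/.
  # The second condition is stricter than a bare existence check and is
  # what stops "../admin/secret" from being treated as a pages/ template.
  def template_exists?(name, prefix)
    prefix_dir = @view_root.join(prefix)
    candidate  = prefix_dir.join("#{name}.html.erb")
    return false unless candidate.file?
    candidate.realpath.to_s.start_with?(prefix_dir.to_s + File::SEPARATOR)
  end
end

# Unguarded: whatever the client sends becomes the render target.
# This is the shape Brakeman reports as a dynamic render path.
def unguarded_render_target(params)
  "pages/#{params[:page]}"
end

# Guarded: render the requested page only when it resolves to a known
# template under pages/; otherwise fall back to a fixed error template.
def guarded_render_target(resolver, params)
  page = params[:page].to_s
  if resolver.template_exists?(page, "pages")
    "pages/#{page}"
  else
    "errors/not_found"
  end
end

# Constructed fixture: one legitimate page template plus a template in a
# different prefix that a traversal payload would try to reach.
def build_fixture
  root = Dir.mktmpdir("views")
  FileUtils.mkdir_p(File.join(root, "pages"))
  FileUtils.mkdir_p(File.join(root, "admin"))
  File.write(File.join(root, "pages", "about.html.erb"), "<h1>About</h1>")
  File.write(File.join(root, "admin", "secret.html.erb"), "<h1>Admin</h1>")
  root
end

# Runs the guarded and unguarded targets against three inputs and returns
# the chosen render targets so they can be inspected or asserted on.
def demo
  root = build_fixture
  resolver = TemplateResolver.new(root)
  {
    legit:     guarded_render_target(resolver, page: "about"),
    missing:   guarded_render_target(resolver, page: "nope"),
    traversal: guarded_render_target(resolver, page: "../admin/secret"),
    unguarded: unguarded_render_target(page: "../admin/secret"),
  }
ensure
  FileUtils.remove_entry(root) if root
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints the four targets: the legitimate page renders, the missing page and the traversal attempt both fall back to errors/not_found, and the unguarded version hands "pages/../admin/secret" straight to render. In a real controller the guard is the same `if template_exists?(...)` around `render`, which is the form Brakeman 4.2.1 now recognises.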
A Note on Vulnerabilities in Dependencies
Brakeman does not warn about all CVEs in application dependencies. There are many better tools that track and detect vulnerable dependencies.
Brakeman only includes warnings about vulnerabilities announced on the Rails Security Mailing List.
The SHA256 sums for this release are:
3ba1cd39d98edcae7a0802ef0206de1438439cfdf4edb559c676877e2c253498  brakeman-4.2.1.gem
54a4aa336f3c21477a9bab12eeba6bb79ffa34a015e89a748621f7fd037d1943  brakeman-lib-4.2.1.gem
d53f2275320dfe5609234e74ce3a73a7d8c44dfae824fb938a9bae2077a9aecf  brakeman-min-4.2.1.gem
Thank you to everyone who reported bugs and contributed to this release.
If you find Brakeman valuable and want to support its development (and get more features!), check out Brakeman Pro.