Update brakeman to fix false positive warning
We recently came across a [strange warning][0] in a `frontend` build:

```
== Warnings ==

Confidence: High
Category: Cross-Site Scripting
Check: SanitizeMethods
Message: loofah gem 2.10.0 is vulnerable (CVE-2018-8048). Upgrade to 2.2.1
File: Gemfile.lock
Line: 187
```

Version 2.10.0 is clearly more recent than 2.2.1. This came from how
brakeman was doing a check:
```ruby
loofah_version and loofah_version < "2.2.1"
```
but in Ruby `'2.10.0' < '2.2.1'` is true:
```
[2] pry(main)> '2.10.0' < '2.2.1'
=> true
```

This [has been fixed][1] in [version 5.0.2][2] so let's upgrade brakeman to
this new version.

[0]: https://ci.integration.publishing.service.gov.uk/job/frontend/job/update-rubocop/6/console
[1]: https://github.com/presidentbeef/brakeman/pull/1607/files
[2]: https://github.com/presidentbeef/brakeman/blob/main/CHANGES.md#502---2021-06-07
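The comparison bug described in the commit message, as an added example (not brakeman's code and not the fix in the linked pull request): the same check done with plain strings and with `Gem::Version`, run over a constructed `Gemfile.lock` excerpt.

```ruby
# Added example: why a string comparison misjudges gem versions and how
# Gem::Version compares them segment by segment.
require "rubygems"

# Constructed Gemfile.lock excerpt (not the real file from the commit).
# Resolved specs sit at 4 spaces, their dependencies at 6.
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      loofah (2.10.0)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      rails-html-sanitizer (1.3.0)
        loofah (~> 2.3)
LOCK

# Return the resolved version of gem_name, or nil if it is not a spec entry.
def lockfile_version(lock, gem_name)
  m = lock.match(/^ {4}#{Regexp.escape(gem_name)} \(([^)]+)\)$/)
  m && m[1]
end

# The buggy shape of the check: Ruby compares strings character by
# character, so "2.10.0" < "2.2.1" because "1" sorts before "2".
def vulnerable_by_string?(version, fixed)
  version && version < fixed
end

# The corrected shape: Gem::Version compares numeric segments, so 2.10 > 2.2.
def vulnerable_by_gem_version?(version, fixed)
  version && Gem::Version.new(version) < Gem::Version.new(fixed)
end

if __FILE__ == $PROGRAM_NAME
  v = lockfile_version(LOCKFILE, "loofah")
  puts "loofah #{v}: string comparison flags it: #{vulnerable_by_string?(v, '2.2.1')}"
  puts "loofah #{v}: Gem::Version flags it: #{vulnerable_by_gem_version?(v, '2.2.1')}"
end
```

The same distinction applies to any tool that reads versions out of a lockfile and compares them to a fixed-in version, so a dependency scanner that reports a newer version as vulnerable is worth checking for this pattern.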
Alan Gabbianelli committed Jun 8, 2021
1 parent 72f380a commit 257955a
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion govuk_test.gemspec
Expand Up @@ -22,7 +22,7 @@ Gem::Specification.new do |spec|
spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
spec.require_paths = ["lib"]

spec.add_dependency "brakeman", "~> 4.6"
spec.add_dependency "brakeman", "~> 5.0.2"
spec.add_dependency "capybara"
spec.add_dependency "puma"
spec.add_dependency "selenium-webdriver", ">= 3.142"
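Review bot: the new constraint `"~> 5.0.2"` is narrower than the old `"~> 4.6"`: it allows only 5.0.x, so future 5.1+ releases of brakeman (and the updated vulnerability checks they carry) will not be picked up by a `bundle update` without another gemspec change. If the intent is only to require the fix, `">= 5.0.2", "< 6"` keeps the same floor while still following the 5.x series.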
