LocalOrbit / localorbit

Local Orbit is an open source web application and service that empowers food hubs to efficiently sell and distribute local food.
https://localorbit.com
MIT License

[Security] Bump grape from 0.14.0 to 1.1.0 #3529

Closed dependabot-preview[bot] closed 4 years ago

dependabot-preview[bot] commented 4 years ago

Bumps grape from 0.14.0 to 1.1.0. This update includes a security fix.

Vulnerabilities fixed

Sourced from The Ruby Advisory Database.

ruby-grape Gem has XSS via "format" parameter

When a request to the API contains the "format" parameter in GET, the input value of this parameter is rendered as-is while the web server responds with a text/html header.

Example: http://example.com/api/endpoint?format=%3Cscript%3Ealert(document.cookie)%3C/script%3E

Patched versions: >= 1.1.0
Unaffected versions: none
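To make the advisory concrete from the defender's side, here is an added illustration (not grape's source and not part of this PR) of the vulnerability class and its fix: an unsupported `format` value interpolated raw into a text/html error body, beside the hardened form that HTML-escapes request input and answers 415, which is what the `6876b71` and `6209297` commits listed below describe. The helper names and the supported-format table are assumptions for the example.

```ruby
require 'cgi'

# Assumed format table for the example; a real API would derive this from its routes.
SUPPORTED_FORMATS = {
  'json' => 'application/json',
  'xml'  => 'application/xml',
  'txt'  => 'text/plain'
}.freeze

# Vulnerable pattern (illustrative, not grape's code): the unknown format name taken
# from the query string is placed straight into HTML that is served as text/html.
def unsupported_format_response_unsafe(format)
  body = "<h1>Error</h1><p>The requested format '#{format}' is not supported.</p>"
  [406, { 'Content-Type' => 'text/html' }, [body]]
end

# Hardened pattern: escape anything that came from the request before it enters
# markup, and use 415 Unsupported Media Type for an unsupported format.
def unsupported_format_response_safe(format)
  safe = CGI.escapeHTML(format.to_s)
  body = "<h1>Error</h1><p>The requested format '#{safe}' is not supported.</p>"
  [415, { 'Content-Type' => 'text/html' }, [body]]
end

# Dispatch: known formats are served normally; anything else takes the error path.
# Returns a Rack-style [status, headers, body] triple.
def respond(format, unsafe: false)
  if (mime = SUPPORTED_FORMATS[format])
    return [200, { 'Content-Type' => mime }, ['{}']]
  end
  unsafe ? unsupported_format_response_unsafe(format) : unsupported_format_response_safe(format)
end

# Detection aid for a test suite: true when the response body still carries the
# untrusted input verbatim and that input contains markup-significant characters.
def reflects_raw_markup?(response, input)
  input.match?(/[<>"']/) && response[2].join.include?(input)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: the decoded form of the advisory's example query value.
  input = CGI.unescape('%3Cscript%3Ealert(document.cookie)%3C/script%3E')
  puts respond(input, unsafe: true)[2].join
  puts respond(input)[2].join
end
```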

Changelog

Sourced from grape's changelog.

1.1.0 (2018/8/4)

Features

  • #1759: Instrument serialization as 'format_response.grape' - @zvkemp.

Fixes

1.0.3 (2018/4/23)

Fixes

  • #1755: Fix shared params with exactly_one_of - @milgner.
  • #1740: Fix dependent parameter validation using given when parameter is a Hash - @jvortmann.
  • #1737: Fix translating error when passing symbols as params in custom validations - @mlzhuyi.
  • #1749: Allow rescue from non-StandardError exceptions - @dm1try.
  • #1750: Fix a circular dependency warning due to router being loaded by API - @salasrod.
  • #1752: Fix include_missing behavior for aliased parameters - @jonasoberschweiber.
  • #1754: Allow rescue from non-StandardError exceptions to use default error handling - @jelkster.
  • #1756: Allow custom Grape exception handlers when the built-in exception handling is enabled - @soylent.

1.0.2 (2018/1/10)

Features

Fixes

  • #1710: Fix wrong transformation of empty Array in declared params - @pablonahuelgomez.
  • #1722: Fix catch-all hiding multiple versions of an endpoint after the first definition - @zherr.
  • #1724: Optional nested array validation - @ericproulx.
  • #1725: Fix rescue_from :all documentation - @Jelkster.
  • #1726: Improved startup performance during API method generation - @jkowens.
  • #1727: Fix infinite loop when mounting endpoint with same superclass - @jkowens.

1.0.1 (2017/9/8)

Features

  • #1652: Add the original exception to the error_formatter - @dcsg.
... (truncated)
Commits
  • 0fb170c Preparing for release, 1.1.0.
  • a152d98 Fix param aliases within 'given' blocks (#1771)
  • 2dcef9a Merge pull request #1765 from jdmurphy/415_status
  • 6209297 Use 415 status code when content type is not supported
  • d845a3a Merge pull request #1764 from budnik/patch-1
  • 03f7e4c Fixes few examples syntax
  • 6876b71 When returning an HTML error, make sure it's safe (#1763)
  • 9a4b939 Merge pull request #1758 from 2maz/master
  • 3ee2956 Fix expanding LOAD_PATH in gemspec
  • c951628 Merge pull request #1759 from zvkemp/instrument-serialization
  • Additional commits viewable in compare view


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Note: This repo was added to Dependabot recently, so you'll receive a maximum of 5 PRs for your first few update runs. Once an update run creates fewer than 5 PRs we'll remove that limit.

You can always request more updates by clicking Bump now in your Dependabot dashboard.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:

  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
  • `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
  • `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
  • `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
  • `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)