Clarify 2.x warning for CVE-2013-0155

commit 7e83781bbef1851c05ae1f31c71dff454a2fb8fc 1 parent a922487
@presidentbeef authored
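--- a/lib/brakeman/checks/check_sql.rb
+++ b/lib/brakeman/checks/check_sql.rb
@@ -138,9 +138,15 @@ def check_rails_version_for_cve_2012_5664
 end
 def check_rails_version_for_cve_2013_0155
-if version_between?("2.0.0", "2.3.15") || version_between?("3.0.0", "3.0.18") || version_between?("3.1.0", "3.1.9") || version_between?("3.2.0", "3.2.10")
+if version_between?("3.0.0", "3.0.18") || version_between?("3.1.0", "3.1.9") || version_between?("3.2.0", "3.2.10")
+message = 'All versions of Rails before 3.0.19, 3.1.10, and 3.2.11 contain a SQL Injection Vulnerability: CVE-2013-0155; Upgrade to 3.2.11, 3.1.10, 3.0.19'
+elsif version_between?("2.0.0", "2.3.15")
+message = "Rails #{@rails_version} contains a SQL Injection Vulnerability: CVE-2013-0155; Upgrade to 2.3.16"
+end
+
+if message
 warn :warning_type => 'SQL Injection',
-:message => 'All versions of Rails before 3.0.19, 3.1.10, and 3.2.11 contain a SQL Injection Vulnerability: CVE-2013-0155; Upgrade to 3.2.11, 3.1.10, 3.0.19',
+:message => message,
 :confidence => CONFIDENCE[:high],
 :file => gemfile_or_environment,
 :link_path => "https://groups.google.com/d/topic/rubyonrails-security/c7jT-EeN9eI/discussion"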
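Review bot: `message` is left implicitly nil when neither version branch matches and is then tested with `if message`, which reads as a guard against an unset local rather than as the method's intent; making the branches the value of one expression, `message = if version_between?("3.0.0", "3.0.18") || … elsif version_between?("2.0.0", "2.3.15") … end`, or putting `return unless message` before the `warn`, states that intent directly. The affected-version boundaries now appear twice — in the `version_between?` ranges and again spelled out in the 3.x message text — so a future advisory update has to touch both; a comment above the `if`, such as `# Fixed in 3.0.19 / 3.1.10 / 3.2.11 (3.x) and 2.3.16 (2.x); keep the ranges and the message text in sync`, would make that coupling visible. The 2.x branch interpolates `@rails_version` while the 3.x branch does not; the hunk does not show whether `@rails_version` is always set when `version_between?` matches, so that is worth confirming before relying on it in the message. The `end` lines closing `if message` and the method lie outside the hunk.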
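--- a/test/tests/test_rails2.rb
+++ b/test/tests/test_rails2.rb
@@ -789,7 +789,7 @@ def test_sql_injection_CVE_2012_5664
 def test_sql_injection_CVE_2013_0155
 assert_warning :type => :warning,
 :warning_type => "SQL Injection",
-:message => /^All\ versions\ of\ Rails\ before\ 3\.0\.19,\ 3\.1/,
+:message => /^Rails\ 2\.3\.11\ contains\ a\ SQL\ Injection\ Vu/,
 :confidence => 0,
 :file => /environment\.rb/
 end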
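Review bot: The new `:message` regex pins only the leading version phrase of the 2.x warning and stops at `Vu`, so the remediation text this commit introduces — `Upgrade to 2.3.16` — is not asserted anywhere and could regress to the 3.x wording without failing the test. Extending the pattern to the whole message, `:message => /^Rails\ 2\.3\.11\ contains\ a\ SQL\ Injection\ Vulnerability:\ CVE-2013-0155;\ Upgrade\ to\ 2\.3\.16/`, pins the advisory identifier and the fix version together with the detected version. The same applies to the parallel change in test/tests/test_rails_with_xss_plugin.rb, where the expected version is 2.3.14. The `^` anchor matches at any line start rather than the start of the string; `\A` is the stricter choice, though for a single-line message the two behave the same.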
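--- a/test/tests/test_rails_with_xss_plugin.rb
+++ b/test/tests/test_rails_with_xss_plugin.rb
@@ -287,7 +287,7 @@ def test_session_secret_token
 def test_sql_injection_CVE_2013_0155
 assert_warning :type => :warning,
 :warning_type => "SQL Injection",
-:message => /^All\ versions\ of\ Rails\ before\ 3\.0\.19,\ 3\.1/,
+:message => /^Rails\ 2\.3\.14\ contains\ a\ SQL\ Injection\ Vu/,
 :confidence => 0,
 :file => /Gemfile/
 end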