
Issue w/ "beta" value check in `version_between?` #1305

Closed
n00ge opened this Issue Jan 21, 2019 · 1 comment


n00ge commented Jan 21, 2019

Background

Brakeman version: 4.4.0
Rails version: 5.2.1.1
Ruby version: 2.5.1p57

Issue

sprockets 4.0.0.beta8 appears to be a safe version in CVE-2018-3760, which is the version I have in my Gemfile.lock.
See the following as the code check to confirm versions:
https://github.com/presidentbeef/brakeman/pull/1241/files#diff-4620b984ac2f48fe9350181b4e7c1ca7R19

It should not show an error. Currently I am seeing:

```
Confidence: High
Category: Path Traversal
Check: SprocketsPathTraversal
Message: sprockets 4.0.0.beta8 has a path traversal vulnerability (CVE-2018-3760). Upgrade to sprockets 4.0.0.beta8 or newer
```

It appears to be an issue with the `version_between?` check and the "beta" text in the version. See the definition of `version_between?` here:

```ruby
def version_between? low_version, high_version, current_version = nil
```

Splitting on "." and mapping :to_i for "beta8" produces a value of 0:

```
$ irb
irb(main):001:0> "beta8".to_i
=> 0
```

I assume alpha/beta values should be split out and mapped differently?
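As an added illustration of the defect described in this issue (this is example code, not Brakeman's own implementation): a `naive_version_between?` that splits on "." and maps `to_i`, exactly as reported, sits beside a prerelease-aware `version_between?` that parses digit runs as integers and letter runs as strings and orders a prerelease tag before any release number, the same rule RubyGems applies. The vulnerable range `4.0.0.beta1`..`4.0.0.beta7` is a constructed stand-in for whatever range the real SprocketsPathTraversal check uses; only the `4.0.0.beta8` boundary comes from the issue. `Gem::Version` from the Ruby standard library is used only as a reference to cross-check the ordering.

```ruby
require "rubygems" # for Gem::Version, used below only as a reference ordering

# Mirrors the reported defect: split on "." and map to_i, so "beta8".to_i == 0
# and "4.0.0.beta8" becomes indistinguishable from "4.0.0.beta7" (or "4.0.0.0").
def naive_version_between?(low, high, current)
  lo, hi, cur = [low, high, current].map { |v| v.split(".").map(&:to_i) }
  (lo <=> cur) <= 0 && (cur <=> hi) <= 0
end

# Prerelease-aware parsing: every run of digits becomes an Integer and every
# run of letters a String, so "4.0.0.beta8" -> [4, 0, 0, "beta", 8] and
# "beta10" sorts after "beta9" instead of before it (as a plain string would).
def parse_version(str)
  str.scan(/\d+|[a-z]+/i).map { |seg| seg =~ /\A\d+\z/ ? seg.to_i : seg }
end

# Segment-wise comparison returning -1, 0 or 1. Missing segments count as 0,
# and a String segment (a prerelease tag) orders *before* any Integer, which
# yields the RubyGems rule that 4.0.0.beta8 < 4.0.0.
def compare_versions(a, b)
  sa, sb = parse_version(a), parse_version(b)
  len = [sa.length, sb.length].max
  sa += [0] * (len - sa.length)
  sb += [0] * (len - sb.length)
  sa.zip(sb).each do |x, y|
    cmp =
      if x.is_a?(Integer) && y.is_a?(Integer) then x <=> y
      elsif x.is_a?(String) && y.is_a?(String) then x <=> y
      elsif x.is_a?(String) then -1 # prerelease < release
      else 1
      end
    return cmp unless cmp.zero?
  end
  0
end

# Inclusive range check built on the prerelease-aware comparator.
def version_between?(low, high, current)
  compare_versions(low, current) <= 0 && compare_versions(current, high) <= 0
end

# Cross-check: does the hand-rolled ordering agree with Gem::Version for a pair?
def agrees_with_rubygems?(a, b)
  (compare_versions(a, b) <=> 0) == (Gem::Version.new(a) <=> Gem::Version.new(b))
end

if __FILE__ == $0
  range = ["4.0.0.beta1", "4.0.0.beta7"] # constructed stand-in range, see lead-in
  puts "naive: #{naive_version_between?(*range, '4.0.0.beta8')}" # true  (false positive)
  puts "fixed: #{version_between?(*range, '4.0.0.beta8')}"       # false (not flagged)
  puts "fixed: #{version_between?(*range, '4.0.0.beta3')}"       # true  (still flagged)
  puts "agrees with RubyGems: #{agrees_with_rubygems?('4.0.0.beta8', '4.0.0')}"
end
```

The naive variant returns `true` for `4.0.0.beta8` because all three versions collapse to `[4, 0, 0, 0]`, which is the false positive shown in the warning above; the prerelease-aware variant keeps `beta8` above `beta7` and so does not flag the patched version, while a genuinely old prerelease such as `4.0.0.beta3` is still caught.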

presidentbeef commented Jan 22, 2019

Oops, I guess I didn't test that CVE warning very well!

Yes, non-integer versions need to be handled better.

Thank you for reporting this issue!

presidentbeef added a commit that referenced this issue Mar 6, 2019
