Issue w/ "beta" value check in `version_between?` #1305

n00ge opened this Issue Jan 21, 2019 · 1 comment



n00ge commented Jan 21, 2019


Brakeman version: 4.4.0
Rails version:
Ruby version: 2.5.1p57


sprockets 4.0.0.beta8 appears to be a safe version in CVE-2018-3760, which is the version I have in my Gemfile.lock.
See the following code check to confirm versions:

It should not show an error. Currently I am seeing:

Confidence: High
Category: Path Traversal
Check: SprocketsPathTraversal
Message: sprockets 4.0.0.beta8 has a path traversal vulnerability (CVE-2018-3760). Upgrade to sprockets 4.0.0.beta8 or newer

It appears to be an issue with the version_between? check and the "beta" text in the version. See the definition of version_between? here:

def version_between? low_version, high_version, current_version = nil

Splitting on "." and mapping :to_i for "beta8" produces a value of 0:

$ irb
irb(main):001:0> "beta8".to_i
=> 0

I assume alpha/beta values should be split out and mapped differently?
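As an added illustration of the behaviour described above (this is not Brakeman's code), the comparator below sits beside the naive split-and-`to_i` approach. It keeps letter runs such as `beta` as string segments instead of collapsing them to 0, so `4.0.0.beta8` sorts above `4.0.0.beta7` and below the `4.0.0` release. The `low`/`high` bounds in the demo are constructed for the example; they are not the range Brakeman's check actually uses.

```ruby
# Added example, not Brakeman's own code. Shows why mapping version
# segments with to_i breaks on prerelease tags, and one way to fix it.

# The approach described in the issue: split on "." and map to_i.
# "beta8".to_i == 0, so "4.0.0.beta7" and "4.0.0.beta8" both become [4, 0, 0, 0]
# and compare as equal.
def naive_segments(version)
  version.split(".").map(&:to_i)
end

def naive_version_between?(low, high, current)
  cur = naive_segments(current)
  (naive_segments(low) <=> cur) <= 0 && (cur <=> naive_segments(high)) <= 0
end

# Fixed approach: split into runs of digits and runs of letters, keeping digits as
# Integers and letters as lower-cased Strings.
#   "4.0.0.beta8" => [4, 0, 0, "beta", 8]
#   "3.7.2"       => [3, 7, 2]
def segments(version)
  version.scan(/\d+|[a-zA-Z]+/).map { |s| s =~ /\A\d+\z/ ? s.to_i : s.downcase }
end

# Returns -1, 0 or 1 like <=>. Rules:
#  * a missing trailing segment counts as 0, so "4.0" == "4.0.0"
#  * a String segment (prerelease tag) sorts below any Integer at the same position,
#    so "4.0.0.beta8" < "4.0.0"
#  * two Strings compare lexically ("alpha" < "beta" < "rc"), two Integers numerically
def compare_versions(a, b)
  sa = segments(a)
  sb = segments(b)
  [sa.size, sb.size].max.times do |i|
    x = sa[i] || 0
    y = sb[i] || 0
    next if x == y
    return -1 if x.is_a?(String) && y.is_a?(Integer)
    return 1 if x.is_a?(Integer) && y.is_a?(String)
    return x <=> y
  end
  0
end

# Inclusive range check using the prerelease-aware comparator.
def version_between?(low, high, current)
  compare_versions(low, current) <= 0 && compare_versions(current, high) <= 0
end

if $PROGRAM_NAME == __FILE__
  # Constructed bounds for the demo only; not Brakeman's actual range for this CVE.
  low, high, current = "4.0.0.beta1", "4.0.0.beta7", "4.0.0.beta8"
  puts "naive: #{naive_version_between?(low, high, current)}" # true  (false positive)
  puts "fixed: #{version_between?(low, high, current)}"       # false
end
```

The naive version reports `4.0.0.beta8` as inside a range that ends at `4.0.0.beta7`, which is the false positive the warning above shows; the fixed comparator excludes it while still treating the `beta` tag as older than the plain `4.0.0` release.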



presidentbeef commented Jan 22, 2019

Oops, I guess I didn't test that CVE warning very well!

Yes, non-integer versions need to be handled better.

Thank you for reporting this issue!

presidentbeef added a commit that referenced this issue Mar 6, 2019
