brakeman-min 3.0.4 → 3.0.5

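--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 31a26a3b03270d2eafb08540e523d94c27211d20
-data.tar.gz: 3fd570c30df5855aebfc9a542e3c54676bacc808
+metadata.gz: 1ab8f92f7224264621f18aecefd5b06831ad029f
+data.tar.gz: db8f98753198a72409cd673a4a346f8702cbd3cd
 SHA512:
-metadata.gz: ea02eed9126d6375399ea7e9a4001978882e2f89c9ba8c90b1467f763aad9691cec19e54dc8cf45efe04d61d39e205d258c2a80b341177d63110868e0e31db39
-data.tar.gz: d7d24ce1144f1d2db5b74823aeac8f63fef342733537b28929e1d1ba793597eda33fece5fe0fd0c07450d00f7d9435b262b608ac2842215767e853585b10d8c7
+metadata.gz: 92e31897ee455b1e5e96db7e668b740bddf4ddba338a60cb721e62cbdcf97e9762cd2fc63837b6fcd1754722e9aaccb33f83ccc8c778b62ea98e28cd104e421e
+data.tar.gz: a13ae68c1d7cfb36ae35e412a50c1c25198492184b593787400ac3855951186c59c8ad7ff22cfe46e2f592ee2e3f6717de87109a074185f3f48ab5a4abe1ffc3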
Binary file
data.tar.gz.sig CHANGED
Binary file
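--- a/data/CHANGES
+++ b/data/CHANGES
@@ -1,3 +1,7 @@
+# 3.0.5
+
+* Fix check for CVE-2015-3227
+
 # 3.0.4
 
 * Add check for CVE-2015-3226 (XSS via JSON keys)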
@@ -6,29 +6,37 @@ class Brakeman::CheckXMLDoS < Brakeman::BaseCheck
6
6
  @description = "Checks for XML denial of service (CVE-2015-3227)"
7
7
 
8
8
  def run_check
9
+ version = tracker.config[:rails_version]
10
+
9
11
  fix_version = case
12
+ when version_between?("2.0.0", "3.2.21")
13
+ "3.2.22"
10
14
  when version_between?("4.1.0", "4.1.10")
11
15
  "4.1.11"
12
16
  when version_between?("4.2.0", "4.2.1")
13
17
  "4.2.2"
14
- when version_between?("4.1.11", "4.1.99")
15
- return
16
- when version_between?("4.2.2", "9.9.9")
17
- return
18
- when has_workaround?
19
- return
20
- else
18
+ when version_between?("4.0.0", "4.0.99")
21
19
  "4.2.2"
20
+ when (version.nil? and tracker.options[:rails3])
21
+ version = "3.x"
22
+ "3.2.22"
23
+ when (version.nil? and tracker.options[:rails4])
24
+ version = "4.x"
25
+ "4.2.2"
26
+ else
27
+ return
22
28
  end
23
29
 
24
- message = "Rails #{tracker.config[:rails_version]} is vulnerable to denial of service via XML parsing (CVE-2015-3227). Upgrade to Rails version #{fix_version}"
30
+ return if has_workaround?
31
+
32
+ message = "Rails #{version} is vulnerable to denial of service via XML parsing (CVE-2015-3227). Upgrade to Rails version #{fix_version}"
25
33
 
26
34
  warn :warning_type => "Denial of Service",
27
35
  :warning_code => :CVE_2015_3227,
28
36
  :message => message,
29
37
  :confidence => CONFIDENCE[:med],
30
38
  :gem_info => gemfile_or_environment,
31
- :link_path => "repos/canvas-lms/config/application.rb"
39
+ :link_path => "https://groups.google.com/d/msg/rubyonrails-security/bahr2JLnxvk/x4EocXnHPp8J"
32
40
  end
33
41
 
34
42
  def has_workaround?
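Review bot: The two `version.nil?` fallback branches in `run_check` raise the warning at `CONFIDENCE[:med]` even though no Rails version was found and the affected line is only assumed from the `:rails3`/`:rails4` options, so an app that is already on 3.2.22 or 4.2.2 but whose version Brakeman could not read gets the same confidence as a confirmed vulnerable one. Consider recording that the version was guessed and lowering confidence on that path, e.g. `confidence = version.nil? ? CONFIDENCE[:low] : CONFIDENCE[:med]` placed before the `case` (the branches overwrite `version` with `"3.x"`/`"4.x"`, so the test must come first) and `:confidence => confidence` in the `warn` call, assuming the `CONFIDENCE` table has a `:low` entry as the other levels suggest. Reassigning `version` inside a `when` body is easy to miss on a read, so a short comment on those branches such as `# version not detected; assume the major line from the CLI flag` would help, and `&&` rather than `and` in `when (version.nil? and tracker.options[:rails3])` would avoid relying on the surrounding parentheses for precedence. `run_check` lies entirely within the hunk; `has_workaround?` begins on the hunk's last line and continues outside it.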
@@ -1,3 +1,3 @@
1
1
  module Brakeman
2
- Version = "3.0.4"
2
+ Version = "3.0.5"
3
3
  end
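--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-min
 version: !ruby/object:Gem::Version
-version: 3.0.4
+version: 3.0.5
 platform: ruby
 authors:
 - Justin Collins
@@ -30,7 +30,7 @@ cert_chain:
 bxoxp9KNxkO+709YwLO1rYfmcGghg8WV6MYz3PSHdlgWF4KrjRFc/00hXHqVk0Sf
 mREEv2LPwHH2SgpSSab+iawnX4l6lV8XcIrmp/HSMySsPVFBeOmB0c05LpEN8w==
 -----END CERTIFICATE-----
-date: 2015-06-18 00:00:00.000000000 Z
+date: 2015-06-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: test-unit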
metadata.gz.sig CHANGED
Binary file