brakeman 2.3.0 → 2.3.1

data.tar.gz.sig CHANGED
Binary file
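--- a/data/CHANGES
+++ b/data/CHANGES
@@ -1,3 +1,8 @@
+# 2.3.1
+
+* Fix check for CVE-2013-4491 (i18n XSS) to detect workaround
+* Fix link for CVE-2013-6415 (number_to_currency)
+
 # 2.3.0
 
 * Add check for Parameters#permit!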
@@ -6,7 +6,7 @@ class Brakeman::CheckI18nXSS < Brakeman::BaseCheck
6
6
  @description = "Checks for i18n XSS (CVE-2013-4491)"
7
7
 
8
8
  def run_check
9
- if (version_between? "3.0.6", "3.2.15" or version_between? "4.0.0", "4.0.1")# and not has_workaround?
9
+ if (version_between? "3.0.6", "3.2.15" or version_between? "4.0.0", "4.0.1") and not has_workaround?
10
10
  message = "Rails #{tracker.config[:rails_version]} has an XSS vulnerability in i18n (CVE-2013-4491). Upgrade to Rails version "
11
11
 
12
12
  i18n_gem = tracker.config[:gems] && tracker.config[:gems][:i18n]
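Review bot: The condition on the new `if` line relies on the keyword operators `and`/`or`/`not`, which parse as intended here only because of the explicit parentheses; the `&&`/`||`/`!` forms keep the same meaning without the precedence trap: `if (version_between?("3.0.6", "3.2.15") || version_between?("4.0.0", "4.0.1")) && !has_workaround?`. Since `has_workaround?` now decides whether the CVE-2013-4491 warning is emitted at all, a one-line comment above the `if` saying what it looks for would help a reader judge possible false negatives, e.g. `# Skip the warning when has_workaround? finds the app's own mitigation for CVE-2013-4491`. `has_workaround?` is defined outside this hunk, and `run_check` continues past its last line.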
@@ -27,7 +27,7 @@ class Brakeman::CheckNumberToCurrency < Brakeman::BaseCheck
27
27
  :message => message,
28
28
  :confidence => CONFIDENCE[:med],
29
29
  :file => gemfile_or_environment,
30
- :link_path => "https://groups.google.com/d/topic/rubyonrails-security/8CpI7egxX4E/discussion"
30
+ :link_path => "https://groups.google.com/d/msg/ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ"
31
31
  end
32
32
 
33
33
  def check_number_to_currency_usage
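Review bot: The corrected advisory URL is a string literal repeated in this class — here under `:link_path` and again in the `@@ -49,7 +49,7 @@` hunk below — so any future correction must again be made in two places. A single frozen constant on the class, e.g. `ADVISORY_LINK = "https://groups.google.com/d/msg/ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ".freeze`, referenced from both entries as `:link_path => ADVISORY_LINK`, keeps them in step. The hash whose `:link_path` changes here begins before the hunk, so the enclosing method is not fully visible.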
@@ -49,7 +49,7 @@ class Brakeman::CheckNumberToCurrency < Brakeman::BaseCheck
49
49
  :warning_code => :CVE_2013_6415_call,
50
50
  :message => "Currency value in number_to_currency is not safe in Rails #{@tracker.config[:rails_version]}",
51
51
  :confidence => CONFIDENCE[:high],
52
- :link_path => "https://groups.google.com/d/topic/rubyonrails-security/8CpI7egxX4E/discussion",
52
+ :link_path => "https://groups.google.com/d/msg/ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ",
53
53
  :user_input => match
54
54
  end
55
55
  end
@@ -1,3 +1,3 @@
1
1
  module Brakeman
2
- Version = "2.3.0"
2
+ Version = "2.3.1"
3
3
  end
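--- a/metadata
+++ b/metadata
@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: brakeman
 version: !ruby/object:Gem::Version
-hash: 3
+hash: 1
 prerelease:
 segments:
 - 2
 - 3
-- 0
-version: 2.3.0
+- 1
+version: 2.3.1
 platform: ruby
 authors:
 - Justin Collins
@@ -36,7 +36,7 @@ cert_chain:
 bdw=
 -----END CERTIFICATE-----
 
-date: 2013-12-12 00:00:00 Z
+date: 2013-12-13 00:00:00 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: ruby_parser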
metadata.gz.sig CHANGED
Binary file