RubyGems - brakeman - Versions diffs - 3.0.4 → 3.0.5 - Mend

brakeman 3.0.4 → 3.0.5

Files changed (8) hide show

checksums.yaml +4 -4
checksums.yaml.gz.sig +0 -0
data.tar.gz.sig +0 -0
data/CHANGES +4 -0
data/lib/brakeman/checks/check_xml_dos.rb +17 -9
data/lib/brakeman/version.rb +1 -1
metadata +2 -2
metadata.gz.sig +0 -0

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 671edf90c9a6617a03edf1680468156fae6669c8
-  data.tar.gz: bcf565963e0fb72c20abcafd66354080ebba9f12
+  metadata.gz: 15522576649f902090b9d006ffe66b063172eccb
+  data.tar.gz: 5028884d1539437c9571894dcf1ee8d580f60996
 SHA512:
-  metadata.gz: 7b692920e4a22fd864319fb72c91aa4f44fb5c7d64744844f733ca242e927eb6c2495f6e66a901f6b7244830cdcb30dfb51b04a13fe17475c2ac66c74a40dd7d
-  data.tar.gz: a94d30896765f99e633b6be8e2897bee0046daf07135a6d2099a3e8476a8d925973278efc7266e1ed241a8d630f5002a60ee01de0c77c11d141859cba66a83bf
+  metadata.gz: 15ca6f4ad8ea0b91ca498a862638864e76de75633c96175229f2d3314304797d24addb57eaac7a137bc729fc8477694565caea013ad0dfceb61048e077d9150f
+  data.tar.gz: 963b6eed256fec2b7407b60918673117a40f2d504379107c4f597e8e482b84ca8bf7967fbcbdff0de417de0594398e16f6eaed16e7c0fd6ba83d8394d89025e3

checksums.yaml.gz.sig CHANGED

Binary file

data.tar.gz.sig CHANGED

Binary file

data/CHANGES CHANGED

@@ -1,3 +1,7 @@
+# 3.0.5
+* Fix check for CVE-2015-3227
 # 3.0.4
 * Add check for CVE-2015-3226 (XSS via JSON keys)

data/lib/brakeman/checks/check_xml_dos.rb CHANGED

@@ -6,29 +6,37 @@ class Brakeman::CheckXMLDoS < Brakeman::BaseCheck
   @description = "Checks for XML denial of service (CVE-2015-3227)"
   def run_check
+    version = tracker.config[:rails_version]
     fix_version = case
+                  when version_between?("2.0.0", "3.2.21")
+                    "3.2.22"
                   when version_between?("4.1.0", "4.1.10")
                     "4.1.11"
                   when version_between?("4.2.0", "4.2.1")
                     "4.2.2"
-                  when version_between?("4.1.11", "4.1.99")
-                    return
-                  when version_between?("4.2.2", "9.9.9")
-                    return
-                  when has_workaround?
-                    return
-                  else
+                  when version_between?("4.0.0", "4.0.99")
                     "4.2.2"
+                  when (version.nil? and tracker.options[:rails3])
+                    version = "3.x"
+                    "3.2.22"
+                  when (version.nil? and tracker.options[:rails4])
+                    version = "4.x"
+                    "4.2.2"
+                  else
+                    return
                   end
-    message = "Rails #{tracker.config[:rails_version]} is vulnerable to denial of service via XML parsing (CVE-2015-3227). Upgrade to Rails version #{fix_version}"
+    return if has_workaround?
+    message = "Rails #{version} is vulnerable to denial of service via XML parsing (CVE-2015-3227). Upgrade to Rails version #{fix_version}"
     warn :warning_type => "Denial of Service",
       :warning_code => :CVE_2015_3227,
       :message => message,
       :confidence => CONFIDENCE[:med],
       :gem_info => gemfile_or_environment,
-      :link_path => "repos/canvas-lms/config/application.rb"
+      :link_path => "https://groups.google.com/d/msg/rubyonrails-security/bahr2JLnxvk/x4EocXnHPp8J"
   end
   def has_workaround?

data/lib/brakeman/version.rb CHANGED

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "3.0.4"
+  Version = "3.0.5"
 end

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman
 version: !ruby/object:Gem::Version
-  version: 3.0.4
+  version: 3.0.5
 platform: ruby
 authors:
 - Justin Collins
@@ -30,7 +30,7 @@ cert_chain:
   bxoxp9KNxkO+709YwLO1rYfmcGghg8WV6MYz3PSHdlgWF4KrjRFc/00hXHqVk0Sf
   mREEv2LPwHH2SgpSSab+iawnX4l6lV8XcIrmp/HSMySsPVFBeOmB0c05LpEN8w==
   -----END CERTIFICATE-----
-date: 2015-06-18 00:00:00.000000000 Z
+date: 2015-06-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: test-unit

metadata.gz.sig CHANGED

Binary file