brakeman 3.0.4 → 3.0.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/CHANGES +4 -0
- data/lib/brakeman/checks/check_xml_dos.rb +17 -9
- data/lib/brakeman/version.rb +1 -1
- metadata +2 -2
- metadata.gz.sig +0 -0
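--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 15522576649f902090b9d006ffe66b063172eccb
+data.tar.gz: 5028884d1539437c9571894dcf1ee8d580f60996
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 15ca6f4ad8ea0b91ca498a862638864e76de75633c96175229f2d3314304797d24addb57eaac7a137bc729fc8477694565caea013ad0dfceb61048e077d9150f
+data.tar.gz: 963b6eed256fec2b7407b60918673117a40f2d504379107c4f597e8e482b84ca8bf7967fbcbdff0de417de0594398e16f6eaed16e7c0fd6ba83d8394d89025e3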
checksums.yaml.gz.sig
CHANGED
|
Binary file
|
data.tar.gz.sig
CHANGED
|
Binary file
|
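--- a/data/lib/brakeman/checks/check_xml_dos.rb
+++ b/data/lib/brakeman/checks/check_xml_dos.rb
@@ -6,29 +6,37 @@ class Brakeman::CheckXMLDoS < Brakeman::BaseCheck
 @description = "Checks for XML denial of service (CVE-2015-3227)"
 
 def run_check
+version = tracker.config[:rails_version]
+
 fix_version = case
+when version_between?("2.0.0", "3.2.21")
+"3.2.22"
 when version_between?("4.1.0", "4.1.10")
 "4.1.11"
 when version_between?("4.2.0", "4.2.1")
 "4.2.2"
-when version_between?("4.
-return
-when version_between?("4.2.2", "9.9.9")
-return
-when has_workaround?
-return
-else
+when version_between?("4.0.0", "4.0.99")
 "4.2.2"
+when (version.nil? and tracker.options[:rails3])
+version = "3.x"
+"3.2.22"
+when (version.nil? and tracker.options[:rails4])
+version = "4.x"
+"4.2.2"
+else
+return
 end
 
-
+return if has_workaround?
+
+message = "Rails #{version} is vulnerable to denial of service via XML parsing (CVE-2015-3227). Upgrade to Rails version #{fix_version}"
 
 warn :warning_type => "Denial of Service",
 :warning_code => :CVE_2015_3227,
 :message => message,
 :confidence => CONFIDENCE[:med],
 :gem_info => gemfile_or_environment,
-:link_path => "
+:link_path => "https://groups.google.com/d/msg/rubyonrails-security/bahr2JLnxvk/x4EocXnHPp8J"
 end
 
 def has_workaround?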
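Review bot: The two `version.nil?` fallback branches (`version = "3.x"` / `version = "4.x"`) emit the warning with the same `CONFIDENCE[:med]` as the branches that matched an exact Rails version, although there the version is only inferred from the `--rails3`/`--rails4` flag and the app may already be on 3.2.22, 4.1.11 or 4.2.2. A `confidence` local defaulting to `CONFIDENCE[:med]`, lowered to `CONFIDENCE[:low]` in those two branches (assuming the CONFIDENCE table defines that level) and passed to `warn`, would keep the report honest about what is actually known; the rewritten lines are below. `has_workaround?`, whose body lies outside this section, is now consulted after `fix_version` is computed instead of inside the `case`, which is fine since every path that reaches it has a fix version. This section is labelled `data/CHANGES` on the page, but the hunk header and the `+17 -9` diffstat entry indicate the content is `data/lib/brakeman/checks/check_xml_dos.rb`.
```ruby
    version = tracker.config[:rails_version]
    confidence = CONFIDENCE[:med]

    fix_version = case
                  # … unchanged: exact-version ranges …
                  when (version.nil? and tracker.options[:rails3])
                    version = "3.x"
                    confidence = CONFIDENCE[:low] # version only inferred from --rails3
                    "3.2.22"
                  when (version.nil? and tracker.options[:rails4])
                    version = "4.x"
                    confidence = CONFIDENCE[:low] # version only inferred from --rails4
                    "4.2.2"
                  else
                    return
                  end
    # … unchanged: has_workaround? guard and message …
    warn :warning_type => "Denial of Service",
      :warning_code => :CVE_2015_3227,
      :message => message,
      :confidence => confidence,
      # … unchanged: gem_info and link_path …
```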
data/lib/brakeman/version.rb
CHANGED
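--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman
 version: !ruby/object:Gem::Version
-version: 3.0.
+version: 3.0.5
 platform: ruby
 authors:
 - Justin Collins
@@ -30,7 +30,7 @@ cert_chain:
 bxoxp9KNxkO+709YwLO1rYfmcGghg8WV6MYz3PSHdlgWF4KrjRFc/00hXHqVk0Sf
 mREEv2LPwHH2SgpSSab+iawnX4l6lV8XcIrmp/HSMySsPVFBeOmB0c05LpEN8w==
 -----END CERTIFICATE-----
-date: 2015-06-
+date: 2015-06-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: test-unit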
metadata.gz.sig
CHANGED
|
Binary file
|