Merge pull request #413 from presidentbeef/december_CVEs

Add checks for five latest CVEs

CVE-2013-4491
CVE-2013-6414
CVE-2013-6415
CVE-2013-6416
CVE-2013-6417

lib/brakeman/checks/check_header_dos.rb

+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckHeaderDoS < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for header DoS (CVE-2013-6414)"
+
+  def run_check
+    if (version_between? "3.0.0", "3.2.15" or version_between? "4.0.0", "4.0.1") and not has_workaround?
+      message = "Rails #{tracker.config[:rails_version]} has a denial of service vulnerability (CVE-2013-6414). Upgrade to Rails version "
+
+      if version_between? "3.0.0", "3.2.15"
+        message << "3.2.16"
+      else
+        message << "4.0.2"
+      end
+
+      warn :warning_type => "Denial of Service",
+        :warning_code => :CVE_2013_6414,
+        :message => message,
+        :confidence => CONFIDENCE[:med],
+        :file => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/msg/ruby-security-ann/A-ebV4WxzKg/KNPTbX8XAQUJ"
+    end
+  end
+
+  def has_workaround?
+    tracker.check_initializers(:ActiveSupport, :on_load).any? and
+    tracker.check_initializers(:"ActionView::LookupContext::DetailsKey", :class_eval).any?
+  end
+end

lib/brakeman/checks/check_i18n_xss.rb

+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckI18nXSS < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for i18n XSS (CVE-2013-4491)"
+
+  def run_check
+    if (version_between? "3.0.6", "3.2.15" or version_between? "4.0.0", "4.0.1")# and not has_workaround?
+      message = "Rails #{tracker.config[:rails_version]} has an XSS vulnerability in i18n (CVE-2013-4491). Upgrade to Rails version "
+
+      i18n_gem = tracker.config[:gems] && tracker.config[:gems][:i18n]
+
+      if version_between? "3.0.6", "3.1.99" and version_before i18n_gem, "0.5.1"
+        message << "3.2.16 or i18n 0.5.1"
+      elsif version_between? "3.2.0", "4.0.1" and version_before i18n_gem, "0.6.6"
+        message << "4.0.2 or i18n 0.6.6"
+      else
+        return
+      end
+
+      warn :warning_type => "Cross Site Scripting",
+        :warning_code => :CVE_2013_4491,
+        :message => message,
+        :confidence => CONFIDENCE[:med],
+        :file => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/msg/ruby-security-ann/pLrh6DUw998/bLFEyIO4k_EJ"
+    end
+  end
+
+  def version_before gem_version, target
+    return true unless gem_version
+    gem_version.split('.').map(&:to_i).zip(target.split('.').map(&:to_i)).each do |gv, t|
+      if gv < t
+        return true
+      elsif gv > t
+        return false
+      end
+    end
+
+    false
+  end
+
+  def has_workaround?
+    tracker.check_initializers(:I18n, :const_defined?).any? do |match|
+      match.last.first_arg == s(:lit, :MissingTranslation)
+    end
+  end
+end

lib/brakeman/checks/check_number_to_currency.rb

+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckNumberToCurrency < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for number_to_currency XSS vulnerability in certain versions"
+
+  def run_check
+    if (version_between? "2.0.0", "3.2.15" or version_between? "4.0.0", "4.0.1")
+      check_number_to_currency_usage
+
+      generic_warning unless @found_any
+    end
+  end
+
+  def generic_warning
+    message = "Rails #{tracker.config[:rails_version]} has a vulnerability in number_to_currency (CVE-2013-6415). Upgrade to Rails version "
+
+    if version_between? "2.3.0", "3.2.15"
+      message << "3.2.16"
+    else
+      message << "4.0.2"
+    end
+
+    warn :warning_type => "Cross Site Scripting",
+      :warning_code => :CVE_2013_6415,
+      :message => message,
+      :confidence => CONFIDENCE[:med],
+      :file => gemfile_or_environment,
+      :link_path => "https://groups.google.com/d/topic/rubyonrails-security/8CpI7egxX4E/discussion"
+  end
+
+  def check_number_to_currency_usage
+    tracker.find_call(:target => false, :method => :number_to_currency).each do |result|
+      arg = result[:call].second_arg
+      next unless arg
+
+      if match = (has_immediate_user_input? arg or has_immediate_model? arg)
+        match = match.match if match.is_a? Match
+        @found_any = true
+        warn_on_number_to_currency result, match
+      end
+    end
+  end
+
+  def warn_on_number_to_currency result, match
+    warn :result => result,
+      :warning_type => "Cross Site Scripting",
+      :warning_code => :CVE_2013_6415_call,
+      :message => "Currency value in number_to_currency is not safe in Rails #{@tracker.config[:rails_version]}",
+      :confidence => CONFIDENCE[:high],
+      :link_path => "https://groups.google.com/d/topic/rubyonrails-security/8CpI7egxX4E/discussion",
+      :user_input => match
+  end
+end

lib/brakeman/checks/check_simple_format.rb

+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckSimpleFormat < Brakeman::CheckCrossSiteScripting
+  Brakeman::Checks.add self
+
+  @description = "Checks for simple_format XSS vulnerability (CVE-2013-6416) in certain versions"
+
+  def run_check
+    if version_between? "4.0.0", "4.0.1"
+      @inspect_arguments = true
+      @ignore_methods = Set[:h, :escapeHTML]
+
+      check_simple_format_usage
+      generic_warning unless @found_any
+    end
+  end
+
+  def generic_warning
+    message = "Rails #{tracker.config[:rails_version]} has a vulnerability in simple_format (CVE-2013-6416). Upgrade to Rails version 4.0.2"
+
+    warn :warning_type => "Cross Site Scripting",
+      :warning_code => :CVE_2013_6416,
+      :message => message,
+      :confidence => CONFIDENCE[:med],
+      :file => gemfile_or_environment,
+      :link_path => "https://groups.google.com/d/msg/ruby-security-ann/5ZI1-H5OoIM/ZNq4FoR2GnIJ"
+  end
+
+  def check_simple_format_usage
+    tracker.find_call(:target => false, :method => :simple_format).each do |result|
+      @matched = false
+      process_call result[:call]
+      if @matched
+        warn_on_simple_format result, @matched
+      end
+    end
+  end
+
+  def process_call exp
+    @mark = true
+    actually_process_call exp
+    exp
+  end
+
+  def warn_on_simple_format result, match
+    return if duplicate? result
+    add_result result
+
+    @found_any = true
+
+    warn :result => result,
+      :warning_type => "Cross Site Scripting",
+      :warning_code => :CVE_2013_6416_call,
+      :message => "Values passed to simple_format are not safe in Rails #{@tracker.config[:rails_version]}",
+      :confidence => CONFIDENCE[:high],
+      :file => gemfile_or_environment,
+      :link_path => "https://groups.google.com/d/msg/ruby-security-ann/5ZI1-H5OoIM/ZNq4FoR2GnIJ",
+      :user_input => match.match
+  end
+end

lib/brakeman/checks/check_sql.rb

@@ -556,6 +556,11 @@ def check_rails_versions_against_cve_issues
         :versions => [%w[2.0.0 2.3.15 2.3.16], %w[3.0.0 3.0.18 3.0.19], %w[3.1.0 3.1.9 3.1.10], %w[3.2.0 3.2.10 3.2.11]],
         :url => "https://groups.google.com/d/topic/rubyonrails-security/c7jT-EeN9eI/discussion"
       },
+      {
+        :cve => "CVE-2013-6417",
+        :versions => [%w[2.0.0 3.2.15 3.2.16], %w[4.0.0 4.0.1 4.0.2]],
+        :url => "https://groups.google.com/d/msg/ruby-security-ann/niK4drpSHT4/g8JW8ZsayRkJ"
+      },
     ].each do |cve_issue|
       cve_warning_for cve_issue[:versions], cve_issue[:cve], cve_issue[:url]
     end

lib/brakeman/processors/gem_processor.rb

@@ -15,6 +15,7 @@ class Brakeman::GemProcessor < Brakeman::BaseProcessor
     if gem_lock
       get_rails_version gem_lock
       get_json_version gem_lock
+      get_i18n_version gem_lock
     elsif @tracker.config[:gems][:rails] =~ /(\d+.\d+.\d+)/
       @tracker.config[:rails_version] = $1
     end
@@ -61,4 +62,8 @@ class Brakeman::GemProcessor < Brakeman::BaseProcessor
     @tracker.config[:gems][:json] = get_version("json", gem_lock)
     @tracker.config[:gems][:json_pure] = get_version("json_pure", gem_lock)
   end
+
+  def get_i18n_version gem_lock
+    @tracker.config[:gems][:i18n] = get_version("i18n", gem_lock)
+  end
 end

lib/brakeman/warning_codes.rb

@@ -62,7 +62,14 @@ module Brakeman::WarningCodes
     :unsafe_symbol_creation => 59,
     :dangerous_attr_accessible => 60,
     :local_request_config => 61,
-    :detailed_exceptions => 62
+    :detailed_exceptions => 62,
+    :CVE_2013_4491 => 63,
+    :CVE_2013_6414 => 64,
+    :CVE_2013_6415 => 65,
+    :CVE_2013_6415_call => 66,
+    :CVE_2013_6416 => 67,
+    :CVE_2013_6416_call => 68,
+    :CVE_2013_6417 => 69,
   }
 
   def self.code name

test/apps/rails3.2/config/initializers/header_dos_protection.rb

+# https://groups.google.com/d/msg/ruby-security-ann/A-ebV4WxzKg/KNPTbX8XAQUJ
+ActiveSupport.on_load(:action_view) do 
+  ActionView::LookupContext::DetailsKey.class_eval do 
+    class << self 
+      alias :old_get :get 
+
+      def get(details) 
+        if details[:formats] 
+          details = details.dup 
+          syms    = Set.new Mime::SET.symbols 
+          details[:formats] = details[:formats].select { |v| 
+            syms.include? v 
+          } 
+        end 
+        old_get details 
+      end 
+    end 
+  end 
+end 

test/apps/rails4/app/views/users/index.html.erb

@@ -5,3 +5,7 @@
 <%= raw call_something(params).to_json %>
 
 <%= raw params[:stuff].to_json %>
+
+<%= number_to_currency(params[:cost], params[:currency]) %>
+
+<%= number_to_currency(params[:cost], h(params[:currency])) %> Should not warn

test/apps/rails4/config/initializers/i18n.rb

+require 'i18n' 
+
+# Override exception handler to more carefully html-escape missing-key results. 
+class HtmlSafeI18nExceptionHandler 
+  Missing = I18n.const_defined?(:MissingTranslation) ? I18n::MissingTranslation : I18n::MissingTranslationData 
+
+  def initialize(original_exception_handler) 
+    @original_exception_handler = original_exception_handler 
+  end 
+
+  def call(exception, locale, key, options) 
+    if exception.is_a?(Missing) && options[:rescue_format] == :html 
+      keys = exception.keys.map { |k| Rack::Utils.escape_html k } 
+      key = keys.last.to_s.gsub('_', ' ').gsub(/\b('?[a-z])/) { $1.capitalize } 
+      %(<span class="translation_missing" title="translation missing: #{keys.join('.')}">#{key}</span>) 
+    else 
+      @original_exception_handler.call(exception, locale, key, options) 
+    end 
+  end 
+end 

test/apps/rails4_with_engines/engines/user_removal/app/views/users/show.html.erb

@@ -15,6 +15,13 @@
   <%= @user_data %>
 </p>
 
+<p>
+  <b>Stuff I like:</b>
+  <%= simple_format(@user.likes, :class => "likes") %>
+  <%= simple_format("some string", :color => params[:color]) %>
+  <%= simple_format("some string", :id => h(params[:color])) %> should not warn
+</p>
+
 
 <%= link_to 'Edit', edit_user_path(@user) %> |
 <%= link_to 'Back', users_path %>

test/tests/only_files_option.rb

@@ -11,8 +11,7 @@ class OnlyFilesOptionTests < Test::Unit::TestCase
       :controller => 0,
       :model => 0,
       :template => 1,
-      :generic => 4 }
-
+      :generic => 8 }
 
     if RUBY_PLATFORM == 'java'
       @expected[:generic] += 1
@@ -53,4 +52,49 @@ class OnlyFilesOptionTests < Test::Unit::TestCase
       :file => /sanitized\.html\.erb/
   end
 
+  def test_i18n_xss_CVE_2013_4491
+    assert_warning :type => :warning,
+      :warning_code => 63,
+      :fingerprint => "de0e11056b9f9af7b8570d5354185cd7e17a18cc61d627555fe4adfff00fb447",
+      :warning_type => "Cross Site Scripting",
+      :message => /^Rails\ 3\.2\.9\.rc2\ has\ an\ XSS\ vulnerability/,
+      :confidence => 1,
+      :relative_path => "Gemfile"
+  end
+
+  def test_denial_of_service_CVE_2013_6414
+    assert_warning :type => :warning,
+      :warning_code => 64,
+      :fingerprint => "a7b00f08e4a18c09388ad017876e3f57d18040ead2816a2091f3301b6f0e5a00",
+      :warning_type => "Denial of Service",
+      :line => nil,
+      :message => /^Rails\ 3\.2\.9\.rc2\ has\ a\ denial\ of\ service\ /,
+      :confidence => 1,
+      :relative_path => "Gemfile",
+      :user_input => nil
+  end
+
+  def test_number_to_currency_CVE_2013_6415
+    assert_warning :type => :warning,
+      :warning_code => 65,
+      :fingerprint => "813b00b5c58567fb3f32051578b839cb25fc2d827834a30d4b213a4c126202a2",
+      :warning_type => "Cross Site Scripting",
+      :line => nil,
+      :message => /^Rails\ 3\.2\.9\.rc2 has\ a\ vulnerability\ in\ numbe/,
+      :confidence => 1,
+      :relative_path => "Gemfile",
+      :user_input => nil
+  end
+
+  def test_sql_injection_CVE_2013_6417
+    assert_warning :type => :warning,
+      :warning_code => 69,
+      :fingerprint => "e1b66f4311771d714a13be519693c540d7e917511a758827d9b2a0a7f958e40f",
+      :warning_type => "SQL Injection",
+      :line => nil,
+      :message => /^Rails\ 3\.2\.9\.rc2 contains\ a\ SQL\ injection\ vul/,
+      :confidence => 0,
+      :relative_path => "Gemfile",
+      :user_input => nil
+  end
 end

test/tests/rails2.rb

@@ -12,13 +12,13 @@ class Rails2Tests < Test::Unit::TestCase
         :controller => 1,
         :model => 3,
         :template => 45,
-        :generic => 46 }
+        :generic => 48 }
     else
       @expected ||= {
         :controller => 1,
         :model => 3,
         :template => 45,
-        :generic => 47 }
+        :generic => 49 }
     end
   end
 
@@ -955,6 +955,28 @@ class Rails2Tests < Test::Unit::TestCase
       :relative_path => "config/environment.rb"
   end
 
+  def test_number_to_currency_CVE_2013_6415
+    assert_warning :type => :warning,
+      :warning_code => 65,
+      :fingerprint => "1822c8179beeb0358b71c545bad0dd824104aed8b995fe0781c1b6e324417a91",
+      :warning_type => "Cross Site Scripting",
+      :message => /^Rails\ 2\.3\.11\ has\ a\ vulnerability\ in\ numb/,
+      :confidence => 1,
+      :relative_path => "config/environment.rb"
+  end
+
+  def test_sql_injection_CVE_2013_6417
+    assert_warning :type => :warning,
+      :warning_code => 69,
+      :fingerprint => "378978cda99add8404dd38db466f6ffa0b824ea8c57270d98869241a240d12a6",
+      :warning_type => "SQL Injection",
+      :line => nil,
+      :message => /^Rails\ 2\.3\.11\ contains\ a\ SQL\ injection\ vu/,
+      :confidence => 0,
+      :relative_path => "config/environment.rb",
+      :user_input => nil
+  end
+
   def test_to_json
     assert_warning :type => :template,
       :warning_type => "Cross Site Scripting",
@@ -1230,13 +1252,13 @@ class Rails2WithOptionsTests < Test::Unit::TestCase
         :controller => 1,
         :model => 4,
         :template => 45,
-        :generic => 46 }
+        :generic => 48 }
     else
       @expected ||= {
         :controller => 1,
         :model => 4,
         :template => 45,
-        :generic => 47 }
+        :generic => 49 }
     end
   end
 

test/tests/rails3.rb

@@ -16,7 +16,7 @@ class Rails3Tests < Test::Unit::TestCase
       :controller => 1,
       :model => 8,
       :template => 38,
-      :generic => 63
+      :generic => 66
     }
 
     if RUBY_PLATFORM == 'java'
@@ -1081,12 +1081,48 @@ class Rails3Tests < Test::Unit::TestCase
 
   def test_denial_of_service_CVE_2013_1854
     assert_no_warning :type => :warning,
+      :warning_code => 55,
+      :fingerprint => "2746b8872d4f46676a8c490a7ac906d23f6b11c9d83b6371ff5895139ec7b43b",
       :warning_type => "Denial of Service",
       :message => /^Rails\ 3\.0\.3\ has\ a\ denial\ of\ service\ vul/,
       :confidence => 1,
       :file => /Gemfile/
   end
 
+  def test_denial_of_service_CVE_2013_6414
+    assert_warning :type => :warning,
+      :warning_code => 64,
+      :fingerprint => "a7b00f08e4a18c09388ad017876e3f57d18040ead2816a2091f3301b6f0e5a00",
+      :warning_type => "Denial of Service",
+      :message => /^Rails\ 3\.0\.3\ has\ a\ denial\ of\ service\ vuln/,
+      :confidence => 1,
+      :relative_path => "Gemfile"
+  end
+
+  def test_number_to_currency_CVE_2013_6415
+    assert_warning :type => :warning,
+      :warning_code => 65,
+      :fingerprint => "813b00b5c58567fb3f32051578b839cb25fc2d827834a30d4b213a4c126202a2",
+      :warning_type => "Cross Site Scripting",
+      :line => nil,
+      :message => /^Rails\ 3\.0\.3\ has\ a\ vulnerability\ in\ numbe/,
+      :confidence => 1,
+      :relative_path => "Gemfile",
+      :user_input => nil
+  end
+
+  def test_sql_injection_CVE_2013_6417
+    assert_warning :type => :warning,
+      :warning_code => 69,
+      :fingerprint => "e1b66f4311771d714a13be519693c540d7e917511a758827d9b2a0a7f958e40f",
+      :warning_type => "SQL Injection",
+      :line => nil,
+      :message => /^Rails\ 3\.0\.3\ contains\ a\ SQL\ injection\ vul/,
+      :confidence => 0,
+      :relative_path => "Gemfile",
+      :user_input => nil
+  end
+
   def test_http_only_session_setting
     assert_warning :type => :warning,
       :warning_type => "Session Setting",

test/tests/rails31.rb

@@ -15,7 +15,7 @@ class Rails31Tests < Test::Unit::TestCase
       :model => 3,
       :template => 23,
       :controller => 4,
-      :generic => 74 }
+      :generic => 77 }
   end
 
   def test_without_protection
@@ -802,12 +802,48 @@ class Rails31Tests < Test::Unit::TestCase
 
   def test_denial_of_service_CVE_2013_1854
     assert_warning :type => :warning,
+      :warning_code => 55,
+      :fingerprint => "2746b8872d4f46676a8c490a7ac906d23f6b11c9d83b6371ff5895139ec7b43b",
       :warning_type => "Denial of Service",
       :message => /^Rails\ 3\.1\.0\ has\ a\ denial\ of\ service\ vul/,
       :confidence => 1,
       :file => /Gemfile/
   end
 
+  def test_denial_of_service_CVE_2013_6414
+    assert_warning :type => :warning,
+      :warning_code => 64,
+      :fingerprint => "a7b00f08e4a18c09388ad017876e3f57d18040ead2816a2091f3301b6f0e5a00",
+      :warning_type => "Denial of Service",
+      :message => /^Rails\ 3\.1\.0\ has\ a\ denial\ of\ service\ vuln/,
+      :confidence => 1,
+      :relative_path => "Gemfile"
+  end
+
+  def test_number_to_currency_CVE_2013_6415
+    assert_warning :type => :warning,
+      :warning_code => 65,
+      :fingerprint => "813b00b5c58567fb3f32051578b839cb25fc2d827834a30d4b213a4c126202a2",
+      :warning_type => "Cross Site Scripting",
+      :line => nil,
+      :message => /^Rails\ 3\.1\.0\ has\ a\ vulnerability\ in\ numbe/,
+      :confidence => 1,
+      :relative_path => "Gemfile",
+      :user_input => nil
+  end
+
+  def test_sql_injection_CVE_2013_6417
+    assert_warning :type => :warning,
+      :warning_code => 69,
+      :fingerprint => "e1b66f4311771d714a13be519693c540d7e917511a758827d9b2a0a7f958e40f",
+      :warning_type => "SQL Injection",
+      :line => nil,
+      :message => /^Rails\ 3\.1\.0\ contains\ a\ SQL\ injection\ vul/,
+      :confidence => 0,
+      :relative_path => "Gemfile",
+      :user_input => nil
+  end
+
   def test_to_json_with_overwritten_config
     assert_warning :type => :template,
       :warning_type => "Cross Site Scripting",

test/tests/rails32.rb

@@ -11,8 +11,7 @@ class Rails32Tests < Test::Unit::TestCase
       :controller => 0,
       :model => 5,
       :template => 11,
-      :generic => 7 }
-
+      :generic => 10 }
 
     if RUBY_PLATFORM == 'java'
       @expected[:generic] += 1
@@ -82,12 +81,48 @@ class Rails32Tests < Test::Unit::TestCase
 
   def test_denial_of_service_CVE_2013_1854
     assert_warning :type => :warning,
+      :warning_code => 55,
+      :fingerprint => "2746b8872d4f46676a8c490a7ac906d23f6b11c9d83b6371ff5895139ec7b43b",
       :warning_type => "Denial of Service",
       :message => /^Rails\ 3\.2\.9\.rc2\ has\ a\ denial\ of\ service\ vul/,
       :confidence => 1,
       :file => /Gemfile/
   end
 
+  def test_i18n_xss_CVE_2013_4491
+    assert_warning :type => :warning,
+      :warning_code => 63,
+      :fingerprint => "de0e11056b9f9af7b8570d5354185cd7e17a18cc61d627555fe4adfff00fb447",
+      :warning_type => "Cross Site Scripting",
+      :message => /^Rails\ 3\.2\.9\.rc2\ has\ an\ XSS\ vulnerability/,
+      :confidence => 1,
+      :relative_path => "Gemfile"
+  end
+
+  def test_number_to_currency_CVE_2013_6415
+    assert_warning :type => :warning,
+      :warning_code => 65,
+      :fingerprint => "813b00b5c58567fb3f32051578b839cb25fc2d827834a30d4b213a4c126202a2",
+      :warning_type => "Cross Site Scripting",
+      :line => nil,
+      :message => /^Rails\ 3\.2\.9\.rc2 has\ a\ vulnerability\ in\ numbe/,
+      :confidence => 1,
+      :relative_path => "Gemfile",
+      :user_input => nil
+  end
+
+  def test_sql_injection_CVE_2013_6417
+    assert_warning :type => :warning,
+      :warning_code => 69,
+      :fingerprint => "e1b66f4311771d714a13be519693c540d7e917511a758827d9b2a0a7f958e40f",
+      :warning_type => "SQL Injection",
+      :line => nil,
+      :message => /^Rails\ 3\.2\.9\.rc2 contains\ a\ SQL\ injection\ vul/,
+      :confidence => 0,
+      :relative_path => "Gemfile",
+      :user_input => nil
+  end
+
   def test_redirect_1
     assert_warning :type => :warning,
       :warning_type => "Redirect",

test/tests/rails4.rb

@@ -14,8 +14,8 @@ class Rails4Tests < Test::Unit::TestCase
     @expected ||= {
       :controller => 0,
       :model => 0,
-      :template => 0,
-      :generic => 5
+      :template => 1,
+      :generic => 9
     }
   end
 
@@ -143,4 +143,60 @@ class Rails4Tests < Test::Unit::TestCase
       :relative_path => "app/controllers/friendly_controller.rb",
       :user_input => s(:call, s(:params), :[], s(:lit, :query))
   end
+
+  def test_i18n_xss_CVE_2013_4491
+    assert_warning :type => :warning,
+      :warning_code => 63,
+      :fingerprint => "de0e11056b9f9af7b8570d5354185cd7e17a18cc61d627555fe4adfff00fb447",
+      :warning_type => "Cross Site Scripting",
+      :message => /^Rails\ 4\.0\.0\ has\ an\ XSS\ vulnerability\ in\ /,
+      :confidence => 1,
+      :relative_path => "Gemfile"
+  end
+
+  def test_denial_of_service_CVE_2013_6414
+    assert_warning :type => :warning,
+      :warning_code => 64,
+      :fingerprint => "a7b00f08e4a18c09388ad017876e3f57d18040ead2816a2091f3301b6f0e5a00",
+      :warning_type => "Denial of Service",
+      :message => /^Rails\ 4\.0\.0\ has\ a\ denial\ of\ service\ vuln/,
+      :confidence => 1,
+      :relative_path => "Gemfile"
+  end
+
+  def test_number_to_currency_CVE_2013_6415
+    assert_warning :type => :template,
+      :warning_code => 66,
+      :fingerprint => "0fb96b5f4b3a4dcdc677d126f492441e2f7b46880563a977b1246b30d3c117a0",
+      :warning_type => "Cross Site Scripting",
+      :line => 9,
+      :message => /^Currency\ value\ in\ number_to_currency\ is\ /,
+      :confidence => 0,
+      :relative_path => "app/views/users/index.html.erb",
+      :user_input => s(:call, s(:call, nil, :params), :[], s(:lit, :currency))
+  end
+
+  def test_simple_format_xss_CVE_2013_6416
+    assert_warning :type => :warning,
+      :warning_code => 67,
+      :fingerprint => "e950ee1043d7f66b7f6ce99c2bf0876bd3ce8cb12818b52565b905cdb6004bad",
+      :warning_type => "Cross Site Scripting",
+      :line => nil,
+      :message => /^Rails\ 4\.0\.0 has\ a\ vulnerability\ in/,
+      :confidence => 1,
+      :relative_path => "Gemfile",
+      :user_input => nil
+  end
+
+  def test_sql_injection_CVE_2013_6417
+    assert_warning :type => :warning,
+      :warning_code => 69,
+      :fingerprint => "e1b66f4311771d714a13be519693c540d7e917511a758827d9b2a0a7f958e40f",
+      :warning_type => "SQL Injection",
+      :line => nil,
+      :message => /^Rails\ 4\.0\.0 contains\ a\ SQL\ injection\ vul/,
+      :confidence => 0,
+      :relative_path => "Gemfile",
+      :user_input => nil
+  end
 end

test/tests/rails4_with_engines.rb

@@ -10,14 +10,70 @@ class Rails4WithEnginesTests < Test::Unit::TestCase
     @expected ||= {
       :controller => 0,
       :model => 5,
-      :template => 9,
-      :generic => 2 }
+      :template => 11,
+      :generic => 6 }
   end
 
   def report
     Rails4WithEngines
   end
 
+  def test_i18n_xss_CVE_2013_4491
+    assert_warning :type => :warning,
+      :warning_code => 63,
+      :fingerprint => "de0e11056b9f9af7b8570d5354185cd7e17a18cc61d627555fe4adfff00fb447",
+      :warning_type => "Cross Site Scripting",
+      :message => /^Rails\ 4\.0\.0\ has\ an\ XSS\ vulnerability\ in\ /,
+      :confidence => 1,
+      :relative_path => "Gemfile"
+  end
+
+  def test_number_to_currency_CVE_2013_6415
+    assert_warning :type => :warning,
+      :warning_code => 65,
+      :fingerprint => "813b00b5c58567fb3f32051578b839cb25fc2d827834a30d4b213a4c126202a2",
+      :warning_type => "Cross Site Scripting",
+      :line => nil,
+      :message => /^Rails\ 4\.0\.0\ has\ a\ vulnerability\ in\ numbe/,
+      :confidence => 1,
+      :relative_path => "Gemfile",
+      :user_input => nil
+  end
+
+  def test_xss_simple_format_CVE_2013_6416
+    assert_warning :type => :template,
+      :warning_code => 68,
+      :fingerprint => "0e340cc916e7487f118dae7cf3e3c1e6763c13455ec84ad56b4d3f520de8b3cb",
+      :warning_type => "Cross Site Scripting",
+      :line => 20,
+      :message => /^Values\ passed\ to\ simple_format\ are\ not\ s/,
+      :confidence => 0,
+      :relative_path => "Gemfile",
+      :user_input => s(:call, s(:call, s(:const, :User), :find, s(:call, s(:params), :[], s(:lit, :id))), :likes)
+
+    assert_warning :type => :template,
+      :warning_code => 68,
+      :fingerprint => "33d10865a3c6c1594ecbee5511cde466b474b0e819ef979193159559becfbd4c",
+      :warning_type => "Cross Site Scripting",
+      :line => 21,
+      :message => /^Values\ passed\ to\ simple_format\ are\ not\ s/,
+      :confidence => 0,
+      :relative_path => "Gemfile",
+      :user_input => s(:call, s(:params), :[], s(:lit, :color))
+  end
+
+  def test_sql_injection_CVE_2013_6417
+    assert_warning :type => :warning,
+      :warning_code => 69,
+      :fingerprint => "e1b66f4311771d714a13be519693c540d7e917511a758827d9b2a0a7f958e40f",
+      :warning_type => "SQL Injection",
+      :line => nil,
+      :message => /^Rails\ 4\.0\.0\ contains\ a\ SQL\ injection\ vul/,
+      :confidence => 0,
+      :relative_path => "Gemfile",
+      :user_input => nil
+  end
+
   def test_redirect_1
     assert_warning :type => :generic,
       :warning_code => 18,

test/tests/rails_with_xss_plugin.rb

@@ -11,7 +11,7 @@ class RailsWithXssPluginTests < Test::Unit::TestCase
       :controller => 1,
       :model => 3,
       :template => 2,
-      :generic => 20 }
+      :generic => 22 }
   end
 
   def report
@@ -334,4 +334,28 @@ class RailsWithXssPluginTests < Test::Unit::TestCase
       :confidence => 1,
       :file => /Gemfile/
   end
+
+  def test_sql_injection_CVE_2013_6417
+    assert_warning :type => :warning,
+      :warning_code => 69,
+      :fingerprint => "e1b66f4311771d714a13be519693c540d7e917511a758827d9b2a0a7f958e40f",
+      :warning_type => "SQL Injection",
+      :line => nil,
+      :message => /^Rails\ 2\.3\.14\ contains\ a\ SQL\ injection\ vu/,
+      :confidence => 0,
+      :relative_path => "Gemfile",
+      :user_input => nil
+  end
+
+  def test_number_to_currency_CVE_2013_6415
+    assert_warning :type => :warning,
+      :warning_code => 65,
+      :fingerprint => "813b00b5c58567fb3f32051578b839cb25fc2d827834a30d4b213a4c126202a2",
+      :warning_type => "Cross Site Scripting",
+      :line => nil,
+      :message => /^Rails\ 2\.3\.14\ has\ a\ vulnerability\ in\ numb/,
+      :confidence => 1,
+      :relative_path => "Gemfile",
+      :user_input => nil
+  end
 end

test/tests/tabs_output.rb

@@ -3,9 +3,9 @@ class TestTabsOutput < Test::Unit::TestCase
 
   def test_reported_warnings
     if Brakeman::Scanner::RUBY_1_9
-      assert_equal Report.lines.to_a.count, 96
+      assert_equal 98, Report.lines.to_a.count
     else
-      assert_equal Report.lines.to_a.count, 97
+      assert_equal 99, Report.lines.to_a.count
     end
   end
 end