Merge pull request #144 from presidentbeef/fix_version_comparison

Allow comparison of versions of unequal length

lib/brakeman/checks/base_check.rb

@@ -428,17 +428,17 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     high_version = high_version.split(".").map! { |n| n.to_i }
 
     version.each_with_index do |v, i|
-      if v < low_version[i]
+      if v < low_version.fetch(i, 0)
         return false
-      elsif v > low_version[i]
+      elsif v > low_version.fetch(i, 0)
         break
       end
     end
 
     version.each_with_index do |v, i|
-      if v > high_version[i]
+      if v > high_version.fetch(i, 0)
         return false
-      elsif v < high_version[i]
+      elsif v < high_version.fetch(i, 0)
         break
       end
     end

lib/brakeman/checks/check_select_vulnerability.rb

@@ -15,7 +15,7 @@ class Brakeman::CheckSelectVulnerability < Brakeman::BaseCheck
       suggested_version = "3.1.4"
     elsif version_between? "3.2.0", "3.2.1"
       suggested_version = "3.2.2"
-    elsif version_between? "2.0.0", "3.0.0"
+    elsif version_between? "2.0.0", "2.3.14"
       suggested_version = "3 or use options_for_select"
     else
       return

lib/brakeman/checks/check_sql.rb

@@ -90,7 +90,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   end
 
   def check_rails_version_for_cve_2012_2660
-    if version_between?("2.0.0", "3.0.0") || version_between?("3.0.0", "3.0.12") || version_between?("3.1.0", "3.1.4") || version_between?("3.2.0", "3.2.3")
+    if version_between?("2.0.0", "2.3.14") || version_between?("3.0.0", "3.0.12") || version_between?("3.1.0", "3.1.4") || version_between?("3.2.0", "3.2.3")
       warn :warning_type => 'SQL Injection',
         :message => 'All versions of Rails before 3.0.13, 3.1.5, and 3.2.5 contain a SQL Query Generation Vulnerability: CVE-2012-2660; Upgrade to 3.2.5, 3.1.5, 3.0.13',
         :confidence => CONFIDENCE[:high],
@@ -110,7 +110,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   end
 
   def check_rails_version_for_cve_2012_2695
-    if version_between?("2.0.0", "3.0.0") || version_between?("3.0.0", "3.0.13") || version_between?("3.1.0", "3.1.5") || version_between?("3.2.0", "3.2.5")
+    if version_between?("2.0.0", "2.3.14") || version_between?("3.0.0", "3.0.13") || version_between?("3.1.0", "3.1.5") || version_between?("3.2.0", "3.2.5")
       warn :warning_type => 'SQL Injection',
         :message => 'All versions of Rails before 3.0.14, 3.1.6, and 3.2.6 contain SQL Injection Vulnerabilities: CVE-2012-2694 and CVE-2012-2695; Upgrade to 3.2.6, 3.1.6, 3.0.14',
         :confidence => CONFIDENCE[:high],

test/tests/test_brakeman.rb

@@ -41,3 +41,33 @@ class SexpTests < Test::Unit::TestCase
     assert_equal call.args, Sexp.new()
   end
 end
+
+class BaseCheckTests < Test::Unit::TestCase
+  FakeTracker = Struct.new(:config)
+
+  def setup
+    @tracker = FakeTracker.new
+    @check = Brakeman::BaseCheck.new @tracker
+  end
+
+  def version_between? version, high, low
+    @tracker.config = { :rails_version => version }
+    @check.send(:version_between?, high, low)
+  end
+
+  def test_version_between
+    assert version_between?("2.3.8", "2.3.0", "2.3.8")
+    assert version_between?("2.3.8", "2.3.0", "2.3.14")
+    assert version_between?("2.3.8", "1.0.0", "5.0.0")
+  end
+
+  def test_version_not_between
+    assert_equal false, version_between?("3.2.1", "2.0.0", "3.0.0")
+    assert_equal false, version_between?("3.2.1", "3.0.0", "3.2.0")
+    assert_equal false, version_between?("0.0.0", "3.0.0", "3.2.0")
+  end
+
+  def test_version_between_longer
+    assert_equal false, version_between?("1.0.1.2", "1.0.0", "1.0.1")
+  end
+end