From 5dc5db41bbbd6f595680bca822ee0afd2ffdcc2d Mon Sep 17 00:00:00 2001
From: Justin Collins
Date: Tue, 12 Jun 2012 14:37:22 -0700
Subject: [PATCH] Add check for CVE-2012-2695
---
lib/brakeman/checks/check_sql.rb | 12 ++++++++++++
test/tests/test_rails2.rb | 11 +++++++++--
test/tests/test_rails3.rb | 10 +++++++++-
test/tests/test_rails31.rb | 10 +++++++++-
test/tests/test_rails_with_xss_plugin.rb | 10 +++++++++-
5 files changed, 48 insertions(+), 5 deletions(-)
diff --git a/lib/brakeman/checks/check_sql.rb b/lib/brakeman/checks/check_sql.rb
index 728df3bf..2a71d354 100644
--- a/lib/brakeman/checks/check_sql.rb
+++ b/lib/brakeman/checks/check_sql.rb
@@ -43,6 +43,9 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck Brakeman.debug "Checking version of Rails for CVE-2012-2661" check_rails_version_for_cve_2012_2661
+ Brakeman.debug "Checking version of Rails for CVE-2012-2695"
+ check_rails_version_for_cve_2012_2695
+ Brakeman.debug "Processing possible SQL calls" calls.each do |c| process_result c
@@ -104,6 +107,15 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck end end
+ def check_rails_version_for_cve_2012_2695
+ if version_between?("2.0.0", "3.0.0") || version_between?("3.0.0", "3.0.13") || version_between?("3.1.0", "3.1.5") || version_between?("3.2.0", "3.2.5")
+ warn :warning_type => 'SQL Injection',
+ :message => 'All versions of Rails before 3.0.14, 3.1.6, and 3.2.6 contain a SQL Injection Vulnerability: CVE-2012-2695; Upgrade to 3.2.6, 3.1.6, 3.0.14',
+ :confidence => CONFIDENCE[:high],
+ :file => gemfile_or_environment
+ end
+ end
+ def process_scope_with_block model_name, args scope_name = args[1][1] block = args[-1][-1]
diff --git a/test/tests/test_rails2.rb b/test/tests/test_rails2.rb
index a4a1d2b1..2a749de2 100644
--- a/test/tests/test_rails2.rb
+++ b/test/tests/test_rails2.rb
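Review bot: In `check_rails_version_for_cve_2012_2695` (second hunk of lib/brakeman/checks/check_sql.rb) the message claims "All versions of Rails before 3.0.14, 3.1.6, and 3.2.6", but the condition starts at `version_between?("2.0.0", "3.0.0")`, so a release older than 2.0.0 would presumably produce no warning; either lower the floor or word the message to match the ranges actually tested. The 2.x range is also told only to "Upgrade to 3.2.6, 3.1.6, 3.0.14", which is not an in-series remedy for those applications. The warning is raised at `CONFIDENCE[:high]` from the version string alone, so an application carrying a backported patch is still flagged; a comment such as `# Version-only check: a backported fix is not detected` above the `if` would make that limit explicit. How `version_between?` treats its bounds and pre-release version strings is not visible in this hunk, so the upper bounds `3.0.13`, `3.1.5` and `3.2.5` are worth confirming against it.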
@@ -12,13 +12,13 @@ class Rails2Tests < Test::Unit::TestCase :controller => 1, :model => 2, :template => 27,
- :warning => 27 }
+ :warning => 28 } else @expected ||= { :controller => 1, :model => 2, :template => 27,
- :warning => 28 }
+ :warning => 29 } end end
@@ -172,6 +172,13 @@ class Rails2Tests < Test::Unit::TestCase :confidence => 0 end
+ def test_rails_cve_2012_2695
+ assert_warning :type => :warning,
+ :warning_type => "SQL Injection",
+ :message => /CVE-2012-2695/,
+ :confidence => 0
+ end
+ def test_sql_injection_find_by_sql assert_warning :type => :warning, :warning_type => "SQL Injection",
diff --git a/test/tests/test_rails3.rb b/test/tests/test_rails3.rb
index 5f23a32b..bf038359 100644
--- a/test/tests/test_rails3.rb
+++ b/test/tests/test_rails3.rb
@@ -15,7 +15,7 @@ class Rails3Tests < Test::Unit::TestCase :controller => 1, :model => 5, :template => 22,
- :warning => 25
+ :warning => 26 } end
@@ -183,6 +183,14 @@ class Rails3Tests < Test::Unit::TestCase :file => /Gemfile/ end
+ def test_rails_cve_2012_2695
+ assert_warning :type => :warning,
+ :warning_type => "SQL Injection",
+ :message => /CVE-2012-2695/,
+ :confidence => 0,
+ :file => /Gemfile/
+ end
+ def test_sql_injection_find_by_sql assert_warning :type => :warning, :warning_type => "SQL Injection",
diff --git a/test/tests/test_rails31.rb b/test/tests/test_rails31.rb
index 2531faf2..54077285 100644
--- a/test/tests/test_rails31.rb
+++ b/test/tests/test_rails31.rb
@@ -15,7 +15,7 @@ class Rails31Tests < Test::Unit::TestCase :model => 0, :template => 4, :controller => 1,
- :warning => 39 }
+ :warning => 40 } end def test_without_protection
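Review bot: The new `test_rails_cve_2012_2695` cases (test_rails2.rb at `@@ -172,6 +172,13 @@`, and the same test added in test_rails3.rb, test_rails31.rb and test_rails_with_xss_plugin.rb) only assert that the warning fires. Nothing checks that a fixed release such as 3.0.14, 3.1.6 or 3.2.6 produces no warning, so an off-by-one in the range bounds of the check would still pass this suite. A negative case against a fixture pinned to a fixed version would close that gap; whether such a fixture application exists in the test tree is not visible from this patch. The test_rails2.rb variant also omits the `:file` expectation the other three carry, which may be deliberate for an application without a Gemfile, but a one-line comment such as `# Rails 2 app: version comes from environment.rb, so no :file match` would record that.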
@@ -96,6 +96,14 @@ class Rails31Tests < Test::Unit::TestCase :file => /Gemfile/ end
+ def test_rails_cve_2012_2695
+ assert_warning :type => :warning,
+ :warning_type => "SQL Injection",
+ :message => /CVE-2012-2695/,
+ :confidence => 0,
+ :file => /Gemfile/
+ end
+ def test_sql_injection_scope_lambda assert_warning :type => :warning, :warning_type => "SQL Injection",
diff --git a/test/tests/test_rails_with_xss_plugin.rb b/test/tests/test_rails_with_xss_plugin.rb
index 505b3d1c..608ab506 100644
--- a/test/tests/test_rails_with_xss_plugin.rb
+++ b/test/tests/test_rails_with_xss_plugin.rb
@@ -11,7 +11,7 @@ class RailsWithXssPluginTests < Test::Unit::TestCase :controller => 1, :model => 3, :template => 1,
- :warning => 12 }
+ :warning => 13 } end def report
@@ -136,6 +136,14 @@ class RailsWithXssPluginTests < Test::Unit::TestCase :file => /Gemfile/ end
+ def test_rails_cve_2012_2695
+ assert_warning :type => :warning,
+ :warning_type => "SQL Injection",
+ :message => /CVE-2012-2695/,
+ :confidence => 0,
+ :file => /Gemfile/
+ end
+ def test_sql_injection_12 assert_warning :type => :warning, :warning_type => "SQL Injection",
-- GitLab