Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
李少辉-开发者
Brakeman
提交
a41b8fb3
B
Brakeman
项目概览
李少辉-开发者
/
Brakeman
通知
1
Star
0
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
B
Brakeman
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
前往新版Gitcode,体验更适合开发者的 AI 搜索 >>
提交
a41b8fb3
编写于
2月 19, 2014
作者:
J
Justin Collins
浏览文件
操作
浏览文件
下载
差异文件
Merge remote-tracking branch 'origin/Feb_18_CVEs'
Conflicts: CHANGES
上级
18c84428
662b2425
变更
19
隐藏空白更改
内联
并排
Showing
19 changed file
with
206 addition
and
56 deletion
+206
-56
CHANGES
CHANGES
+6
-0
lib/brakeman/checks/check_number_to_currency.rb
lib/brakeman/checks/check_number_to_currency.rb
+30
-19
lib/brakeman/checks/check_render_dos.rb
lib/brakeman/checks/check_render_dos.rb
+37
-0
lib/brakeman/checks/check_sql.rb
lib/brakeman/checks/check_sql.rb
+15
-0
lib/brakeman/version.rb
lib/brakeman/version.rb
+1
-1
lib/brakeman/warning_codes.rb
lib/brakeman/warning_codes.rb
+5
-1
test/apps/rails3.2/app/controllers/users_controller.rb
test/apps/rails3.2/app/controllers/users_controller.rb
+4
-0
test/apps/rails3/app/controllers/products_controller.rb
test/apps/rails3/app/controllers/products_controller.rb
+4
-0
test/apps/rails4/Gemfile
test/apps/rails4/Gemfile
+1
-1
test/apps/rails4/app/views/users/index.html.erb
test/apps/rails4/app/views/users/index.html.erb
+3
-1
test/tests/only_files_option.rb
test/tests/only_files_option.rb
+4
-4
test/tests/rails2.rb
test/tests/rails2.rb
+6
-4
test/tests/rails3.rb
test/tests/rails3.rb
+16
-4
test/tests/rails31.rb
test/tests/rails31.rb
+3
-3
test/tests/rails32.rb
test/tests/rails32.rb
+17
-5
test/tests/rails4.rb
test/tests/rails4.rb
+28
-6
test/tests/rails4_with_engines.rb
test/tests/rails4_with_engines.rb
+3
-3
test/tests/rails_with_xss_plugin.rb
test/tests/rails_with_xss_plugin.rb
+3
-3
test/tests/rescanner.rb
test/tests/rescanner.rb
+20
-1
未找到文件。
CHANGES
浏览文件 @
a41b8fb3
...
...
@@ -5,6 +5,12 @@
* Skip identically rendered templates
* Fix HAML template processing
# 2.4.1
* Add check for CVE-2014-0082
* Add check for CVE-2014-0081, replaces CVE-2013-6415
* Add check for CVE-2014-0080
# 2.4.0
* Detect Rails LTS versions
...
...
lib/brakeman/checks/check_number_to_currency.rb
浏览文件 @
a41b8fb3
...
...
@@ -3,53 +3,64 @@ require 'brakeman/checks/base_check'
class
Brakeman::CheckNumberToCurrency
<
Brakeman
::
BaseCheck
Brakeman
::
Checks
.
add
self
@description
=
"Checks for number
_to_currency XSS vulnerability
in certain versions"
@description
=
"Checks for number
helpers XSS vulnerabilities
in certain versions"
def
run_check
return
if
lts_version?
'2.3.18.6'
if
(
version_between?
"2.0.0"
,
"3.2.15"
or
version_between?
"4.0.0"
,
"4.0.1"
)
check_number_to_currency_usage
if
version_between?
"2.0.0"
,
"2.3.18"
or
version_between?
"3.0.0"
,
"3.2.16"
or
version_between?
"4.0.0"
,
"4.0.2"
check_number_helper_usage
generic_warning
unless
@found_any
end
end
def
generic_warning
message
=
"Rails
#{
tracker
.
config
[
:rails_version
]
}
has a vulnerability in number
_to_currency (CVE-2013-6415
). Upgrade to Rails version "
message
=
"Rails
#{
tracker
.
config
[
:rails_version
]
}
has a vulnerability in number
helpers (CVE-2014-0081
). Upgrade to Rails version "
if
version_between?
"2.3.0"
,
"3.2.1
5
"
message
<<
"3.2.1
6
"
if
version_between?
"2.3.0"
,
"3.2.1
6
"
message
<<
"3.2.1
7
"
else
message
<<
"4.0.
2
"
message
<<
"4.0.
3
"
end
warn
:warning_type
=>
"Cross Site Scripting"
,
:warning_code
=>
:CVE_201
3_6415
,
:warning_code
=>
:CVE_201
4_0081
,
:message
=>
message
,
:confidence
=>
CONFIDENCE
[
:med
],
:file
=>
gemfile_or_environment
,
:link_path
=>
"https://groups.google.com/d/msg/ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ"
end
def
check_number_to_currency_usage
tracker
.
find_call
(
:target
=>
false
,
:method
=>
:number_to_currency
).
each
do
|
result
|
def
check_number_helper_usage
number_methods
=
[
:number_to_currency
,
:number_to_percentage
,
:number_to_human
]
tracker
.
find_call
(
:target
=>
false
,
:methods
=>
number_methods
).
each
do
|
result
|
arg
=
result
[
:call
].
second_arg
next
unless
arg
if
match
=
(
has_immediate_user_input?
arg
or
has_immediate_model?
arg
)
match
=
match
.
match
if
match
.
is_a?
Match
@found_any
=
true
warn_on_number_to_currency
result
,
match
if
not
check_helper_option
(
result
,
arg
)
and
hash
?
arg
hash_iterate
(
arg
)
do
|
key
,
value
|
break
if
check_helper_option
(
result
,
value
)
end
end
end
end
def
warn_on_number_to_currency
result
,
match
def
check_helper_option
result
,
exp
if
match
=
(
has_immediate_user_input?
exp
or
has_immediate_model?
exp
)
match
=
match
.
match
if
match
.
is_a?
Match
warn_on_number_helper
result
,
match
@found_any
=
true
else
false
end
end
def
warn_on_number_helper
result
,
match
warn
:
result
=>
result
,
:warning_type
=>
"Cross Site Scripting"
,
:warning_code
=>
:CVE_201
3_6415
_call
,
:message
=>
"
Currency value in number_to_currency is
not safe in Rails
#{
@tracker
.
config
[
:rails_version
]
}
"
,
:warning_code
=>
:CVE_201
4_0081
_call
,
:message
=>
"
Format options in
#{
result
[
:call
].
method
}
are
not safe in Rails
#{
@tracker
.
config
[
:rails_version
]
}
"
,
:confidence
=>
CONFIDENCE
[
:high
],
:link_path
=>
"https://groups.google.com/d/msg/ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ"
,
:user_input
=>
match
...
...
lib/brakeman/checks/check_render_dos.rb
0 → 100644
浏览文件 @
a41b8fb3
require
'brakeman/checks/base_check'
class
Brakeman::CheckRenderDoS
<
Brakeman
::
BaseCheck
Brakeman
::
Checks
.
add
self
@description
=
"Warn about denial of service with render :text (CVE-2014-0082)"
def
run_check
if
version_between?
"3.0.0"
,
"3.0.20"
or
version_between?
"3.1.0"
,
"3.1.12"
or
version_between?
"3.2.0"
,
"3.2.16"
tracker
.
find_call
(
:target
=>
nil
,
:method
=>
:render
).
each
do
|
result
|
if
text_render?
result
warn_about_text_render
break
end
end
end
end
def
text_render?
result
node_type?
result
[
:call
],
:render
and
result
[
:call
].
render_type
==
:text
end
def
warn_about_text_render
message
=
"Rails
#{
tracker
.
config
[
:rails_version
]
}
has a denial of service vulnerability (CVE-2014-0082). Upgrade to Rails version 3.2.17"
warn
:warning_type
=>
"Denial of Service"
,
:warning_code
=>
:CVE_2014_0082
,
:message
=>
message
,
:confidence
=>
CONFIDENCE
[
:high
],
:link_path
=>
"https://groups.google.com/d/msg/rubyonrails-security/LMxO_3_eCuc/ozGBEhKaJbIJ"
,
:file
=>
gemfile_or_environment
end
end
lib/brakeman/checks/check_sql.rb
浏览文件 @
a41b8fb3
...
...
@@ -51,6 +51,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
Brakeman
.
debug
"Processing possible SQL calls"
calls
.
each
{
|
call
|
process_result
call
}
check_CVE_2014_0080
end
#Find calls to named_scope() or scope() in models
...
...
@@ -638,6 +640,19 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
end
end
# TODO: Move all SQL CVE checks to separate class
def
check_CVE_2014_0080
return
unless
version_between?
"4.0.0"
,
"4.0.2"
and
@tracker
.
config
[
:gems
].
include?
:pg
warn
:warning_type
=>
'SQL Injection'
,
:warning_code
=>
:CVE_2014_0080
,
:message
=>
"Rails
#{
tracker
.
config
[
:rails_version
]
}
contains a SQL injection vulnerability (CVE-2014-0080) with PostgreSQL. Upgrade to 4.0.3"
,
:confidence
=>
CONFIDENCE
[
:high
],
:file
=>
gemfile_or_environment
,
:link_path
=>
"https://groups.google.com/d/msg/rubyonrails-security/Wu96YkTUR6s/pPLBMZrlwvYJ"
end
def
upgrade_version?
versions
versions
.
each
do
|
low
,
high
,
upgrade
|
return
upgrade
if
version_between?
low
,
high
...
...
lib/brakeman/version.rb
浏览文件 @
a41b8fb3
module
Brakeman
Version
=
"2.4.
0
"
Version
=
"2.4.
1
"
end
lib/brakeman/warning_codes.rb
浏览文件 @
a41b8fb3
...
...
@@ -71,7 +71,11 @@ module Brakeman::WarningCodes
:CVE_2013_6416_call
=>
68
,
:CVE_2013_6417
=>
69
,
:mass_assign_permit!
=>
70
,
:ssl_verification_bypass
=>
71
:ssl_verification_bypass
=>
71
,
:CVE_2014_0080
=>
72
,
:CVE_2014_0081
=>
73
,
:CVE_2014_0081_call
=>
74
,
:CVE_2014_0082
=>
75
,
}
def
self
.
code
name
...
...
test/apps/rails3.2/app/controllers/users_controller.rb
浏览文件 @
a41b8fb3
...
...
@@ -92,4 +92,8 @@ class UsersController < ApplicationController
def
show_detailed_exceptions?
false
# no warning
end
def
render_text
render
:text
=>
"oh noes my service"
end
end
test/apps/rails3/app/controllers/products_controller.rb
浏览文件 @
a41b8fb3
...
...
@@ -80,4 +80,8 @@ class ProductsController < ApplicationController
format
.
xml
{
head
:ok
}
end
end
def
render_some_text
render
:text
=>
"jello"
end
end
test/apps/rails4/Gemfile
浏览文件 @
a41b8fb3
...
...
@@ -3,7 +3,7 @@ source 'https://rubygems.org'
# Bundle edge Rails instead: gem 'rails', github: 'rails/rails'
gem
'rails'
,
'4.0.0'
gem
'
sqlite3
'
gem
'
pg
'
# Gems used only for assets and not required
# in production environments by default.
...
...
test/apps/rails4/app/views/users/index.html.erb
浏览文件 @
a41b8fb3
...
...
@@ -8,4 +8,6 @@
<%=
number_to_currency
(
params
[
:cost
],
params
[
:currency
])
%>
<%=
number_to_currency
(
params
[
:cost
],
h
(
params
[
:currency
]))
%>
Should not warn
<%=
number_to_human
(
params
[
:cost
],
format:
h
(
params
[
:format
]))
%>
Should not warn
<%=
number_to_percentage
(
params
[
:cost
],
negative_format:
params
[
:format
])
%>
test/tests/only_files_option.rb
浏览文件 @
a41b8fb3
...
...
@@ -74,13 +74,13 @@ class OnlyFilesOptionTests < Test::Unit::TestCase
:user_input
=>
nil
end
def
test_number_to_currency_CVE_201
3_6415
def
test_number_to_currency_CVE_201
4_0081
assert_warning
:type
=>
:warning
,
:warning_code
=>
65
,
:fingerprint
=>
"
813b00b5c58567fb3f32051578b839cb25fc2d827834a30d4b213a4c126202a2
"
,
:warning_code
=>
73
,
:fingerprint
=>
"
f6981b9c24727ef45040450a1f4b158ae3bc31b4b0343efe853fe12c64881695
"
,
:warning_type
=>
"Cross Site Scripting"
,
:line
=>
nil
,
:message
=>
/^Rails\ 3\.2\.9\.rc2
has\ a\ vulnerability\ in\ numbe
/
,
:message
=>
/^Rails\ 3\.2\.9\.rc2
\ has\ a\ vulnerability\ in\ n
/
,
:confidence
=>
1
,
:relative_path
=>
"Gemfile"
,
:user_input
=>
nil
...
...
test/tests/rails2.rb
浏览文件 @
a41b8fb3
...
...
@@ -991,14 +991,16 @@ class Rails2Tests < Test::Unit::TestCase
:relative_path
=>
"config/environment.rb"
end
def
test_number_to_currency_CVE_201
3_6415
def
test_number_to_currency_CVE_201
4_0081
assert_warning
:type
=>
:warning
,
:warning_code
=>
65
,
:fingerprint
=>
"
1822c8179beeb0358b71c545bad0dd824104aed8b995fe0781c1b6e324417a91
"
,
:warning_code
=>
73
,
:fingerprint
=>
"
dd82650c29c3ec7b77437c32d394641744208b42b2aeb673d54e5f42c51e6c33
"
,
:warning_type
=>
"Cross Site Scripting"
,
:line
=>
nil
,
:message
=>
/^Rails\ 2\.3\.11\ has\ a\ vulnerability\ in\ numb/
,
:confidence
=>
1
,
:relative_path
=>
"config/environment.rb"
:relative_path
=>
"config/environment.rb"
,
:user_input
=>
nil
end
def
test_sql_injection_CVE_2013_6417
...
...
test/tests/rails3.rb
浏览文件 @
a41b8fb3
...
...
@@ -16,7 +16,7 @@ class Rails3Tests < Test::Unit::TestCase
:controller
=>
1
,
:model
=>
8
,
:template
=>
38
,
:generic
=>
7
0
:generic
=>
7
1
}
if
RUBY_PLATFORM
==
'java'
...
...
@@ -1149,10 +1149,10 @@ class Rails3Tests < Test::Unit::TestCase
:relative_path
=>
"Gemfile"
end
def
test_number_to_currency_CVE_201
3_6415
def
test_number_to_currency_CVE_201
4_0081
assert_warning
:type
=>
:warning
,
:warning_code
=>
65
,
:fingerprint
=>
"
813b00b5c58567fb3f32051578b839cb25fc2d827834a30d4b213a4c126202a2
"
,
:warning_code
=>
73
,
:fingerprint
=>
"
f6981b9c24727ef45040450a1f4b158ae3bc31b4b0343efe853fe12c64881695
"
,
:warning_type
=>
"Cross Site Scripting"
,
:line
=>
nil
,
:message
=>
/^Rails\ 3\.0\.3\ has\ a\ vulnerability\ in\ numbe/
,
...
...
@@ -1173,6 +1173,18 @@ class Rails3Tests < Test::Unit::TestCase
:user_input
=>
nil
end
def
test_denial_of_service_CVE_2014_0082
assert_warning
:type
=>
:warning
,
:warning_code
=>
75
,
:fingerprint
=>
"403a72d08a90043384fe56d3a6bc3e255b8799b380693914143d403607433db7"
,
:warning_type
=>
"Denial of Service"
,
:line
=>
nil
,
:message
=>
/^Rails\ 3\.0\.3\ has\ a\ denial\ of\ service\ vuln/
,
:confidence
=>
0
,
:relative_path
=>
"Gemfile"
,
:user_input
=>
nil
end
def
test_http_only_session_setting
assert_warning
:type
=>
:warning
,
:warning_type
=>
"Session Setting"
,
...
...
test/tests/rails31.rb
浏览文件 @
a41b8fb3
...
...
@@ -820,10 +820,10 @@ class Rails31Tests < Test::Unit::TestCase
:relative_path
=>
"Gemfile"
end
def
test_number_to_currency_CVE_201
3_6415
def
test_number_to_currency_CVE_201
4_0081
assert_warning
:type
=>
:warning
,
:warning_code
=>
65
,
:fingerprint
=>
"
813b00b5c58567fb3f32051578b839cb25fc2d827834a30d4b213a4c126202a2
"
,
:warning_code
=>
73
,
:fingerprint
=>
"
f6981b9c24727ef45040450a1f4b158ae3bc31b4b0343efe853fe12c64881695
"
,
:warning_type
=>
"Cross Site Scripting"
,
:line
=>
nil
,
:message
=>
/^Rails\ 3\.1\.0\ has\ a\ vulnerability\ in\ numbe/
,
...
...
test/tests/rails32.rb
浏览文件 @
a41b8fb3
...
...
@@ -11,7 +11,7 @@ class Rails32Tests < Test::Unit::TestCase
:controller
=>
0
,
:model
=>
5
,
:template
=>
11
,
:generic
=>
1
0
}
:generic
=>
1
1
}
if
RUBY_PLATFORM
==
'java'
@expected
[
:generic
]
+=
1
...
...
@@ -99,13 +99,13 @@ class Rails32Tests < Test::Unit::TestCase
:relative_path
=>
"Gemfile"
end
def
test_number_to_currency_CVE_201
3_6415
def
test_number_to_currency_CVE_201
4_0081
assert_warning
:type
=>
:warning
,
:warning_code
=>
65
,
:fingerprint
=>
"
813b00b5c58567fb3f32051578b839cb25fc2d827834a30d4b213a4c126202a2
"
,
:warning_code
=>
73
,
:fingerprint
=>
"
f6981b9c24727ef45040450a1f4b158ae3bc31b4b0343efe853fe12c64881695
"
,
:warning_type
=>
"Cross Site Scripting"
,
:line
=>
nil
,
:message
=>
/^Rails\ 3\.2\.9\.rc2
has\ a\ vulnerability\ in\ numbe
/
,
:message
=>
/^Rails\ 3\.2\.9\.rc2
\ has\ a\ vulnerability\ in\ n
/
,
:confidence
=>
1
,
:relative_path
=>
"Gemfile"
,
:user_input
=>
nil
...
...
@@ -123,6 +123,18 @@ class Rails32Tests < Test::Unit::TestCase
:user_input
=>
nil
end
def
test_denial_of_service_CVE_2014_0082
assert_warning
:type
=>
:warning
,
:warning_code
=>
75
,
:fingerprint
=>
"403a72d08a90043384fe56d3a6bc3e255b8799b380693914143d403607433db7"
,
:warning_type
=>
"Denial of Service"
,
:line
=>
nil
,
:message
=>
/^Rails\ 3\.2\.9\.rc2\ has\ a\ denial\ of\ service\ /
,
:confidence
=>
0
,
:relative_path
=>
"Gemfile"
,
:user_input
=>
nil
end
def
test_redirect_1
assert_warning
:type
=>
:warning
,
:warning_type
=>
"Redirect"
,
...
...
test/tests/rails4.rb
浏览文件 @
a41b8fb3
...
...
@@ -14,8 +14,8 @@ class Rails4Tests < Test::Unit::TestCase
@expected
||=
{
:controller
=>
0
,
:model
=>
1
,
:template
=>
1
,
:generic
=>
1
8
:template
=>
2
,
:generic
=>
1
9
}
end
...
...
@@ -224,16 +224,26 @@ class Rails4Tests < Test::Unit::TestCase
:relative_path
=>
"Gemfile"
end
def
test_number_to_currency_CVE_201
3_6415
def
test_number_to_currency_CVE_201
4_0081
assert_warning
:type
=>
:template
,
:warning_code
=>
66
,
:fingerprint
=>
"
0fb96b5f4b3a4dcdc677d126f492441e2f7b46880563a977b1246b30d3c117a0
"
,
:warning_code
=>
74
,
:fingerprint
=>
"
2d06291f03b443619407093e5921ee1e4eb77b1bf045607d776d9493da4a3f95
"
,
:warning_type
=>
"Cross Site Scripting"
,
:line
=>
9
,
:message
=>
/^
Currency\ value\ in\ number_to_currency\ is\
/
,
:message
=>
/^
Format\ options\ in\ number_to_currency\ are
/
,
:confidence
=>
0
,
:relative_path
=>
"app/views/users/index.html.erb"
,
:user_input
=>
s
(
:call
,
s
(
:call
,
nil
,
:params
),
:[]
,
s
(
:lit
,
:currency
))
assert_warning
:type
=>
:template
,
:warning_code
=>
74
,
:fingerprint
=>
"c5f481595217e42fbeaf40f32e6407e66d64d246a9729c2c199053e64365ac96"
,
:warning_type
=>
"Cross Site Scripting"
,
:line
=>
12
,
:message
=>
/^Format\ options\ in\ number_to_percentage\ a/
,
:confidence
=>
0
,
:relative_path
=>
"app/views/users/index.html.erb"
,
:user_input
=>
s
(
:call
,
s
(
:call
,
nil
,
:params
),
:[]
,
s
(
:lit
,
:format
))
end
def
test_simple_format_xss_CVE_2013_6416
...
...
@@ -260,6 +270,18 @@ class Rails4Tests < Test::Unit::TestCase
:user_input
=>
nil
end
def
test_sql_injection_CVE_2014_0080
assert_warning
:type
=>
:warning
,
:warning_code
=>
72
,
:fingerprint
=>
"0ba20216bdda1cc067f9e4795bdb0d9224fd23c58317ecc09db67b6b38a2d0f0"
,
:warning_type
=>
"SQL Injection"
,
:line
=>
nil
,
:message
=>
/^Rails\ 4\.0\.0\ contains\ a\ SQL\ injection\ vul/
,
:confidence
=>
0
,
:relative_path
=>
"Gemfile"
,
:user_input
=>
nil
end
def
test_mass_assignment_with_permit!
assert_warning
:type
=>
:warning
,
:warning_code
=>
70
,
...
...
test/tests/rails4_with_engines.rb
浏览文件 @
a41b8fb3
...
...
@@ -28,10 +28,10 @@ class Rails4WithEnginesTests < Test::Unit::TestCase
:relative_path
=>
"Gemfile"
end
def
test_number_to_currency_CVE_201
3_6415
def
test_number_to_currency_CVE_201
4_0081
assert_warning
:type
=>
:warning
,
:warning_code
=>
65
,
:fingerprint
=>
"
813b00b5c58567fb3f32051578b839cb25fc2d827834a30d4b213a4c126202a2
"
,
:warning_code
=>
73
,
:fingerprint
=>
"
f6981b9c24727ef45040450a1f4b158ae3bc31b4b0343efe853fe12c64881695
"
,
:warning_type
=>
"Cross Site Scripting"
,
:line
=>
nil
,
:message
=>
/^Rails\ 4\.0\.0\ has\ a\ vulnerability\ in\ numbe/
,
...
...
test/tests/rails_with_xss_plugin.rb
浏览文件 @
a41b8fb3
...
...
@@ -381,10 +381,10 @@ class RailsWithXssPluginTests < Test::Unit::TestCase
:user_input
=>
nil
end
def
test_number_to_currency_CVE_201
3_6415
def
test_number_to_currency_CVE_201
4_0081
assert_warning
:type
=>
:warning
,
:warning_code
=>
65
,
:fingerprint
=>
"
813b00b5c58567fb3f32051578b839cb25fc2d827834a30d4b213a4c126202a2
"
,
:warning_code
=>
73
,
:fingerprint
=>
"
f6981b9c24727ef45040450a1f4b158ae3bc31b4b0343efe853fe12c64881695
"
,
:warning_type
=>
"Cross Site Scripting"
,
:line
=>
nil
,
:message
=>
/^Rails\ 2\.3\.14\ has\ a\ vulnerability\ in\ numb/
,
...
...
test/tests/rescanner.rb
浏览文件 @
a41b8fb3
...
...
@@ -265,6 +265,25 @@ class RescannerTests < Test::Unit::TestCase
assert_reindex
:none
assert_changes
assert_new
0
assert_fixed
3
assert_fixed
2
end
def
test_gemfile_rails_version_fix_CVE_2014_0082
gemfile
=
"Gemfile.lock"
before_rescan_of
gemfile
do
replace
gemfile
,
"rails (3.2.9.rc2)"
,
"rails (3.2.17)"
end
#@original is actually modified
assert
@original
.
config
[
:rails_version
],
"3.2.17"
assert_reindex
:none
assert_changes
assert_new
0
if
RUBY_PLATFORM
==
"java"
assert_fixed
10
else
assert_fixed
9
end
end
end
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录