Tests for CVE-2013-0277

a980a3e6 · Justin Collins · 2b0ccb95 · a980a3e6 · a980a3e6
隐藏空白更改
内联并排

Showing with 35 addition and 3 deletion

test/tests/test_rails2.rb test/tests/test_rails2.rb +10 -2

test/tests/test_rails3.rb test/tests/test_rails3.rb +25 -1

未找到文件。
--- a/test/tests/test_rails2.rb
+++ b/test/tests/test_rails2.rb
@@ -10,13 +10,13 @@ class Rails2Tests < Test::Unit::TestCase
    if Brakeman::Scanner::RUBY_1_9
      @expected ||= {
        :controller => 1,
-        :model => 2,
+        :model => 3,
        :template => 41,
        :warning => 39 }
    else
      @expected ||= {
        :controller => 1,
-        :model => 2,
+        :model => 3,
        :template => 41,
        :warning => 40 }
    end
@@ -802,6 +802,14 @@ class Rails2Tests < Test::Unit::TestCase
      :file => /environment\.rb/
  end

+  def test_remote_code_execution_CVE_2013_0277
+    assert_warning :type => :model,
+      :warning_type => "Remote Code Execution",
+      :message => /^Serialized\ attributes\ are\ vulnerable\ in\ /,
+      :confidence => 0,
+      :file => /unprotected\.rb/
+  end
+
  def test_to_json
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",

--- a/test/tests/test_rails3.rb
+++ b/test/tests/test_rails3.rb
@@ -13,7 +13,7 @@ class Rails3Tests < Test::Unit::TestCase
  def expected
    @expected ||= {
      :controller => 1,
-      :model => 5,
+      :model => 8,
      :template => 32,
      :warning => 51
    }
@@ -822,6 +822,30 @@ class Rails3Tests < Test::Unit::TestCase
      :file => /Gemfile/
  end

+  def test_remote_code_execution_CVE_2013_0277_protected
+    assert_warning :type => :model,
+      :warning_type => "Remote Code Execution",
+      :message => /^Serialized\ attributes\ are\ vulnerable\ in\ /,
+      :confidence => 1,
+      :file => /product\.rb/
+  end
+
+  def test_remote_code_execution_CVE_2013_0277_accessible
+    assert_warning :type => :model,
+      :warning_type => "Remote Code Execution",
+      :message => /^Serialized\ attributes\ are\ vulnerable\ in\ /,
+      :confidence => 1,
+      :file => /purchase\.rb/
+  end
+
+  def test_remote_code_execution_CVE_2013_0277_unprotected
+    assert_warning :type => :model,
+      :warning_type => "Remote Code Execution",
+      :message => /^Serialized\ attributes\ are\ vulnerable\ in\ /,
+      :confidence => 0,
+      :file => /user\.rb/
+  end
+
  def test_http_only_session_setting
    assert_warning :type => :warning,
      :warning_type => "Session Setting",