Merge pull request #176 from presidentbeef/allow_non_production_versions_in_gemfile

Allow pre-release versions in Gemfile

lib/brakeman/processors/gem_processor.rb

@@ -40,7 +40,7 @@ class Brakeman::GemProcessor < Brakeman::BaseProcessor
   end
 
   def get_rails_version gem_lock
-    if gem_lock =~ /\srails \((\d+.\d+.\d+)\)$/
+    if gem_lock =~ /\srails \((\d+.\d+.\d+.*)\)$/
       @tracker.config[:rails_version] = $1
     end
   end

test/apps/rails3.2/Gemfile

 source 'https://rubygems.org'
 
-gem 'rails', '3.2.8'
+gem 'rails', '3.2.9.rc2'
 
 # Bundle edge Rails instead:
 # gem 'rails', :git => 'git://github.com/rails/rails.git'

test/apps/rails3.2/Gemfile.lock

 GEM
   remote: https://rubygems.org/
   specs:
-    actionmailer (3.2.8)
-      actionpack (= 3.2.8)
+    actionmailer (3.2.9.rc2)
+      actionpack (= 3.2.9.rc2)
       mail (~> 2.4.4)
-    actionpack (3.2.8)
-      activemodel (= 3.2.8)
-      activesupport (= 3.2.8)
+    actionpack (3.2.9.rc2)
+      activemodel (= 3.2.9.rc2)
+      activesupport (= 3.2.9.rc2)
       builder (~> 3.0.0)
       erubis (~> 2.7.0)
       journey (~> 1.0.4)
@@ -14,18 +14,18 @@ GEM
       rack-cache (~> 1.2)
       rack-test (~> 0.6.1)
       sprockets (~> 2.1.3)
-    activemodel (3.2.8)
-      activesupport (= 3.2.8)
+    activemodel (3.2.9.rc2)
+      activesupport (= 3.2.9.rc2)
       builder (~> 3.0.0)
-    activerecord (3.2.8)
-      activemodel (= 3.2.8)
-      activesupport (= 3.2.8)
+    activerecord (3.2.9.rc2)
+      activemodel (= 3.2.9.rc2)
+      activesupport (= 3.2.9.rc2)
       arel (~> 3.0.2)
       tzinfo (~> 0.3.29)
-    activeresource (3.2.8)
-      activemodel (= 3.2.8)
-      activesupport (= 3.2.8)
-    activesupport (3.2.8)
+    activeresource (3.2.9.rc2)
+      activemodel (= 3.2.9.rc2)
+      activesupport (= 3.2.9.rc2)
+    activesupport (3.2.9.rc2)
       i18n (~> 0.6)
       multi_json (~> 1.0)
     arel (3.0.2)
@@ -61,17 +61,17 @@ GEM
       rack
     rack-test (0.6.1)
       rack (>= 1.0)
-    rails (3.2.8)
-      actionmailer (= 3.2.8)
-      actionpack (= 3.2.8)
-      activerecord (= 3.2.8)
-      activeresource (= 3.2.8)
-      activesupport (= 3.2.8)
+    rails (3.2.9.rc2)
+      actionmailer (= 3.2.9.rc2)
+      actionpack (= 3.2.9.rc2)
+      activerecord (= 3.2.9.rc2)
+      activeresource (= 3.2.9.rc2)
+      activesupport (= 3.2.9.rc2)
       bundler (~> 1.0)
-      railties (= 3.2.8)
-    railties (3.2.8)
-      actionpack (= 3.2.8)
-      activesupport (= 3.2.8)
+      railties (= 3.2.9.rc2)
+    railties (3.2.9.rc2)
+      actionpack (= 3.2.9.rc2)
+      activesupport (= 3.2.9.rc2)
       rack-ssl (~> 1.3.2)
       rake (>= 0.8.7)
       rdoc (~> 3.4)
@@ -106,7 +106,7 @@ DEPENDENCIES
   coffee-rails (~> 3.2.1)
   jquery-rails
   json
-  rails (= 3.2.8)
+  rails (= 3.2.9.rc2)
   sass-rails (~> 3.2.3)
   sqlite3
   uglifier (>= 1.0.3)

test/tests/test_brakeman.rb

@@ -48,4 +48,8 @@ class BaseCheckTests < Test::Unit::TestCase
   def test_version_between_longer
     assert_equal false, version_between?("1.0.1.2", "1.0.0", "1.0.1")
   end
+
+  def test_version_between_pre_release
+    assert version_between?("3.2.9.rc2", "3.2.5", "4.0.0")
+  end
 end

test/tests/test_rails32.rb

+abort "Please run using test/test.rb" unless defined? BrakemanTester
+
+Rails32 = BrakemanTester.run_scan "rails3.2", "Rails 3.2"
+
+class Rails32Tests < Test::Unit::TestCase
+  include BrakemanTester::FindWarning
+  include BrakemanTester::CheckExpected
+
+  def expected
+    @expected ||= {
+      :controller => 0,
+      :model => 0,
+      :template => 6,
+      :warning => 1 }
+  end
+
+  def report
+    Rails32
+  end
+
+  def test_rc_version_number
+    assert_equal "3.2.9.rc2", Rails32[:config][:rails_version]
+  end
+
+  def test_redirect_1
+    assert_warning :type => :warning,
+      :warning_type => "Redirect",
+      :line => 13,
+      :message => /^Possible\ unprotected\ redirect/,
+      :confidence => 0,
+      :file => /removal_controller\.rb/
+  end
+
+  def test_cross_site_scripting_2
+    assert_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 1,
+      :message => /^Unescaped\ model\ attribute/,
+      :confidence => 0,
+      :file => /_partial\.html\.erb/
+  end
+
+  def test_cross_site_scripting_3
+    assert_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 1,
+      :message => /^Unescaped\ parameter\ value/,
+      :confidence => 0,
+      :file => /controller_removed\.html\.erb/
+  end
+
+  def test_cross_site_scripting_4
+    assert_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 2,
+      :message => /^Unescaped\ parameter\ value/,
+      :confidence => 0,
+      :file => /implicit_render\.html\.erb/
+  end
+
+  def test_cross_site_scripting_5
+    assert_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 1,
+      :message => /^Unescaped\ model\ attribute/,
+      :confidence => 0,
+      :file => /_form\.html\.erb/
+  end
+
+  def test_cross_site_scripting_6
+    assert_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 1,
+      :message => /^Unescaped\ model\ attribute/,
+      :confidence => 0,
+      :file => /mixed_in\.html\.erb/
+  end
+
+  def test_cross_site_scripting_7
+    assert_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 15,
+      :message => /^Unescaped\ parameter\ value/,
+      :confidence => 0,
+      :file => /show\.html\.erb/
+  end
+
+  def test_mass_assignment_default
+    assert_no_warning :type => :model,
+      :warning_type => "Attribute Restriction",
+      :message => /^Mass\ assignment\ is\ not\ restricted\ using\ /,
+      :confidence => 0,
+      :file => /account\.rb/
+  end
+end

test/tests/test_rescanner.rb

@@ -242,7 +242,7 @@ class RescannerTests < Test::Unit::TestCase
     gemfile = "Gemfile.lock"
 
     before_rescan_of gemfile do
-      replace gemfile, "rails (3.2.8)", "rails (3.2.6)"
+      replace gemfile, "rails (3.2.9.rc2)", "rails (3.2.6)"
     end
 
     #@original is actually modified