Merge pull request #437 from presidentbeef/support_lts_versions

Add support for RailsLTS versions

Merge pull request #437 from presidentbeef/support_lts_versions
Add support for RailsLTS versions
add9e26a · Justin · 0c37f7de · 5d99f32b · add9e26a · add9e26a
6 changed file
--- a/lib/brakeman/checks/base_check.rb
+++ b/lib/brakeman/checks/base_check.rb
@@ -452,10 +452,11 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
  #Returns true if low_version <= RAILS_VERSION <= high_version
  #
  #If the Rails version is unknown, returns false.
-  def version_between? low_version, high_version
-    return false unless tracker.config[:rails_version]
+  def version_between? low_version, high_version, current_version = nil
+    current_version ||= tracker.config[:rails_version]
+    return false unless current_version

-    version = tracker.config[:rails_version].split(".").map! { |n| n.to_i }
+    version = current_version.split(".").map! { |n| n.to_i }
    low_version = low_version.split(".").map! { |n| n.to_i }
    high_version = high_version.split(".").map! { |n| n.to_i }

@@ -478,6 +479,12 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
    true
  end

+  def lts_version? version
+    tracker.config[:gems] and
+    tracker.config[:gems][:'railslts-version'] and
+    version_between? version, "2.3.18.99", tracker.config[:gems][:'railslts-version']
+  end
+
  def gemfile_or_environment
    if @app_tree.exists?("Gemfile")
      "Gemfile"

--- a/lib/brakeman/checks/check_number_to_currency.rb
+++ b/lib/brakeman/checks/check_number_to_currency.rb
@@ -6,6 +6,8 @@ class Brakeman::CheckNumberToCurrency < Brakeman::BaseCheck
  @description = "Checks for number_to_currency XSS vulnerability in certain versions"

  def run_check
+    return if lts_version? '2.3.18.6'
+
    if (version_between? "2.0.0", "3.2.15" or version_between? "4.0.0", "4.0.1")
      check_number_to_currency_usage


--- a/lib/brakeman/checks/check_sql.rb
+++ b/lib/brakeman/checks/check_sql.rb
@@ -575,7 +575,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
  end

  def check_rails_versions_against_cve_issues
-    [
+    issues = [
      {
        :cve => "CVE-2012-2660",
        :versions => [%w[2.0.0 2.3.14 2.3.17], %w[3.0.0 3.0.12 3.0.13], %w[3.1.0 3.1.4 3.1.5], %w[3.2.0 3.2.3 3.2.4]],
@@ -601,12 +601,18 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
        :versions => [%w[2.0.0 2.3.15 2.3.16], %w[3.0.0 3.0.18 3.0.19], %w[3.1.0 3.1.9 3.1.10], %w[3.2.0 3.2.10 3.2.11]],
        :url => "https://groups.google.com/d/topic/rubyonrails-security/c7jT-EeN9eI/discussion"
      },
-      {
+
+    ]
+
+    unless lts_version? '2.3.18.6'
+     issues << {
        :cve => "CVE-2013-6417",
        :versions => [%w[2.0.0 3.2.15 3.2.16], %w[4.0.0 4.0.1 4.0.2]],
        :url => "https://groups.google.com/d/msg/ruby-security-ann/niK4drpSHT4/g8JW8ZsayRkJ"
-      },
-    ].each do |cve_issue|
+      }
+    end
+
+    issues.each do |cve_issue|
      cve_warning_for cve_issue[:versions], cve_issue[:cve], cve_issue[:url]
    end
  end

--- a/lib/brakeman/checks/check_translate_bug.rb
+++ b/lib/brakeman/checks/check_translate_bug.rb
@@ -7,6 +7,7 @@ class Brakeman::CheckTranslateBug < Brakeman::BaseCheck
  @description = "Report XSS vulnerability in translate helper"

  def run_check
+    return if lts_version? '2.3.18.6'
    if (version_between?('2.3.0', '2.3.99') and tracker.config[:escape_html]) or
        version_between?('3.0.0', '3.0.10') or
        version_between?('3.1.0', '3.1.1')

--- a/test/tests/brakeman.rb
+++ b/test/tests/brakeman.rb
@@ -41,6 +41,11 @@ class BaseCheckTests < Test::Unit::TestCase
    @check.send(:version_between?, low, high)
  end

+  def lts_version? version, low
+    @tracker.config = { :gems => { :"railslts-version" => version } }
+    @check.send(:lts_version?, low)
+  end
+
  def test_version_between
    assert version_between?("2.3.8", "2.3.0", "2.3.8")
    assert version_between?("2.3.8", "2.3.0", "2.3.14")
@@ -61,6 +66,12 @@ class BaseCheckTests < Test::Unit::TestCase
    assert version_between?("3.2.9.rc2", "3.2.5", "4.0.0")
  end

+  def test_lts_version
+    @tracker.config = { :rails_version => "2.3.18" }
+    assert lts_version? '2.3.18.6', '2.3.18.6'
+    assert !lts_version?('2.3.18.1', '2.3.18.6')
+    assert !lts_version?(nil, '2.3.18.6')
+  end
 end

 class ConfigTests < Test::Unit::TestCase

--- a/test/tests/rescanner.rb
+++ b/test/tests/rescanner.rb
@@ -252,4 +252,19 @@ class RescannerTests < Test::Unit::TestCase
    assert_new 1
    assert_fixed 0
  end
+
+  def test_gemfile_lock_rails_lts
+    gemfile = "Gemfile.lock"
+
+    before_rescan_of gemfile, "rails_with_xss_plugin" do
+      append gemfile, "railslts-version (2.3.18.6)"
+    end
+
+    #@original is actually modified
+    assert @original.config[:gems][:"railslts-version"], "2.3.18.6"
+    assert_reindex :none
+    assert_changes
+    assert_new 0
+    assert_fixed 3
+  end
 end