Sha256: 10a0312d621192b61ace61f584acfc726cdb54bf12c2eb0965e3f60c7b90016b

Contents?: true

Size: 829 Bytes

Versions: 11

Compression:

Stored size: 829 Bytes

Contents

require 'brakeman/checks/base_check'

#Check for versions with vulnerable html escape method
#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/56bffb5923ab1195
class Brakeman::CheckEscapeFunction < Brakeman::BaseCheck
  Brakeman::Checks.add self

  @description = "Checks for versions before 2.3.14 which have a vulnerable escape method"

  def run_check
    if version_between?('2.0.0', '2.3.13') and RUBY_VERSION < '1.9.0' 

      warn :warning_type => 'Cross Site Scripting',
        :message => 'Versions before 2.3.14 have a vulnerability in escape method when used with Ruby 1.8: CVE-2011-2931',
        :confidence => CONFIDENCE[:high],
        :file => gemfile_or_environment,
        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/Vr_7WSOrEZU/discussion"
    end
  end
end

Version data entries

11 entries across 11 versions & 1 rubygems

Version Path
brakeman-1.9.2 lib/brakeman/checks/check_escape_function.rb
brakeman-1.9.1 lib/brakeman/checks/check_escape_function.rb
brakeman-1.9.0 lib/brakeman/checks/check_escape_function.rb
brakeman-1.9.0.pre2 lib/brakeman/checks/check_escape_function.rb
brakeman-1.9.0.pre1 lib/brakeman/checks/check_escape_function.rb
brakeman-1.8.3 lib/brakeman/checks/check_escape_function.rb
brakeman-1.8.2 lib/brakeman/checks/check_escape_function.rb
brakeman-1.8.1 lib/brakeman/checks/check_escape_function.rb
brakeman-1.8.0 lib/brakeman/checks/check_escape_function.rb
brakeman-1.7.1 lib/brakeman/checks/check_escape_function.rb
brakeman-1.7.0 lib/brakeman/checks/check_escape_function.rb