Merge pull request #302 from errm/errm/open-ended-upper-limit

Adds a test to ensure that patched_versions has an open ended upper l…
rubysec · Jan 9, 2018 · 40ecb3d · 40ecb3d
2 parents 5657381 + e6bdeb0
commit 40ecb3d
Show file tree

Hide file tree

Showing 7 changed files with 25 additions and 6 deletions.
diff --git a/gems/actionpack/CVE-2016-2097.yml b/gems/actionpack/CVE-2016-2097.yml
@@ -87,4 +87,5 @@ unaffected_versions:
 
 patched_versions:
   - "~> 3.2.22.2"
-  - "~> 4.1.14, >= 4.1.14.2"
+  - "~> 4.1.14"
+  - ">= 4.1.14.2"
diff --git a/gems/actionpack/OSVDB-103440.yml b/gems/actionpack/OSVDB-103440.yml
@@ -16,7 +16,7 @@ description: |
 cvss_v2: 5.0
 
 unaffected_versions:
-  - ~> 4.0.0
+  - ">= 4.0.0"
 
 patched_versions:
   - ">= 3.2.17"
diff --git a/gems/fog-dragonfly/OSVDB-90647.yml b/gems/fog-dragonfly/OSVDB-90647.yml
@@ -14,3 +14,5 @@ description: |
 cvss_v2: 7.5
 unaffected_versions:
   - "< 0.7.0"
+patched_versions:
+  - ">= 0.9.14"
diff --git a/gems/rails-html-sanitizer/CVE-2015-7578.yml b/gems/rails-html-sanitizer/CVE-2015-7578.yml
@@ -44,4 +44,4 @@ description: |
   Thanks to Ben Murphy and Marien for reporting this.
     
 patched_versions:
-  - "~> 1.0.3"
+  - ">= 1.0.3"
diff --git a/gems/rails-html-sanitizer/CVE-2015-7579.yml b/gems/rails-html-sanitizer/CVE-2015-7579.yml
@@ -72,4 +72,4 @@ unaffected_versions:
   - "~> 1.0.1"
 
 patched_versions:
-  - "~> 1.0.3"
+  - ">= 1.0.3"
diff --git a/gems/rails-html-sanitizer/CVE-2015-7580.yml b/gems/rails-html-sanitizer/CVE-2015-7580.yml
@@ -67,4 +67,4 @@ description: |
   Thanks to Arnaud Germis, Nate Clark, and John Colvin for reporting this issue.
 
 patched_versions:
-  - "~> 1.0.3"
+  - ">= 1.0.3"
diff --git a/spec/gem_example.rb b/spec/gem_example.rb
@@ -3,7 +3,7 @@
 
 shared_examples_for "Gem Advisory" do |path|
   include_examples 'Advisory', path
-  
+
   advisory = YAML.load_file(path)
 
   describe path do
@@ -17,5 +17,21 @@
         expect(subject.downcase).to eq(gem.downcase)
       end
     end
+
+    describe "versions" do
+      it "assumes that future versions will be patched" do
+        unaffected_versions = advisory['unaffected_versions'] || []
+        patched_versions    = advisory['patched_versions'] || []
+
+        versions = (unaffected_versions + patched_versions).sort_by do |v|
+          Gem::Version.new(v.match(/[0-9.]+\.\d+/)[0])
+        end
+
+        # If a gem is unpatched this test makes no sense
+        unless patched_versions.none?
+          expect(versions.last.match(/^>=|^>/)).to be_truthy
+        end
+      end
+    end
   end
 end