From 77ebd9d4fd0ce463bfca4a770e0d51b86873fb6a Mon Sep 17 00:00:00 2001 From: Christian Mehlmauer Date: Mon, 6 May 2013 22:33:18 +0200 Subject: [PATCH] Fixed Version compare for issue #179 --- data/plugin_vulns.xml | 1 + data/vuln.xsd | 1 + lib/common/models/vulnerability.rb | 15 +++++++++++---- lib/common/models/wp_item/vulnerable.rb | 13 ++++++++++++- lib/common/version_compare.rb | 7 +++++++ 5 files changed, 32 insertions(+), 5 deletions(-) create mode 100644 lib/common/version_compare.rb diff --git a/data/plugin_vulns.xml b/data/plugin_vulns.xml index 3f6a260b..de0eb80a 100644 --- a/data/plugin_vulns.xml +++ b/data/plugin_vulns.xml @@ -3144,6 +3144,7 @@ http://blog.sucuri.net/2013/04/update-wp-super-cache-and-w3tc-immediately-remote-code-execution-vulnerability-disclosed.html exploits/unix/webapp/php_wordpress_total_cache RCE + 0.9.2.9 diff --git a/data/vuln.xsd b/data/vuln.xsd index a2c286bf..a11e3910 100644 --- a/data/vuln.xsd +++ b/data/vuln.xsd @@ -51,6 +51,7 @@ + diff --git a/lib/common/models/vulnerability.rb b/lib/common/models/vulnerability.rb index e4b89ae2..83b15733 100755 --- a/lib/common/models/vulnerability.rb +++ b/lib/common/models/vulnerability.rb @@ -5,20 +5,22 @@ require 'vulnerability/output' class Vulnerability include Vulnerability::Output - attr_accessor :title, :references, :type, :metasploit_modules + attr_accessor :title, :references, :type, :fixed_in, :metasploit_modules # # @param [ String ] title The title of the vulnerability # @param [ String ] type The type of the vulnerability # @param [ Array ] references References urls # @param [ Array ] metasploit_modules Metasploit modules for the vulnerability + # @param [ String ] fixed_in Vuln fixed in Version X # # @return [ Vulnerability ] - def initialize(title, type, references, metasploit_modules = []) + def initialize(title, type, references, metasploit_modules = [], fixed_in) @title = title @type = type @references = references @metasploit_modules = metasploit_modules + @fixed_in = fixed_in end # @param [ Vulnerability ] other @@ -26,7 +28,11 @@ class Vulnerability # @return [ Boolean ] # :nocov: def ==(other) - title == other.title && type == other.type && references == other.references + title == other.title && + type == other.type && + references == other.references && + fixed_in == other.fixed_in && + metasploit_modules == other.metasploit_modules end # :nocov: @@ -40,7 +46,8 @@ class Vulnerability xml_node.search('title').text, xml_node.search('type').text, xml_node.search('reference').map(&:text), - xml_node.search('metasploit').map(&:text) + xml_node.search('metasploit').map(&:text), + xml_node.search('fixed_in').text ) end diff --git a/lib/common/models/wp_item/vulnerable.rb b/lib/common/models/wp_item/vulnerable.rb index d814c9ba..c1405768 100755 --- a/lib/common/models/wp_item/vulnerable.rb +++ b/lib/common/models/wp_item/vulnerable.rb @@ -12,7 +12,18 @@ class WpItem vulnerabilities = Vulnerabilities.new xml.xpath(vulns_xpath).each do |node| - vulnerabilities << Vulnerability.load_from_xml_node(node) + vuln = Vulnerability.load_from_xml_node(node) + if vuln + if version && vuln.fixed_in && !vuln.fixed_in.empty? + if VersionCompare::is_newer_or_same?(vuln.fixed_in, version) + # "Hooray, fixed" + else + vulnerabilities << vuln + end + else + vulnerabilities << vuln + end + end end vulnerabilities end diff --git a/lib/common/version_compare.rb b/lib/common/version_compare.rb new file mode 100644 index 00000000..aa4e9e28 --- /dev/null +++ b/lib/common/version_compare.rb @@ -0,0 +1,7 @@ +# encoding: UTF-8 + +class VersionCompare + def self.is_newer_or_same?(version1, version2) + (version1 == version2) || (Gem::Version.new(version1) < Gem::Version.new(version2)) + end +end \ No newline at end of file