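# Warn about json / json_pure releases affected by CVE-2013-0269.
#
# Three release lines have a fixed version: 1.5.x (fixed in 1.5.5), 1.6.x
# (fixed in 1.6.8) and 1.7.x (fixed in 1.7.7). Anything at or above the fix
# for its line is silently accepted. In the 1.7 line the flaw is reported as
# remote code execution; in older lines as a symbol-creation denial of
# service, with confidence raised to :high when the application is seen to
# call JSON.parse, and lowered to :weak for releases older than 1.5.0.
#
# @param name [String] gem name as it appears in the Gemfile (e.g. "json", "json_pure")
# @param version [String] version string of that gem
# @return [nil] when the version is already patched (or cannot be parsed);
#   otherwise the value returned by +warn+
def check_json_version name, version
  # Compare as Gem::Version, never as String: under String#<=> "1.7.10" sorts
  # below "1.7.7" and "1.10.0" below "1.7.7", so a fixed release could be
  # reported as vulnerable and a vulnerable one could slip past the guard.
  version_str = version.to_s
  # A version string rubygems cannot parse cannot be placed in any release
  # line, so skip the check rather than raise in the middle of a scan.
  return unless Gem::Version.correct? version_str
  gem_version = Gem::Version.new version_str
  at_least = lambda { |v| gem_version >= Gem::Version.new(v) }
  below    = lambda { |v| gem_version <  Gem::Version.new(v) }

  # Patched release of each line: nothing to report.
  return if at_least["1.7.7"] ||
            (at_least["1.6.8"] && below["1.7.0"]) ||
            (at_least["1.5.5"] && below["1.6.0"])

  # Use the caller-supplied gem name throughout so a json_pure finding is not
  # labelled "json gem" in the RCE message.
  gem_name = "#{name} gem"
  warning_type = "Denial of Service"
  confidence = :medium
  message = msg(msg_version(version, gem_name), " has a symbol creation vulnerability. Upgrade to ")

  if at_least["1.7.0"]
    # 1.7.0 .. 1.7.6: reported as remote code execution, fixed in 1.7.7.
    confidence = :high
    warning_type = "Remote Code Execution"
    message = msg(msg_version(version, gem_name), " has a remote code execution vulnerability. Upgrade to ", msg_version("1.7.7", gem_name))
  elsif at_least["1.6.0"]
    message << msg_version("1.6.8", gem_name)
  elsif at_least["1.5.0"]
    message << msg_version("1.5.5", gem_name)
  else
    # Older than 1.5.0: still point at the oldest fixed release, but only with
    # weak confidence (presumably because no fix exists for that line — confirm
    # against the advisory).
    confidence = :weak
    message << msg_version("1.5.5", gem_name)
  end

  # A visible JSON.parse call makes the DoS concrete, so raise the confidence.
  confidence = :high if confidence == :medium && uses_json_parse?

  warn :warning_type => warning_type,
       :warning_code => :CVE_2013_0269,
       :message => message,
       :confidence => confidence,
       :gem_info => gemfile_or_environment(name),
       :link => "https://groups.google.com/d/topic/rubyonrails-security/4_YvCpLzL58/discussion"
end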