Closed jarkko closed 3 years ago
We're getting this with our Rails app, with the brand new loofah 2.10:
```
Confidence: Medium
Category: Cross-Site Scripting
Check: SanitizeMethods
Message: loofah gem 2.10.0 is vulnerable (CVE-2018-8048). Upgrade to 2.2.1
File: Gemfile.lock
Line: 503
```
However, the CVE is from 2018, and 2.10.0 is clearly > 2.2.1. Can it be that the "10" is somehow detected as smaller than "2" (perhaps sorting as a string instead of a number)?
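The string-versus-number hypothesis above can be checked directly. The following is an added example, not code from this issue, from Brakeman or from Loofah: it pulls the pinned loofah version out of a constructed Gemfile.lock fragment and runs the comparison both ways, with plain `String#<` (the suspected bug) and with `Gem::Version` (segment-wise numeric comparison). The `locked_version` and `loofah_vulnerable_by` helper names are assumptions for this example.

```ruby
require "rubygems"

# Constructed Gemfile.lock fragment for the example; not the reporter's lockfile.
GEMFILE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.6)
      loofah (2.10.0)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      nokogiri (1.11.7)
LOCK

# Pull the pinned version of a gem out of the lockfile's specs block.
# Top-level gems are indented by exactly four spaces; dependency lines by six.
def locked_version(lock_text, gem_name)
  m = lock_text.match(/^ {4}#{Regexp.escape(gem_name)} \(([^)]+)\)$/)
  m && m[1]
end

# Suspected buggy check: String#< compares character by character, so
# "2.10.0" sorts before "2.2.1" because "1" < "2" at the third character.
def string_compare_vulnerable?(installed, fixed)
  installed < fixed
end

# Correct check: Gem::Version splits "2.10.0" into [2, 10, 0], so 10 > 2.
def version_compare_vulnerable?(installed, fixed)
  Gem::Version.new(installed) < Gem::Version.new(fixed)
end

# Run both comparisons against the CVE-2018-8048 fix version named in the warning.
def loofah_vulnerable_by(lock_text, fixed = "2.2.1")
  installed = locked_version(lock_text, "loofah")
  return {} unless installed
  {
    string_compare:  string_compare_vulnerable?(installed, fixed),
    version_compare: version_compare_vulnerable?(installed, fixed),
  }
end

if __FILE__ == $PROGRAM_NAME
  p loofah_vulnerable_by(GEMFILE_LOCK)  # {:string_compare=>true, :version_compare=>false}
end
```

The string comparison reproduces the false positive for 2.10.0 while the `Gem::Version` comparison still flags a genuinely old release such as 2.2.0.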
Same issue here
This is an issue with the Loofah version detection in Brakeman: https://github.com/presidentbeef/brakeman/issues/1603. There's a fix waiting to go in here https://github.com/presidentbeef/brakeman/pull/1604
@pezholio Thanks for the pointer, I'll leave this open until that's resolved so folks understand what's going on.
Wait, how the heck did I end up posting this to the loofah issues? I thought the whole time I was in the Brakeman GitHub repo 🙈. Monday mood, indeed.
@jarkko Happens to the best of us!
FWIW - the fix is now in for Brakeman (https://github.com/presidentbeef/brakeman/pull/1607), and a new version has been pushed to RubyGems, so I think this can be closed
Thanks for your patience, everybody!