Flarum 1.6.3 awareness. Unfortunately can't tell it apart from 1.6.2

clarkwinkelmann · clarkwinkelmann · commit 8218770e072c · 2023-01-11T16:10:00.000+01:00
diff --git a/app/FlarumVersion.php b/app/FlarumVersion.php
@@ -34,6 +34,7 @@ class FlarumVersion
     const V1_6_0 = "1.6.0";
     const V1_6_1 = "1.6.1";
     const V1_6_2 = "1.6.2";
+    const V1_6_3 = "1.6.3";
 
     // MD5 hash of the javascript of Flarum core, excluding the sourcemap declaration
     // Obtained through the GetCoreJavascriptHash command
@@ -60,7 +61,7 @@ class FlarumVersion
         '903356c565c82e0d3c6a44e550c425b4' => self::V1_5_0,
         '4135a73e3ffe1b9d0e7116a3e5bca4a3' => self::V1_6_0,
         '702cd2efea1b34a8d7faa0a3bfd00ffc' => self::V1_6_1,
-        '65ca188696b18e8dae09bde8c4153c9a' => self::V1_6_2,
+        '65ca188696b18e8dae09bde8c4153c9a' => [self::V1_6_2, self::V1_6_3],
     ];
 
     public array $adminJavascriptHashes = [
@@ -86,7 +87,7 @@ class FlarumVersion
         'c3f70117d274b204fba315ed6d0d74cf' => self::V1_5_0,
         '230a43eaea321ec606294148f5d1fd5e' => self::V1_6_0,
         '0db372f871bdbb3ad775b47b5ff20125' => self::V1_6_1,
-        '57370588974a1e187c656a3497f78dee' => self::V1_6_2,
+        '57370588974a1e187c656a3497f78dee' => [self::V1_6_2, self::V1_6_3],
     ];
 
     public static function isBeta7(array $versions): bool
diff --git a/app/FlarumVersionGuesser.php b/app/FlarumVersionGuesser.php
@@ -20,6 +20,7 @@ public function guess(string $html, string $bootScript): array
                 FlarumVersion::V1_6_0,
                 FlarumVersion::V1_6_1,
                 FlarumVersion::V1_6_2,
+                FlarumVersion::V1_6_3,
             ];
         }
 
diff --git a/app/Report/RatingAgent.php b/app/Report/RatingAgent.php
@@ -40,21 +40,53 @@ public function rate()
                     // If we're unsure, we won't mark vulnerable
                     // If the list of guest versions is empty, we skip this test, this will happen for forums running a custom build
                     if (count($versions) && count(array_diff($versions, [
+                            // I remember there was a major fix in beta 13 but can't find details
+                            // https://github.com/flarum/framework/security/advisories/GHSA-22m9-m3ww-53h3 Mentions REST
                             FlarumVersion::BETA_7,
                             FlarumVersion::BETA_8,
+
+                            // I remember there was a major fix in beta 13 but can't find details
+                            // https://github.com/flarum/framework/security/advisories/GHSA-3wjh-93gr-chh6 Missing CSRF
+                            // https://github.com/flarum/framework/security/advisories/GHSA-22m9-m3ww-53h3 Mentions REST
                             FlarumVersion::BETA_9,
                             FlarumVersion::BETA_10,
                             FlarumVersion::BETA_11,
                             FlarumVersion::BETA_12,
-                        ])) === 0) {
-                        return true;
-                    }
 
-                    // https://github.com/flarum/framework/security/advisories/GHSA-7x4w-j98p-854x
-                    if (count($versions) && count(array_diff($versions, [
+                            // https://github.com/flarum/framework/security/advisories/GHSA-22m9-m3ww-53h3 Mentions REST
+                            FlarumVersion::BETA_13,
+                            FlarumVersion::BETA_14,
+                            FlarumVersion::BETA_14_1,
+                            FlarumVersion::BETA_15,
+                            FlarumVersion::BETA_16,
+
+                            // https://github.com/flarum/framework/security/advisories/GHSA-5qjq-69w6-fg57 XSS translator
+                            // https://github.com/flarum/framework/security/advisories/GHSA-22m9-m3ww-53h3 Mentions REST
+                            FlarumVersion::V1_0_0,
+                            FlarumVersion::V1_0_1,
+
+                            // https://github.com/flarum/framework/security/advisories/GHSA-22m9-m3ww-53h3 Mentions REST
+                            FlarumVersion::V1_0_2,
+                            FlarumVersion::V1_0_3,
+                            FlarumVersion::V1_0_4,
+                            FlarumVersion::V1_1_0,
+                            FlarumVersion::V1_1_1,
+                            FlarumVersion::V1_2_0,
+                            FlarumVersion::V1_2_1,
+                            FlarumVersion::V1_3_0,
+                            FlarumVersion::V1_3_1,
+                            FlarumVersion::V1_4_0,
+
+                            // https://github.com/flarum/framework/security/advisories/GHSA-7x4w-j98p-854x XSS discussion title
+                            // https://github.com/flarum/framework/security/advisories/GHSA-22m9-m3ww-53h3 Mentions REST
                             FlarumVersion::V1_5_0,
                             FlarumVersion::V1_6_0,
                             FlarumVersion::V1_6_1,
+
+                            // https://github.com/flarum/framework/security/advisories/GHSA-22m9-m3ww-53h3 Mentions REST
+                            // https://github.com/flarum/framework/security/advisories/GHSA-8gcg-vwmw-rxj4 Notifications leak
+                            // https://github.com/flarum/framework/security/advisories/GHSA-hph3-hv3c-7725 First post deleted
+                            FlarumVersion::V1_6_2,
                         ])) === 0) {
                         return true;
                     }
diff --git a/tests/Unit/FlarumVersionGuesserTest.php b/tests/Unit/FlarumVersionGuesserTest.php
@@ -540,6 +540,7 @@ function testV140Typical()
             FlarumVersion::V1_6_0,
             FlarumVersion::V1_6_1,
             FlarumVersion::V1_6_2,
+            FlarumVersion::V1_6_3,
         ], $this->guesser->guess($html, $html));
     }
 
@@ -553,6 +554,7 @@ function testV150Typical()
             FlarumVersion::V1_6_0,
             FlarumVersion::V1_6_1,
             FlarumVersion::V1_6_2,
+            FlarumVersion::V1_6_3,
         ], $this->guesser->guess($html, $html));
     }
 
@@ -566,6 +568,7 @@ function testV162Typical()
             FlarumVersion::V1_6_0,
             FlarumVersion::V1_6_1,
             FlarumVersion::V1_6_2,
+            FlarumVersion::V1_6_3,
         ], $this->guesser->guess($html, $html));
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,7 @@ public function guess(string $html, string $bootScript): array`
`20`	`20`	`FlarumVersion::V1_6_0,`
`21`	`21`	`FlarumVersion::V1_6_1,`
`22`	`22`	`FlarumVersion::V1_6_2,`
	`23`	`+ FlarumVersion::V1_6_3,`
`23`	`24`	`];`
`24`	`25`	`}`
`25`	`26`
Original file line number	Diff line number	Diff line change
`@@ -540,6 +540,7 @@ function testV140Typical()`
`540`	`540`	`FlarumVersion::V1_6_0,`
`541`	`541`	`FlarumVersion::V1_6_1,`
`542`	`542`	`FlarumVersion::V1_6_2,`
	`543`	`+ FlarumVersion::V1_6_3,`
`543`	`544`	`], $this->guesser->guess($html, $html));`
`544`	`545`	`}`
`545`	`546`
`@@ -553,6 +554,7 @@ function testV150Typical()`
`553`	`554`	`FlarumVersion::V1_6_0,`
`554`	`555`	`FlarumVersion::V1_6_1,`
`555`	`556`	`FlarumVersion::V1_6_2,`
	`557`	`+ FlarumVersion::V1_6_3,`
`556`	`558`	`], $this->guesser->guess($html, $html));`
`557`	`559`	`}`
`558`	`560`
`@@ -566,6 +568,7 @@ function testV162Typical()`
`566`	`568`	`FlarumVersion::V1_6_0,`
`567`	`569`	`FlarumVersion::V1_6_1,`
`568`	`570`	`FlarumVersion::V1_6_2,`
	`571`	`+ FlarumVersion::V1_6_3,`
`569`	`572`	`], $this->guesser->guess($html, $html));`
`570`	`573`	`}`
`571`	`574`	`}`