arachni 0.3 → 0.4

data/ACKNOWLEDGMENTS.md

@@ -10,5 +10,5 @@ I’d like to thank:
 
 for allowing me to test Arachni against their websites during the early stages of development.
 
-All the people on [GitHub](http://github.com/Zapotek/arachni/issues) 
+All the people on [GitHub](http://github.com/Zapotek/arachni/issues)
 that have submitted bugs and given constructive feedback.

data/CHANGELOG.md

@@ -1,6 +1,152 @@
 
 # ChangeLog
 
+## Version 0.4 _(January 7, 2012)_
+- RPC Infrastructure (**New**)
+   - Dispatcher
+      - Dispatchers can now be connected to form a High Performance Grid and share scan workloads.
+      - Users can now specify a range of ports to be used for spawned Instances. [Issue #76]
+      - Now checks for signal availability before using <em>trap()</em>. (**New**) [Issue #71]
+      - Now uses Windows compliant filenames for the logs. (**New**) [Issue #70]
+   - Ruby's XMLRPC libraries have been replaced by <a href="https://github.com/Arachni/arachni-rpc">Arachni-RPC</a>,
+    a light-weight and high-performance custom client/server RPC implementation.
+- Added <em>extras</em> directory holding components that are considered too specialised, dangerous or in some way unsuitable for
+    utilising without explicit user interaction. (**New**)
+    - Modules
+       - Recon
+          - SVN Digger dirs -- Finds directories, based on wordlists created from open source repositories (Herman Stevens)
+          - SVN Digger files -- Finds files, based on wordlists created from open source repositories (Herman Stevens)
+          - RAFT dirs (Herman Stevens)
+          - RAFT files (Herman Stevens)
+- Framework
+   - <em>stats()</em>
+      - Fixed bug that caused the <em>current_page</em> to not be refreshed during timing attacks.
+      - Fixed bug that caused a less than 100% progress at the end of scans. [Issue #86]
+      - If the crawler is limited by link-count it will be taken under consideration.
+   - Significantly reduced memory footprint by re-scheduling the consumption of Trainer generated pages.
+- User Interfaces
+   - WebUI
+      - Sinatra
+         - Updated to use the light-weight and high-performance <a href="http://code.macournoyer.com/thin/">Thin</a> server.
+         - Added <a href="https://github.com/raggi/async_sinatra">async_sinatra</a> to allow for asynchronous responses. (**New**)
+      - Added support for HTTP Basic Auth (**New**)
+      - Updated screens to provide access to HPG (High Performance Grid) features:
+         - Home
+            - Added option to enable HPG mode on a per scan basis (**New**)
+         - Dispatchers
+            - Added node information (Nickname, Pipe ID, Weight, Cost). (**New**)
+            - Added neighbour inspection per dispatcher. (**New**)
+            - Added log inspection per dispatcher. (**New**)
+            - Improved accuracy of instance statuses.
+            - Added percentages for memory and CPU usage per instance. (**New**)
+         - Instance (scan management)
+            - Provides an average of all stats of scanner instances. (**New**)
+            - Added per instance progress bars. (**New**)
+            - Added per instance statuses. (**New**)
+            - Added est. remaining time. (**New**)
+         - Settings
+            - Added proxy settings. [Issue #74] (**New**)
+            - Added settings for restrict and extend paths options. (**New**)
+      - Fixed small typo in "Settings" screen. [Issue #62]
+      - Reports -- AFR report is now served straight-up to avoid corruption. [Issue #55]
+      - Add-ons -- Updated to use the new async libraries.
+      - Added help buttons. (**New**)
+   - CLI
+      - Improved interrupt handler:
+         - It now exits in a cleaner fashion and is more obedient.
+         - Added est. remaining time. (**New**)
+         - Added progressbar. (**New**)
+- HTTP client
+   - Added support for including custom headers. [Issue #90] (**New**)
+   - Refactored in order for all methods to use <em>request()</em>.
+   - Bug-fixed cookie preservation.
+- Spider
+   - spider-first option removed and set to true by default.
+   - Added "--depth" parameter. (**New**)
+   - Fixed incorrect implementation of the inclusion filters.
+   - Now follows "Location" headers directly and bypasses the trainer.
+   - Added support for extending the crawl scope with a file that contains newline separated URLs. (**New**) [Issue #67]
+   - Added support for restricting the crawl scope with a file that contains newline separated URLs. (**New**)
+   - Made more resilient against malformed/non-standard URLs. [Issue #57]
+- Parser
+   - Encoded URLs with fragments right after the host caused URI.parse to fail. [Issue #66]
+   - Auditable elements
+      - If there are 2 or more password fields in a form an extra variation is added with
+        the same inputs for all passwords in case it's a 'please repeat your password' thing. (**New**) [Issue #59]
+- Plugins
+   - API -- Added <code>distributable?()</code> and <code>merge()</code> class methods which declare
+        if a plug-in can be distributed to all instances when running in Grid mode and merge an array of its own results respectively.
+      - Distributable plug-ins:
+         - Content-Types
+         - Cookie collector
+         - Healthmap
+         - Profiler
+         - AutoThrottle
+   - Profiler -- Removed response time logging and moved it to <em>defaults</em>.
+   - Proxy -- Fixed bug which caused some headers not to be forwarded. [Issue #64]
+   - Discovery (accompanied by appropriate report formatters). (**New**) [Issue #81]
+      - Performs anomaly detection on issues logged by discovery modules and warns of the possibility of false positives where applicable.
+   - Added the 'defaults' subdirectory which contains plug-ins that should be loaded by default.
+   - Added: (**New**)
+      - ReScan -- It uses the AFR report of a previous scan to extract the sitemap in order to avoid a redundant crawl.
+      - BeepNotify -- Beeps when the scan finishes.
+      - LibNotify -- Uses the libnotify library to send notifications for each discovered issue and a summary at the end of the scan.
+      - EmailNotify -- Sends a notification (and optionally a report) over SMTP at the end of the scan.
+      - Manual verification -- Flags issues that require manual verification as untrusted in order to reduce the signal-to-noise ratio.
+      - Resolver -- Resolves vulnerable hostnames to IP addresses.
+- Reports
+   - HTML report
+      - Fixed replay forms to include URL params in the <em>action</em> attribute. [Issue #73]
+      - Refactored and broken into erb partials.
+      - Organised subsections into tabs. (**New**)
+      - HTML responses of logged Issues are now rendered on-demand. [Issue #88]
+      - Added graph showing issue trust totals. (**New**)
+      - The main issue graph shows trusted and untrusted issues in 2 different series.
+      - ALl JavaScript and CSS code is now included in the report for off-line viewing.
+      - Removed manual-verification piechart, obsoleted by the trust chart.
+      - Replaced Highcharts with jqPlot due to licensing reasons.
+      - Removed false-positive reporting -- was causing segfaults on Mac OSX. [Issue #126]
+   - Added (**New**)
+      - JSON -- Exports the audit results as a JSON serialized Hash.
+      - Marshal -- Exports the audit results as a Marshal serialized Hash.
+      - YAML -- Exports the audit results as a YAML serialized Hash.
+- Heeded Ruby's warnings (<em>ruby -w</em>).
+- Modules
+   - API
+      - Auditor
+         - Added helper methods for checking the existence of remote files and directories. (**New**)
+         - Added helper methods for issue logging. (**New**)
+   - Refactored modules replacing duplicate code with the new helper methods.
+   - Audit
+      - XSS -- Updated to actually inject an element, parse the HTML response and
+        look for that element before logging in order to eliminate false positives. [Issue #59]
+      - Path traversal -- Fixed broken regular expressions
+      - SQL Injection -- Fixed broken regular expressions
+      - XSS Path -- Updated to verify the injection using HTML parsing
+      - XSS URI -- Made obsolete and will be removed from future releases -- loads and runs XSS Path instead.
+   - Recon
+      - Added MixedResource detection module (<a href="http://googleonlinesecurity.blogspot.com/2011/06/trying-to-end-mixed-scripting.html">Reference</a>) (**New**) [Issue #56]
+- Meta-Modules
+   - Have all been converted to regular plug-ins in order to make distribution across the Grid easier.
+- Dependencies
+   - Added
+      - Arachni-RPC
+      - EventMachine
+      - EM Synchrony
+      - AsyncSinatra
+   - Updated
+      - Typhoeus => 0.3.3
+      - Sys-proctable => 0.9.1
+      - Nokogiri => 1.5.0
+      - Sinatra => 1.3.1
+      - Datamapper => 1.1.0
+      - Json => 1.6.1
+      - Datamapper SQLite adapter => 1.1.0
+      - Net-SSH => 2.2.1
+   - Removed
+      - Rack-CSRF
+      - JSON (Provided by DataMapper)
+
 ## Version 0.3 _(July 26, 2011)_
 - HTTP client
    - Fixed race condition in timeout options.

data/CONTRIBUTORS.md

@@ -7,5 +7,6 @@ These are the people that helped improve Arachni either by submitting code, sugg
 - [Brandon Potter](mailto:bpotter8705@gmail.com) for the original "arachni_web_autostart" script
 - [Steve Pinkham](http://github.com/spinkham) for beta testing and patches.
 - [Aung Khant](mailto:aungkhant@yehg.net) for general suggestions.
+- [Herman Stevens](mailto:herman@astyran.com) for contributing recon modules.
 
 A big thanks to my buddy [Andreas](mailto:rainmakergr@gmail.com) for the original spider drawing used in the project graphics.

data/HACKING.md

@@ -90,9 +90,9 @@ power to work with.
 
 ## Creating New Plug-ins
 
-Unlike the two previous types of components plug-ins are demi-gods.
-Each plug-in is passed the instance of the running framework to do with it what it pleases.
-Via the framework they have access to all Arachni subsystems and can alter or extend Arachni's behavior on the fly.
+Unlike the two previous types of components plug-ins are demi-gods.<br/>
+Each plug-in is passed the instance of the running framework to do with it what it pleases.<br/>
+Via the framework they have access to all Arachni subsystems and can alter or extend Arachni's behavior on the fly.<br/>
 Plug-ins run in parallel to the framework and are executed right before the scan process starts.
 
 ## Licensing

data/README.md

@@ -2,7 +2,7 @@
 <table>
     <tr>
         <th>Version</th>
-        <td>0.3</td>
+        <td>0.4</td>
     </tr>
     <tr>
         <th>Homepage</th>
@@ -29,7 +29,7 @@
     </tr>
     <tr>
        <th>Author</th>
-       <td><a href="mailto:tasos.laskos@gmail.com">Tasos</a> <a href="mailto:zapotek@segfault.gr">Zapotek</a> <a href="mailto:tasos.laskos@gmail.com">Laskos</a></td>
+       <td><a href="mailto:tasos.laskos@gmail.com">Tasos Laskos</a></td>
     </tr>
     <tr>
         <th>Twitter</th>
@@ -37,7 +37,7 @@
     </tr>
     <tr>
         <th>Copyright</th>
-        <td>2010-2011</td>
+        <td>2010-2012 Tasos Laskos</td>
     </tr>
     <tr>
         <th>License</th>
@@ -47,23 +47,24 @@
 
 ![Arachni logo](http://zapotek.github.com/arachni/logo.png)
 
-Kindly sponsored by: [![NopSec](http://zapotek.github.com/arachni/nopsec_logo.png)](http://www.nopsec.com)
-
-Help by donating:
-[![Click here to lend your support to: Arachni - Web Application Security Scanner Framework and make a donation at www.pledgie.com!](http://pledgie.com/campaigns/14482.png)](http://www.pledgie.com/campaigns/14482)
-
 ## Synopsis
 
 Arachni is a feature-full, modular, high-performance Ruby framework aimed towards helping
 penetration testers and administrators evaluate the security of web applications.
 
-Arachni is smart, it trains itself by learning from the HTTP responses it receives during the audit process.<br/>
-Unlike other scanners, Arachni takes into account the dynamic nature of web applications and can detect changes caused while travelling<br/>
-through the paths of a web application's cyclomatic complexity.<br/>
+Arachni is smart, it trains itself by learning from the HTTP responses it receives during the audit process and
+is able to perform meta-analysis using a number of factors in order to correctly assess the trustworthiness of results and intelligently identify false-positives.
+
+Unlike other scanners, it takes into account the dynamic nature of web applications, can detect changes caused while travelling<br/>
+through the paths of a web application's cyclomatic complexity and is able to adjust itself accordingly.<br/>
 This way attack/input vectors that would otherwise be undetectable by non-humans are seamlessly handled by Arachni.
 
-Finally, Arachni yields great performance due to its asynchronous HTTP  model (courtesy of [Typhoeus](https://github.com/pauldix/typhoeus)).<br/>
-Thus, you'll only be limited by the responsiveness of the server under audit and your available bandwidth.
+Moreover, Arachni yields great performance due to its asynchronous HTTP model (courtesy of [Typhoeus](https://github.com/pauldix/typhoeus)) --
+especially when combined with a High Performance Grid setup which allows you to combine the resources of multiple nodes for lightning fast scans.<br/>
+Thus, you'll only be limited by the responsiveness of the server under audit.
+
+Finally, it is versatile enough to cover a great deal of use cases,
+ranging from a simple command line scanner utility, to a global high performance grid of scanners, to a Ruby library allowing for scripted audits.
 
 **Note**: _Despite the fact that Arachni is mostly targeted towards web application security, it can easily be used for general purpose scraping, data-mining, etc with the addition of custom modules._
 
@@ -85,7 +86,8 @@ From a user's or a component developer's point of view everything appears simple
 
 ### General
 
- - Cookie-jar support
+ - Cookie-jar support.
+ - Custom header support.
  - SSL support.
  - User Agent spoofing.
  - Proxy support for SOCKS4, SOCKS4A, SOCKS5, HTTP/1.1 and HTTP/1.0.
@@ -94,16 +96,16 @@ From a user's or a component developer's point of view everything appears simple
  - Highlighted command line output.
  - UI abstraction:
     - Command line UI
-    - Web UI (Utilizing the Client - Dispatch-server XMLRPC architecture)
-    - XMLRPC Client/Dispatch server
-       - Centralised deployment
-       - Multiple clients
-       - Parallel scans
-       - SSL encryption
-       - SSL cert based client authentication
-       - Remote monitoring
+    - Web UI (Utilizing the Client - Dispatcher RPC infrastructure)
  - Pause/resume functionality.
  - High performance asynchronous HTTP requests.
+ - Open [RPC](https://github.com/Zapotek/arachni/wiki/RPC-API) Client/Dispatcher Infrastructure
+    - Distributed deployment
+    - Multiple clients
+    - Parallel scans
+    - SSL encryption (with peer authentication)
+    - Remote monitoring
+    - Support for [High Performance Grid](https://github.com/Zapotek/arachni/wiki/RPC-server#wiki-grid) configuration, combining the resources of multiple nodes to perform fast scans.
 
 ### Website Crawler
 
@@ -114,6 +116,7 @@ From a user's or a component developer's point of view everything appears simple
  - Adjustable link count limit.
  - Adjustable redirect limit.
  - Modular path extraction via "Path Extractor" components.
+ - Can read paths from multiple user supplied files (to both restrict and extend the scope of the crawl).
 
 ### HTML Parser
 
@@ -174,6 +177,13 @@ The analyzer can graciously handle badly written HTML code due to a combination
         - E-mail address disclosure
         - US Social Security Number disclosure
         - Forceful directory listing
+        - Mixed Resource/Scripting
+    - Extras
+        - SVN Digger dirs
+        - SVN Digger files
+        - RAFT dirs
+        - RAFT files
+
 
 ### Report Management
 
@@ -183,8 +193,11 @@ The analyzer can graciously handle badly written HTML code due to a combination
     - HTML (Cheers to [Christos Chiotis](mailto:chris@survivetheinternet.com) for designing the new HTML report template.)
     - XML
     - TXT
-    - YAML serialization
-    - Metareport (providing Metasploit integration to allow for [automated and assisted exploitation](http://zapotek.github.com/arachni/file.EXPLOITATION.html))
+    - AFR -- The default Arachni Framework Report format.
+    - JSON
+    - Marshal
+    - YAML
+    - Metareport -- Providing Metasploit integration to allow for [automated and assisted exploitation](http://zapotek.github.com/arachni/file.EXPLOITATION.html).
 
 ### Plug-in Management
 
@@ -192,6 +205,7 @@ The analyzer can graciously handle badly written HTML code due to a combination
  - Plug-ins are framework demi-gods, they have direct access to the framework instance.
  - Can be used to add any functionality to Arachni.
  - Currently available plugins:
+    - ReScan -- It uses the AFR report of a previous scan to extract the sitemap in order to avoid a redundant crawl.
     - Passive Proxy -- Analyzes requests and responses between the web app and the browser assisting in AJAX audits, logging-in and/or restricting the scope of the audit
     - Form based AutoLogin
     - Dictionary attacker for HTTP Auth
@@ -201,11 +215,17 @@ The analyzer can graciously handle badly written HTML code due to a combination
     - Healthmap -- Generates sitemap showing the health of each crawled/audited URL
     - Content-types -- Logs content-types of server responses aiding in the identification of interesting (possibly leaked) files
     - WAF (Web Application Firewall) Detector -- Establishes a baseline of normal behavior and uses rDiff analysis to determine if malicious inputs cause any behavioral changes
-    - MetaModules -- Loads and runs high-level meta-analysis modules pre/mid/post-scan
-       - AutoThrottle -- Dynamically adjusts HTTP throughput during the scan for maximum bandwidth utilization
-       - TimeoutNotice -- Provides a notice for issues uncovered by timing attacks when the affected audited pages returned unusually high response times to begin with.</br>
-            It also points out the danger of DoS attacks against pages that perform heavy-duty processing.
-       - Uniformity -- Reports inputs that are uniformly vulnerable across a number of pages hinting to the lack of a central point of input sanitization.
+    - AutoThrottle -- Dynamically adjusts HTTP throughput during the scan for maximum bandwidth utilization
+    - TimingAttacks -- Provides a notice for issues uncovered by timing attacks when the affected audited pages returned unusually high response times to begin with.</br>
+         It also points out the danger of DoS attacks against pages that perform heavy-duty processing.
+    - Uniformity -- Reports inputs that are uniformly vulnerable across a number of pages hinting to the lack of a central point of input sanitization.
+    - Discovery -- Performs anomaly detection on issues logged by discovery modules and warns of the possibility of false positives where applicable.
+    - BeepNotify -- Beeps when the scan finishes.
+    - LibNotify -- Uses the libnotify library to send notifications for each discovered issue and a summary at the end of the scan.
+    - EmailNotify -- Sends a notification (and optionally a report) over SMTP at the end of the scan.
+    - Manual verification -- Flags issues that require manual verification as untrusted in order to reduce the signal-to-noise ratio.
+    - Resolver -- Resolves vulnerable hostnames to IP addresses.
+
 
 ### Trainer subsystem
 
@@ -216,51 +236,63 @@ However, this is usually not required since Arachni is aware of which requests a
 
 Still, this can be an invaluable asset to Fuzzer modules.
 
-## Usage
-
-### [WebUI](https://github.com/Zapotek/arachni/wiki/Web-user-interface)
-
-
-### [Command line interface](https://github.com/Zapotek/arachni/wiki/Command-line-user-interface)
-
-## Installation
+## [Installation](https://github.com/Zapotek/arachni/wiki/Installation)
 
 ### CDE packages for Linux
 
-<del>Arachni is released as [CDE packages](http://stanford.edu/~pgbovine/cde.html) for your convinience.<br/>
+Arachni is released as [CDE packages](http://stanford.edu/~pgbovine/cde.html) for your convinience.<br/>
 CDE packages are self contained and thus alleviate the need for Ruby and other dependencies to be installed or root access.<br/>
 You can download the latest CDE package from the [download](https://github.com/Zapotek/arachni/downloads) page and escape the dependency hell.<br/>
-If you decide to go the CDE route you can skip the rest, you're done.</del>
-
-Due to some incompatibility this release does not have a CDE package yet.
+If you decide to go the CDE route you can skip the rest, you're done.
 
 ### Gem
 
 To install the Gem or work with the source code you'll also need the following system libraries:
 
-    $ sudo apt-get install libxml2-dev libxslt1-dev libcurl4-openssl-dev libsqlite3-dev
+    sudo apt-get install libxml2-dev libxslt1-dev libcurl4-openssl-dev libsqlite3-dev
 
-You will also need to have Ruby 1.9.2 installed *including* the dev package/headers.<br/>
-The prefered ways to accomplish this is by either using [RVM](http://rvm.beginrescueend.com/) or by downloading and compiling the source code for [Ruby 1.9.2](http://www.ruby-lang.org/en/downloads/) manually.
+You will also need to have Ruby 1.9.2 (or later) installed *including* the dev package/headers.<br/>
+The prefered ways to accomplish this is by either using [RVM](http://rvm.beginrescueend.com/) or by downloading and compiling the source code for [Ruby](http://www.ruby-lang.org/en/downloads/) manually.
 
 
 To install Arachni:
 
-    $ gem install arachni
+    gem install arachni
 
 ### Source
 
 If you want to clone the repository and work with the source code then you'll need to run the following to install all gem dependencies and Arachni:
 
-    $ rake install
+    git clone git://github.com/Zapotek/arachni.git
+    cd arachni
+    rake install
+
+
+### [Windows -- under Cygwin](https://github.com/Zapotek/arachni/wiki/Installation)
+
+
+## Usage
+
+### [Command line interface](https://github.com/Zapotek/arachni/wiki/Command-line-user-interface)
+
+### [WebUI](https://github.com/Zapotek/arachni/wiki/Web-user-interface)
+
+### [Starting a Dispatcher](https://github.com/Zapotek/arachni/wiki/RPC-server)
+
+
+## Configuration of <em>extras</em>
+
+The <em>extras</em> directory holds components that are considered too specialised, dangerous or in some way unsuitable for utilising without explicit user interaction. <br/>
+This directory was mainly added to distribute modules which can be helpful but should not be put in the default <em>modules</em> directory to prevent them from being
+automatically loaded.
 
+Should you want to use these extra components simply move them from the <em>extras</em> folder to their appropriate system directories.
 
 ## Supported platforms
 
-Arachni should work on all *nix and POSIX compliant platforms with Ruby
-and the aforementioned requirements.
+Arachni should work on all *nix and POSIX compliant platforms with Ruby and the aforementioned requirements.
 
-Windows users should run Arachni in Cygwin.
+Windows users can run Arachni in Cygwin by following these [instructions](https://github.com/Zapotek/arachni/wiki/Installation).
 
 ## Bug reports/Feature requests
 Please send your feedback using Github's issue system at

data/Rakefile

@@ -1,6 +1,6 @@
 =begin
                   Arachni
-  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+  Copyright (c) 2010-2012 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
 
   This is free software; you can copy and distribute and modify
   this program under the term of the GPL v2.0 License
@@ -8,6 +8,8 @@
 
 =end
 
+require File.expand_path( File.dirname( __FILE__ ) ) + '/lib/arachni/version'
+
 desc "Generate docs"
 
 task :docs do
@@ -54,11 +56,15 @@ desc "Cleaning report and log files."
 task :clean do
 
     sh "rm *.afr || true"
+    sh "rm *.yaml || true"
+    sh "rm *.json || true"
+    sh "rm *.marshal || true"
     sh "rm *.gem || true"
-    sh "rm logs/XMLRPC* || true"
-    sh "rm lib/ui/web/server/db/log.db || true"
-    sh "rm lib/ui/web/server/db/default.db || true"
-    sh "rm lib/ui/web/server/db/welcomed || true"
+    sh "rm logs/*.log || true"
+    sh "rm lib/arachni/ui/web/server/db/*.* || true"
+    sh "rm lib/arachni/ui/web/server/db/welcomed || true"
+    sh "rm lib/arachni/ui/web/server/public/reports/*.* || true"
+    sh "rm lib/arachni/ui/web/server/tmp/*.* || true"
 end
 
 
@@ -67,9 +73,6 @@ end
 #
 desc "Build the arachni gem."
 task :build  => [ :clean ] do
-
-    require File.expand_path( File.dirname( __FILE__ ) ) + '/lib/arachni'
-
     sh "gem build arachni.gemspec"
 end
 
@@ -79,9 +82,6 @@ end
 #
 desc "Build and install the arachni gem."
 task :install  => [ :build ] do
-
-    require File.expand_path( File.dirname( __FILE__ ) ) + '/lib/arachni'
-
     sh "gem install arachni-#{Arachni::VERSION}.gem"
 end
 
@@ -91,8 +91,5 @@ end
 #
 desc "Push a new version to Gemcutter"
 task :publish => [ :build ] do
-
-    require File.expand_path( File.dirname( __FILE__ ) ) + '/lib/arachni'
-
     sh "gem push arachni-#{Arachni::VERSION}.gem"
 end