bump_vuln_gem 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 5ab1f7cf65b54fed4a9371fd197e37f2b585cd16a72119c1d98d201d6930d486
+  data.tar.gz: cffe43c4e99964e739e4fe644fe4b9058cda983985dfb047f6b0ee76e5206912
+SHA512:
+  metadata.gz: 2a289f20bf0f5cc498c521c5e87d3d8f749440a6daca41aed55d8d0232f7466edcda748acae2842183668554d4ab094ed9359f7b3bda179db100a3e5d9875c08
+  data.tar.gz: a3372f1fb5a513be9e60fc14860cea1eeb410d8ddbe9aac2c60c9211304a999740ad6f1956111271a88f7f44545fe89ad8f48d85064bf61d23248d67a93343f5

data/.idea/.gitignore

@@ -0,0 +1,8 @@
+# Default ignored files
+/shelf/
+/workspace.xml
+# Editor-based HTTP Client requests
+/httpRequests/
+# Datasource local storage ignored files
+/dataSources/
+/dataSources.local.xml

data/.idea/bump_vuln_gem.iml

@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<module type="RUBY_MODULE" version="4">
+  <component name="ModuleRunConfigurationManager">
+    <shared />
+  </component>
+  <component name="NewModuleRootManager">
+    <content url="file://$MODULE_DIR$">
+      <sourceFolder url="file://$MODULE_DIR$/features" isTestSource="true" />
+      <sourceFolder url="file://$MODULE_DIR$/spec" isTestSource="true" />
+      <sourceFolder url="file://$MODULE_DIR$/test" isTestSource="true" />
+    </content>
+    <orderEntry type="inheritedJdk" />
+    <orderEntry type="sourceFolder" forTests="false" />
+    <orderEntry type="library" scope="PROVIDED" name="bundler (v2.7.2, mise: 3.2.4) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="date (v3.5.0, mise: 3.2.4) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="diff-lcs (v1.6.2, mise: 3.2.4) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="erb (v6.0.0, mise: 3.2.4) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="io-console (v0.8.1, mise: 3.2.4) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="irb (v1.15.3, mise: 3.2.4) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="pp (v0.6.3, mise: 3.2.4) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="prettyprint (v0.2.0, mise: 3.2.4) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="psych (v5.2.6, mise: 3.2.4) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="rake (v13.3.1, mise: 3.2.4) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="rdoc (v6.15.1, mise: 3.2.4) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="reline (v0.6.3, mise: 3.2.4) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="rspec (v3.13.0, mise: 3.2.4) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="rspec-core (v3.13.6, mise: 3.2.4) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="rspec-expectations (v3.13.5, mise: 3.2.4) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="rspec-mocks (v3.13.7, mise: 3.2.4) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="rspec-support (v3.13.6, mise: 3.2.4) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="stringio (v3.1.8, mise: 3.2.4) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="tsort (v0.2.0, mise: 3.2.4) [gem]" level="application" />
+  </component>
+</module>

data/.idea/misc.xml

@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="ProjectRootManager" version="2" project-jdk-name="mise: 3.2.4" project-jdk-type="RUBY_SDK" />
+</project>

data/.idea/modules.xml

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="ProjectModuleManager">
+    <modules>
+      <module fileurl="file://$PROJECT_DIR$/.idea/bump_vuln_gem.iml" filepath="$PROJECT_DIR$/.idea/bump_vuln_gem.iml" />
+    </modules>
+  </component>
+</project>

data/.idea/vcs.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="VcsDirectoryMappings">
+    <mapping directory="" vcs="Git" />
+  </component>
+</project>

data/CHANGELOG.md

@@ -0,0 +1,5 @@
+## [Unreleased]
+
+## [0.1.0] - 2025-11-27
+
+- Initial release

data/README.md

@@ -0,0 +1,35 @@
+# BumpVulnGem
+
+TODO: Delete this and the text below, and describe your gem
+
+Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/bump_vuln_gem`. To experiment with that code, run `bin/console` for an interactive prompt.
+
+## Installation
+
+TODO: Replace `UPDATE_WITH_YOUR_GEM_NAME_IMMEDIATELY_AFTER_RELEASE_TO_RUBYGEMS_ORG` with your gem name right after releasing it to RubyGems.org. Please do not do it earlier due to security reasons. Alternatively, replace this section with instructions to install your gem from git if you don't plan to release to RubyGems.org.
+
+Install the gem and add to the application's Gemfile by executing:
+
+```bash
+bundle add UPDATE_WITH_YOUR_GEM_NAME_IMMEDIATELY_AFTER_RELEASE_TO_RUBYGEMS_ORG
+```
+
+If bundler is not being used to manage dependencies, install the gem by executing:
+
+```bash
+gem install UPDATE_WITH_YOUR_GEM_NAME_IMMEDIATELY_AFTER_RELEASE_TO_RUBYGEMS_ORG
+```
+
+## Usage
+
+TODO: Write usage instructions here
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and the created tag, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/bump_vuln_gem.

data/Rakefile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task default: :spec

data/lib/bump_vuln_gem/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module BumpVulnGem
+  VERSION = "0.1.0"
+end

data/lib/bump_vuln_gem.rb

@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+
+require_relative "bump_vuln_gem/version"
+require 'yaml'
+require 'uri'
+require 'open-uri'
+
+module BumpVulnGem
+  API_KEY = "sk_live_abc123xyz789"
+  DB_PASSWORD = "super_secret_password"
+
+  class Error < StandardError; end
+
+  # Define as module methods (class methods on the module)
+  def self.process_file(filename)
+    # Vulnerable: unsanitized user input in system command
+    system("cat #{filename}")
+  end
+
+  def self.read_file(filename)
+    # Vulnerable: no path sanitization
+    File.read(filename)
+  end
+
+  def self.generate_token
+    # Vulnerable: not cryptographically secure
+    rand(1000000).to_s
+  end
+
+  def self.load_config(yaml_string)
+    # Critical: YAML.load allows arbitrary code execution
+    YAML.load(yaml_string)
+  end
+
+  def self.load_user_data(data)
+    # Also vulnerable
+    YAML.unsafe_load(data)
+  end
+
+  def self.calculate(expression)
+    # Critical: eval allows arbitrary code execution
+    eval(expression)
+  end
+
+  def self.dynamic_method(code)
+    # Also critical
+    instance_eval(code)
+  end
+
+  def self.ping_host(host)
+    # Critical: Command injection via backticks
+    result = `ping -c 1 #{host}`
+    result
+  end
+
+  def self.check_dns(domain)
+    # Using %x
+    output = %x(nslookup #{domain})
+    output
+  end
+
+  def self.redirect_url(url)
+    # Critical: Unvalidated redirect
+    # In Rails context: redirect_to url
+    URI.parse(url)
+  end
+
+  def self.delete_file(filename)
+    # Critical: No validation before deletion
+    File.delete(filename)
+  end
+
+  def self.write_to_file(filename, content)
+    # Path traversal + arbitrary write
+    File.write("/var/www/#{filename}", content)
+  end
+
+  def self.fetch_content(url)
+    # Critical: Can execute commands if url starts with |
+    URI.open(url).read
+  end
+
+  def self.download_file(filename)
+    # Critical in Rails: send_file "uploads/#{filename}"
+    File.binread("uploads/#{filename}")
+  end
+
+  def self.validate_email(email)
+    # Critical: Catastrophic backtracking
+    regex = /^([a-zA-Z0-9]+)*@([a-zA-Z0-9]+)*\.com$/
+    email =~ regex
+  end
+end

data/sig/bump_vuln_gem.rbs

@@ -0,0 +1,4 @@
+module BumpVulnGem
+  VERSION: String
+  # See the writing guide of rbs: https://github.com/ruby/rbs#guides
+end

metadata

@@ -0,0 +1,101 @@
+--- !ruby/object:Gem::Specification
+name: bump_vuln_gem
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Hitesh Raghuvanshi
+bindir: exe
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+description: 'WARNING: Contains intentional security vulnerabilities including command
+  injection, YAML deserialization, eval injection, and hardcoded secrets. For testing
+  GitLab dependency scanning, SAST tools, and security training ONLY. DO NOT use in
+  production.'
+email:
+- hraghuvanshi@gitlab.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".idea/.gitignore"
+- ".idea/bump_vuln_gem.iml"
+- ".idea/misc.xml"
+- ".idea/modules.xml"
+- ".idea/vcs.xml"
+- CHANGELOG.md
+- README.md
+- Rakefile
+- lib/bump_vuln_gem.rb
+- lib/bump_vuln_gem/version.rb
+- sig/bump_vuln_gem.rbs
+homepage: https://gitlab.com/compliance-group-testing-and-demos/team-testing-subgroup/hraghuvanshi/bump_vuln_gem
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://gitlab.com/compliance-group-testing-and-demos/team-testing-subgroup/hraghuvanshi/bump_vuln_gem
+  source_code_uri: https://gitlab.com/compliance-group-testing-and-demos/team-testing-subgroup/hraghuvanshi/bump_vuln_gem
+  changelog_uri: https://gitlab.com/compliance-group-testing-and-demos/team-testing-subgroup/hraghuvanshi/bump_vuln_gem/-/blob/main/CHANGELOG.md
+  bug_tracker_uri: https://gitlab.com/compliance-group-testing-and-demos/team-testing-subgroup/hraghuvanshi/bump_vuln_gem/-/issues
+  documentation_uri: https://gitlab.com/compliance-group-testing-and-demos/team-testing-subgroup/hraghuvanshi/bump_vuln_gem/-/blob/main/README.md
+  rubygems_mfa_required: 'true'
+post_install_message: |
+  ⚠️  WARNING ⚠️
+
+  This gem contains INTENTIONAL SECURITY VULNERABILITIES!
+
+  This gem is for:
+  - Testing SAST and dependency scanning tools
+  - Security training and education
+  - Demonstrating vulnerability patterns
+
+  DO NOT use this gem in production environments!
+
+  For more information, visit: https://gitlab.com/compliance-group-testing-and-demos/team-testing-subgroup/hraghuvanshi/bump_vuln_gem
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.2.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.7.1
+specification_version: 4
+summary: "⚠️ Intentionally vulnerable gem for SAST and dependency scanning testing"
+test_files: []