bundler-audit 0.1.0 → 0.1.1

data/.document CHANGED
@@ -1,3 +1,3 @@
1
1
  -
2
2
  ChangeLog.md
3
- LICENSE.txt
3
+ COPYING.txt
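Review bot: swapping `LICENSE.txt` for `COPYING.txt` in `.document` is a license change, not just a rename, and it is not recorded anywhere in the ChangeLog hunk of this same release. The deleted `LICENSE.txt` below carries the MIT permission text while the gem metadata declares `GPLv3`; the new `COPYING.txt` is not part of this diff, so a reviewer cannot confirm which license the gem now actually ships under. Add a ChangeLog line stating the license, and make sure `COPYING.txt` matches the `licenses:` field in the gemspec.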
data/ChangeLog.md CHANGED
@@ -1,3 +1,28 @@
1
+ ### 0.1.1 / 2013-02-12
2
+
3
+ * Fixed a Ruby 1.8 syntax error.
4
+
5
+ ### Advisories
6
+
7
+ * Imported advisories from the [Ruby Advisory DB][ruby-advisory-db].
8
+ * [CVE-2011-0739](http://www.osvdb.org/show/osvdb/70667)
9
+ * [CVE-2012-2139](http://www.osvdb.org/show/osvdb/81631)
10
+ * [CVE-2012-2140](http://www.osvdb.org/show/osvdb/81632)
11
+ * [CVE-2012-267](http://osvdb.org/83077)
12
+ * [CVE-2012-1098](http://osvdb.org/79726)
13
+ * [CVE-2012-1099](http://www.osvdb.org/show/osvdb/79727)
14
+ * [CVE-2012-2660](http://www.osvdb.org/show/osvdb/82610)
15
+ * [CVE-2012-2661](http://www.osvdb.org/show/osvdb/82403)
16
+ * [CVE-2012-3424](http://www.osvdb.org/show/osvdb/84243)
17
+ * [CVE-2012-3463](http://osvdb.org/84515)
18
+ * [CVE-2012-3464](http://www.osvdb.org/show/osvdb/84516)
19
+ * [CVE-2012-3465](http://www.osvdb.org/show/osvdb/84513)
20
+
21
+ ### CLI
22
+
23
+ * If the advisory has no `patched_versions`, recommend removing or disabling
24
+ the gem until a patch is made available.
25
+
1
26
  ### 0.1.0 / 2013-02-11
2
27
 
3
28
  * Initial release:
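Review bot: `CVE-2012-267` in the advisory list is not a well-formed CVE identifier (the sequence part has at least four digits), and the same truncated number appears as the filename `data/bundler/audit/rack-cache/2012-267.yml` in the metadata further down. Since the CVE number is the advisory's key in the database, a mistyped one means users searching by CVE will never match it; verify the identifier against the linked OSVDB entry (83077) and rename the file to the correct number before release.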
@@ -14,3 +39,5 @@
14
39
  * [CVE-2013-0276](http://direct.osvdb.org/show/osvdb/90072)
15
40
  * [CVE-2013-0277](http://direct.osvdb.org/show/osvdb/90073)
16
41
  * [CVE-2013-0333](http://osvdb.org/show/osvdb/89594)
42
+
43
+ [ruby-advisory-db]: https://github.com/rubysec/ruby-advisory-db#readme
data/Rakefile CHANGED
@@ -24,6 +24,38 @@ rescue LoadError => e
24
24
  end
25
25
  end
26
26
 
27
+ namespace :spec do
28
+ task :validate do
29
+ validate = lambda do |path,data,field,type|
30
+ value = data[field]
31
+
32
+ case value
33
+ when type
34
+ # no-op
35
+ when NilClass
36
+ warn "#{path}: #{field} is missing"
37
+ else
38
+ warn "#{path}: expected #{field} to be #{type} but was #{value.class}"
39
+ end
40
+ end
41
+
42
+ Dir.glob('data/bundler/audit/*/*.yml') do |path|
43
+ begin
44
+ data = YAML.load_file(path)
45
+
46
+ validate[path, data, 'url', String]
47
+ validate[path, data, 'title', String]
48
+ validate[path, data, 'description', String]
49
+ validate[path, data, 'cvss_v2', Float]
50
+ validate[path, data, 'patched_versions', Array]
51
+ rescue ArgumentError => error
52
+ warn "#{path}: #{error.message}"
53
+ end
54
+ end
55
+ end
56
+ end
57
+ task :spec => 'spec:validate'
58
+
27
59
  task :test => :spec
28
60
  task :default => :spec
29
61
 
data/bin/bundle-audit CHANGED
@@ -2,18 +2,8 @@
2
2
 
3
3
  require 'rubygems'
4
4
 
5
- root = File.expand_path(File.join(File.dirname(__FILE__),'..'))
6
- if File.directory?(File.join(root,'.git'))
7
- Dir.chdir(root) do
8
- begin
9
- require 'bundler/setup'
10
- rescue LoadError => e
11
- warn e.message
12
- warn "Run `gem install bundler` to install Bundler"
13
- exit -1
14
- end
15
- end
16
- end
5
+ lib_dir = File.expand_path(File.join(File.dirname(__FILE__),'..','lib'))
6
+ $LOAD_PATH << lib_dir unless $LOAD_PATH.include?(lib_dir)
17
7
 
18
8
  require 'bundler/audit/cli'
19
9
 
@@ -0,0 +1,17 @@
1
+ ---
2
+ url: http://www.osvdb.org/show/osvdb/70667
3
+ title: |
4
+ Mail Gem for Ruby lib/mail/network/delivery_methods/sendmail.rb Email From:
5
+ Address Arbitrary Shell Command Injection
6
+
7
+ description: >
8
+ Mail Gem for Ruby contains a flaw related to the failure to properly
9
+ sanitise input passed from an email from address in the 'deliver()'
10
+ function in 'lib/mail/network/delivery_methods/sendmail.rb' before
11
+ being used as a command line argument. This may allow a remote
12
+ attacker to inject arbitrary shell commands.
13
+
14
+ cvss_v2: 6.8
15
+
16
+ patched_versions:
17
+ - ">= 2.2.15"
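= 2.2.15"">
Review bot: `title: |` is a literal block, so this title is stored with an embedded newline after "From:" and a trailing newline, and the CLI prints it verbatim via `say advisory.title`. Every other advisory in this release uses a single-line title or a folded (`>`) scalar; use the same here so the title renders as one line. Nothing in the `spec:validate` task above would catch this, since it only checks that `title` is a `String`.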
@@ -0,0 +1,16 @@
1
+ ---
2
+ url: http://www.osvdb.org/show/osvdb/81631
3
+ title: Mail Gem for Ruby File Delivery Method to Parameter Traversal Arbitrary File Manipulation
4
+
5
+ description: >
6
+ Mail Gem for Ruby contains a flaw that allows a remote
7
+ attacker to traverse outside of a restricted path. The issue is due
8
+ to the program not properly sanitizing user input, specifically
9
+ directory traversal style attacks (e.g., ../../) supplied via the
10
+ 'to' parameter within the delivery method. This directory traversal
11
+ attack would allow the attacker to modify arbitrary files.
12
+
13
+ cvss_v2: 5.0
14
+
15
+ patched_versions:
16
+ - ">= 2.4.4"
@@ -0,0 +1,13 @@
1
+ ---
2
+ url: http://www.osvdb.org/show/osvdb/81632
3
+ title: Mail Gem for Ruby Multiple Delivery Method Remote Shell Command Executio
4
+
5
+ description: >
6
+ Mail Gem for Ruby contains a flaw that occurs within
7
+ the sendmail and exim delivery methods, which may allow an attacker
8
+ to execute arbitrary shell commands..
9
+
10
+ cvss_v2: 7.5
11
+
12
+ patched_versions:
13
+ - ">= 2.4.4"
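= 2.4.4"">
Review bot: the title ends in "Executio" (missing the final "n") and the description ends with a double period ("commands.."). Both strings are shown to users on every match, so fix them before the data file is published.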
@@ -0,0 +1,14 @@
1
+ ---
2
+ url: http://osvdb.org/83077
3
+ title: rack-cache Rubygem Sensitive HTTP Header Caching Weakness
4
+
5
+ description: |
6
+ Rack::Cache (rack-cache) contains a flaw related to the
7
+ rubygem caching sensitive HTTP headers. This will result in a
8
+ weakness that may make it easier for an attacker to gain access to a
9
+ user's session via a specially crafted header.
10
+
11
+ cvss_v2: 7.5
12
+
13
+ patched_versions:
14
+ - ">= 1.2"
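= 1.2"">
Review bot: this is the rack-cache entry that the ChangeLog lists as `CVE-2012-267`, an identifier one digit short of the CVE format; confirm the number against OSVDB 83077 and rename the file accordingly, since the filename is the advisory's lookup key. Also, `description: |` (literal) differs from the folded `>` used in the other advisories and preserves the hard line breaks in the output; use `>` for consistency.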
@@ -0,0 +1,19 @@
1
+ ---
2
+ url: http://osvdb.org/79726
3
+ title: Ruby on Rails SafeBuffer Object [] Direct Manipulation XSS
4
+
5
+ description: >
6
+ Ruby on Rails contains a flaw that allows a remote cross-site
7
+ scripting (XSS) attack. This flaw exists because athe application
8
+ does not validate direct manipulations of SafeBuffer objects via
9
+ '[]' and other methods. This may allow a user to create a specially
10
+ crafted request that would execute arbitrary script code in a user's
11
+ browser within the trust relationship between their browser and the
12
+ server.
13
+
14
+ cvss_v2: 4.3
15
+
16
+ patched_versions:
17
+ - ~> 3.0.12
18
+ - ~> 3.1.4
19
+ - ">= 3.2.2"
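= 3.2.2"">
Review bot: typo in the description, "because athe application" should read "because the application". Separately, the `patched_versions` entries mix quoting: `~> 3.0.12` is unquoted while `">= 3.2.2"` is quoted. Both parse as strings here, but an unquoted entry such as `- 3.2` would be read as a Float and break `version.split` in the database loader, so quoting every requirement string is the safer convention for these files.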
@@ -0,0 +1,19 @@
1
+ ---
2
+ url: http://www.osvdb.org/show/osvdb/79727
3
+ title: Ruby on Rails actionpack/lib/action_view/helpers/form_options_helper.rb Manually Generated Select Tag Options XSS
4
+
5
+ description: >
6
+ Ruby on Rails contains a flaw that allows a remote cross-site
7
+ scripting (XSS) attack. This flaw exists because the application does
8
+ not validate manually generated 'select tag options' upon submission
9
+ to actionpack/lib/action_view/helpers/form_options_helper.rb. This may
10
+ allow a user to create a specially crafted request that would execute
11
+ arbitrary script code in a user's browser within the trust
12
+ relationship between their browser and the server.
13
+
14
+ cvss_v2: 4.3
15
+
16
+ patched_versions:
17
+ - ~> 3.0.12
18
+ - ~> 3.1.4
19
+ - ">= 3.2.2"
@@ -0,0 +1,17 @@
1
+ ---
2
+ url: http://www.osvdb.org/show/osvdb/82610
3
+ title: Ruby on Rails ActiveRecord Class Rack Query Parameter Parsing SQL Query Arbitrary IS NULL Clause Injection
4
+
5
+ description: >
6
+ Ruby on Rails contains a flaw related to the way ActiveRecord handles
7
+ parameters in conjunction with the way Rack parses query parameters.
8
+ This issue may allow an attacker to inject arbitrary 'IS NULL' clauses
9
+ in to application SQL queries. This may also allow an attacker to have
10
+ the SQL query check for NULL in arbitrary places.
11
+
12
+ cvss_v2: 7.5
13
+
14
+ patched_versions:
15
+ - ~> 3.0.13
16
+ - ~> 3.1.5
17
+ - ">= 3.2.4"
@@ -0,0 +1,18 @@
1
+ ---
2
+ url: http://www.osvdb.org/show/osvdb/82403
3
+ title: Ruby on Rails where Method ActiveRecord Class SQL Injection
4
+
5
+ description: >
6
+ Ruby on Rails (RoR) contains a flaw that may allow an attacker to
7
+ carry out an SQL injection attack. The issue is due to the
8
+ ActiveRecord class not properly sanitizing user-supplied input to
9
+ the 'where' method. This may allow an attacker to inject or
10
+ manipulate SQL queries in an application built on RoR, allowing for
11
+ the manipulation or disclosure of arbitrary data.
12
+
13
+ cvss_v2: 5.0
14
+
15
+ patched_versions:
16
+ - ~> 3.0.13
17
+ - ~> 3.1.5
18
+ - ">= 3.2.4"
@@ -0,0 +1,17 @@
1
+ ---
2
+ url: http://www.osvdb.org/show/osvdb/84243
3
+ title: Ruby on Rails actionpack/lib/action_controller/metal/http_authentication.rb with_http_digest Helper Method Remote DoS
4
+
5
+ description: >
6
+ Ruby on Rails contains a flaw that may allow a remote denial of
7
+ service. The issue is triggered when an error occurs in
8
+ actionpack/lib/action_controller/metal/http_authentication.rb when the
9
+ with_http_digest helper method is being used. This may allow a remote
10
+ attacker to cause a loss of availability for the program.
11
+
12
+ cvss_v2: 4.3
13
+
14
+ patched_versions:
15
+ - ~> 3.0.16
16
+ - ~> 3.1.7
17
+ - ">= 3.2.7"
@@ -0,0 +1,19 @@
1
+ ---
2
+ url: http://osvdb.org/84515
3
+ title: Ruby on Rails select_tag Helper Method prompt Value XSS
4
+
5
+ description: >
6
+ Ruby on Rails contains a flaw that allows a remote cross-site
7
+ scripting (XSS) attack. This flaw exists because input passed via the
8
+ prompt value is not properly sanitized by the select_tag helper method
9
+ before returning it to the user. This may allow a user to create a
10
+ specially crafted request that would execute arbitrary script code in
11
+ a user's browser within the trust relationship between their browser
12
+ and the server.
13
+
14
+ cvss_v2: 4.3
15
+
16
+ patched_versions:
17
+ - ~> 3.0.17
18
+ - ~> 3.1.8
19
+ - ">= 3.2.8"
@@ -0,0 +1,18 @@
1
+ ---
2
+ url: http://www.osvdb.org/show/osvdb/84516
3
+ title: Ruby on Rails HTML Escaping Code XSS
4
+
5
+ description: >
6
+ Ruby on Rails contains a flaw that allows a remote
7
+ cross-site scripting (XSS) attack. This flaw exists because the HTML
8
+ escaping code functionality does not properly escape a single quote
9
+ character. This may allow a user to create a specially crafted
10
+ request that would execute arbitrary script code in a user's browser
11
+ within the trust relationship between their browser and the server.
12
+
13
+ cvss_v2: 4.3
14
+
15
+ patched_versions:
16
+ - ~> 3.0.17
17
+ - ~> 3.1.8
18
+ - ">= 3.2.8"
@@ -0,0 +1,19 @@
1
+ ---
2
+ url: http://www.osvdb.org/show/osvdb/84513
3
+ title: Ruby on Rails strip_tags Helper Method XSS
4
+
5
+ description: >
6
+ Ruby on Rails contains a flaw that allows a remote cross-site
7
+ scripting (XSS) attack. This flaw exists because the application
8
+ does not validate input passed via the 'strip_tags' helper method
9
+ before returning it to the user. This may allow a user to create a
10
+ specially crafted request that would execute arbitrary script code
11
+ in a user's browser within the trust relationship between their
12
+ browser and the server.
13
+
14
+ cvss_v2: 4.3
15
+
16
+ patched_versions:
17
+ - ~> 3.0.17
18
+ - ~> 3.1.8
19
+ - ">= 3.2.8"
@@ -52,7 +52,7 @@ module Bundler
52
52
  data['cvss_v2'],
53
53
  Array(data['patched_versions']).map { |version|
54
54
  Gem::Requirement.new(*version.split(', '))
55
- },
55
+ }
56
56
  )
57
57
  end
58
58
 
@@ -91,8 +91,14 @@ module Bundler
91
91
  say advisory.title
92
92
  end
93
93
 
94
- say "Patched Versions: ", :red
95
- say advisory.patched_versions.join(', ')
94
+ unless advisory.patched_versions.empty?
95
+ say "Solution: upgrade to ", :red
96
+ say advisory.patched_versions.join(', ')
97
+ else
98
+ say "Solution: ", :red
99
+ say "remove or disable this gem until a patch is available!", [:red, :bold]
100
+ end
101
+
96
102
  say
97
103
  end
98
104
 
@@ -18,6 +18,6 @@
18
18
  module Bundler
19
19
  module Audit
20
20
  # bundler-audit version
21
- VERSION = "0.1.0"
21
+ VERSION = "0.1.1"
22
22
  end
23
23
  end
metadata CHANGED
@@ -1,104 +1,117 @@
1
- --- !ruby/object:Gem::Specification
1
+ --- !ruby/object:Gem::Specification
2
2
  name: bundler-audit
3
- version: !ruby/object:Gem::Version
4
- version: 0.1.0
3
+ version: !ruby/object:Gem::Version
4
+ hash: 25
5
5
  prerelease:
6
+ segments:
7
+ - 0
8
+ - 1
9
+ - 1
10
+ version: 0.1.1
6
11
  platform: ruby
7
- authors:
12
+ authors:
8
13
  - Postmodern
9
14
  autorequire:
10
15
  bindir: bin
11
16
  cert_chain: []
12
- date: 2013-02-12 00:00:00.000000000 Z
13
- dependencies:
14
- - !ruby/object:Gem::Dependency
17
+
18
+ date: 2013-02-12 00:00:00 Z
19
+ dependencies:
20
+ - !ruby/object:Gem::Dependency
15
21
  name: bundler
16
- requirement: !ruby/object:Gem::Requirement
22
+ prerelease: false
23
+ requirement: &id001 !ruby/object:Gem::Requirement
17
24
  none: false
18
- requirements:
25
+ requirements:
19
26
  - - ~>
20
- - !ruby/object:Gem::Version
21
- version: '1.0'
27
+ - !ruby/object:Gem::Version
28
+ hash: 15
29
+ segments:
30
+ - 1
31
+ - 0
32
+ version: "1.0"
22
33
  type: :runtime
34
+ version_requirements: *id001
35
+ - !ruby/object:Gem::Dependency
36
+ name: yard
23
37
  prerelease: false
24
- version_requirements: !ruby/object:Gem::Requirement
25
- none: false
26
- requirements:
27
- - - ~>
28
- - !ruby/object:Gem::Version
29
- version: '1.0'
30
- - !ruby/object:Gem::Dependency
31
- name: rspec
32
- requirement: !ruby/object:Gem::Requirement
38
+ requirement: &id002 !ruby/object:Gem::Requirement
33
39
  none: false
34
- requirements:
40
+ requirements:
35
41
  - - ~>
36
- - !ruby/object:Gem::Version
37
- version: '2.4'
42
+ - !ruby/object:Gem::Version
43
+ hash: 27
44
+ segments:
45
+ - 0
46
+ - 8
47
+ version: "0.8"
38
48
  type: :development
39
- prerelease: false
40
- version_requirements: !ruby/object:Gem::Requirement
41
- none: false
42
- requirements:
43
- - - ~>
44
- - !ruby/object:Gem::Version
45
- version: '2.4'
46
- - !ruby/object:Gem::Dependency
49
+ version_requirements: *id002
50
+ - !ruby/object:Gem::Dependency
47
51
  name: rubygems-tasks
48
- requirement: !ruby/object:Gem::Requirement
49
- none: false
50
- requirements:
51
- - - ~>
52
- - !ruby/object:Gem::Version
53
- version: '0.2'
54
- type: :development
55
52
  prerelease: false
56
- version_requirements: !ruby/object:Gem::Requirement
57
- none: false
58
- requirements:
59
- - - ~>
60
- - !ruby/object:Gem::Version
61
- version: '0.2'
62
- - !ruby/object:Gem::Dependency
63
- name: yard
64
- requirement: !ruby/object:Gem::Requirement
53
+ requirement: &id003 !ruby/object:Gem::Requirement
65
54
  none: false
66
- requirements:
55
+ requirements:
67
56
  - - ~>
68
- - !ruby/object:Gem::Version
69
- version: '0.8'
57
+ - !ruby/object:Gem::Version
58
+ hash: 15
59
+ segments:
60
+ - 0
61
+ - 2
62
+ version: "0.2"
70
63
  type: :development
64
+ version_requirements: *id003
65
+ - !ruby/object:Gem::Dependency
66
+ name: rspec
71
67
  prerelease: false
72
- version_requirements: !ruby/object:Gem::Requirement
68
+ requirement: &id004 !ruby/object:Gem::Requirement
73
69
  none: false
74
- requirements:
70
+ requirements:
75
71
  - - ~>
76
- - !ruby/object:Gem::Version
77
- version: '0.8'
72
+ - !ruby/object:Gem::Version
73
+ hash: 11
74
+ segments:
75
+ - 2
76
+ - 4
77
+ version: "2.4"
78
+ type: :development
79
+ version_requirements: *id004
78
80
  description: bundler-audit provides patch-level verification for Bundled apps.
79
81
  email: postmodern.mod3@gmail.com
80
- executables:
82
+ executables:
81
83
  - bundle-audit
82
84
  extensions: []
83
- extra_rdoc_files:
85
+
86
+ extra_rdoc_files:
84
87
  - COPYING.txt
85
88
  - ChangeLog.md
86
- - LICENSE.txt
87
89
  - README.md
88
- files:
90
+ files:
89
91
  - .document
90
92
  - .gitignore
91
93
  - .rspec
92
94
  - .yardopts
93
95
  - COPYING.txt
94
96
  - ChangeLog.md
95
- - LICENSE.txt
96
97
  - README.md
97
98
  - Rakefile
98
99
  - bin/bundle-audit
99
100
  - bundler-audit.gemspec
100
101
  - data/bundler/audit/json/2013-0269.yml
102
+ - data/bundler/audit/mail/2011-0739.yml
103
+ - data/bundler/audit/mail/2012-2139.yml
104
+ - data/bundler/audit/mail/2012-2140.yml
105
+ - data/bundler/audit/rack-cache/2012-267.yml
101
106
  - data/bundler/audit/rack/2013-0263.yml
107
+ - data/bundler/audit/rails/2012-1098.yml
108
+ - data/bundler/audit/rails/2012-1099.yml
109
+ - data/bundler/audit/rails/2012-2660.yml
110
+ - data/bundler/audit/rails/2012-2661.yml
111
+ - data/bundler/audit/rails/2012-3424.yml
112
+ - data/bundler/audit/rails/2012-3463.yml
113
+ - data/bundler/audit/rails/2012-3464.yml
114
+ - data/bundler/audit/rails/2012-3465.yml
102
115
  - data/bundler/audit/rails/2013-0155.yml
103
116
  - data/bundler/audit/rails/2013-0156.yml
104
117
  - data/bundler/audit/rails/2013-0276.yml
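Review bot: the new file list includes `data/bundler/audit/rack-cache/2012-267.yml`, which carries the truncated CVE number flagged in the ChangeLog; the file must be renamed once the identifier is corrected, otherwise the gemspec will package an advisory under the wrong key. The rest of this hunk is the gemspec being regenerated by an older RubyGems (the `hash:`/`segments:` fields and reordered dependencies), which is harmless but makes the diff noisy; consider regenerating with the same RubyGems version used for 0.1.0 so only real changes show. `cert_chain: []` also remains empty, so the gem is shipped unsigned.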
@@ -117,28 +130,37 @@ files:
117
130
  - spec/database_spec.rb
118
131
  - spec/spec_helper.rb
119
132
  homepage: https://github.com/postmodern/bundler-audit#readme
120
- licenses:
133
+ licenses:
121
134
  - GPLv3
122
135
  post_install_message:
123
136
  rdoc_options: []
124
- require_paths:
137
+
138
+ require_paths:
125
139
  - lib
126
- required_ruby_version: !ruby/object:Gem::Requirement
140
+ required_ruby_version: !ruby/object:Gem::Requirement
127
141
  none: false
128
- requirements:
129
- - - ! '>='
130
- - !ruby/object:Gem::Version
131
- version: '0'
132
- required_rubygems_version: !ruby/object:Gem::Requirement
142
+ requirements:
143
+ - - ">="
144
+ - !ruby/object:Gem::Version
145
+ hash: 3
146
+ segments:
147
+ - 0
148
+ version: "0"
149
+ required_rubygems_version: !ruby/object:Gem::Requirement
133
150
  none: false
134
- requirements:
135
- - - ! '>='
136
- - !ruby/object:Gem::Version
137
- version: '0'
151
+ requirements:
152
+ - - ">="
153
+ - !ruby/object:Gem::Version
154
+ hash: 3
155
+ segments:
156
+ - 0
157
+ version: "0"
138
158
  requirements: []
159
+
139
160
  rubyforge_project:
140
161
  rubygems_version: 1.8.24
141
162
  signing_key:
142
163
  specification_version: 3
143
164
  summary: Patch-level verification for Bundler
144
165
  test_files: []
166
+
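Review bot: `licenses:` still says `GPLv3` while the only license file visible in this diff, the deleted `LICENSE.txt`, is MIT text and the replacement `COPYING.txt` is not shown; confirm the two agree before publishing. `signing_key:` is empty, matching the empty `cert_chain` above, so this release of a tool whose purpose is verifying installed gems is itself unsigned; signing the gem (and documenting the certificate) would let users verify it with `gem install -P HighSecurity`.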
data/LICENSE.txt DELETED
@@ -1,20 +0,0 @@
1
- Copyright (c) 2013 Hal Brodigan
2
-
3
- Permission is hereby granted, free of charge, to any person obtaining
4
- a copy of this software and associated documentation files (the
5
- "Software"), to deal in the Software without restriction, including
6
- without limitation the rights to use, copy, modify, merge, publish,
7
- distribute, sublicense, and/or sell copies of the Software, and to
8
- permit persons to whom the Software is furnished to do so, subject to
9
- the following conditions:
10
-
11
- The above copyright notice and this permission notice shall be
12
- included in all copies or substantial portions of the Software.
13
-
14
- THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
15
- EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
16
- MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
17
- NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
18
- LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
19
- OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
20
- WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
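Review bot: this deletes the MIT license text, and no replacement `COPYING.txt` appears in the diff, while the gemspec metadata declares `GPLv3` and the ChangeLog for 0.1.1 says nothing about a license change. Relicensing (or correcting a wrong license file) is a user-visible change; add a ChangeLog entry and make sure the committed `COPYING.txt` is the GPLv3 text the metadata claims.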