bundler-audit 0.1.0 → 0.1.1

data/.document

@@ -1,3 +1,3 @@
 - 
 ChangeLog.md
-LICENSE.txt
+COPYING.txt

data/ChangeLog.md

@@ -1,3 +1,28 @@
+### 0.1.1 / 2013-02-12
+
+* Fixed a Ruby 1.8 syntax error.
+
+### Advisories
+
+* Imported advisories from the [Ruby Advisory DB][ruby-advisory-db].
+  * [CVE-2011-0739](http://www.osvdb.org/show/osvdb/70667)
+  * [CVE-2012-2139](http://www.osvdb.org/show/osvdb/81631)
+  * [CVE-2012-2140](http://www.osvdb.org/show/osvdb/81632)
+  * [CVE-2012-267](http://osvdb.org/83077)
+  * [CVE-2012-1098](http://osvdb.org/79726)
+  * [CVE-2012-1099](http://www.osvdb.org/show/osvdb/79727)
+  * [CVE-2012-2660](http://www.osvdb.org/show/osvdb/82610)
+  * [CVE-2012-2661](http://www.osvdb.org/show/osvdb/82403)
+  * [CVE-2012-3424](http://www.osvdb.org/show/osvdb/84243)
+  * [CVE-2012-3463](http://osvdb.org/84515)
+  * [CVE-2012-3464](http://www.osvdb.org/show/osvdb/84516)
+  * [CVE-2012-3465](http://www.osvdb.org/show/osvdb/84513)
+
+### CLI
+
+* If the advisory has no `patched_versions`, recommend removing or disabling
+  the gem until a patch is made available.
+
 ### 0.1.0 / 2013-02-11
 
 * Initial release:
@@ -14,3 +39,5 @@
 * [CVE-2013-0276](http://direct.osvdb.org/show/osvdb/90072)
 * [CVE-2013-0277](http://direct.osvdb.org/show/osvdb/90073)
 * [CVE-2013-0333](http://osvdb.org/show/osvdb/89594)
+
+[ruby-advisory-db]: https://github.com/rubysec/ruby-advisory-db#readme

data/Rakefile

@@ -24,6 +24,38 @@ rescue LoadError => e
   end
 end
 
+namespace :spec do
+  task :validate do
+    validate = lambda do |path,data,field,type|
+      value = data[field]
+
+      case value
+      when type
+        # no-op
+      when NilClass
+        warn "#{path}: #{field} is missing"
+      else
+        warn "#{path}: expected #{field} to be #{type} but was #{value.class}"
+      end
+    end
+
+    Dir.glob('data/bundler/audit/*/*.yml') do |path|
+      begin
+        data = YAML.load_file(path)
+
+        validate[path, data, 'url', String]
+        validate[path, data, 'title', String]
+        validate[path, data, 'description', String]
+        validate[path, data, 'cvss_v2', Float]
+        validate[path, data, 'patched_versions', Array]
+      rescue ArgumentError => error
+        warn "#{path}: #{error.message}"
+      end
+    end
+  end
+end
+task :spec => 'spec:validate'
+
 task :test    => :spec
 task :default => :spec
 

data/bin/bundle-audit

@@ -2,18 +2,8 @@
 
 require 'rubygems'
 
-root = File.expand_path(File.join(File.dirname(__FILE__),'..'))
-if File.directory?(File.join(root,'.git'))
-  Dir.chdir(root) do
-    begin
-      require 'bundler/setup'
-    rescue LoadError => e
-      warn e.message
-      warn "Run `gem install bundler` to install Bundler"
-      exit -1
-    end
-  end
-end
+lib_dir = File.expand_path(File.join(File.dirname(__FILE__),'..','lib'))
+$LOAD_PATH << lib_dir unless $LOAD_PATH.include?(lib_dir)
 
 require 'bundler/audit/cli'
 

data/data/bundler/audit/mail/2011-0739.yml

@@ -0,0 +1,17 @@
+---
+url: http://www.osvdb.org/show/osvdb/70667
+title: |
+  Mail Gem for Ruby lib/mail/network/delivery_methods/sendmail.rb Email From:
+  Address Arbitrary Shell Command Injection 
+
+description: > 
+  Mail Gem for Ruby contains a flaw related to the failure to properly
+  sanitise input passed from an email from address in the 'deliver()'
+  function in 'lib/mail/network/delivery_methods/sendmail.rb' before
+  being used as a command line argument. This may allow a remote
+  attacker to inject arbitrary shell commands.
+
+cvss_v2: 6.8
+
+patched_versions:
+  - ">= 2.2.15"

data/data/bundler/audit/mail/2012-2139.yml

@@ -0,0 +1,16 @@
+---
+url: http://www.osvdb.org/show/osvdb/81631
+title: Mail Gem for Ruby File Delivery Method to Parameter Traversal Arbitrary File Manipulation 
+
+description: > 
+  Mail Gem for Ruby contains a flaw that allows a remote
+  attacker to traverse outside of a restricted path. The issue is due
+  to the program not properly sanitizing user input, specifically
+  directory traversal style attacks (e.g., ../../) supplied via the
+  'to' parameter within the delivery method. This directory traversal
+  attack would allow the attacker to modify arbitrary files.
+
+cvss_v2: 5.0
+
+patched_versions:
+  - ">= 2.4.4"

data/data/bundler/audit/mail/2012-2140.yml

@@ -0,0 +1,13 @@
+---
+url: http://www.osvdb.org/show/osvdb/81632
+title: Mail Gem for Ruby Multiple Delivery Method Remote Shell Command Executio
+
+description: > 
+  Mail Gem for Ruby contains a flaw that occurs within
+  the sendmail and exim delivery methods, which may allow an attacker
+  to execute arbitrary shell commands..
+
+cvss_v2: 7.5
+
+patched_versions:
+  - ">= 2.4.4"

data/data/bundler/audit/rack-cache/2012-267.yml

@@ -0,0 +1,14 @@
+---
+url: http://osvdb.org/83077
+title: rack-cache Rubygem Sensitive HTTP Header Caching Weakness 
+
+description: | 
+  Rack::Cache (rack-cache) contains a flaw related to the
+  rubygem caching sensitive HTTP headers. This will result in a
+  weakness that may make it easier for an attacker to gain access to a
+  user's session via a specially crafted header.
+
+cvss_v2: 7.5
+
+patched_versions:
+  - ">= 1.2"

data/data/bundler/audit/rails/2012-1098.yml

@@ -0,0 +1,19 @@
+---
+url: http://osvdb.org/79726
+title: Ruby on Rails SafeBuffer Object [] Direct Manipulation XSS 
+
+description: >
+  Ruby on Rails contains a flaw that allows a remote cross-site
+  scripting (XSS) attack. This flaw exists because athe application
+  does not validate direct manipulations of SafeBuffer objects via
+  '[]' and other methods. This may allow a user to create a specially
+  crafted request that would execute arbitrary script code in a user's
+  browser within the trust relationship between their browser and the
+  server.
+
+cvss_v2: 4.3
+
+patched_versions:
+  - ~> 3.0.12
+  - ~> 3.1.4
+  - ">= 3.2.2"

data/data/bundler/audit/rails/2012-1099.yml

@@ -0,0 +1,19 @@
+---
+url: http://www.osvdb.org/show/osvdb/79727
+title: Ruby on Rails actionpack/lib/action_view/helpers/form_options_helper.rb Manually Generated Select Tag Options XSS
+
+description: >
+  Ruby on Rails contains a flaw that allows a remote cross-site
+  scripting (XSS) attack. This flaw exists because the application does
+  not validate manually generated 'select tag options' upon submission
+  to actionpack/lib/action_view/helpers/form_options_helper.rb. This may
+  allow a user to create a specially crafted request that would execute
+  arbitrary script code in a user's browser within the trust
+  relationship between their browser and the server.
+
+cvss_v2: 4.3
+
+patched_versions:
+  - ~> 3.0.12
+  - ~> 3.1.4
+  - ">= 3.2.2"

data/data/bundler/audit/rails/2012-2660.yml

@@ -0,0 +1,17 @@
+---
+url: http://www.osvdb.org/show/osvdb/82610
+title: Ruby on Rails ActiveRecord Class Rack Query Parameter Parsing SQL Query Arbitrary IS NULL Clause Injection 
+
+description: >
+  Ruby on Rails contains a flaw related to the way ActiveRecord handles
+  parameters in conjunction with the way Rack parses query parameters.
+  This issue may allow an attacker to inject arbitrary 'IS NULL' clauses
+  in to application SQL queries. This may also allow an attacker to have
+  the SQL query check for NULL in arbitrary places.
+
+cvss_v2: 7.5
+
+patched_versions:
+  - ~> 3.0.13
+  - ~> 3.1.5
+  - ">= 3.2.4"

data/data/bundler/audit/rails/2012-2661.yml

@@ -0,0 +1,18 @@
+---
+url: http://www.osvdb.org/show/osvdb/82403
+title: Ruby on Rails where Method ActiveRecord Class SQL Injection 
+
+description: > 
+  Ruby on Rails (RoR) contains a flaw that may allow an attacker to
+  carry out an SQL injection attack. The issue is due to the
+  ActiveRecord class not properly sanitizing user-supplied input to
+  the 'where' method. This may allow an attacker to inject or
+  manipulate SQL queries in an application built on RoR, allowing for
+  the manipulation or disclosure of arbitrary data.
+
+cvss_v2: 5.0
+
+patched_versions:
+  - ~> 3.0.13
+  - ~> 3.1.5
+  - ">= 3.2.4"

data/data/bundler/audit/rails/2012-3424.yml

@@ -0,0 +1,17 @@
+---
+url: http://www.osvdb.org/show/osvdb/84243
+title: Ruby on Rails actionpack/lib/action_controller/metal/http_authentication.rb with_http_digest Helper Method Remote DoS 
+
+description: >
+  Ruby on Rails contains a flaw that may allow a remote denial of
+  service. The issue is triggered when an error occurs in
+  actionpack/lib/action_controller/metal/http_authentication.rb when the
+  with_http_digest helper method is being used. This may allow a remote
+  attacker to cause a loss of availability for the program.
+
+cvss_v2: 4.3
+
+patched_versions:
+  - ~> 3.0.16
+  - ~> 3.1.7
+  - ">= 3.2.7"

data/data/bundler/audit/rails/2012-3463.yml

@@ -0,0 +1,19 @@
+---
+url: http://osvdb.org/84515
+title: Ruby on Rails select_tag Helper Method prompt Value XSS 
+
+description: >
+  Ruby on Rails contains a flaw that allows a remote cross-site
+  scripting (XSS) attack. This flaw exists because input passed via the
+  prompt value is not properly sanitized by the select_tag helper method
+  before returning it to the user. This may allow a user to create a
+  specially crafted request that would execute arbitrary script code in
+  a user's browser within the trust relationship between their browser
+  and the server.
+
+cvss_v2: 4.3
+
+patched_versions:
+  - ~> 3.0.17
+  - ~> 3.1.8
+  - ">= 3.2.8"

data/data/bundler/audit/rails/2012-3464.yml

@@ -0,0 +1,18 @@
+---
+url: http://www.osvdb.org/show/osvdb/84516
+title: Ruby on Rails HTML Escaping Code XSS 
+
+description: > 
+  Ruby on Rails contains a flaw that allows a remote
+  cross-site scripting (XSS) attack. This flaw exists because the HTML
+  escaping code functionality does not properly escape a single quote
+  character. This may allow a user to create a specially crafted
+  request that would execute arbitrary script code in a user's browser
+  within the trust relationship between their browser and the server.
+
+cvss_v2: 4.3
+
+patched_versions:
+  - ~> 3.0.17
+  - ~> 3.1.8
+  - ">= 3.2.8"

data/data/bundler/audit/rails/2012-3465.yml

@@ -0,0 +1,19 @@
+---
+url: http://www.osvdb.org/show/osvdb/84513
+title: Ruby on Rails strip_tags Helper Method XSS 
+
+description: >
+  Ruby on Rails contains a flaw that allows a remote cross-site
+  scripting (XSS) attack. This flaw exists because the application
+  does not validate input passed via the 'strip_tags' helper method
+  before returning it to the user. This may allow a user to create a
+  specially crafted request that would execute arbitrary script code
+  in a user's browser within the trust relationship between their
+  browser and the server.
+
+cvss_v2: 4.3
+
+patched_versions:
+  - ~> 3.0.17
+  - ~> 3.1.8
+  - ">= 3.2.8"

data/lib/bundler/audit/advisory.rb

@@ -52,7 +52,7 @@ module Bundler
           data['cvss_v2'],
           Array(data['patched_versions']).map { |version|
             Gem::Requirement.new(*version.split(', '))
-          },
+          }
         )
       end
 

data/lib/bundler/audit/cli.rb

@@ -91,8 +91,14 @@ module Bundler
           say advisory.title
         end
 
-        say "Patched Versions: ", :red
-        say advisory.patched_versions.join(', ')
+        unless advisory.patched_versions.empty?
+          say "Solution: upgrade to ", :red
+          say advisory.patched_versions.join(', ')
+        else
+          say "Solution: ", :red
+          say "remove or disable this gem until a patch is available!", [:red, :bold]
+        end
+
         say
       end
 

data/lib/bundler/audit/version.rb

@@ -18,6 +18,6 @@
 module Bundler
   module Audit
     # bundler-audit version
-    VERSION = "0.1.0"
+    VERSION = "0.1.1"
   end
 end

metadata

@@ -1,104 +1,117 @@
---- !ruby/object:Gem::Specification
+--- !ruby/object:Gem::Specification 
 name: bundler-audit
-version: !ruby/object:Gem::Version
-  version: 0.1.0
+version: !ruby/object:Gem::Version 
+  hash: 25
   prerelease: 
+  segments: 
+  - 0
+  - 1
+  - 1
+  version: 0.1.1
 platform: ruby
-authors:
+authors: 
 - Postmodern
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-02-12 00:00:00.000000000 Z
-dependencies:
-- !ruby/object:Gem::Dependency
+
+date: 2013-02-12 00:00:00 Z
+dependencies: 
+- !ruby/object:Gem::Dependency 
   name: bundler
-  requirement: !ruby/object:Gem::Requirement
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
+    requirements: 
     - - ~>
-      - !ruby/object:Gem::Version
-        version: '1.0'
+      - !ruby/object:Gem::Version 
+        hash: 15
+        segments: 
+        - 1
+        - 0
+        version: "1.0"
   type: :runtime
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: yard
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: '1.0'
-- !ruby/object:Gem::Dependency
-  name: rspec
-  requirement: !ruby/object:Gem::Requirement
+  requirement: &id002 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
+    requirements: 
     - - ~>
-      - !ruby/object:Gem::Version
-        version: '2.4'
+      - !ruby/object:Gem::Version 
+        hash: 27
+        segments: 
+        - 0
+        - 8
+        version: "0.8"
   type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: '2.4'
-- !ruby/object:Gem::Dependency
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
   name: rubygems-tasks
-  requirement: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: '0.2'
-  type: :development
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: '0.2'
-- !ruby/object:Gem::Dependency
-  name: yard
-  requirement: !ruby/object:Gem::Requirement
+  requirement: &id003 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
+    requirements: 
     - - ~>
-      - !ruby/object:Gem::Version
-        version: '0.8'
+      - !ruby/object:Gem::Version 
+        hash: 15
+        segments: 
+        - 0
+        - 2
+        version: "0.2"
   type: :development
+  version_requirements: *id003
+- !ruby/object:Gem::Dependency 
+  name: rspec
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
+  requirement: &id004 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
+    requirements: 
     - - ~>
-      - !ruby/object:Gem::Version
-        version: '0.8'
+      - !ruby/object:Gem::Version 
+        hash: 11
+        segments: 
+        - 2
+        - 4
+        version: "2.4"
+  type: :development
+  version_requirements: *id004
 description: bundler-audit provides patch-level verification for Bundled apps.
 email: postmodern.mod3@gmail.com
-executables:
+executables: 
 - bundle-audit
 extensions: []
-extra_rdoc_files:
+
+extra_rdoc_files: 
 - COPYING.txt
 - ChangeLog.md
-- LICENSE.txt
 - README.md
-files:
+files: 
 - .document
 - .gitignore
 - .rspec
 - .yardopts
 - COPYING.txt
 - ChangeLog.md
-- LICENSE.txt
 - README.md
 - Rakefile
 - bin/bundle-audit
 - bundler-audit.gemspec
 - data/bundler/audit/json/2013-0269.yml
+- data/bundler/audit/mail/2011-0739.yml
+- data/bundler/audit/mail/2012-2139.yml
+- data/bundler/audit/mail/2012-2140.yml
+- data/bundler/audit/rack-cache/2012-267.yml
 - data/bundler/audit/rack/2013-0263.yml
+- data/bundler/audit/rails/2012-1098.yml
+- data/bundler/audit/rails/2012-1099.yml
+- data/bundler/audit/rails/2012-2660.yml
+- data/bundler/audit/rails/2012-2661.yml
+- data/bundler/audit/rails/2012-3424.yml
+- data/bundler/audit/rails/2012-3463.yml
+- data/bundler/audit/rails/2012-3464.yml
+- data/bundler/audit/rails/2012-3465.yml
 - data/bundler/audit/rails/2013-0155.yml
 - data/bundler/audit/rails/2013-0156.yml
 - data/bundler/audit/rails/2013-0276.yml
@@ -117,28 +130,37 @@ files:
 - spec/database_spec.rb
 - spec/spec_helper.rb
 homepage: https://github.com/postmodern/bundler-audit#readme
-licenses:
+licenses: 
 - GPLv3
 post_install_message: 
 rdoc_options: []
-require_paths:
+
+require_paths: 
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement
+required_ruby_version: !ruby/object:Gem::Requirement 
   none: false
-  requirements:
-  - - ! '>='
-    - !ruby/object:Gem::Version
-      version: '0'
-required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
   none: false
-  requirements:
-  - - ! '>='
-    - !ruby/object:Gem::Version
-      version: '0'
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
 requirements: []
+
 rubyforge_project: 
 rubygems_version: 1.8.24
 signing_key: 
 specification_version: 3
 summary: Patch-level verification for Bundler
 test_files: []
+

data/LICENSE.txt

@@ -1,20 +0,0 @@
-Copyright (c) 2013 Hal Brodigan
-
-Permission is hereby granted, free of charge, to any person obtaining
-a copy of this software and associated documentation files (the
-"Software"), to deal in the Software without restriction, including
-without limitation the rights to use, copy, modify, merge, publish,
-distribute, sublicense, and/or sell copies of the Software, and to
-permit persons to whom the Software is furnished to do so, subject to
-the following conditions:
-
-The above copyright notice and this permission notice shall be
-included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
-LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
-OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.