bundler-audit 0.1.0 → 0.2.0

data/data/ruby-advisory-db/gems/mail/OSVDB-81631.yml

@@ -0,0 +1,14 @@
+--- 
+gem: mail
+cve: 2012-2139
+osvdb: 81631
+url: http://www.osvdb.org/show/osvdb/81631
+title: Mail Gem for Ruby File Delivery Method to Parameter Traversal Arbitrary File Manipulation
+date: 2012-03-14
+
+description: |
+  Mail Gem for Ruby contains a flaw that allows a remote attacker to traverse outside of a restricted path. The issue is due to the program not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied via the 'to' parameter within the delivery method. This directory traversal attack would allow the attacker to modify arbitrary files.
+
+cvss_v2: 5.0
+patched_versions: 
+- ">= 2.4.4"

data/data/ruby-advisory-db/gems/mail/OSVDB-81632.yml

@@ -0,0 +1,16 @@
+--- 
+gem: mail
+cve: 2012-2140
+osvdb: 81632
+url: http://www.osvdb.org/show/osvdb/81632
+title: Mail Gem for Ruby Multiple Delivery Method Remote Shell Command Execution
+date: 2012-03-14
+
+description: |
+  Mail Gem for Ruby contains a flaw that occurs within the sendmail and exim
+  delivery methods, which may allow an attacker to execute arbitrary shell
+  commands..
+
+cvss_v2: 7.5
+patched_versions: 
+- ">= 2.4.4"

data/data/ruby-advisory-db/gems/md2pdf/OSVDB-92290.yml

@@ -0,0 +1,10 @@
+--- 
+gem: md2pdf
+cve: 2013-1948
+osvdb: 92290
+url: http://osvdb.org/show/osvdb/92290
+title: md2pdf Gem for Ruby md2pdf/converter.rb File Name Shell Metacharacter Injection Arbitrary Command Execution
+date: 2013-04-13
+description: md2pdf Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed to md2pdf/converter.rb. With a specially crafted file name that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands
+cvss_v2: 10.0
+patched_versions: 

data/data/ruby-advisory-db/gems/mini_magick/OSVDB-91231.yml

@@ -0,0 +1,15 @@
+---
+gem: mini_magick
+cve: 2013-2616
+osvdb: 91231
+url: http://osvdb.org/show/osvdb/91231
+title: MiniMagick Gem for Ruby URI Handling Arbitrary Command Injection
+date: 2013-03-12
+
+description: MiniMagick Gem for Ruby contains a flaw that is triggered during the handling of specially crafted input from an untrusted source passed via a URL that contains a ';' character. This may allow a context-dependent attacker to potentially execute arbitrary commands.
+
+cvss_v2: 9.3
+
+patched_versions:
+  - ">= 3.6.0"
+

data/data/ruby-advisory-db/gems/multi_xml/OSVDB-89148.yml

@@ -0,0 +1,16 @@
+---
+gem: multi_xml
+cve: 2013-0175
+osvdb: 89148
+url: http://osvdb.org/show/osvdb/89148
+title: multi_xml Gem for Ruby XML Parameter Parsing Remote Command Execution 
+date: 2013-01-11
+
+description: |
+  The multi_xml Gem for Ruby contains a flaw that is triggered when an error
+  occurs during the parsing of the 'XML' parameter. With a crafted request
+  containing arbitrary symbol and yaml types, a remote attacker can execute
+  arbitrary commands.
+
+patched_versions:
+  - ">= 0.5.2"

data/data/ruby-advisory-db/gems/newrelic_rpm/OSVDB-90189.yml

@@ -0,0 +1,17 @@
+---
+gem: newrelic_rpm
+cve: 2013-0284
+osvdb: 90189
+url: http://osvdb.org/show/osvdb/90189
+title: Ruby on Rails newrelic_rpm Gem Discloses Sensitive Information
+date: 2012-12-06
+
+description: |
+  A bug in the Ruby agent causes database connection information and raw SQL
+  statements to be transmitted to New Relic servers. The database connection
+  information includes the database IP address, username, and password
+
+cvss_v2: 5.0
+
+patched_versions: 
+  - ">= 3.5.3.25"

data/data/ruby-advisory-db/gems/nori/OSVDB-90196.yml

@@ -0,0 +1,19 @@
+---
+gem: nori
+cve: 2013-0285
+osvdb: 90196
+url: http://osvdb.org/show/osvdb/90196
+title: Ruby Gem nori Parameter Parsing Remote Code Execution
+date: 2013-01-10
+
+description: |
+  The Ruby Gem nori has a parameter parsing error that may allow an attacker
+  to execute arbitrary code. This vulnerability has to do with type casting
+  during parsing, and is related to CVE-2013-0156.
+
+cvss_v2: 10.0
+
+patched_versions:
+  - ~> 1.0.3
+  - ~> 1.1.4
+  - ">= 2.0.2"

data/data/ruby-advisory-db/gems/omniauth-oauth2/OSVDB-90264.yml

@@ -0,0 +1,16 @@
+---
+gem: omniauth-oauth2
+cve: 2012-6134
+osvdb: 90264
+url: http://www.osvdb.org/show/osvdb/90264
+title: Ruby on Rails omniauth-oauth2 Gem CSRF vulnerability
+date: 2012-09-08
+
+description: |
+  The omniauth-oauth2 Ruby Gem contains a flaw that allows an attacker to
+  inject values into a user's session through a CSRF attack.
+
+cvss_v2: 6.8
+
+patched_versions:
+  - ">= 1.1.1"

data/data/ruby-advisory-db/gems/pdfkit/OSVDB-90867.yml

@@ -0,0 +1,11 @@
+--- 
+gem: pdfkit
+cve: 2013-1607
+osvdb: 90867
+url: http://osvdb.org/show/osvdb/90867
+title: PDFKit Gem for Ruby PDF File Generation Parameter Handling Remote Code Execution
+date: 2013-02-21
+description: PDFKit Gem for Ruby contains a flaw that is due to the program failing to properly validate input during the handling of parameters when generating PDF files. This may allow a remote attacker to potentially execute arbitrary code via the pdfkit generation options.
+cvss_v2: 
+patched_versions: 
+  - ">= 0.5.3"

data/data/{bundler/audit/rack/2013-0263.yml → ruby-advisory-db/gems/rack/OSVDB-89939.yml}

@@ -1,7 +1,11 @@
----
+--- 
+gem: rack
+cve: 2013-0263
+osvdb: 89939
 url: http://osvdb.org/show/osvdb/89939
 title: |
   Rack Rack::Session::Cookie Function Timing Attack Remote Code Execution 
+date: 2009-12-01
 
 description: |
   Rack contains a flaw that is due to an error in the Rack::Session::Cookie
@@ -11,10 +15,9 @@ description: |
   latencies are sufficiently low to make the attack viable.
 
 cvss_v2: 7.6
-
-patched_versions:
-  - ~> 1.1.6
-  - ~> 1.2.8
-  - ~> 1.3.10
-  - ~> 1.4.5
-  - ">= 1.5.2"
+patched_versions: 
+- ~> 1.1.6
+- ~> 1.2.8
+- ~> 1.3.10
+- ~> 1.4.5
+- ">= 1.5.2"

data/data/ruby-advisory-db/gems/rack-cache/OSVDB-83077.yml

@@ -0,0 +1,18 @@
+--- 
+gem: rack-cache
+cve: 2012-2671
+osvdb: 83077
+url: http://osvdb.org/83077
+title: rack-cache Rubygem Sensitive HTTP Header Caching Weakness
+date: 2012-06-06
+
+description: |
+  Rack::Cache (rack-cache) contains a flaw related to the rubygem caching
+  sensitive HTTP headers. This will result in a weakness that may make it
+  easier for an attacker to gain access to a user's session via a specially
+  crafted header.
+
+cvss_v2: 7.5
+
+patched_versions: 
+  - ">= 1.2"

data/data/ruby-advisory-db/gems/rdoc/OSVDB-90004.yml

@@ -0,0 +1,27 @@
+---
+gem: rdoc
+cve: 2013-0256
+osvdb: 90004
+url: http://www.osvdb.org/show/osvdb/90004
+title: RDoc 2.3.0 through 3.12 XSS Exploit
+date: 2013-02-06
+
+description: |
+  Doc documentation generated by rdoc 2.3.0 through rdoc 3.12 and prereleases
+  up to rdoc 4.0.0.preview2.1 are vulnerable to an XSS exploit. This exploit
+  may lead to cookie disclosure to third parties.
+  
+  The exploit exists in darkfish.js which is copied from the RDoc install
+  location to the generated documentation.
+  
+  RDoc is a static documentation generation tool. Patching the library itself
+  is insufficient to correct this exploit.
+  
+  This exploit was discovered by Evgeny Ermakov <corwmh@gmail.com>.
+
+cvss_v2: 4.3
+
+patched_versions:
+  - ~> 3.9.5
+  - ~> 3.12.1
+  - ">= 4.0"

data/data/ruby-advisory-db/gems/rgpg/OSVDB-95948.yml

@@ -0,0 +1,13 @@
+--- 
+gem: rgpg
+osvdb: 95948
+url: http://www.osvdb.org/show/osvdb/95948
+title: Ruby rgpg Gem Shell Command Injection Vulnerabilities
+date: 2013-08-02
+description: |
+  rgpg Gem for Ruby contains a flaw in the GpgHelper module (lib/rgpg/gpg_helper.rb).
+  The issue is due to the program failing to properly sanitize user-supplied input before being used in the system() function for execution.
+  This may allow a remote attacker to execute arbitrary commands.
+cvss_v2:
+patched_versions: 
+  - ">= 0.2.3"

data/data/ruby-advisory-db/gems/ruby_parser/OSVDB-90561.yml

@@ -0,0 +1,11 @@
+--- 
+gem: ruby_parser
+cve: 2013-0162
+osvdb: 90561
+url: http://osvdb.org/show/osvdb/90561
+title: RubyGems ruby_parser (RP) Temporary File Symlink Arbitrary File Overwrite
+date: 2013-02-21
+description: RubyGems ruby_parser (RP) contains a flaw as rubygem-ruby_parser creates temporary files insecurely. It is possible for a local attacker to use a symlink attack to cause the program to unexpectedly overwrite an arbitrary file.
+cvss_v2: 2.1
+patched_versions: 
+  - ">= 3.1.2"

data/data/ruby-advisory-db/gems/spree/OSVDB-91216.yml

@@ -0,0 +1,10 @@
+--- 
+gem: spree
+cve: 2013-1656
+osvdb: 91216
+url: http://osvdb.org/show/osvdb/91216
+title: Spree promotion_actions_controller.rb promotion_action Parameter Arbitrary Ruby Object Instantiation Command Execution
+date: 2013-02-21
+description: Spree contains a flaw that is triggered when handling input passed via the 'promotion_action' parameter to promotion_actions_controller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands.
+cvss_v2: 4.3
+patched_versions: 

data/data/ruby-advisory-db/gems/spree/OSVDB-91217.yml

@@ -0,0 +1,10 @@
+--- 
+gem: spree
+cve: 2013-1656
+osvdb: 91217
+url: http://osvdb.org/show/osvdb/91217
+title: Spree payment_methods_controller.rb payment_method Parameter Arbitrary Ruby Object Instantiation Command Execution
+date: 2013-02-21
+description: Spree contains a flaw that is triggered when handling input passed via the 'payment_method' parameter to payment_methods_controller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands.
+cvss_v2: 4.3
+patched_versions: 

data/data/ruby-advisory-db/gems/spree/OSVDB-91218.yml

@@ -0,0 +1,10 @@
+--- 
+gem: spree
+cve: 2013-1656
+osvdb: 91218
+url: http://osvdb.org/show/osvdb/91218
+title: Spree promotions_controller.rb calculator_type Parameter Arbitrary Ruby Object Instantiation Command Execution
+date: 2013-02-21
+description: Spree contains a flaw that is triggered when handling input passed via the 'calculator_type' parameter to promotions_controller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands.
+cvss_v2: 4.3
+patched_versions: 

data/data/ruby-advisory-db/gems/spree/OSVDB-91219.yml

@@ -0,0 +1,10 @@
+--- 
+gem: spree
+cve: 2013-1656
+osvdb: 91219
+url: http://osvdb.org/show/osvdb/91219
+title: Spree promotion_rules_controller.rb promotion_rule Parameter Arbitrary Ruby Object Instantiation Command Execution
+date: 2013-02-21
+description: Spree contains a flaw that is triggered when handling input passed via the 'promotion_rule' parameter to promotion_rules_controller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands.
+cvss_v2: 4.3
+patched_versions: 

data/data/ruby-advisory-db/gems/thumbshooter/OSVDB-91839.yml

@@ -0,0 +1,10 @@
+--- 
+gem: thumbshooter
+cve: 2013-1898
+osvdb: 91839
+url: http://osvdb.org/show/osvdb/91839
+title: Thumbshooter Gem for Ruby thumbshooter.rb URL Shell Metacharacter Injection Arbitrary Command Execution
+date: 2013-03-26
+description: Thumbshooter Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed to thumbshooter.rb. With a specially crafted URL that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands.
+cvss_v2: 7.5
+patched_versions: 

data/data/ruby-advisory-db/lib/scrape.rb

@@ -0,0 +1,87 @@
+require 'rubygems'
+require 'bundler/setup'
+
+require 'pry'
+require 'mechanize'
+require 'yaml'
+require 'date'
+
+class OSVDB
+  attr_accessor :osvdb, :cve, :title, :description, :date, :cvss_v2, :gem, :url, :patched_versions, :page
+  def initialize(url)
+    self.url = url
+    parse!
+  end
+
+  def parse!
+    mech = Mechanize.new
+    self.page = mech.get(url)
+
+    page.search(".show_vuln_table").search("td ul li").each do |li|
+      case li.children[0].text.strip
+      when "CVE ID:"
+        self.cve = li.children[1].text
+      when "Vendor URL:"
+        self.set_gem(li.children[1].text)
+      end
+    end
+
+    self.description = page.search(".show_vuln_table").search("tr td tr .white_content p")[0].text
+    self.date = page.search(".show_vuln_table").search("tr td tr .white_content tr td")[0].text
+    self.title = page.search("title").text.gsub(/\d+: /, "")
+    self.osvdb = page.search("title").text.match(/\d+/)[0]
+    if cvss_p = page.search(".show_vuln_table").search("tr td tr .white_content div p")[0]
+      self.set_cvss(cvss_p.children[0].text)
+    end
+  end
+
+  def set_gem(vendortext)
+    ["https://rubygems.org/gems/", "http://rubygems.org/gems/"].each do |str|
+      if vendortext.match(str)
+        self.gem = vendortext.gsub(str,"")
+      end
+    end
+  end
+
+  def set_cvss(text)
+    self.cvss_v2 = text.strip.gsub("CVSSv2 Base Score = ", "")
+  end
+
+  def date
+    Date.parse(@date)
+  end
+
+  def cvss_v2
+    @cvss_v2.nil? ? nil : @cvss_v2.to_f
+  end
+
+  def gem
+    @gem.nil? ? "unknown" : @gem
+  end
+
+  def to_yaml
+    { 'gem' => gem,
+      'cve' => cve,
+      'osvdb' => osvdb.to_i,
+      'url' => url,
+      'title' => title,
+      'date' => date,
+      'description' => description,
+      'cvss_v2' => cvss_v2,
+      'patched_versions' => patched_versions }.to_yaml
+  end
+
+  def filename
+    "OSVDB-#{osvdb}.yml"
+  end
+
+  def to_advisory!
+    gems_path = File.join(File.dirname(__FILE__), "..", "gems")
+    adv_path = File.absolute_path(File.join(gems_path, self.gem))
+
+    FileUtils.mkdir(adv_path) unless File.exists?(adv_path)
+    File.open(File.join(adv_path, filename), "w") do |io|
+      io.puts self.to_yaml
+    end
+  end
+end

data/data/ruby-advisory-db/spec/advisory_example.rb

@@ -0,0 +1,165 @@
+require 'spec_helper'
+require 'yaml'
+
+shared_examples_for 'Advisory' do |path|
+  advisory = YAML.load_file(path)
+
+  describe path do
+    let(:gem) { File.basename(File.dirname(path)) }
+    let(:filename_cve) do
+      if File.basename(path).start_with?('CVE-')
+        File.basename(path).gsub('CVE-','').chomp('.yml')
+      else
+        nil
+      end
+    end
+    let(:filename_osvdb) do
+      if File.basename(path).start_with?('OSVDB-')
+        File.basename(path).gsub('OSVDB-','').chomp('.yml')
+      else
+        nil
+      end
+    end
+
+    it "should have CVE or OSVDB" do
+      (advisory['cve'] || advisory['osvdb']).should_not be_nil
+    end
+
+    describe "gem" do
+      subject { advisory['gem'] }
+
+      it { should be_kind_of(String) }
+      it { should == gem }
+    end
+
+    describe "framework" do
+      subject { advisory['framework'] }
+
+      it "may be nil or a String" do
+        [NilClass, String].should include(subject.class)
+      end
+    end
+
+    describe "platform" do
+      subject { advisory['platform'] }
+
+      it "may be nil or a String" do
+        [NilClass, String].should include(subject.class)
+      end
+    end
+
+    describe "cve" do
+      subject { advisory['cve'] }
+
+      it "may be nil or a String" do
+        [NilClass, String].should include(subject.class)
+      end
+      it "should be id in filename if filename is CVE-XXX" do
+        if filename_cve
+          should == filename_cve
+        end
+      end
+    end
+
+    describe "osvdb" do
+      subject { advisory['osvdb'] }
+      it "may be nil or a Fixnum" do
+        [NilClass, Fixnum].should include(subject.class)
+      end
+       it "should be id in filename if filename is OSVDB-XXX" do
+        if filename_osvdb
+          should == filename_osvdb.to_i
+        end
+      end
+    end
+
+    describe "url" do
+      subject { advisory['url'] }
+
+      it { should be_kind_of(String) }
+      it { should_not be_empty }
+    end
+
+    describe "title" do
+      subject { advisory['title'] }
+
+      it { should be_kind_of(String) }
+      it { should_not be_empty }
+    end
+
+    describe "date" do
+      subject { advisory['date'] }
+
+      it { should be_kind_of(Date) }
+    end
+
+    describe "description" do
+      subject { advisory['description'] }
+
+      it { should be_kind_of(String) }
+      it { should_not be_empty }
+    end
+
+    describe "cvss_v2" do
+      subject { advisory['cvss_v2'] }
+
+      it "may be nil or a Float" do
+        [NilClass, Float].should include(subject.class)
+      end
+
+      case advisory['cvss_v2']
+      when Float
+        context "when a Float" do
+          it { ((0.0)..(10.0)).should include(subject) }
+        end
+      end
+    end
+
+    describe "patched_versions" do
+      subject { advisory['patched_versions'] }
+
+      it "may be nil or an Array" do
+        [NilClass, Array].should include(subject.class)
+      end
+
+      describe "each patched version" do
+        if advisory['patched_versions']
+          advisory['patched_versions'].each do |version|
+            describe version do
+              subject { version.split(', ') }
+              
+              it "should contain valid RubyGem version requirements" do
+                lambda {
+                Gem::Requirement.new(*subject)
+                }.should_not raise_error(ArgumentError)
+              end
+            end
+          end
+        end
+      end
+    end
+
+    describe "unaffected_versions" do
+      subject { advisory['unaffected_versions'] }
+
+      it "may be nil or an Array" do
+        [NilClass, Array].should include(subject.class)
+      end
+
+      case advisory['unaffected_versions']
+      when Array
+        advisory['unaffected_versions'].each do |version|
+          describe version do
+            subject { version.split(', ') }
+            
+            it "should contain valid RubyGem version requirements" do
+              lambda {
+                Gem::Requirement.new(*subject)
+              }.should_not raise_error(ArgumentError)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/data/ruby-advisory-db/spec/gems_spec.rb

@@ -0,0 +1,8 @@
+require 'spec_helper'
+require 'advisory_example'
+
+describe "gems" do
+  Dir.glob('gems/*/*.yml') do |path|
+    include_examples 'Advisory', path
+  end
+end

data/data/ruby-advisory-db/spec/spec_helper.rb

@@ -0,0 +1 @@
+require 'rspec'

data/gemspec.yml

@@ -4,12 +4,9 @@ description: bundler-audit provides patch-level verification for Bundled apps.
 license: GPLv3
 authors: Postmodern
 email: postmodern.mod3@gmail.com
-homepage: https://github.com/postmodern/bundler-audit#readme
+homepage: https://github.com/rubysec/bundler-audit#readme
 
-dependencies:
-  bundler: ~> 1.0
+required_rubygems_version: ">= 1.8.0"
 
-development_dependencies:
-  rspec: ~> 2.4
-  rubygems-tasks: ~> 0.2
-  yard: ~> 0.8
+dependencies:
+  bundler: ~> 1.2