bundler-audit 0.1.1 → 0.1.2

data/.gitignore

@@ -1,2 +1,5 @@
+Gemfile.lock
 doc/
 pkg/
+spec/bundle/*/Gemfile.lock
+vendor/cache/*.gem

data/.gitmodules

@@ -0,0 +1,3 @@
+[submodule "data/ruby-advisory-db"]
+	path = data/ruby-advisory-db
+	url = https://github.com/rubysec/ruby-advisory-db.git

data/.travis.yml

@@ -0,0 +1,4 @@
+rvm:
+  - 1.8.7
+  - 1.9.2
+  - 1.9.3

data/ChangeLog.md

@@ -1,3 +1,15 @@
+### 0.1.2 / 2013-02-17
+
+* Require [bundler] ~> 1.2.
+* Vendor a full copy of the [ruby-advisory-db].
+* Added {Bundler::Audit::Advisory#path} for debugging purposes.
+* Added {Bundler::Audit::Advisory#to_s} for debugging purposes.
+
+#### CLI
+
+* Simply parse the `Gemfile.lock` instead of loading the bundle (@grosser).
+* Exit with non-zero status on failure (@grosser).
+
 ### 0.1.1 / 2013-02-12
 
 * Fixed a Ruby 1.8 syntax error.
@@ -40,4 +52,5 @@
 * [CVE-2013-0277](http://direct.osvdb.org/show/osvdb/90073)
 * [CVE-2013-0333](http://osvdb.org/show/osvdb/89594)
 
+[bundler]: http://gembundler.com/
 [ruby-advisory-db]: https://github.com/rubysec/ruby-advisory-db#readme

data/Gemfile

@@ -0,0 +1,12 @@
+source :rubygems
+
+gemspec
+
+group :development do
+  gem 'rake',           '~> 10.0'
+  gem 'kramdown',       '~> 0.14'
+
+  gem 'rubygems-tasks', '~> 0.2'
+  gem 'rspec',          '~> 2.4'
+  gem 'yard',           '~> 0.8'
+end

data/README.md

@@ -4,6 +4,8 @@
 * [Issues](https://github.com/postmodern/bundler-audit/issues)
 * [Documentation](http://rubydoc.info/gems/bundler-audit/frames)
 * [Email](mailto:postmodern.mod3 at gmail.com)
+* [![Build Status](https://travis-ci.org/postmodern/bundler-audit.png)](https://travis-ci.org/postmodern/bundler-audit)
+
 
 ## Description
 
@@ -65,48 +67,12 @@ Audit a projects `Gemfile.lock`:
 
 ## Requirements
 
-* [bundler] ~> 1.0
+* [bundler] ~> 1.2
 
 ## Install
 
     $ gem install bundler-audit
 
-## Contributing Advisories
-
-For an advisory to be added to the Database, it must match the following
-format:
-
-* Must be a YAML file.
-* Must be placed in the `data/bundler/audit/$gem/` directory.
-* Must be named after the CVE number (`2013-0156.yml`):
-  * Must contain a URL to the [OSVDB] advisory.
-  * Must contain the `title` and `description`.
-  * Must contain the `title` and `description`.
-  * Must contain the CVSSv2 Score.
-  * Must contain the patched versions ranges.
-
-### Example
-
-    ---
-    url: http://osvdb.org/show/osvdb/89026
-    title: |
-      Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing
-      Remote Code Execution 
-    
-    description: |
-      Ruby on Rails contains a flaw in params_parser.rb of the Action Pack.
-      The issue is triggered when a type casting error occurs during the parsing
-      of parameters. This may allow a remote attacker to potentially execute
-      arbitrary code.
-    
-    cvss_v2: 10.0
-
-    patched_versions:
-      - "~> 2.3.15"
-      - "~> 3.0.19"
-      - "~> 3.1.10"
-      - ">= 3.2.11"
-
 ## License
 
 Copyright (c) 2013 Hal Brodigan (postmodern.mod3 at gmail.com)

data/Rakefile

@@ -1,72 +1,43 @@
 # encoding: utf-8
 
 require 'rubygems'
-require 'rake'
 
 begin
-  gem 'rubygems-tasks', '~> 0.2'
-  require 'rubygems/tasks'
-
-  Gem::Tasks.new
+  require 'bundler'
 rescue LoadError => e
   warn e.message
-  warn "Run `gem install rubygems-tasks` to install Gem::Tasks."
+  warn "Run `gem install bundler` to install Bundler."
+  exit -1
 end
 
 begin
-  gem 'rspec', '~> 2.4'
-  require 'rspec/core/rake_task'
-
-  RSpec::Core::RakeTask.new
-rescue LoadError => e
-  task :spec do
-    abort "Please run `gem install rspec` to install RSpec."
-  end
+  Bundler.setup(:development)
+rescue Bundler::BundlerError => e
+  warn e.message
+  warn "Run `bundle install` to install missing gems."
+  exit e.status_code
 end
 
-namespace :spec do
-  task :validate do
-    validate = lambda do |path,data,field,type|
-      value = data[field]
+require 'rake'
 
-      case value
-      when type
-        # no-op
-      when NilClass
-        warn "#{path}: #{field} is missing"
-      else
-        warn "#{path}: expected #{field} to be #{type} but was #{value.class}"
-      end
-    end
+require 'rubygems/tasks'
+Gem::Tasks.new
 
-    Dir.glob('data/bundler/audit/*/*.yml') do |path|
-      begin
-        data = YAML.load_file(path)
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new
 
-        validate[path, data, 'url', String]
-        validate[path, data, 'title', String]
-        validate[path, data, 'description', String]
-        validate[path, data, 'cvss_v2', Float]
-        validate[path, data, 'patched_versions', Array]
-      rescue ArgumentError => error
-        warn "#{path}: #{error.message}"
-      end
+namespace :spec do
+  task :bundle do
+    %w[spec/bundle/vuln spec/bundle/secure].each do |path|
+      chdir(path) { sh 'bundle', 'install', '--quiet' }
     end
   end
 end
-task :spec => 'spec:validate'
+task :spec => 'spec:bundle'
 
 task :test    => :spec
 task :default => :spec
 
-begin
-  gem 'yard', '~> 0.8'
-  require 'yard'
-
-  YARD::Rake::YardocTask.new  
-rescue LoadError => e
-  task :yard do
-    abort "Please run `gem install yard` to install YARD."
-  end
-end
+require 'yard'
+YARD::Rake::YardocTask.new  
 task :doc => :yard

data/bundler-audit.gemspec

@@ -26,6 +26,13 @@ Gem::Specification.new do |gem|
   gem.files = `git ls-files`.split($/)
   gem.files = glob[gemspec['files']] if gemspec['files']
 
+  # add paths from data/ruby-advisory-db/
+  gem.files += Dir.chdir('data/ruby-advisory-db') do
+    `git ls-files`.split($/).map do |sub_path|
+      File.join('data','ruby-advisory-db',sub_path)
+    end
+  end
+
   gem.executables = gemspec.fetch('executables') do
     glob['bin/*'].map { |path| File.basename(path) }
   end

data/data/ruby-advisory-db/.rspec

@@ -0,0 +1 @@
+--colour

data/data/ruby-advisory-db/README.md

@@ -0,0 +1,64 @@
+# Ruby Advisory Database
+
+The Ruby advisory database seeks to compile all advisories relevant to Ruby libraries.
+
+## Directory Structure
+
+The database is a list of directories that match the names of Ruby libraries on
+[rubygems.org]. Within each directory are one or more advisory files
+for the Ruby library. These advisory files are typically named using
+the advisories [CVE] identifier number.
+
+    gems/:
+      rails/:
+        2012-1098.yml  2012-2660.yml  2012-2661.yml  2012-3463.yml
+
+If an advisory does not yet have a [CVE], [requesting a CVE][1] is easy.
+## Format
+
+Each advisory file contains the advisory information in [YAML] format:
+
+    ---
+    gem: rails
+    cve: 2013-0156
+    url: http://osvdb.org/show/osvdb/89026
+    title: |
+      Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing
+      Remote Code Execution 
+    
+    description: |
+      Ruby on Rails contains a flaw in params_parser.rb of the Action Pack.
+      The issue is triggered when a type casting error occurs during the parsing
+      of parameters. This may allow a remote attacker to potentially execute
+      arbitrary code.
+    
+    cvss_v2: 10.0
+    
+    patched_versions:
+      - ~> 2.3.15
+      - ~> 3.0.19
+      - ~> 3.1.10
+      - ">= 3.2.11"
+
+### Schema
+
+* `gem` \[String\]: Name of the affected gem.
+* `cve` \[String\]: CVE id
+* `url` \[String\]: The URL to the full advisory.
+* `title` \[String\]: The title of the advisory.
+* `description` \[String\]: Multi-paragraph description of the vulnerability.
+* `cvss_v2` \[Float\]: The [CVSSv2] score for the vulnerability.
+* `patched_versions` \[Array\<String\>\]: The version requirements for the
+  patched versions of the Ruby library.
+
+## Credits
+
+* [Postmodern](https://github.com/postmodern/)
+* [Max Veytsman](https://twitter.com/mveytsman)
+
+[rubygems.org]: https://rubygems.org/
+[CVE]: http://cve.mitre.org/
+[CVSSv2]: http://www.first.org/cvss/cvss-guide.html
+[YAML]: http://www.yaml.org/
+
+[1]: http://people.redhat.com/kseifrie/CVE-OpenSource-Request-HOWTO.html

data/data/ruby-advisory-db/gems/actionpack/2012-1099.yml

@@ -0,0 +1,23 @@
+--- 
+gem: actionpack
+cve: 2012-1099
+url: http://www.osvdb.org/show/osvdb/79727
+title:
+  Ruby on Rails actionpack/lib/action_view/helpers/form_options_helper.rb
+  Manually Generated Select Tag Options XSS
+
+description: |
+  Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS) 
+  attack. This flaw exists because the application does not validate manually
+  generated 'select tag options' upon submission to
+  actionpack/lib/action_view/helpers/form_options_helper.rb. This may allow a
+  user to create a specially crafted request that would execute arbitrary
+  script code in a user's browser within the trust relationship between their
+  browser and the server.
+
+cvss_v2: 4.3
+
+patched_versions: 
+  - ~> 3.0.12
+  - ~> 3.1.4
+  - ">= 3.2.2"

data/data/{bundler/audit/rails → ruby-advisory-db/gems/actionpack}/2012-3424.yml

@@ -1,17 +1,21 @@
----
+--- 
+gem: actionpack
+cve: 2012-3424
 url: http://www.osvdb.org/show/osvdb/84243
-title: Ruby on Rails actionpack/lib/action_controller/metal/http_authentication.rb with_http_digest Helper Method Remote DoS 
+title: 
+  Ruby on Rails actionpack/lib/action_controller/metal/http_authentication.rb
+  with_http_digest Helper Method Remote DoS
 
-description: >
-  Ruby on Rails contains a flaw that may allow a remote denial of
-  service. The issue is triggered when an error occurs in
+description: |
+  Ruby on Rails contains a flaw that may allow a remote denial of service.
+  The issue is triggered when an error occurs in
   actionpack/lib/action_controller/metal/http_authentication.rb when the
   with_http_digest helper method is being used. This may allow a remote
   attacker to cause a loss of availability for the program.
 
 cvss_v2: 4.3
 
-patched_versions:
+patched_versions: 
   - ~> 3.0.16
   - ~> 3.1.7
   - ">= 3.2.7"

data/data/ruby-advisory-db/gems/actionpack/2012-3463.yml

@@ -0,0 +1,20 @@
+--- 
+gem: actionpack
+cve: 2012-3463
+url: http://osvdb.org/84515
+title: Ruby on Rails select_tag Helper Method prompt Value XSS
+
+description: |
+  Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS)
+  attack. This flaw exists because input passed via the prompt value is not
+  properly sanitized by the select_tag helper method before returning it to
+  the user. This may allow a user to create a specially crafted request that
+  would execute arbitrary script code in a user's browser within the trust
+  relationship between their browser and the server.
+
+cvss_v2: 4.3
+
+patched_versions: 
+  - ~> 3.0.17
+  - ~> 3.1.8
+  - ">= 3.2.8"

data/data/ruby-advisory-db/gems/actionpack/2012-3465.yml

@@ -0,0 +1,20 @@
+--- 
+gem: actionpack
+cve: 2012-3465
+url: http://www.osvdb.org/show/osvdb/84513
+title: Ruby on Rails strip_tags Helper Method XSS
+
+description: |
+  Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS)
+  attack. This flaw exists because the application does not validate input
+  passed via the 'strip_tags' helper method before returning it to the user.
+  This may allow a user to create a specially crafted request that would
+  execute arbitrary script code in a user's browser within the trust
+  relationship between their browser and the server.
+
+cvss_v2: 4.3
+
+patched_versions: 
+  - ~> 3.0.17
+  - ~> 3.1.8
+  - ">= 3.2.8"

data/data/{bundler/audit/rails → ruby-advisory-db/gems/actionpack}/2013-0156.yml

@@ -1,6 +1,8 @@
----
+--- 
+gem: actionpack
+cve: 2013-0156
 url: http://osvdb.org/show/osvdb/89026
-title: |
+title:
   Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing
   Remote Code Execution 
 
@@ -12,7 +14,7 @@ description: |
 
 cvss_v2: 10.0
 
-patched_versions:
+patched_versions: 
   - ~> 2.3.15
   - ~> 3.0.19
   - ~> 3.1.10

data/data/ruby-advisory-db/gems/activerecord/2012-2660.yml

@@ -0,0 +1,21 @@
+--- 
+gem: activerecord
+cve: 2012-2660
+url: http://www.osvdb.org/show/osvdb/82610
+title:
+  Ruby on Rails ActiveRecord Class Rack Query Parameter Parsing SQL Query
+  Arbitrary IS NULL Clause Injection
+
+description: |
+  Ruby on Rails contains a flaw related to the way ActiveRecord handles
+  parameters in conjunction with the way Rack parses query parameters.
+  This issue may allow an attacker to inject arbitrary 'IS NULL' clauses in
+  to application SQL queries. This may also allow an attacker to have the
+  SQL query check for NULL in arbitrary places.
+
+cvss_v2: 7.5
+
+patched_versions: 
+  - ~> 3.0.13
+  - ~> 3.1.5
+  - ">= 3.2.4"

data/data/ruby-advisory-db/gems/activerecord/2012-2661.yml

@@ -0,0 +1,19 @@
+--- 
+gem: activerecord
+cve: 2012-2661
+url: http://www.osvdb.org/show/osvdb/82403
+title: Ruby on Rails where Method ActiveRecord Class SQL Injection
+
+description: |
+  Ruby on Rails (RoR) contains a flaw that may allow an attacker to carry out
+  an SQL injection attack. The issue is due to the ActiveRecord class not
+  properly sanitizing user-supplied input to the 'where' method. This may
+  allow an attacker to inject or manipulate SQL queries in an application
+  built on RoR, allowing for the manipulation or disclosure of arbitrary data.
+
+cvss_v2: 5.0
+
+patched_versions: 
+  - ~> 3.0.13
+  - ~> 3.1.5
+  - ">= 3.2.4"