bundler-audit 0.1.1 → 0.1.2

Files changed (63)
  1. data/.gitignore +3 -0
  2. data/.gitmodules +3 -0
  3. data/.travis.yml +4 -0
  4. data/ChangeLog.md +13 -0
  5. data/Gemfile +12 -0
  6. data/README.md +3 -37
  7. data/Rakefile +20 -49
  8. data/bundler-audit.gemspec +7 -0
  9. data/data/ruby-advisory-db/.rspec +1 -0
  10. data/data/ruby-advisory-db/README.md +64 -0
  11. data/data/ruby-advisory-db/gems/actionpack/2012-1099.yml +23 -0
  12. data/data/{bundler/audit/rails → ruby-advisory-db/gems/actionpack}/2012-3424.yml +10 -6
  13. data/data/ruby-advisory-db/gems/actionpack/2012-3463.yml +20 -0
  14. data/data/ruby-advisory-db/gems/actionpack/2012-3465.yml +20 -0
  15. data/data/{bundler/audit/rails → ruby-advisory-db/gems/actionpack}/2013-0156.yml +5 -3
  16. data/data/ruby-advisory-db/gems/activerecord/2012-2660.yml +21 -0
  17. data/data/ruby-advisory-db/gems/activerecord/2012-2661.yml +19 -0
  18. data/data/{bundler/audit/rails → ruby-advisory-db/gems/activerecord}/2013-0155.yml +6 -4
  19. data/data/{bundler/audit/rails → ruby-advisory-db/gems/activerecord}/2013-0276.yml +5 -3
  20. data/data/{bundler/audit/rails → ruby-advisory-db/gems/activerecord}/2013-0277.yml +5 -3
  21. data/data/ruby-advisory-db/gems/activesupport/2012-1098.yml +20 -0
  22. data/data/ruby-advisory-db/gems/activesupport/2012-3464.yml +20 -0
  23. data/data/{bundler/audit/rails → ruby-advisory-db/gems/activesupport}/2013-0333.yml +5 -3
  24. data/data/ruby-advisory-db/gems/devise/2013-0233.yml +18 -0
  25. data/data/ruby-advisory-db/gems/gtk2/2007-6183.yml +18 -0
  26. data/data/{bundler/audit → ruby-advisory-db/gems}/json/2013-0269.yml +4 -2
  27. data/data/ruby-advisory-db/gems/mail/2011-0739.yml +19 -0
  28. data/data/ruby-advisory-db/gems/mail/2012-2139.yml +11 -0
  29. data/data/ruby-advisory-db/gems/mail/2012-2140.yml +11 -0
  30. data/data/ruby-advisory-db/gems/multi_xml/2013-0175.yml +14 -0
  31. data/data/ruby-advisory-db/gems/newrelic_rpm/2013-0284.yml +15 -0
  32. data/data/ruby-advisory-db/gems/nori/2013-0285.yml +17 -0
  33. data/data/ruby-advisory-db/gems/omniauth-oauth2/2012-6134.yml +14 -0
  34. data/data/ruby-advisory-db/gems/rack-cache/2012-267.yml +16 -0
  35. data/data/{bundler/audit → ruby-advisory-db/gems}/rack/2013-0263.yml +9 -8
  36. data/data/ruby-advisory-db/gems/rdoc/2013-0256.yml +25 -0
  37. data/data/ruby-advisory-db/spec/advisory_example.rb +80 -0
  38. data/data/ruby-advisory-db/spec/gems_spec.rb +8 -0
  39. data/data/ruby-advisory-db/spec/spec_helper.rb +1 -0
  40. data/gemspec.yml +1 -6
  41. data/lib/bundler/audit/advisory.rb +13 -1
  42. data/lib/bundler/audit/cli.rb +17 -6
  43. data/lib/bundler/audit/database.rb +1 -30
  44. data/lib/bundler/audit/version.rb +1 -1
  45. data/spec/advisory_spec.rb +1 -1
  46. data/spec/bundle/secure/Gemfile +38 -0
  47. data/spec/bundle/{Gemfile → vuln/Gemfile} +0 -0
  48. data/spec/database_spec.rb +1 -32
  49. data/spec/integration_spec.rb +63 -0
  50. data/spec/spec_helper.rb +14 -1
  51. metadata +68 -112
  52. data/data/bundler/audit/mail/2011-0739.yml +0 -17
  53. data/data/bundler/audit/mail/2012-2139.yml +0 -16
  54. data/data/bundler/audit/mail/2012-2140.yml +0 -13
  55. data/data/bundler/audit/rack-cache/2012-267.yml +0 -14
  56. data/data/bundler/audit/rails/2012-1098.yml +0 -19
  57. data/data/bundler/audit/rails/2012-1099.yml +0 -19
  58. data/data/bundler/audit/rails/2012-2660.yml +0 -17
  59. data/data/bundler/audit/rails/2012-2661.yml +0 -18
  60. data/data/bundler/audit/rails/2012-3463.yml +0 -19
  61. data/data/bundler/audit/rails/2012-3464.yml +0 -18
  62. data/data/bundler/audit/rails/2012-3465.yml +0 -19
  63. data/spec/bundle/Gemfile.lock +0 -92
@@ -1,7 +1,8 @@
1
- ---
1
+ ---
2
+ gem: activerecord
3
+ cve: 2013-0155
2
4
  url: http://osvdb.org/show/osvdb/89025
3
- title: |
4
- Ruby on Rails Active Record JSON Parameter Parsing Query Bypass
5
+ title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass
5
6
 
6
7
  description: |
7
8
  Ruby on Rails contains a flaw in the Active Record. The issue is due to an
@@ -13,7 +14,8 @@ description: |
13
14
 
14
15
  cvss_v2: 10.0
15
16
 
16
- patched_versions:
17
+ patched_versions:
18
+ - ~> 2.3.16
17
19
  - ~> 3.0.19
18
20
  - ~> 3.1.10
19
21
  - ">= 3.2.11"
@@ -1,6 +1,8 @@
1
- ---
1
+ ---
2
+ gem: activerecord
3
+ cve: 2013-0276
2
4
  url: http://direct.osvdb.org/show/osvdb/90072
3
- title: Ruby on Rails Active Record attr_protected Method Bypass
5
+ title: Ruby on Rails Active Record attr_protected Method Bypass
4
6
 
5
7
  description: |
6
8
  Ruby on Rails contains a flaw in the attr_protected method of the
@@ -10,7 +12,7 @@ description: |
10
12
 
11
13
  cvss_v2: 5.0
12
14
 
13
- patched_versions:
15
+ patched_versions:
14
16
  - ~> 2.3.17
15
17
  - ~> 3.1.11
16
18
  - ">= 3.2.12"
@@ -1,6 +1,8 @@
1
- ---
1
+ ---
2
+ gem: activerecord
3
+ cve: 2013-0277
2
4
  url: http://direct.osvdb.org/show/osvdb/90073
3
- title: |
5
+ title:
4
6
  Ruby on Rails Active Record +serialize+ Helper YAML Attribute Handling Remote
5
7
  Code Execution
6
8
 
@@ -13,6 +15,6 @@ description: |
13
15
 
14
16
  cvss_v2: 10.0
15
17
 
16
- patched_versions:
18
+ patched_versions:
17
19
  - ~> 2.3.17
18
20
  - ">= 3.1.0"
@@ -0,0 +1,20 @@
1
+ ---
2
+ gem: activesupport
3
+ cve: 2012-1098
4
+ url: http://osvdb.org/79726
5
+ title: Ruby on Rails SafeBuffer Object [] Direct Manipulation XSS
6
+
7
+ description: |
8
+ Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS)
9
+ attack. This flaw exists because athe application does not validate direct
10
+ manipulations of SafeBuffer objects via '[]' and other methods. This may
11
+ allow a user to create a specially crafted request that would execute
12
+ arbitrary script code in a user's browser within the trust relationship
13
+ between their browser and the server.
14
+
15
+ cvss_v2: 4.3
16
+
17
+ patched_versions:
18
+ - ~> 3.0.12
19
+ - ~> 3.1.4
20
+ - ">= 3.2.2"
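Review bot: The description text carries a typo at `athe application` (line 9 of the new file), and since bundler-audit prints this field to users it is worth fixing before the advisory ships: `This flaw exists because the application does not validate direct`. The same class of defect appears in the devise 2013-0233 entry (`triggered during when a type conversion error`) and in the mail 2012-2140 entry, whose title is cut off at `Executio` and whose description ends in `commands..`. The advisory_example spec added in this change only checks that these fields are non-empty strings, so nothing in the suite would catch them.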
@@ -0,0 +1,20 @@
1
+ ---
2
+ gem: activesupport
3
+ cve: 2012-3464
4
+ url: http://www.osvdb.org/show/osvdb/84516
5
+ title: Ruby on Rails HTML Escaping Code XSS
6
+
7
+ description: |
8
+ Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS)
9
+ attack. This flaw exists because the HTML escaping code functionality does
10
+ not properly escape a single quote character. This may allow a user to create
11
+ a specially crafted request that would execute arbitrary script code in a
12
+ user's browser within the trust relationship between their browser and the
13
+ server.
14
+
15
+ cvss_v2: 4.3
16
+
17
+ patched_versions:
18
+ - ~> 3.0.17
19
+ - ~> 3.1.8
20
+ - ">= 3.2.8"
@@ -1,6 +1,8 @@
1
- ---
1
+ ---
2
+ gem: activesupport
3
+ cve: 2013-0333
2
4
  url: http://osvdb.org/show/osvdb/89594
3
- title: |
5
+ title:
4
6
  Ruby on Rails JSON Parser Crafted Payload YAML Subset Decoding Remote Code
5
7
  Execution
6
8
 
@@ -15,6 +17,6 @@ description: |
15
17
 
16
18
  cvss_v2: 9.3
17
19
 
18
- patched_versions:
20
+ patched_versions:
19
21
  - ~> 2.3.16
20
22
  - ">= 3.0.20"
@@ -0,0 +1,18 @@
1
+ ---
2
+ gem: devise
3
+ cve: 2013-0233
4
+ url: http://osvdb.org/show/osvdb/89642
5
+ title: Devise Database Type Conversion Crafted Request Parsing Security Bypass
6
+
7
+ description: |
8
+ Devise contains a flaw that is triggered during when a type conversion error
9
+ occurs during the parsing of a malformed request. With a specially crafted
10
+ request, a remote attacker can bypass security restrictions.
11
+
12
+ cvss_v2: 10.0
13
+
14
+ patched_versions:
15
+ - ~> 1.5.4
16
+ - ~> 2.0.5
17
+ - ~> 2.1.3
18
+ - ">= 2.2.3"
@@ -0,0 +1,18 @@
1
+ ---
2
+ gem: gtk2
3
+ cve: 2007-6183
4
+ url: http://osvdb.org/show/osvdb/40774
5
+ title:
6
+ Ruby-GNOME2 gtk/src/rbgtkmessagedialog.c Gtk::MessageDialog.new() Function
7
+ Format String
8
+
9
+ description: |
10
+ Format string vulnerability in the mdiag_initialize function in
11
+ gtk/src/rbgtkmessagedialog.c in Ruby-GNOME 2 (aka Ruby/Gnome2) 0.16.0, and
12
+ SVN versions before 20071127, allows context-dependent attackers to execute
13
+ arbitrary code via format string specifiers in the message parameter.
14
+
15
+ cvss_v2: 6.8
16
+
17
+ patched_versions:
18
+ - "> 0.16.0"
@@ -1,4 +1,6 @@
1
- ---
1
+ ---
2
+ gem: json
3
+ cve: 2013-0269
2
4
  url: http://direct.osvdb.org/show/osvdb/90074
3
5
  title: Ruby on Rails JSON Gem Arbitrary Symbol Creation Remote DoS
4
6
 
@@ -13,7 +15,7 @@ description: |
13
15
 
14
16
  cvss_v2: 9.0
15
17
 
16
- patched_versions:
18
+ patched_versions:
17
19
  - ~> 1.5.4
18
20
  - ~> 1.6.7
19
21
  - ">= 1.7.7"
@@ -0,0 +1,19 @@
1
+ ---
2
+ gem: mail
3
+ cve: 2011-0739
4
+ url: http://www.osvdb.org/show/osvdb/70667
5
+ title: >
6
+ Mail Gem for Ruby lib/mail/network/delivery_methods/sendmail.rb Email From:
7
+ Address Arbitrary Shell Command Injection
8
+
9
+ description: |
10
+ Mail Gem for Ruby contains a flaw related to the failure to properly sanitise
11
+ input passed from an email from address in the 'deliver()' function in
12
+ 'lib/mail/network/delivery_methods/sendmail.rb' before being used as a
13
+ command line argument. This may allow a remote attacker to inject arbitrary
14
+ shell commands.
15
+
16
+ cvss_v2: 6.8
17
+
18
+ patched_versions:
19
+ - ">= 2.2.15"
@@ -0,0 +1,11 @@
1
+ ---
2
+ gem: mail
3
+ cve: 2012-2139
4
+ url: http://www.osvdb.org/show/osvdb/81631
5
+ title: Mail Gem for Ruby File Delivery Method to Parameter Traversal Arbitrary File Manipulation
6
+ description: |
7
+ Mail Gem for Ruby contains a flaw that allows a remote attacker to traverse outside of a restricted path. The issue is due to the program not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied via the 'to' parameter within the delivery method. This directory traversal attack would allow the attacker to modify arbitrary files.
8
+
9
+ cvss_v2: 5.0
10
+ patched_versions:
11
+ - ">= 2.4.4"
@@ -0,0 +1,11 @@
1
+ ---
2
+ gem: mail
3
+ cve: 2012-2140
4
+ url: http://www.osvdb.org/show/osvdb/81632
5
+ title: Mail Gem for Ruby Multiple Delivery Method Remote Shell Command Executio
6
+ description: |
7
+ Mail Gem for Ruby contains a flaw that occurs within the sendmail and exim delivery methods, which may allow an attacker to execute arbitrary shell commands..
8
+
9
+ cvss_v2: 7.5
10
+ patched_versions:
11
+ - ">= 2.4.4"
@@ -0,0 +1,14 @@
1
+ ---
2
+ gem: multi_xml
3
+ cve: 2013-0175
4
+ url: http://osvdb.org/show/osvdb/89148
5
+ title: multi_xml Gem for Ruby XML Parameter Parsing Remote Command Execution
6
+
7
+ description: |
8
+ The multi_xml Gem for Ruby contains a flaw that is triggered when an error
9
+ occurs during the parsing of the 'XML' parameter. With a crafted request
10
+ containing arbitrary symbol and yaml types, a remote attacker can execute
11
+ arbitrary commands.
12
+
13
+ patched_versions:
14
+ - ">= 0.5.2"
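Review bot: This entry omits the `cvss_v2` key entirely, while the other unscored advisories added in the same change (newrelic_rpm 2013-0284, nori 2013-0285, omniauth-oauth2 2012-6134) keep the key with an empty value. Both forms load as nil and pass the spec's nil-or-Float check, but spelling the key out makes it visible that the score is missing rather than forgotten; a `cvss_v2:` line between the description and `patched_versions` would match the other entries.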
@@ -0,0 +1,15 @@
1
+ ---
2
+ gem: newrelic_rpm
3
+ cve: 2013-0284
4
+ url: https://newrelic.com/docs/ruby/ruby-agent-security-notification
5
+ title: Ruby on Rails newrelic_rpm Gem Discloses Sensitive Information
6
+
7
+ description: |
8
+ A bug in the Ruby agent causes database connection information and raw SQL
9
+ statements to be transmitted to New Relic servers. The database connection
10
+ information includes the database IP address, username, and password
11
+
12
+ cvss_v2:
13
+
14
+ patched_versions:
15
+ - ">= 3.5.3.25"
@@ -0,0 +1,17 @@
1
+ ---
2
+ gem: nori
3
+ cve: 2013-0285
4
+ url: https://github.com/savonrb/nori/commit/818f5263b1d597b603d46cbe1702cd2717259e32
5
+ title: Ruby Gem nori Parameter Parsing Remote Code Execution
6
+
7
+ description: |
8
+ The Ruby Gem nori has a parameter parsing error that may allow an attacker
9
+ to execute arbitrary code. This vulnerability has to do with type casting
10
+ during parsing, and is related to CVE-2013-0156.
11
+
12
+ cvss_v2:
13
+
14
+ patched_versions:
15
+ - ~> 1.0.3
16
+ - ~> 1.1.4
17
+ - ">= 2.0.2"
@@ -0,0 +1,14 @@
1
+ ---
2
+ gem: omniauth-oauth2
3
+ cve: 2012-6134
4
+ url: https://github.com/intridea/omniauth-oauth2/pull/25
5
+ title: Ruby on Rails omniauth-oauth2 Gem CSRF vulnerability
6
+
7
+ description: |
8
+ The omniauth-oauth2 Ruby Gem contains a flaw that allows an attacker to
9
+ inject values into a user's session through a CSRF attack.
10
+
11
+ cvss_v2:
12
+
13
+ patched_versions:
14
+ - ">= 1.1.1"
@@ -0,0 +1,16 @@
1
+ ---
2
+ gem: rack-cache
3
+ cve: 2012-267
4
+ url: http://osvdb.org/83077
5
+ title: rack-cache Rubygem Sensitive HTTP Header Caching Weakness
6
+
7
+ description: |
8
+ Rack::Cache (rack-cache) contains a flaw related to the rubygem caching
9
+ sensitive HTTP headers. This will result in a weakness that may make it
10
+ easier for an attacker to gain access to a user's session via a specially
11
+ crafted header.
12
+
13
+ cvss_v2: 7.5
14
+
15
+ patched_versions:
16
+ - ">= 1.2"
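Review bot: `cve: 2012-267` is not a well-formed CVE identifier (the sequence part of a CVE id has at least four digits), and nothing on this page indicates which id the entry is meant to carry, so any consumer that matches advisories by CVE number will never find it. Because the spec requires the `cve` field to equal the file's basename, correcting it means renaming `2012-267.yml` as well as editing the field. The OSVDB url on line 4 is the only reference in this entry that can be relied on as written.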
@@ -1,4 +1,6 @@
1
- ---
1
+ ---
2
+ gem: rack
3
+ cve: 2013-0263
2
4
  url: http://osvdb.org/show/osvdb/89939
3
5
  title: |
4
6
  Rack Rack::Session::Cookie Function Timing Attack Remote Code Execution
@@ -11,10 +13,9 @@ description: |
11
13
  latencies are sufficiently low to make the attack viable.
12
14
 
13
15
  cvss_v2: 7.6
14
-
15
- patched_versions:
16
- - ~> 1.1.6
17
- - ~> 1.2.8
18
- - ~> 1.3.10
19
- - ~> 1.4.5
20
- - ">= 1.5.2"
16
+ patched_versions:
17
+ - ~> 1.1.6
18
+ - ~> 1.2.8
19
+ - ~> 1.3.10
20
+ - ~> 1.4.5
21
+ - ">= 1.5.2"
@@ -0,0 +1,25 @@
1
+ ---
2
+ gem: rdoc
3
+ cve: 2013-0256
4
+ url: http://www.osvdb.org/show/osvdb/90004
5
+ title: RDoc 2.3.0 through 3.12 XSS Exploit
6
+
7
+ description: |
8
+ Doc documentation generated by rdoc 2.3.0 through rdoc 3.12 and prereleases
9
+ up to rdoc 4.0.0.preview2.1 are vulnerable to an XSS exploit. This exploit
10
+ may lead to cookie disclosure to third parties.
11
+
12
+ The exploit exists in darkfish.js which is copied from the RDoc install
13
+ location to the generated documentation.
14
+
15
+ RDoc is a static documentation generation tool. Patching the library itself
16
+ is insufficient to correct this exploit.
17
+
18
+ This exploit was discovered by Evgeny Ermakov <corwmh@gmail.com>.
19
+
20
+ cvss_v2: 4.3
21
+
22
+ patched_versions:
23
+ - ~> 3.9.5
24
+ - ~> 3.12.1
25
+ - ">= 4.0"
@@ -0,0 +1,80 @@
1
+ require 'spec_helper'
2
+ require 'yaml'
3
+
4
+ shared_examples_for 'Advisory' do |path|
5
+ advisory = YAML.load_file(path)
6
+
7
+ describe path do
8
+ let(:gem) { File.basename(File.dirname(path)) }
9
+ let(:cve) { File.basename(path).chomp('.yml') }
10
+
11
+ describe "gem" do
12
+ subject { advisory['gem'] }
13
+
14
+ it { should be_kind_of(String) }
15
+ it { should == gem }
16
+ end
17
+
18
+ describe "cve" do
19
+ subject { advisory['cve'] }
20
+
21
+ it { should be_kind_of(String) }
22
+ it { should == cve }
23
+ end
24
+
25
+ describe "url" do
26
+ subject { advisory['url'] }
27
+
28
+ it { should be_kind_of(String) }
29
+ it { should_not be_empty }
30
+ end
31
+
32
+ describe "title" do
33
+ subject { advisory['title'] }
34
+
35
+ it { should be_kind_of(String) }
36
+ it { should_not be_empty }
37
+ end
38
+
39
+ describe "description" do
40
+ subject { advisory['description'] }
41
+
42
+ it { should be_kind_of(String) }
43
+ it { should_not be_empty }
44
+ end
45
+
46
+ describe "cvss_v2" do
47
+ subject { advisory['cvss_v2'] }
48
+
49
+ it "may be nil or a Float" do
50
+ [NilClass, Float].should include(subject.class)
51
+ end
52
+
53
+ case advisory['cvss_v2']
54
+ when Float
55
+ context "when a Float" do
56
+ it { ((0.0)..(10.0)).should include(subject) }
57
+ end
58
+ end
59
+ end
60
+
61
+ describe "patched_versions" do
62
+ subject { advisory['patched_versions'] }
63
+
64
+ it { should be_kind_of(Array) }
65
+ it { should_not be_empty }
66
+
67
+ advisory['patched_versions'].each do |version|
68
+ describe version do
69
+ subject { version.split(', ') }
70
+
71
+ it "should contain valid RubyGem version requirements" do
72
+ lambda {
73
+ Gem::Requirement.new(version)
74
+ }.should_not raise_error(ArgumentError)
75
+ end
76
+ end
77
+ end
78
+ end
79
+ end
80
+ end
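Review bot: The `cve` block (lines 18–23) only checks that the field is a String equal to the file's basename, so a malformed identifier such as the `2012-267` in the rack-cache entry added by this same change passes; add `it { should =~ /\A\d{4}-\d{4,}\z/ }` so the id has to look like a CVE number. Line 5 loads every advisory with `YAML.load_file`, which on Psych versions before 4 instantiates whatever Ruby object a tagged document names; since the database is pulled in from an external repository, `advisory = YAML.safe_load(File.read(path))` (where the Psych in use provides it) keeps the spec from being a deserialization sink even though it only runs under rspec. The `subject { version.split(', ') }` on line 69 is never used — the example on lines 71–75 builds `Gem::Requirement` from `version` directly — so that `subject` line can be dropped.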