RubyGems - bundler-audit - Versions diffs - 0.1.2 → 0.2.0 - Mend

bundler-audit 0.1.2 → 0.2.0

Files changed (84) hide show

data/data/ruby-advisory-db/gems/kelredd-pruview/OSVDB-92228.yml ADDED

@@ -0,0 +1,10 @@
+---
+gem: kelredd-pruview
+cve: 2013-1947
+osvdb: 92228
+url: http://osvdb.org/show/osvdb/92228
+title: kelredd-pruview Gem for Ruby /lib/pruview/document.rb File Name Shell Metacharacter Injection Arbitrary Command Execution
+date: 2013-04-04
+description: kelredd-pruview Gem for Ruby contains a flaw in /lib/pruview/document.rb. The issue is triggered during the handling of a specially crafted file name that contains injected shell metacharacters. This may allow a context-dependent attacker to potentially execute arbitrary commands.
+cvss_v2: 9.3
+patched_versions:

data/data/ruby-advisory-db/gems/ldoce/OSVDB-91870.yml ADDED

@@ -0,0 +1,10 @@
+---
+gem: ldoce
+cve: 2013-1911
+osvdb: 91870
+url: http://osvdb.org/show/osvdb/91870
+title: ldoce Gem for Ruby MP3 URL Shell Metacharacter Injection Arbitrary Command Execution
+date: 2013-04-01
+description: ldoce Gem for Ruby contains a flaw that is triggered during the handling of a specially crafted URL or filename for MP3 files that have shell metacharacters injected in to it. This may allow a context-dependent attacker to execute arbitrary commands.
+cvss_v2: 6.8
+patched_versions:

data/data/ruby-advisory-db/gems/loofah/OSVDB-90945.yml ADDED

@@ -0,0 +1,21 @@
+---
+gem: loofah
+osvdb: 90945
+url: http://www.osvdb.org/show/osvdb/90945
+title: Loofah HTML and XSS injection vulnerability
+date: 2012-09-08
+description: |
+  Loofah Gem for Ruby contains a flaw that allows a remote cross-site
+  scripting (XSS) attack. This flaw exists because the
+  Loofah::HTML::Document\#text function passes properly sanitized
+  user-supplied input to the Loofah::XssFoliate and
+  Loofah::Helpers\#strip_tags functions which convert input back to
+  text. This may allow an attacker to create a specially crafted
+  request that would execute arbitrary script code in a user's browser
+  within the trust relationship between their browser and the server.
+cvss_v2: 5.0
+patched_versions:
+  - ">=  0.4.6"

data/data/ruby-advisory-db/gems/mail/{2011-0739.yml → OSVDB-70667.yml} RENAMED

@@ -1,10 +1,12 @@
 ---
 gem: mail
 cve: 2011-0739
+osvdb: 70667
 url: http://www.osvdb.org/show/osvdb/70667
 title: >
   Mail Gem for Ruby lib/mail/network/delivery_methods/sendmail.rb Email From:
   Address Arbitrary Shell Command Injection
+date: 2011-01-25
 description: |
   Mail Gem for Ruby contains a flaw related to the failure to properly sanitise

data/data/ruby-advisory-db/gems/mail/{2012-2139.yml → OSVDB-81631.yml} RENAMED

@@ -1,8 +1,11 @@
 ---
 gem: mail
 cve: 2012-2139
+osvdb: 81631
 url: http://www.osvdb.org/show/osvdb/81631
 title: Mail Gem for Ruby File Delivery Method to Parameter Traversal Arbitrary File Manipulation
+date: 2012-03-14
 description: |
   Mail Gem for Ruby contains a flaw that allows a remote attacker to traverse outside of a restricted path. The issue is due to the program not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied via the 'to' parameter within the delivery method. This directory traversal attack would allow the attacker to modify arbitrary files.

data/data/ruby-advisory-db/gems/mail/{2012-2140.yml → OSVDB-81632.yml} RENAMED

@@ -1,10 +1,15 @@
 ---
 gem: mail
 cve: 2012-2140
+osvdb: 81632
 url: http://www.osvdb.org/show/osvdb/81632
-title: Mail Gem for Ruby Multiple Delivery Method Remote Shell Command Executio
+title: Mail Gem for Ruby Multiple Delivery Method Remote Shell Command Execution
+date: 2012-03-14
 description: |
-  Mail Gem for Ruby contains a flaw that occurs within the sendmail and exim delivery methods, which may allow an attacker to execute arbitrary shell commands..
+  Mail Gem for Ruby contains a flaw that occurs within the sendmail and exim
+  delivery methods, which may allow an attacker to execute arbitrary shell
+  commands..
 cvss_v2: 7.5
 patched_versions:

data/data/ruby-advisory-db/gems/md2pdf/OSVDB-92290.yml ADDED

@@ -0,0 +1,10 @@
+---
+gem: md2pdf
+cve: 2013-1948
+osvdb: 92290
+url: http://osvdb.org/show/osvdb/92290
+title: md2pdf Gem for Ruby md2pdf/converter.rb File Name Shell Metacharacter Injection Arbitrary Command Execution
+date: 2013-04-13
+description: md2pdf Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed to md2pdf/converter.rb. With a specially crafted file name that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands
+cvss_v2: 10.0
+patched_versions:

data/data/ruby-advisory-db/gems/mini_magick/OSVDB-91231.yml ADDED

@@ -0,0 +1,15 @@
+---
+gem: mini_magick
+cve: 2013-2616
+osvdb: 91231
+url: http://osvdb.org/show/osvdb/91231
+title: MiniMagick Gem for Ruby URI Handling Arbitrary Command Injection
+date: 2013-03-12
+description: MiniMagick Gem for Ruby contains a flaw that is triggered during the handling of specially crafted input from an untrusted source passed via a URL that contains a ';' character. This may allow a context-dependent attacker to potentially execute arbitrary commands.
+cvss_v2: 9.3
+patched_versions:
+  - ">= 3.6.0"

data/data/ruby-advisory-db/gems/multi_xml/{2013-0175.yml → OSVDB-89148.yml} RENAMED

@@ -1,8 +1,10 @@
 ---
 gem: multi_xml
 cve: 2013-0175
+osvdb: 89148
 url: http://osvdb.org/show/osvdb/89148
 title: multi_xml Gem for Ruby XML Parameter Parsing Remote Command Execution
+date: 2013-01-11
 description: |
   The multi_xml Gem for Ruby contains a flaw that is triggered when an error

data/data/ruby-advisory-db/gems/newrelic_rpm/{2013-0284.yml → OSVDB-90189.yml} RENAMED

@@ -1,15 +1,17 @@
 ---
 gem: newrelic_rpm
 cve: 2013-0284
-url: https://newrelic.com/docs/ruby/ruby-agent-security-notification
+osvdb: 90189
+url: http://osvdb.org/show/osvdb/90189
 title: Ruby on Rails newrelic_rpm Gem Discloses Sensitive Information
+date: 2012-12-06
 description: |
   A bug in the Ruby agent causes database connection information and raw SQL
   statements to be transmitted to New Relic servers. The database connection
   information includes the database IP address, username, and password
-cvss_v2:
+cvss_v2: 5.0
 patched_versions:
   - ">= 3.5.3.25"

data/data/ruby-advisory-db/gems/nori/{2013-0285.yml → OSVDB-90196.yml} RENAMED

@@ -1,15 +1,17 @@
 ---
 gem: nori
 cve: 2013-0285
-url: https://github.com/savonrb/nori/commit/818f5263b1d597b603d46cbe1702cd2717259e32
+osvdb: 90196
+url: http://osvdb.org/show/osvdb/90196
 title: Ruby Gem nori Parameter Parsing Remote Code Execution
+date: 2013-01-10
 description: |
   The Ruby Gem nori has a parameter parsing error that may allow an attacker
   to execute arbitrary code. This vulnerability has to do with type casting
   during parsing, and is related to CVE-2013-0156.
-cvss_v2:
+cvss_v2: 10.0
 patched_versions:
   - ~> 1.0.3

data/data/ruby-advisory-db/gems/omniauth-oauth2/{2012-6134.yml → OSVDB-90264.yml} RENAMED

@@ -1,14 +1,16 @@
 ---
 gem: omniauth-oauth2
 cve: 2012-6134
-url: https://github.com/intridea/omniauth-oauth2/pull/25
+osvdb: 90264
+url: http://www.osvdb.org/show/osvdb/90264
 title: Ruby on Rails omniauth-oauth2 Gem CSRF vulnerability
+date: 2012-09-08
 description: |
   The omniauth-oauth2 Ruby Gem contains a flaw that allows an attacker to
   inject values into a user's session through a CSRF attack.
-cvss_v2:
+cvss_v2: 6.8
 patched_versions:
   - ">= 1.1.1"

data/data/ruby-advisory-db/gems/pdfkit/OSVDB-90867.yml ADDED

@@ -0,0 +1,11 @@
+---
+gem: pdfkit
+cve: 2013-1607
+osvdb: 90867
+url: http://osvdb.org/show/osvdb/90867
+title: PDFKit Gem for Ruby PDF File Generation Parameter Handling Remote Code Execution
+date: 2013-02-21
+description: PDFKit Gem for Ruby contains a flaw that is due to the program failing to properly validate input during the handling of parameters when generating PDF files. This may allow a remote attacker to potentially execute arbitrary code via the pdfkit generation options.
+cvss_v2:
+patched_versions:
+  - ">= 0.5.3"

data/data/ruby-advisory-db/gems/rack-cache/{2012-267.yml → OSVDB-83077.yml} RENAMED

@@ -1,8 +1,10 @@
 ---
 gem: rack-cache
-cve: 2012-267
+cve: 2012-2671
+osvdb: 83077
 url: http://osvdb.org/83077
 title: rack-cache Rubygem Sensitive HTTP Header Caching Weakness
+date: 2012-06-06
 description: |
   Rack::Cache (rack-cache) contains a flaw related to the rubygem caching

data/data/ruby-advisory-db/gems/rack/{2013-0263.yml → OSVDB-89939.yml} RENAMED

@@ -1,9 +1,11 @@
 ---
 gem: rack
 cve: 2013-0263
+osvdb: 89939
 url: http://osvdb.org/show/osvdb/89939
 title: |
   Rack Rack::Session::Cookie Function Timing Attack Remote Code Execution
+date: 2009-12-01
 description: |
   Rack contains a flaw that is due to an error in the Rack::Session::Cookie

data/data/ruby-advisory-db/gems/rdoc/{2013-0256.yml → OSVDB-90004.yml} RENAMED

@@ -1,8 +1,10 @@
 ---
 gem: rdoc
 cve: 2013-0256
+osvdb: 90004
 url: http://www.osvdb.org/show/osvdb/90004
 title: RDoc 2.3.0 through 3.12 XSS Exploit
+date: 2013-02-06
 description: |
   Doc documentation generated by rdoc 2.3.0 through rdoc 3.12 and prereleases

data/data/ruby-advisory-db/gems/rgpg/OSVDB-95948.yml ADDED

@@ -0,0 +1,13 @@
+---
+gem: rgpg
+osvdb: 95948
+url: http://www.osvdb.org/show/osvdb/95948
+title: Ruby rgpg Gem Shell Command Injection Vulnerabilities
+date: 2013-08-02
+description: |
+  rgpg Gem for Ruby contains a flaw in the GpgHelper module (lib/rgpg/gpg_helper.rb).
+  The issue is due to the program failing to properly sanitize user-supplied input before being used in the system() function for execution.
+  This may allow a remote attacker to execute arbitrary commands.
+cvss_v2:
+patched_versions:
+  - ">= 0.2.3"

data/data/ruby-advisory-db/gems/ruby_parser/OSVDB-90561.yml ADDED

@@ -0,0 +1,11 @@
+---
+gem: ruby_parser
+cve: 2013-0162
+osvdb: 90561
+url: http://osvdb.org/show/osvdb/90561
+title: RubyGems ruby_parser (RP) Temporary File Symlink Arbitrary File Overwrite
+date: 2013-02-21
+description: RubyGems ruby_parser (RP) contains a flaw as rubygem-ruby_parser creates temporary files insecurely. It is possible for a local attacker to use a symlink attack to cause the program to unexpectedly overwrite an arbitrary file.
+cvss_v2: 2.1
+patched_versions:
+  - ">= 3.1.2"

data/data/ruby-advisory-db/gems/spree/OSVDB-91216.yml ADDED

@@ -0,0 +1,10 @@
+---
+gem: spree
+cve: 2013-1656
+osvdb: 91216
+url: http://osvdb.org/show/osvdb/91216
+title: Spree promotion_actions_controller.rb promotion_action Parameter Arbitrary Ruby Object Instantiation Command Execution
+date: 2013-02-21
+description: Spree contains a flaw that is triggered when handling input passed via the 'promotion_action' parameter to promotion_actions_controller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands.
+cvss_v2: 4.3
+patched_versions:

data/data/ruby-advisory-db/gems/spree/OSVDB-91217.yml ADDED

@@ -0,0 +1,10 @@
+---
+gem: spree
+cve: 2013-1656
+osvdb: 91217
+url: http://osvdb.org/show/osvdb/91217
+title: Spree payment_methods_controller.rb payment_method Parameter Arbitrary Ruby Object Instantiation Command Execution
+date: 2013-02-21
+description: Spree contains a flaw that is triggered when handling input passed via the 'payment_method' parameter to payment_methods_controller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands.
+cvss_v2: 4.3
+patched_versions:

data/data/ruby-advisory-db/gems/spree/OSVDB-91218.yml ADDED

@@ -0,0 +1,10 @@
+---
+gem: spree
+cve: 2013-1656
+osvdb: 91218
+url: http://osvdb.org/show/osvdb/91218
+title: Spree promotions_controller.rb calculator_type Parameter Arbitrary Ruby Object Instantiation Command Execution
+date: 2013-02-21
+description: Spree contains a flaw that is triggered when handling input passed via the 'calculator_type' parameter to promotions_controller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands.
+cvss_v2: 4.3
+patched_versions:

data/data/ruby-advisory-db/gems/spree/OSVDB-91219.yml ADDED

@@ -0,0 +1,10 @@
+---
+gem: spree
+cve: 2013-1656
+osvdb: 91219
+url: http://osvdb.org/show/osvdb/91219
+title: Spree promotion_rules_controller.rb promotion_rule Parameter Arbitrary Ruby Object Instantiation Command Execution
+date: 2013-02-21
+description: Spree contains a flaw that is triggered when handling input passed via the 'promotion_rule' parameter to promotion_rules_controller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands.
+cvss_v2: 4.3
+patched_versions:

data/data/ruby-advisory-db/gems/thumbshooter/OSVDB-91839.yml ADDED

@@ -0,0 +1,10 @@
+---
+gem: thumbshooter
+cve: 2013-1898
+osvdb: 91839
+url: http://osvdb.org/show/osvdb/91839
+title: Thumbshooter Gem for Ruby thumbshooter.rb URL Shell Metacharacter Injection Arbitrary Command Execution
+date: 2013-03-26
+description: Thumbshooter Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed to thumbshooter.rb. With a specially crafted URL that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands.
+cvss_v2: 7.5
+patched_versions:

data/data/ruby-advisory-db/lib/scrape.rb ADDED

@@ -0,0 +1,87 @@
+require 'rubygems'
+require 'bundler/setup'
+require 'pry'
+require 'mechanize'
+require 'yaml'
+require 'date'
+class OSVDB
+  attr_accessor :osvdb, :cve, :title, :description, :date, :cvss_v2, :gem, :url, :patched_versions, :page
+  def initialize(url)
+    self.url = url
+    parse!
+  end
+  def parse!
+    mech = Mechanize.new
+    self.page = mech.get(url)
+    page.search(".show_vuln_table").search("td ul li").each do |li|
+      case li.children[0].text.strip
+      when "CVE ID:"
+        self.cve = li.children[1].text
+      when "Vendor URL:"
+        self.set_gem(li.children[1].text)
+      end
+    end
+    self.description = page.search(".show_vuln_table").search("tr td tr .white_content p")[0].text
+    self.date = page.search(".show_vuln_table").search("tr td tr .white_content tr td")[0].text
+    self.title = page.search("title").text.gsub(/\d+: /, "")
+    self.osvdb = page.search("title").text.match(/\d+/)[0]
+    if cvss_p = page.search(".show_vuln_table").search("tr td tr .white_content div p")[0]
+      self.set_cvss(cvss_p.children[0].text)
+    end
+  end
+  def set_gem(vendortext)
+    ["https://rubygems.org/gems/", "http://rubygems.org/gems/"].each do |str|
+      if vendortext.match(str)
+        self.gem = vendortext.gsub(str,"")
+      end
+    end
+  end
+  def set_cvss(text)
+    self.cvss_v2 = text.strip.gsub("CVSSv2 Base Score = ", "")
+  end
+  def date
+    Date.parse(@date)
+  end
+  def cvss_v2
+    @cvss_v2.nil? ? nil : @cvss_v2.to_f
+  end
+  def gem
+    @gem.nil? ? "unknown" : @gem
+  end
+  def to_yaml
+    { 'gem' => gem,
+      'cve' => cve,
+      'osvdb' => osvdb.to_i,
+      'url' => url,
+      'title' => title,
+      'date' => date,
+      'description' => description,
+      'cvss_v2' => cvss_v2,
+      'patched_versions' => patched_versions }.to_yaml
+  end
+  def filename
+    "OSVDB-#{osvdb}.yml"
+  end
+  def to_advisory!
+    gems_path = File.join(File.dirname(__FILE__), "..", "gems")
+    adv_path = File.absolute_path(File.join(gems_path, self.gem))
+    FileUtils.mkdir(adv_path) unless File.exists?(adv_path)
+    File.open(File.join(adv_path, filename), "w") do |io|
+      io.puts self.to_yaml
+    end
+  end
+end

data/data/ruby-advisory-db/spec/advisory_example.rb CHANGED

@@ -6,7 +6,24 @@ shared_examples_for 'Advisory' do |path|
   describe path do
     let(:gem) { File.basename(File.dirname(path)) }
-    let(:cve) { File.basename(path).chomp('.yml') }
+    let(:filename_cve) do
+      if File.basename(path).start_with?('CVE-')
+        File.basename(path).gsub('CVE-','').chomp('.yml')
+      else
+        nil
+      end
+    end
+    let(:filename_osvdb) do
+      if File.basename(path).start_with?('OSVDB-')
+        File.basename(path).gsub('OSVDB-','').chomp('.yml')
+      else
+        nil
+      end
+    end
+    it "should have CVE or OSVDB" do
+      (advisory['cve'] || advisory['osvdb']).should_not be_nil
+    end
     describe "gem" do
       subject { advisory['gem'] }
@@ -15,11 +32,45 @@ shared_examples_for 'Advisory' do |path|
       it { should == gem }
     end
+    describe "framework" do
+      subject { advisory['framework'] }
+      it "may be nil or a String" do
+        [NilClass, String].should include(subject.class)
+      end
+    end
+    describe "platform" do
+      subject { advisory['platform'] }
+      it "may be nil or a String" do
+        [NilClass, String].should include(subject.class)
+      end
+    end
     describe "cve" do
       subject { advisory['cve'] }
-      it { should be_kind_of(String) }
-      it { should == cve }
+      it "may be nil or a String" do
+        [NilClass, String].should include(subject.class)
+      end
+      it "should be id in filename if filename is CVE-XXX" do
+        if filename_cve
+          should == filename_cve
+        end
+      end
+    end
+    describe "osvdb" do
+      subject { advisory['osvdb'] }
+      it "may be nil or a Fixnum" do
+        [NilClass, Fixnum].should include(subject.class)
+      end
+       it "should be id in filename if filename is OSVDB-XXX" do
+        if filename_osvdb
+          should == filename_osvdb.to_i
+        end
+      end
     end
     describe "url" do
@@ -36,6 +87,12 @@ shared_examples_for 'Advisory' do |path|
       it { should_not be_empty }
     end
+    describe "date" do
+      subject { advisory['date'] }
+      it { should be_kind_of(Date) }
+    end
     describe "description" do
       subject { advisory['description'] }
@@ -61,17 +118,45 @@ shared_examples_for 'Advisory' do |path|
     describe "patched_versions" do
       subject { advisory['patched_versions'] }
-      it { should be_kind_of(Array) }
-      it { should_not be_empty }
+      it "may be nil or an Array" do
+        [NilClass, Array].should include(subject.class)
+      end
+      describe "each patched version" do
+        if advisory['patched_versions']
+          advisory['patched_versions'].each do |version|
+            describe version do
+              subject { version.split(', ') }
+              it "should contain valid RubyGem version requirements" do
+                lambda {
+                Gem::Requirement.new(*subject)
+                }.should_not raise_error(ArgumentError)
+              end
+            end
+          end
+        end
+      end
+    end
-      advisory['patched_versions'].each do |version|
-        describe version do
-          subject { version.split(', ') }
+    describe "unaffected_versions" do
+      subject { advisory['unaffected_versions'] }
+      it "may be nil or an Array" do
+        [NilClass, Array].should include(subject.class)
+      end
-          it "should contain valid RubyGem version requirements" do
-            lambda {
-              Gem::Requirement.new(version)
-            }.should_not raise_error(ArgumentError)
+      case advisory['unaffected_versions']
+      when Array
+        advisory['unaffected_versions'].each do |version|
+          describe version do
+            subject { version.split(', ') }
+            it "should contain valid RubyGem version requirements" do
+              lambda {
+                Gem::Requirement.new(*subject)
+              }.should_not raise_error(ArgumentError)
+            end
           end
         end
       end