bundler-audit 0.1.2 → 0.3.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/.gitignore +1 -1
- data/ChangeLog.md +22 -0
- data/Gemfile +1 -1
- data/README.md +76 -33
- data/Rakefile +18 -2
- data/data/ruby-advisory-db/.gitignore +1 -0
- data/data/ruby-advisory-db/CONTRIBUTING.md +6 -0
- data/data/ruby-advisory-db/CONTRIBUTORS.md +14 -0
- data/data/ruby-advisory-db/Gemfile +3 -0
- data/data/ruby-advisory-db/LICENSE.txt +5 -0
- data/data/ruby-advisory-db/README.md +29 -11
- data/data/ruby-advisory-db/Rakefile +27 -0
- data/data/ruby-advisory-db/gems/actionmailer/OSVDB-98629.yml +17 -0
- data/data/ruby-advisory-db/gems/actionpack/{2012-1099.yml → OSVDB-79727.yml} +3 -0
- data/data/ruby-advisory-db/gems/actionpack/{2012-3424.yml → OSVDB-84243.yml} +7 -0
- data/data/ruby-advisory-db/gems/actionpack/{2012-3465.yml → OSVDB-84513.yml} +3 -0
- data/data/ruby-advisory-db/gems/actionpack/{2012-3463.yml → OSVDB-84515.yml} +6 -0
- data/data/ruby-advisory-db/gems/actionpack/{2013-0156.yml → OSVDB-89026.yml} +3 -0
- data/data/ruby-advisory-db/gems/actionpack/OSVDB-91452.yml +20 -0
- data/data/ruby-advisory-db/gems/actionpack/OSVDB-91454.yml +23 -0
- data/data/ruby-advisory-db/gems/activerecord/{2012-2661.yml → OSVDB-82403.yml} +6 -0
- data/data/ruby-advisory-db/gems/activerecord/{2012-2660.yml → OSVDB-82610.yml} +3 -0
- data/data/ruby-advisory-db/gems/activerecord/{2013-0155.yml → OSVDB-89025.yml} +3 -0
- data/data/ruby-advisory-db/gems/activerecord/{2013-0276.yml → OSVDB-90072.yml} +3 -0
- data/data/ruby-advisory-db/gems/activerecord/{2013-0277.yml → OSVDB-90073.yml} +3 -0
- data/data/ruby-advisory-db/gems/activerecord/OSVDB-91453.yml +26 -0
- data/data/ruby-advisory-db/gems/activesupport/{2012-1098.yml → OSVDB-79726.yml} +6 -0
- data/data/ruby-advisory-db/gems/activesupport/{2012-3464.yml → OSVDB-84516.yml} +3 -0
- data/data/ruby-advisory-db/gems/activesupport/{2013-0333.yml → OSVDB-89594.yml} +3 -0
- data/data/ruby-advisory-db/gems/activesupport/OSVDB-91451.yml +28 -0
- data/data/ruby-advisory-db/gems/cocaine/OSVDB-98835.yml +15 -0
- data/data/ruby-advisory-db/gems/command_wrap/OSVDB-91450.yml +10 -0
- data/data/ruby-advisory-db/gems/crack/OSVDB-90742.yml +17 -0
- data/data/ruby-advisory-db/gems/cremefraiche/OSVDB-93395.yml +11 -0
- data/data/ruby-advisory-db/gems/curl/OSVDB-91230.yml +12 -0
- data/data/ruby-advisory-db/gems/devise/{2013-0233.yml → OSVDB-89642.yml} +2 -0
- data/data/ruby-advisory-db/gems/dragonfly/OSVDB-90647.yml +19 -0
- data/data/ruby-advisory-db/gems/enum_column3/OSVDB-94679.yml +9 -0
- data/data/ruby-advisory-db/gems/extlib/OSVDB-90740.yml +18 -0
- data/data/ruby-advisory-db/gems/fastreader/OSVDB-91232.yml +12 -0
- data/data/ruby-advisory-db/gems/fileutils/OSVDB-90715.yml +10 -0
- data/data/ruby-advisory-db/gems/fileutils/OSVDB-90716.yml +10 -0
- data/data/ruby-advisory-db/gems/fileutils/OSVDB-90717.yml +10 -0
- data/data/ruby-advisory-db/gems/flash_tool/OSVDB-90829.yml +9 -0
- data/data/ruby-advisory-db/gems/fog-dragonfly/OSVDB-96798.yml +13 -0
- data/data/ruby-advisory-db/gems/ftpd/OSVDB-90784.yml +18 -0
- data/data/ruby-advisory-db/gems/gtk2/{2007-6183.yml → OSVDB-40774.yml} +2 -0
- data/data/ruby-advisory-db/gems/httparty/OSVDB-90741.yml +19 -0
- data/data/ruby-advisory-db/gems/json/{2013-0269.yml → OSVDB-90074.yml} +4 -2
- data/data/ruby-advisory-db/gems/karteek-docsplit/OSVDB-92117.yml +10 -0
- data/data/ruby-advisory-db/gems/kelredd-pruview/OSVDB-92228.yml +10 -0
- data/data/ruby-advisory-db/gems/ldoce/OSVDB-91870.yml +10 -0
- data/data/ruby-advisory-db/gems/loofah/OSVDB-90945.yml +21 -0
- data/data/ruby-advisory-db/gems/mail/{2011-0739.yml → OSVDB-70667.yml} +2 -0
- data/data/ruby-advisory-db/gems/mail/{2012-2139.yml → OSVDB-81631.yml} +3 -0
- data/data/ruby-advisory-db/gems/mail/{2012-2140.yml → OSVDB-81632.yml} +7 -2
- data/data/ruby-advisory-db/gems/md2pdf/OSVDB-92290.yml +10 -0
- data/data/ruby-advisory-db/gems/mini_magick/OSVDB-91231.yml +15 -0
- data/data/ruby-advisory-db/gems/multi_xml/{2013-0175.yml → OSVDB-89148.yml} +2 -0
- data/data/ruby-advisory-db/gems/newrelic_rpm/{2013-0284.yml → OSVDB-90189.yml} +4 -2
- data/data/ruby-advisory-db/gems/nori/{2013-0285.yml → OSVDB-90196.yml} +4 -2
- data/data/ruby-advisory-db/gems/omniauth-oauth2/{2012-6134.yml → OSVDB-90264.yml} +4 -2
- data/data/ruby-advisory-db/gems/pdfkit/OSVDB-90867.yml +11 -0
- data/data/ruby-advisory-db/gems/rack-cache/{2012-267.yml → OSVDB-83077.yml} +3 -1
- data/data/ruby-advisory-db/gems/rack/{2013-0263.yml → OSVDB-89939.yml} +2 -0
- data/data/ruby-advisory-db/gems/rdoc/{2013-0256.yml → OSVDB-90004.yml} +2 -0
- data/data/ruby-advisory-db/gems/redis-namespace/OSVDB-96425.yml +16 -0
- data/data/ruby-advisory-db/gems/rgpg/OSVDB-95948.yml +13 -0
- data/data/ruby-advisory-db/gems/ruby_parser/OSVDB-90561.yml +11 -0
- data/data/ruby-advisory-db/gems/sounder/OSVDB-96278.yml +13 -0
- data/data/ruby-advisory-db/gems/spree/OSVDB-91216.yml +10 -0
- data/data/ruby-advisory-db/gems/spree/OSVDB-91217.yml +10 -0
- data/data/ruby-advisory-db/gems/spree/OSVDB-91218.yml +10 -0
- data/data/ruby-advisory-db/gems/spree/OSVDB-91219.yml +10 -0
- data/data/ruby-advisory-db/gems/thumbshooter/OSVDB-91839.yml +10 -0
- data/data/ruby-advisory-db/gems/wicked/OSVDB-98270.yml +14 -0
- data/data/ruby-advisory-db/lib/scrape.rb +87 -0
- data/data/ruby-advisory-db/spec/advisory_example.rb +97 -12
- data/gemspec.yml +3 -1
- data/lib/bundler/audit/advisory.rb +45 -15
- data/lib/bundler/audit/cli.rb +31 -19
- data/lib/bundler/audit/database.rb +52 -5
- data/lib/bundler/audit/scanner.rb +97 -0
- data/lib/bundler/audit/version.rb +1 -1
- data/spec/advisory_spec.rb +67 -7
- data/spec/bundle/insecure_sources/Gemfile +39 -0
- data/spec/bundle/secure/Gemfile +1 -1
- data/spec/bundle/{vuln → unpatched_gems}/Gemfile +0 -0
- data/spec/database_spec.rb +4 -4
- data/spec/integration_spec.rb +83 -6
- data/spec/scanner_spec.rb +74 -0
- metadata +84 -40
checksums.yaml
ADDED
@@ -0,0 +1,7 @@
|
|
1
|
+
---
|
2
|
+
SHA1:
|
3
|
+
metadata.gz: 679e11f046f11e432067d55398791fdbf03536b3
|
4
|
+
data.tar.gz: ad6bb67d40dae3ee0346ffe18caa11ee19e142e6
|
5
|
+
SHA512:
|
6
|
+
metadata.gz: 48e2f1e83c0122d4629e4ddd02d448f90578527b40a1a0fccf331903413fbb2f3df7952399723914c0e0450f6682187af4301404b98bacc61ad794b5633a3023
|
7
|
+
data.tar.gz: 2c868a8106f74e45ffe9bcf02d1578d7326c4bea0a12baddf79ab7bd9dc059b599b39e0a41d167a0bc6d0bbbf01a8dc7e5f28a53849fea88a7214da400f5b52a
|
data/.gitignore
CHANGED
data/ChangeLog.md
CHANGED
@@ -1,3 +1,25 @@
|
|
1
|
+
### 0.3.0 / 2013-10-31
|
2
|
+
|
3
|
+
* Added {Bundler::Audit::Database.update!} which uses `git` to download
|
4
|
+
[ruby-advisory-db] to `~/.local/share/ruby-advisory-db`.
|
5
|
+
* {Bundler::Audit::Database.path} now returns the path to either
|
6
|
+
`~/.local/share/ruby-advisory-db` or the vendored copy, depending on which
|
7
|
+
is more recent.
|
8
|
+
|
9
|
+
#### CLI
|
10
|
+
|
11
|
+
* Added the `bundle-audit update` sub-command.
|
12
|
+
|
13
|
+
### 0.2.0 / 2013-03-05
|
14
|
+
|
15
|
+
* Require RubyGems >= 1.8.0. Prior versions of RubyGems could not correctly
|
16
|
+
parse approximate version requirements (`~> 1.2.3`).
|
17
|
+
* Updated the [ruby-advisory-db].
|
18
|
+
* Added {Bundler::Audit::Advisory#unaffected_versions}.
|
19
|
+
* Added {Bundler::Audit::Advisory#unaffected?}.
|
20
|
+
* Added {Bundler::Audit::Advisory#patched?}.
|
21
|
+
* Renamed `Advisory#cve` to {Bundler::Audit::Advisory#id}.
|
22
|
+
|
1
23
|
### 0.1.2 / 2013-02-17
|
2
24
|
|
3
25
|
* Require [bundler] ~> 1.2.
|
data/Gemfile
CHANGED
data/README.md
CHANGED
@@ -1,11 +1,11 @@
|
|
1
1
|
# bundler-audit
|
2
2
|
|
3
|
-
* [Homepage](https://github.com/
|
4
|
-
* [Issues](https://github.com/
|
3
|
+
* [Homepage](https://github.com/rubysec/bundler-audit#readme)
|
4
|
+
* [Issues](https://github.com/rubysec/bundler-audit/issues)
|
5
5
|
* [Documentation](http://rubydoc.info/gems/bundler-audit/frames)
|
6
|
-
* [Email](mailto:
|
7
|
-
* [![Build Status](https://travis-ci.org/
|
8
|
-
|
6
|
+
* [Email](mailto:rubysec.mod3 at gmail.com)
|
7
|
+
* [![Build Status](https://travis-ci.org/rubysec/bundler-audit.png)](https://travis-ci.org/rubysec/bundler-audit)
|
8
|
+
* [![Code Climate](https://codeclimate.com/github/rubysec/bundler-audit.png)](https://codeclimate.com/github/rubysec/bundler-audit)
|
9
9
|
|
10
10
|
## Description
|
11
11
|
|
@@ -14,6 +14,8 @@ Patch-level verification for [Bundler][bundler].
|
|
14
14
|
## Features
|
15
15
|
|
16
16
|
* Checks for vulnerable versions of gems in `Gemfile.lock`.
|
17
|
+
* Checks for insecure gem sources (`http://`).
|
18
|
+
* Allows ignoring certain advisories that have been manually worked around.
|
17
19
|
* Prints advisory information.
|
18
20
|
* Does not require a network connection.
|
19
21
|
|
@@ -22,49 +24,90 @@ Patch-level verification for [Bundler][bundler].
|
|
22
24
|
Audit a projects `Gemfile.lock`:
|
23
25
|
|
24
26
|
$ bundle-audit
|
25
|
-
Name:
|
26
|
-
Version:
|
27
|
-
|
28
|
-
Criticality:
|
29
|
-
URL: http://osvdb.org/show/osvdb/
|
30
|
-
Title:
|
31
|
-
|
27
|
+
Name: actionpack
|
28
|
+
Version: 3.2.10
|
29
|
+
Advisory: OSVDB-91452
|
30
|
+
Criticality: Medium
|
31
|
+
URL: http://www.osvdb.org/show/osvdb/91452
|
32
|
+
Title: XSS vulnerability in sanitize_css in Action Pack
|
33
|
+
Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
|
32
34
|
|
33
|
-
Name:
|
34
|
-
Version:
|
35
|
-
|
36
|
-
Criticality:
|
37
|
-
URL: http://
|
38
|
-
Title:
|
39
|
-
|
35
|
+
Name: actionpack
|
36
|
+
Version: 3.2.10
|
37
|
+
Advisory: OSVDB-91454
|
38
|
+
Criticality: Medium
|
39
|
+
URL: http://osvdb.org/show/osvdb/91454
|
40
|
+
Title: XSS Vulnerability in the `sanitize` helper of Ruby on Rails
|
41
|
+
Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
|
40
42
|
|
41
|
-
Name:
|
43
|
+
Name: actionpack
|
42
44
|
Version: 3.2.10
|
43
|
-
|
45
|
+
Advisory: OSVDB-89026
|
44
46
|
Criticality: High
|
45
|
-
URL: http://osvdb.org/show/osvdb/
|
46
|
-
Title: Ruby on Rails
|
47
|
-
|
47
|
+
URL: http://osvdb.org/show/osvdb/89026
|
48
|
+
Title: Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing Remote Code Execution
|
49
|
+
Solution: upgrade to ~> 2.3.15, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
|
48
50
|
|
49
|
-
Name:
|
51
|
+
Name: activerecord
|
50
52
|
Version: 3.2.10
|
51
|
-
|
53
|
+
Advisory: OSVDB-91453
|
52
54
|
Criticality: High
|
53
|
-
URL: http://osvdb.org/show/osvdb/
|
54
|
-
Title:
|
55
|
-
|
56
|
-
Patched Versions: ~> 2.3.15, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
|
55
|
+
URL: http://osvdb.org/show/osvdb/91453
|
56
|
+
Title: Symbol DoS vulnerability in Active Record
|
57
|
+
Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
|
57
58
|
|
58
|
-
Name:
|
59
|
+
Name: activerecord
|
59
60
|
Version: 3.2.10
|
60
|
-
|
61
|
+
Advisory: OSVDB-90072
|
61
62
|
Criticality: Medium
|
62
63
|
URL: http://direct.osvdb.org/show/osvdb/90072
|
63
64
|
Title: Ruby on Rails Active Record attr_protected Method Bypass
|
64
|
-
|
65
|
+
Solution: upgrade to ~> 2.3.17, ~> 3.1.11, >= 3.2.12
|
66
|
+
|
67
|
+
Name: activerecord
|
68
|
+
Version: 3.2.10
|
69
|
+
Advisory: OSVDB-89025
|
70
|
+
Criticality: High
|
71
|
+
URL: http://osvdb.org/show/osvdb/89025
|
72
|
+
Title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass
|
73
|
+
Solution: upgrade to ~> 2.3.16, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
|
74
|
+
|
75
|
+
Name: activesupport
|
76
|
+
Version: 3.2.10
|
77
|
+
Advisory: OSVDB-91451
|
78
|
+
Criticality: High
|
79
|
+
URL: http://www.osvdb.org/show/osvdb/91451
|
80
|
+
Title: XML Parsing Vulnerability affecting JRuby users
|
81
|
+
Solution: upgrade to ~> 3.1.12, >= 3.2.13
|
65
82
|
|
66
83
|
Unpatched versions found!
|
67
84
|
|
85
|
+
Update the [ruby-advisory-db] that `bundle-audit` uses:
|
86
|
+
|
87
|
+
$ bundle-audit update
|
88
|
+
Updating ruby-advisory-db ...
|
89
|
+
remote: Counting objects: 44, done.
|
90
|
+
remote: Compressing objects: 100% (24/24), done.
|
91
|
+
remote: Total 39 (delta 19), reused 29 (delta 10)
|
92
|
+
Unpacking objects: 100% (39/39), done.
|
93
|
+
From https://github.com/rubysec/ruby-advisory-db
|
94
|
+
* branch master -> FETCH_HEAD
|
95
|
+
Updating 5f8225e..328ca86
|
96
|
+
Fast-forward
|
97
|
+
CONTRIBUTORS.md | 1 +
|
98
|
+
gems/actionmailer/OSVDB-98629.yml | 17 +++++++++++++++++
|
99
|
+
gems/cocaine/OSVDB-98835.yml | 15 +++++++++++++++
|
100
|
+
gems/fog-dragonfly/OSVDB-96798.yml | 13 +++++++++++++
|
101
|
+
gems/sounder/OSVDB-96278.yml | 13 +++++++++++++
|
102
|
+
gems/wicked/OSVDB-98270.yml | 14 ++++++++++++++
|
103
|
+
6 files changed, 73 insertions(+)
|
104
|
+
create mode 100644 gems/actionmailer/OSVDB-98629.yml
|
105
|
+
create mode 100644 gems/cocaine/OSVDB-98835.yml
|
106
|
+
create mode 100644 gems/fog-dragonfly/OSVDB-96798.yml
|
107
|
+
create mode 100644 gems/sounder/OSVDB-96278.yml
|
108
|
+
create mode 100644 gems/wicked/OSVDB-98270.yml
|
109
|
+
ruby-advisory-db: 64 advisories
|
110
|
+
|
68
111
|
## Requirements
|
69
112
|
|
70
113
|
* [bundler] ~> 1.2
|
data/Rakefile
CHANGED
@@ -23,13 +23,29 @@ require 'rake'
|
|
23
23
|
require 'rubygems/tasks'
|
24
24
|
Gem::Tasks.new
|
25
25
|
|
26
|
+
namespace :db do
|
27
|
+
desc 'Updates data/ruby-advisory-db'
|
28
|
+
task :update do
|
29
|
+
chdir 'data/ruby-advisory-db' do
|
30
|
+
sh 'git', 'pull', 'origin', 'master'
|
31
|
+
end
|
32
|
+
|
33
|
+
sh 'git', 'commit', 'data/ruby-advisory-db',
|
34
|
+
'-m', 'Updated ruby-advisory-db'
|
35
|
+
end
|
36
|
+
end
|
37
|
+
|
26
38
|
require 'rspec/core/rake_task'
|
27
39
|
RSpec::Core::RakeTask.new
|
28
40
|
|
29
41
|
namespace :spec do
|
30
42
|
task :bundle do
|
31
|
-
|
32
|
-
|
43
|
+
root = 'spec/bundle'
|
44
|
+
|
45
|
+
%w[secure unpatched_gems insecure_sources].each do |bundle|
|
46
|
+
chdir(File.join(root,bundle)) do
|
47
|
+
sh 'BUNDLE_BIN_PATH="" BUNDLE_GEMFILE="" RUBYOPT="" bundle install --path ../../../vendor/bundle'
|
48
|
+
end
|
33
49
|
end
|
34
50
|
end
|
35
51
|
end
|
@@ -0,0 +1 @@
|
|
1
|
+
Gemfile.lock
|
@@ -0,0 +1,14 @@
|
|
1
|
+
### Acknowledgements
|
2
|
+
|
3
|
+
This database would not be possible without volunteers willing to submit pull requests.
|
4
|
+
|
5
|
+
Thanks,
|
6
|
+
* [Postmodern](https://github.com/postmodern/)
|
7
|
+
* [Max Veytsman](https://twitter.com/mveytsman)
|
8
|
+
* [Pietro Monteiro](https://github.com/pietro)
|
9
|
+
* [Eric Hodel](https://github.com/drbrain)
|
10
|
+
* [Brendon Murphy](https://github.com/bemurphy)
|
11
|
+
* [Oliver Legg](https://github.com/olly)
|
12
|
+
* [Larry W. Cashdollar](http://vapid.dhs.org/)
|
13
|
+
* [Michael Grosser](https://github.com/grosser)
|
14
|
+
* [Sascha Korth](https://github.com/skorth)
|
@@ -0,0 +1,5 @@
|
|
1
|
+
If you submit code or data to the ruby-advisory-db that is copyrighted by yourself, upon submission you hereby agree to release it into the public domain.
|
2
|
+
|
3
|
+
However, not all of the ruby-advisory-db can be considered public domain. The ruby-advisory-db may contain some information copyrighted by the Open Source Vulnerability Database (http://osvdb.org). If you use ruby-advisory-db data to build a product or a service, it is your responsibility to familiarize yourself with the terms of their license: http://www.osvdb.org/osvdb_license
|
4
|
+
|
5
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
@@ -1,26 +1,35 @@
|
|
1
1
|
# Ruby Advisory Database
|
2
2
|
|
3
|
-
The Ruby
|
3
|
+
The Ruby Advisory Database aims to compile all advisories that are relevant to Ruby libraries.
|
4
|
+
|
5
|
+
## Goals
|
6
|
+
|
7
|
+
1. Provide advisory **metadata** in a **simple** yet **structured** [YAML]
|
8
|
+
schema for automated tools to consume.
|
9
|
+
2. Avoid reinventing [CVE]s.
|
10
|
+
3. Avoid duplicating the efforts of the [OSVDB].
|
4
11
|
|
5
12
|
## Directory Structure
|
6
13
|
|
7
14
|
The database is a list of directories that match the names of Ruby libraries on
|
8
15
|
[rubygems.org]. Within each directory are one or more advisory files
|
9
16
|
for the Ruby library. These advisory files are typically named using
|
10
|
-
the advisories [
|
17
|
+
the advisories [OSVDB] identifier number.
|
11
18
|
|
12
19
|
gems/:
|
13
|
-
|
14
|
-
|
20
|
+
actionpack/:
|
21
|
+
OSVDB-79727.yml OSVDB-84513.yml OSVDB-89026.yml OSVDB-91454.yml
|
22
|
+
OSVDB-84243.yml OSVDB-84515.yml OSVDB-91452.yml
|
15
23
|
|
16
|
-
If an advisory does not yet have a [CVE], [requesting a CVE][1] is easy.
|
17
24
|
## Format
|
18
25
|
|
19
26
|
Each advisory file contains the advisory information in [YAML] format:
|
20
27
|
|
21
28
|
---
|
22
|
-
gem:
|
29
|
+
gem: actionpack
|
30
|
+
framework: rails
|
23
31
|
cve: 2013-0156
|
32
|
+
osvdb: 89026
|
24
33
|
url: http://osvdb.org/show/osvdb/89026
|
25
34
|
title: |
|
26
35
|
Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing
|
@@ -43,22 +52,31 @@ Each advisory file contains the advisory information in [YAML] format:
|
|
43
52
|
### Schema
|
44
53
|
|
45
54
|
* `gem` \[String\]: Name of the affected gem.
|
46
|
-
* `
|
55
|
+
* `framework` \[String\] (optional): Name of framework gem belongs to.
|
56
|
+
* `platform` \[String\] (optional): If this vulnerability is platform-specific, name of platform this vulnerability affects (e.g. JRuby)
|
57
|
+
* `cve` \[String\]: CVE id.
|
58
|
+
* `osvdb` \[Fixnum\]: OSVDB id.
|
47
59
|
* `url` \[String\]: The URL to the full advisory.
|
48
60
|
* `title` \[String\]: The title of the advisory.
|
61
|
+
* `date` \[Date\]: Disclosure date of the advisory.
|
49
62
|
* `description` \[String\]: Multi-paragraph description of the vulnerability.
|
50
63
|
* `cvss_v2` \[Float\]: The [CVSSv2] score for the vulnerability.
|
64
|
+
* `unaffected_versions` \[Array\<String\>\] (optional): The version requirements for the
|
65
|
+
unaffected versions of the Ruby library.
|
51
66
|
* `patched_versions` \[Array\<String\>\]: The version requirements for the
|
52
67
|
patched versions of the Ruby library.
|
53
68
|
|
54
69
|
## Credits
|
55
70
|
|
56
|
-
|
57
|
-
|
71
|
+
Please see [CONTRIBUTORS.md].
|
72
|
+
|
73
|
+
This database also includes data from the [Open Source Vulnerability Database][OSVDB]
|
74
|
+
developed by the Open Security Foundation (OSF) and its contributors.
|
58
75
|
|
59
76
|
[rubygems.org]: https://rubygems.org/
|
60
77
|
[CVE]: http://cve.mitre.org/
|
78
|
+
[OSVDB]: http://www.osvdb.org/
|
61
79
|
[CVSSv2]: http://www.first.org/cvss/cvss-guide.html
|
80
|
+
[OSVDB]: http://www.osvdb.org/
|
62
81
|
[YAML]: http://www.yaml.org/
|
63
|
-
|
64
|
-
[1]: http://people.redhat.com/kseifrie/CVE-OpenSource-Request-HOWTO.html
|
82
|
+
[CONTRIBUTORS.md]: https://github.com/rubysec/ruby-advisory-db/blob/master/CONTRIBUTORS.md
|
@@ -0,0 +1,27 @@
|
|
1
|
+
require 'yaml'
|
2
|
+
|
3
|
+
namespace :lint do
|
4
|
+
begin
|
5
|
+
gem 'rspec', '~> 2.4'
|
6
|
+
require 'rspec/core/rake_task'
|
7
|
+
|
8
|
+
RSpec::Core::RakeTask.new(:yaml)
|
9
|
+
rescue LoadError => e
|
10
|
+
task :spec do
|
11
|
+
abort "Please run `gem install rspec` to install RSpec."
|
12
|
+
end
|
13
|
+
end
|
14
|
+
|
15
|
+
task :cve do
|
16
|
+
Dir.glob('gems/*/*.yml') do |path|
|
17
|
+
advisory = YAML.load_file(path)
|
18
|
+
|
19
|
+
unless advisory['cve']
|
20
|
+
puts "Missing CVE: #{path}"
|
21
|
+
end
|
22
|
+
end
|
23
|
+
end
|
24
|
+
end
|
25
|
+
|
26
|
+
task :lint => ['lint:yaml', 'lint:cve']
|
27
|
+
task :default => :lint
|
@@ -0,0 +1,17 @@
|
|
1
|
+
---
|
2
|
+
gem: actionmailer
|
3
|
+
cve: 2013-4389
|
4
|
+
osvdb: 98629
|
5
|
+
url: http://www.osvdb.org/show/osvdb/98629
|
6
|
+
title: Action Mailer Gem for Ruby contains a possible DoS Vulnerability
|
7
|
+
date: 2013-10-16
|
8
|
+
description: Action Mailer Gem for Ruby contains a format string flaw in
|
9
|
+
the Log Subscriber component. The issue is triggered as format string
|
10
|
+
specifiers (e.g. %s and %x) are not properly sanitized in user-supplied
|
11
|
+
input when handling email addresses. This may allow a remote attacker
|
12
|
+
to cause a denial of service
|
13
|
+
cvss_v2: 4.3
|
14
|
+
unaffected_versions:
|
15
|
+
- ~> 2.3.2
|
16
|
+
patched_versions:
|
17
|
+
- '>= 3.2.15'
|
@@ -1,10 +1,13 @@
|
|
1
1
|
---
|
2
2
|
gem: actionpack
|
3
|
+
framework: rails
|
3
4
|
cve: 2012-1099
|
5
|
+
osvdb: 79727
|
4
6
|
url: http://www.osvdb.org/show/osvdb/79727
|
5
7
|
title:
|
6
8
|
Ruby on Rails actionpack/lib/action_view/helpers/form_options_helper.rb
|
7
9
|
Manually Generated Select Tag Options XSS
|
10
|
+
date: 2012-03-01
|
8
11
|
|
9
12
|
description: |
|
10
13
|
Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS)
|
@@ -1,10 +1,13 @@
|
|
1
1
|
---
|
2
2
|
gem: actionpack
|
3
|
+
framework: rails
|
3
4
|
cve: 2012-3424
|
5
|
+
osvdb: 84243
|
4
6
|
url: http://www.osvdb.org/show/osvdb/84243
|
5
7
|
title:
|
6
8
|
Ruby on Rails actionpack/lib/action_controller/metal/http_authentication.rb
|
7
9
|
with_http_digest Helper Method Remote DoS
|
10
|
+
date: 2012-07-26
|
8
11
|
|
9
12
|
description: |
|
10
13
|
Ruby on Rails contains a flaw that may allow a remote denial of service.
|
@@ -15,7 +18,11 @@ description: |
|
|
15
18
|
|
16
19
|
cvss_v2: 4.3
|
17
20
|
|
21
|
+
unaffected_versions:
|
22
|
+
- ">= 2.3.5, <= 2.3.14"
|
23
|
+
|
18
24
|
patched_versions:
|
19
25
|
- ~> 3.0.16
|
20
26
|
- ~> 3.1.7
|
21
27
|
- ">= 3.2.7"
|
28
|
+
|
@@ -1,8 +1,11 @@
|
|
1
1
|
---
|
2
2
|
gem: actionpack
|
3
|
+
framework: rails
|
3
4
|
cve: 2012-3465
|
5
|
+
osvdb: 84513
|
4
6
|
url: http://www.osvdb.org/show/osvdb/84513
|
5
7
|
title: Ruby on Rails strip_tags Helper Method XSS
|
8
|
+
date: 2012-08-09
|
6
9
|
|
7
10
|
description: |
|
8
11
|
Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS)
|
@@ -1,8 +1,11 @@
|
|
1
1
|
---
|
2
2
|
gem: actionpack
|
3
|
+
framework: rails
|
3
4
|
cve: 2012-3463
|
5
|
+
osvdb: 84515
|
4
6
|
url: http://osvdb.org/84515
|
5
7
|
title: Ruby on Rails select_tag Helper Method prompt Value XSS
|
8
|
+
date: 2012-08-09
|
6
9
|
|
7
10
|
description: |
|
8
11
|
Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS)
|
@@ -14,6 +17,9 @@ description: |
|
|
14
17
|
|
15
18
|
cvss_v2: 4.3
|
16
19
|
|
20
|
+
unaffected_versions:
|
21
|
+
- ~> 2.3.0
|
22
|
+
|
17
23
|
patched_versions:
|
18
24
|
- ~> 3.0.17
|
19
25
|
- ~> 3.1.8
|