bundler-audit 0.3.0 → 0.3.1

data/data/ruby-advisory-db/gems/nokogiri/OSVDB-101458.yml

@@ -0,0 +1,15 @@
+---
+gem: nokogiri
+cve: 2013-6461
+osvdb: 101458
+url: http://www.osvdb.org/show/osvdb/101458
+title: Nokogiri Gem for Ruby External Entity (XXE) Expansion Remote DoS 
+date: 2013-12-14
+description: Nokogiri gem for Ruby contains an flaw that is triggered during the parsing of XML data.
+  The issue is due to an incorrectly configured XML parser accepting XML external entities from
+  an untrusted source. By sending specially crafted XML data, a remote attacker can cause an infinite
+  loop and crash the program.
+cvss_v2:
+patched_versions: 
+  - ~> 1.5.11
+  - ">= 1.6.1"

data/data/ruby-advisory-db/gems/nori/OSVDB-90196.yml

@@ -11,7 +11,7 @@ description: |
   to execute arbitrary code. This vulnerability has to do with type casting
   during parsing, and is related to CVE-2013-0156.
 
-cvss_v2: 10.0
+cvss_v2: 7.5
 
 patched_versions:
   - ~> 1.0.3

data/data/ruby-advisory-db/gems/omniauth-facebook/OSVDB-99693.yml

@@ -0,0 +1,22 @@
+---
+gem: omniauth-facebook
+cve: 2013-4562
+osvdb: 99693
+url: http://www.osvdb.org/show/osvdb/99693
+title: omniauth-facebook Gem for Ruby Unspecified CSRF 
+date: 2013-11-12
+
+description: |
+  omniauth-facebook Gem for Ruby contains a flaw as HTTP requests do not
+  require multiple steps, explicit confirmation, or a unique token when
+  performing certain sensitive actions. By tricking a user into following
+  a specially crafted link, a context-dependent attacker can perform a
+  Cross-Site Request Forgery (CSRF / XSRF) attack causing the victim to
+  perform an unspecified action.
+
+cvss_v2: 6.8
+
+patched_versions:
+  - ">= 1.5.0"
+unaffected_versions:
+  - "<= 1.4.0"

data/data/ruby-advisory-db/gems/omniauth-facebook/OSVDB-99888.yml

@@ -0,0 +1,17 @@
+---
+gem: omniauth-facebook
+cve: 2013-4593
+osvdb: 99888
+url: http://www.osvdb.org/show/osvdb/99888
+title: omniauth-facebook Gem for Ruby Insecure Access Token Handling Authentication Bypass 
+date: 2013-11-14
+
+description: |
+  omniauth-facebook Gem for Ruby contains a flaw that is due to the application
+  supporting passing the access token via the URL. This may allow a remote
+  attacker to bypass authentication and authenticate as another user.
+
+cvss_v2: 6.8
+
+patched_versions:
+  - ">= 1.5.1"

data/data/ruby-advisory-db/gems/paperclip/OSVDB-103151.yml

@@ -0,0 +1,13 @@
+---
+gem: paperclip
+osvdb: 103151
+url: http://osvdb.org/show/osvdb/103151
+title: Paperclip Gem for Ruby contains a flaw
+date: 2014-01-31
+description: Paperclip Gem for Ruby contains a flaw that is due to the application failing to properly
+  validate the file extension, instead only validating the Content-Type header during file uploads.
+  This may allow a remote attacker to bypass restrictions on file types for uploaded files by
+  spoofing the content-type.
+cvss_v2:
+patched_versions:
+  - ">= 4.0.0"

data/data/ruby-advisory-db/gems/paratrooper-newrelic/OSVDB-101839.yml

@@ -0,0 +1,12 @@
+---
+gem: paratrooper-newrelic
+cve: 2014-1234
+osvdb: 101839
+url: http://www.osvdb.org/show/osvdb/101839
+title: Paratrooper-newrelic Gem for Ruby contains a flaw
+date: 2014-01-08
+description: Paratrooper-newrelic Gem for Ruby contains a flaw in /lib/paratrooper-newrelic.rb.
+  The issue is triggered when the script exposes the API key, allowing a local attacker to
+  gain access to it by monitoring the process tree.
+cvss_v2: 2.1
+patched_versions: 

data/data/ruby-advisory-db/gems/paratrooper-pingdom/OSVDB-101847.yml

@@ -0,0 +1,13 @@
+---
+gem: paratrooper-pingdom
+cve: 2014-1233
+osvdb: 101847
+url: http://www.osvdb.org/show/osvdb/101847
+title: Paratrooper-pingdom Gem for Ruby contains a flaw
+date: 2013-12-26
+description: paratrooper-pingdom Gem for Ruby contains a flaw in /lib/paratrooper-pingdom.rb.
+  The issue is triggered when the script exposes API login credentials, allowing a local
+  attacker to gain access to the API key, username, and password for the API login by
+  monitoring the process tree.
+cvss_v2: 2.1
+patched_versions: 

data/data/ruby-advisory-db/gems/rack/OSVDB-89939.yml

@@ -14,7 +14,7 @@ description: |
   code. This attack is more practical against 'cloud' users as intra-cloud
   latencies are sufficiently low to make the attack viable.
 
-cvss_v2: 7.6
+cvss_v2: 5.1
 patched_versions: 
 - ~> 1.1.6
 - ~> 1.2.8

data/data/ruby-advisory-db/gems/rbovirt/OSVDB-104080.yml

@@ -0,0 +1,20 @@
+---
+gem: rbovirt
+cve: 2014-0036
+osvdb: 104080
+url: http://osvdb.org/show/osvdb/104080
+title: rbovirt Gem for Ruby contains a flaw
+date: 2014-03-05
+
+description: |
+  rbovirt Gem for Ruby contains a flaw related to certificate validation.
+  The issue is due to the program failing to validate SSL certificates. This may
+  allow an attacker with access to network traffic (e.g. MiTM, DNS cache
+  poisoning) to spoof the SSL server via an arbitrary certificate that appears
+  valid. Such an attack would allow for the interception of sensitive traffic,
+  and potentially allow for the injection of content into the SSL stream.
+
+cvss_v2:
+
+patched_versions:
+  - '>= 0.0.24'

data/data/ruby-advisory-db/gems/rgpg/OSVDB-95948.yml

@@ -1,6 +1,7 @@
 --- 
 gem: rgpg
 osvdb: 95948
+cve: 2013-4203
 url: http://www.osvdb.org/show/osvdb/95948
 title: Ruby rgpg Gem Shell Command Injection Vulnerabilities
 date: 2013-08-02
@@ -8,6 +9,6 @@ description: |
   rgpg Gem for Ruby contains a flaw in the GpgHelper module (lib/rgpg/gpg_helper.rb).
   The issue is due to the program failing to properly sanitize user-supplied input before being used in the system() function for execution.
   This may allow a remote attacker to execute arbitrary commands.
-cvss_v2:
+cvss_v2: 7.5
 patched_versions: 
   - ">= 0.2.3"

data/data/ruby-advisory-db/gems/sfpagent/OSVDB-105971.yml

@@ -0,0 +1,13 @@
+---
+gem: sfpagent
+cve:
+osvdb: 105971
+url: http://www.osvdb.org/show/osvdb/105971
+title: sfpagent Gem for Ruby Remote Command Injection
+date: 2014-04-16
+description: sfpagent Gem for Ruby contains a flaw that is triggered as JSON[body]
+  input is not properly sanitized when handling module names with shell metacharacters.
+  This may allow a context-dependent attacker to execute arbitrary commands.
+cvss_v2:
+patched_versions:
+  - ">= 0.4.15"

data/data/ruby-advisory-db/gems/spree/OSVDB-91216.yml

@@ -1,4 +1,4 @@
---- 
+---
 gem: spree
 cve: 2013-1656
 osvdb: 91216
@@ -7,4 +7,5 @@ title: Spree promotion_actions_controller.rb promotion_action Parameter Arbitrar
 date: 2013-02-21
 description: Spree contains a flaw that is triggered when handling input passed via the 'promotion_action' parameter to promotion_actions_controller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands.
 cvss_v2: 4.3
-patched_versions: 
+patched_versions:
+  - ">= 2.0.0"

data/data/ruby-advisory-db/gems/spree/OSVDB-91217.yml

@@ -1,4 +1,4 @@
---- 
+---
 gem: spree
 cve: 2013-1656
 osvdb: 91217
@@ -7,4 +7,5 @@ title: Spree payment_methods_controller.rb payment_method Parameter Arbitrary Ru
 date: 2013-02-21
 description: Spree contains a flaw that is triggered when handling input passed via the 'payment_method' parameter to payment_methods_controller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands.
 cvss_v2: 4.3
-patched_versions: 
+patched_versions:
+  - ">= 2.0.0"

data/data/ruby-advisory-db/gems/spree/OSVDB-91218.yml

@@ -1,4 +1,4 @@
---- 
+---
 gem: spree
 cve: 2013-1656
 osvdb: 91218
@@ -7,4 +7,5 @@ title: Spree promotions_controller.rb calculator_type Parameter Arbitrary Ruby O
 date: 2013-02-21
 description: Spree contains a flaw that is triggered when handling input passed via the 'calculator_type' parameter to promotions_controller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands.
 cvss_v2: 4.3
-patched_versions: 
+patched_versions:
+  - ">= 2.0.0"

data/data/ruby-advisory-db/gems/spree/OSVDB-91219.yml

@@ -1,4 +1,4 @@
---- 
+---
 gem: spree
 cve: 2013-1656
 osvdb: 91219
@@ -7,4 +7,5 @@ title: Spree promotion_rules_controller.rb promotion_rule Parameter Arbitrary Ru
 date: 2013-02-21
 description: Spree contains a flaw that is triggered when handling input passed via the 'promotion_rule' parameter to promotion_rules_controller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands.
 cvss_v2: 4.3
-patched_versions: 
+patched_versions:
+  - ">= 2.0.0"

data/data/ruby-advisory-db/gems/sprout/OSVDB-100598.yml

@@ -0,0 +1,14 @@
+---
+gem: sprout
+cve: 2013-6421
+osvdb: 100598
+url: http://www.osvdb.org/show/osvdb/100598
+title: Sprout Gem for Ruby contains a flaw
+date: 2013-12-02
+description: sprout Gem for Ruby contains a flaw in the unpack_zip() function in archive_unpacker.rb.
+  The issue is due to the program failing to properly sanitize input passed via the 'zip_file', 'dir',
+  'zip_name', and 'output' parameters. This may allow a context-dependent attacker to execute arbitrary code.
+cvss_v2: 7.5
+patched_versions: 
+unaffected_versions:
+  - '< 0.7.246'

data/data/ruby-advisory-db/gems/webbynode/OSVDB-100920.yml

@@ -0,0 +1,11 @@
+---
+gem: webbynode
+osvdb: 100920
+url: http://osvdb.org/show/osvdb/100920
+title: Webbynode Gem for Ruby contains a flaw
+date: 2013-12-12
+description: Webbynode Gem for Ruby contains a flaw in notify.rb that is triggered
+  when handling a specially crafted growlnotify message. This may allow a
+  context-dependent attacker to execute arbitrary commands.
+cvss_v2: 7.5
+patched_versions:

data/data/ruby-advisory-db/gems/will_paginate/OSVDB-101138.yml

@@ -0,0 +1,15 @@
+---
+gem: will_paginate
+osvdb: 101138
+cve: 2013-6459
+url: http://osvdb.org/show/osvdb/101138
+title: will_paginate Gem for Ruby Generated Pagination Link Unspecified XSS
+date: 2013-09-19
+description: will_paginate Gem for Ruby contains a flaw that allows a cross-site scripting (XSS) attack.
+  This flaw exists because the application does not validate certain unspecified input related to
+  generated pagination links before returning it to the user. This may allow an attacker to create
+  a specially crafted request that would execute arbitrary script code in a users browser within the
+  trust relationship between their browser and the server.
+cvss_v2: 4.3
+patched_versions:
+  - ">= 3.0.5"

data/data/ruby-advisory-db/spec/advisory_example.rb

@@ -1,4 +1,4 @@
-require 'spec_helper'
+load File.join(File.dirname(__FILE__), 'spec_helper.rb')
 require 'yaml'
 
 shared_examples_for 'Advisory' do |path|
@@ -131,7 +131,7 @@ shared_examples_for 'Advisory' do |path|
               it "should contain valid RubyGem version requirements" do
                 lambda {
                 Gem::Requirement.new(*subject)
-                }.should_not raise_error(ArgumentError)
+                }.should_not raise_error
               end
             end
           end
@@ -155,7 +155,7 @@ shared_examples_for 'Advisory' do |path|
             it "should contain valid RubyGem version requirements" do
               lambda {
                 Gem::Requirement.new(*subject)
-              }.should_not raise_error(ArgumentError)
+              }.should_not raise_error
             end
           end
         end

data/data/ruby-advisory-db/spec/gems_spec.rb

@@ -1,8 +1,7 @@
-require 'spec_helper'
-require 'advisory_example'
-
+load File.join(File.dirname(__FILE__), 'spec_helper.rb')
+load File.join(File.dirname(__FILE__), 'advisory_example.rb')
 describe "gems" do
-  Dir.glob('gems/*/*.yml') do |path|
+  Dir.glob(File.join(File.dirname(__FILE__), '../gems/*/*.yml')) do |path|
     include_examples 'Advisory', path
   end
 end

data/gemspec.yml

@@ -9,4 +9,5 @@ homepage: https://github.com/rubysec/bundler-audit#readme
 required_rubygems_version: ">= 1.8.0"
 
 dependencies:
+  thor: ~> 0.18
   bundler: ~> 1.2

data/lib/bundler/audit.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2014 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

data/lib/bundler/audit/advisory.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2014 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

data/lib/bundler/audit/cli.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2014 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -18,12 +18,13 @@
 require 'bundler/audit/scanner'
 require 'bundler/audit/version'
 
+require 'thor'
 require 'bundler'
 require 'bundler/vendored_thor'
 
 module Bundler
   module Audit
-    class CLI < Thor
+    class CLI < ::Thor
 
       default_task :check
       map '--version' => :version
@@ -72,9 +73,9 @@ module Bundler
 
       protected
 
-      def say(string="", color=nil)
+      def say(message="", color=nil)
         color = nil unless $stdout.tty?
-        super(string, color)
+        super(message.to_s, color)
       end
 
       def print_warning(message)

data/lib/bundler/audit/database.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2014 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -34,8 +34,11 @@ module Bundler
       # Default path to the ruby-advisory-db
       VENDORED_PATH =  File.expand_path(File.join(File.dirname(__FILE__),'..','..','..','data','ruby-advisory-db'))
 
+      # Timestamp for when the database was last updated
+      VENDORED_TIMESTAMP = Time.parse(File.read("#{VENDORED_PATH}.ts")).utc
+
       # Path to the user's copy of the ruby-advisory-db
-      USER_PATH = File.join(Gem.user_home,'.local','share','ruby-advisory-db')
+      USER_PATH = File.expand_path(File.join(ENV['HOME'],'.local','share','ruby-advisory-db'))
 
       # The path to the advisory database
       attr_reader :path
@@ -66,7 +69,7 @@ module Bundler
       def self.path
         if File.directory?(USER_PATH)
           t1 = Dir.chdir(USER_PATH) { Time.parse(`git log --pretty="%cd" -1`) }
-          t2 = File.ctime(VENDORED_PATH)
+          t2 = VENDORED_TIMESTAMP
 
           if t1 >= t2 then USER_PATH
           else             VENDORED_PATH

data/lib/bundler/audit/version.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2014 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -18,6 +18,6 @@
 module Bundler
   module Audit
     # bundler-audit version
-    VERSION = '0.3.0'
+    VERSION = '0.3.1'
   end
 end

data/spec/advisory_spec.rb

@@ -7,6 +7,22 @@ describe Bundler::Audit::Advisory do
   let(:gem)  { 'actionpack' }
   let(:id)   { 'OSVDB-84243' }
   let(:path) { File.join(root,'gems',gem,"#{id}.yml") }
+  let(:an_unaffected_version) do
+    Bundler::Audit::Advisory.load(path).unaffected_versions.map { |version_rule|
+      # For all the rules, get the individual constraints out and see if we
+      # can find a suitable one...
+      version_rule.requirements.select { |(constraint, gem_version)|
+        # We only want constraints where the version number specified is
+        # one of the unaffected version.  I.E. we don't want ">", "<", or if
+        # such a thing exists, "!=" constraints.
+        ['~>', '>=', '=', '<='].include?(constraint)
+      }.map { |(constraint, gem_version)|
+        # Fetch just the version component, which is a Gem::Version,
+        # and extract the string representation of the version.
+        gem_version.version
+      }
+    }.flatten.first
+  end
 
   describe "load" do
     let(:data) { YAML.load_file(path) }
@@ -19,6 +35,15 @@ describe Bundler::Audit::Advisory do
     its(:cvss_v2)     { should == data['cvss_v2']     }
     its(:description) { should == data['description'] }
 
+    context "YAML data not representing a hash" do
+      it "should raise an exception" do
+        path = File.expand_path('../fixtures/not_a_hash.yml', __FILE__)
+        expect {
+          Advisory.load(path)
+        }.to raise_exception("advisory data in #{path.dump} was not a Hash")
+      end
+    end
+
     describe "#patched_versions" do
       subject { described_class.load(path).patched_versions }
 
@@ -58,7 +83,7 @@ describe Bundler::Audit::Advisory do
     subject { described_class.load(path) }
 
     context "when passed a version that matches one unaffected version" do
-      let(:version) { Gem::Version.new('2.3.10') }
+      let(:version) { Gem::Version.new(an_unaffected_version) }
 
       it "should return true" do
         subject.unaffected?(version).should be_true
@@ -116,7 +141,7 @@ describe Bundler::Audit::Advisory do
         subject { described_class.load(path) }
      
         context "when passed a version that matches one unaffected version" do
-          let(:version) { Gem::Version.new('2.3.12') }
+          let(:version) { Gem::Version.new(an_unaffected_version) }
 
           it "should return false" do
             subject.vulnerable?(version).should be_false