RubyGems - bundler-audit - Versions diffs - 0.3.0 → 0.3.1 - Mend

bundler-audit 0.3.0 → 0.3.1

Files changed (59) hide show

checksums.yaml +4 -4
data/.gitignore +3 -0
data/.travis.yml +1 -0
data/ChangeLog.md +10 -0
data/README.md +5 -1
data/Rakefile +8 -0
data/data/ruby-advisory-db.ts +1 -0
data/data/ruby-advisory-db/CONTRIBUTORS.md +9 -0
data/data/ruby-advisory-db/gems/actionpack/OSVDB-100524.yml +20 -0
data/data/ruby-advisory-db/gems/actionpack/OSVDB-100525.yml +21 -0
data/data/ruby-advisory-db/gems/actionpack/OSVDB-100526.yml +27 -0
data/data/ruby-advisory-db/gems/actionpack/OSVDB-100527.yml +24 -0
data/data/ruby-advisory-db/gems/actionpack/OSVDB-100528.yml +22 -0
data/data/ruby-advisory-db/gems/actionpack/OSVDB-103439.yml +24 -0
data/data/ruby-advisory-db/gems/actionpack/OSVDB-103440.yml +22 -0
data/data/ruby-advisory-db/gems/activerecord/OSVDB-103438.yml +23 -0
data/data/ruby-advisory-db/gems/arabic-prawn/OSVDB-104365.yml +15 -0
data/data/ruby-advisory-db/gems/cocaine/OSVDB-98835.yml +2 -2
data/data/ruby-advisory-db/gems/crack/OSVDB-90742.yml +1 -1
data/data/ruby-advisory-db/gems/curl/OSVDB-91230.yml +1 -1
data/data/ruby-advisory-db/gems/echor/OSVDB-102129.yml +11 -0
data/data/ruby-advisory-db/gems/echor/OSVDB-102130.yml +10 -0
data/data/ruby-advisory-db/gems/gitlab-grit/OSVDB-99370.yml +14 -0
data/data/ruby-advisory-db/gems/httparty/OSVDB-90741.yml +3 -8
data/data/ruby-advisory-db/gems/i18n/OSVDB-100528.yml +17 -0
data/data/ruby-advisory-db/gems/nokogiri/OSVDB-101179.yml +12 -0
data/data/ruby-advisory-db/gems/nokogiri/OSVDB-101458.yml +15 -0
data/data/ruby-advisory-db/gems/nori/OSVDB-90196.yml +1 -1
data/data/ruby-advisory-db/gems/omniauth-facebook/OSVDB-99693.yml +22 -0
data/data/ruby-advisory-db/gems/omniauth-facebook/OSVDB-99888.yml +17 -0
data/data/ruby-advisory-db/gems/paperclip/OSVDB-103151.yml +13 -0
data/data/ruby-advisory-db/gems/paratrooper-newrelic/OSVDB-101839.yml +12 -0
data/data/ruby-advisory-db/gems/paratrooper-pingdom/OSVDB-101847.yml +13 -0
data/data/ruby-advisory-db/gems/rack/OSVDB-89939.yml +1 -1
data/data/ruby-advisory-db/gems/rbovirt/OSVDB-104080.yml +20 -0
data/data/ruby-advisory-db/gems/rgpg/OSVDB-95948.yml +2 -1
data/data/ruby-advisory-db/gems/sfpagent/OSVDB-105971.yml +13 -0
data/data/ruby-advisory-db/gems/spree/OSVDB-91216.yml +3 -2
data/data/ruby-advisory-db/gems/spree/OSVDB-91217.yml +3 -2
data/data/ruby-advisory-db/gems/spree/OSVDB-91218.yml +3 -2
data/data/ruby-advisory-db/gems/spree/OSVDB-91219.yml +3 -2
data/data/ruby-advisory-db/gems/sprout/OSVDB-100598.yml +14 -0
data/data/ruby-advisory-db/gems/webbynode/OSVDB-100920.yml +11 -0
data/data/ruby-advisory-db/gems/will_paginate/OSVDB-101138.yml +15 -0
data/data/ruby-advisory-db/spec/advisory_example.rb +3 -3
data/data/ruby-advisory-db/spec/gems_spec.rb +3 -4
data/gemspec.yml +1 -0
data/lib/bundler/audit.rb +1 -1
data/lib/bundler/audit/advisory.rb +1 -1
data/lib/bundler/audit/cli.rb +5 -4
data/lib/bundler/audit/database.rb +6 -3
data/lib/bundler/audit/version.rb +2 -2
data/spec/advisory_spec.rb +27 -2
data/spec/bundle/secure/Gemfile +1 -1
data/spec/database_spec.rb +58 -1
data/spec/fixtures/not_a_hash.yml +2 -0
data/spec/integration_spec.rb +10 -69
data/spec/spec_helper.rb +40 -0
metadata +44 -3

@@ -1,6 +1,6 @@
 source 'https://rubygems.org'
-gem 'rails', '3.2.15'
+gem 'rails', '~> 3.2.17'
 # Bundle edge Rails instead:
 # gem 'rails', :git => 'git://github.com/rails/rails.git'

data/spec/database_spec.rb CHANGED

@@ -3,12 +3,52 @@ require 'bundler/audit/database'
 require 'tmpdir'
 describe Bundler::Audit::Database do
+  let(:vendored_advisories) do
+    Dir[File.join(Bundler::Audit::Database::VENDORED_PATH, '**/*.yml')].sort
+  end
   describe "path" do
     subject { described_class.path }
     it "it should be a directory" do
       File.directory?(subject).should be_true
     end
+    it "should prefer the user repo, iff it's as up to date, or more up to date than the vendored one" do
+      Bundler::Audit::Database.update!
+      Dir.chdir(Bundler::Audit::Database::USER_PATH) do
+        puts "Timestamp:"
+        system 'git log --pretty="%cd" -1'
+      end
+      # As up to date...
+      expect(Bundler::Audit::Database.path).to eq mocked_user_path
+      # More up to date...
+      fake_a_commit_in_the_user_repo
+      expect(Bundler::Audit::Database.path).to eq mocked_user_path
+      roll_user_repo_back(20)
+      expect(Bundler::Audit::Database.path).to eq Bundler::Audit::Database::VENDORED_PATH
+    end
+  end
+  describe "update!" do
+    it "should create the USER_PATH path as needed" do
+      Bundler::Audit::Database.update!
+      expect(File.directory?(mocked_user_path)).to be true
+    end
+    it "should create the repo, then update it given multple successive calls." do
+      expect_update_to_clone_repo!
+      Bundler::Audit::Database.update!
+      expect(File.directory?(mocked_user_path)).to be true
+      expect_update_to_update_repo!
+      Bundler::Audit::Database.update!
+      expect(File.directory?(mocked_user_path)).to be true
+    end
   end
   describe "#initialize" do
@@ -70,7 +110,18 @@ describe Bundler::Audit::Database do
   end
   describe "#size" do
-    it { subject.size.should > 0 }
+    it { expect(subject.size).to eq vendored_advisories.count }
+  end
+  describe "#advisories" do
+    it "should return a list of all advisories." do
+      actual_advisories = Bundler::Audit::Database.new.
+        advisories.
+        map(&:path).
+        sort
+      expect(actual_advisories).to eq vendored_advisories
+    end
   end
   describe "#to_s" do
@@ -78,4 +129,10 @@ describe Bundler::Audit::Database do
       subject.to_s.should == subject.path
     end
   end
+  describe "#inspect" do
+    it "should produce a Ruby-ish instance descriptor" do
+      expect(Bundler::Audit::Database.new.inspect).to eq("#<Bundler::Audit::Database:#{Bundler::Audit::Database::VENDORED_PATH}>")
+    end
+  end
 end

data/spec/fixtures/not_a_hash.yml ADDED

	@@ -0,0 +1,2 @@
1	+ ---
2	+ "Just a string."

data/spec/integration_spec.rb CHANGED

@@ -20,75 +20,16 @@ describe "CLI" do
     end
     it "should print advisory information for the vulnerable gems" do
-      expect = %{
-Name: actionmailer
-Version: 3.2.10
-Advisory: OSVDB-98629
-Criticality: Medium
-URL: http://www.osvdb.org/show/osvdb/98629
-Title: Action Mailer Gem for Ruby contains a possible DoS Vulnerability
-Solution: upgrade to >= 3.2.15
-Name: actionpack
-Version: 3.2.10
-Advisory: OSVDB-91452
-Criticality: Medium
-URL: http://www.osvdb.org/show/osvdb/91452
-Title: XSS vulnerability in sanitize_css in Action Pack
-Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
-Name: actionpack
-Version: 3.2.10
-Advisory: OSVDB-91454
-Criticality: Medium
-URL: http://osvdb.org/show/osvdb/91454
-Title: XSS Vulnerability in the `sanitize` helper of Ruby on Rails
-Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
-Name: actionpack
-Version: 3.2.10
-Advisory: OSVDB-89026
-Criticality: High
-URL: http://osvdb.org/show/osvdb/89026
-Title: Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing Remote Code Execution
-Solution: upgrade to ~> 2.3.15, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
-Name: activerecord
-Version: 3.2.10
-Advisory: OSVDB-91453
-Criticality: High
-URL: http://osvdb.org/show/osvdb/91453
-Title: Symbol DoS vulnerability in Active Record
-Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
-Name: activerecord
-Version: 3.2.10
-Advisory: OSVDB-90072
-Criticality: Medium
-URL: http://direct.osvdb.org/show/osvdb/90072
-Title: Ruby on Rails Active Record attr_protected Method Bypass
-Solution: upgrade to ~> 2.3.17, ~> 3.1.11, >= 3.2.12
-Name: activerecord
-Version: 3.2.10
-Advisory: OSVDB-89025
-Criticality: High
-URL: http://osvdb.org/show/osvdb/89025
-Title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass
-Solution: upgrade to ~> 2.3.16, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
-Name: activesupport
-Version: 3.2.10
-Advisory: OSVDB-91451
-Criticality: High
-URL: http://www.osvdb.org/show/osvdb/91451
-Title: XML Parsing Vulnerability affecting JRuby users
-Solution: upgrade to ~> 3.1.12, >= 3.2.13
-Unpatched versions found!
-      }.strip.split "\n\n"
-      subject.strip.split("\n\n").should =~ expect
+      advisory_pattern = /(Name: [^\n]+
+Version: \d+.\d+.\d+
+Advisory: OSVDB-\d+
+Criticality: (High|Medium)
+URL: http:\/\/(direct|www\.)?osvdb.org\/show\/osvdb\/\d+
+Title: [^\n]*?
+Solution: upgrade to ((~>|=>) \d+.\d+.\d+, )*(~>|=>) \d+.\d+.\d+[\s\n]*?)+/
+      expect(subject).to match(advisory_pattern)
+      expect(subject).to include("Unpatched versions found!")
     end
   end

data/spec/spec_helper.rb CHANGED

@@ -13,6 +13,46 @@ module Helpers
   def decolorize(string)
     string.gsub(/\e\[\d+m/, "")
   end
+  def mocked_user_path
+    File.expand_path('../../tmp/ruby-advisory-db', __FILE__)
+  end
+  def expect_update_to_clone_repo!
+    Bundler::Audit::Database.
+      should_receive(:system).
+      with('git', 'clone', Bundler::Audit::Database::VENDORED_PATH, mocked_user_path).
+      and_call_original
+  end
+  def expect_update_to_update_repo!
+    Bundler::Audit::Database.
+      should_receive(:system).
+      with('git', 'pull', 'origin', 'master').
+      and_call_original
+  end
+  def fake_a_commit_in_the_user_repo
+    Dir.chdir(mocked_user_path) do
+      system 'git', 'commit', '--allow-empty', '-m', 'Dummy commit.'
+    end
+  end
+  def roll_user_repo_back(num_commits)
+    Dir.chdir(mocked_user_path) do
+      system 'git', 'reset', '--hard', "HEAD~#{num_commits}"
+    end
+  end
 end
 include Bundler::Audit
+RSpec.configure do |config|
+  include Helpers
+  config.before(:each) do
+    stub_const("Bundler::Audit::Database::URL", Bundler::Audit::Database::VENDORED_PATH)
+    stub_const("Bundler::Audit::Database::USER_PATH", mocked_user_path)
+    FileUtils.rm_rf(mocked_user_path) if File.exist?(mocked_user_path)
+  end
+end

metadata CHANGED

@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: bundler-audit
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.3.1
 platform: ruby
 authors:
 - Postmodern
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-11-01 00:00:00.000000000 Z
+date: 2014-04-20 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0.18'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0.18'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -47,6 +61,7 @@ files:
 - Rakefile
 - bin/bundle-audit
 - bundler-audit.gemspec
+- data/ruby-advisory-db.ts
 - gemspec.yml
 - lib/bundler/audit.rb
 - lib/bundler/audit/advisory.rb
@@ -60,6 +75,7 @@ files:
 - spec/bundle/secure/Gemfile
 - spec/bundle/unpatched_gems/Gemfile
 - spec/database_spec.rb
+- spec/fixtures/not_a_hash.yml
 - spec/integration_spec.rb
 - spec/scanner_spec.rb
 - spec/spec_helper.rb
@@ -72,6 +88,13 @@ files:
 - data/ruby-advisory-db/README.md
 - data/ruby-advisory-db/Rakefile
 - data/ruby-advisory-db/gems/actionmailer/OSVDB-98629.yml
+- data/ruby-advisory-db/gems/actionpack/OSVDB-100524.yml
+- data/ruby-advisory-db/gems/actionpack/OSVDB-100525.yml
+- data/ruby-advisory-db/gems/actionpack/OSVDB-100526.yml
+- data/ruby-advisory-db/gems/actionpack/OSVDB-100527.yml
+- data/ruby-advisory-db/gems/actionpack/OSVDB-100528.yml
+- data/ruby-advisory-db/gems/actionpack/OSVDB-103439.yml
+- data/ruby-advisory-db/gems/actionpack/OSVDB-103440.yml
 - data/ruby-advisory-db/gems/actionpack/OSVDB-79727.yml
 - data/ruby-advisory-db/gems/actionpack/OSVDB-84243.yml
 - data/ruby-advisory-db/gems/actionpack/OSVDB-84513.yml
@@ -79,6 +102,7 @@ files:
 - data/ruby-advisory-db/gems/actionpack/OSVDB-89026.yml
 - data/ruby-advisory-db/gems/actionpack/OSVDB-91452.yml
 - data/ruby-advisory-db/gems/actionpack/OSVDB-91454.yml
+- data/ruby-advisory-db/gems/activerecord/OSVDB-103438.yml
 - data/ruby-advisory-db/gems/activerecord/OSVDB-82403.yml
 - data/ruby-advisory-db/gems/activerecord/OSVDB-82610.yml
 - data/ruby-advisory-db/gems/activerecord/OSVDB-89025.yml
@@ -89,6 +113,7 @@ files:
 - data/ruby-advisory-db/gems/activesupport/OSVDB-84516.yml
 - data/ruby-advisory-db/gems/activesupport/OSVDB-89594.yml
 - data/ruby-advisory-db/gems/activesupport/OSVDB-91451.yml
+- data/ruby-advisory-db/gems/arabic-prawn/OSVDB-104365.yml
 - data/ruby-advisory-db/gems/cocaine/OSVDB-98835.yml
 - data/ruby-advisory-db/gems/command_wrap/OSVDB-91450.yml
 - data/ruby-advisory-db/gems/crack/OSVDB-90742.yml
@@ -96,6 +121,8 @@ files:
 - data/ruby-advisory-db/gems/curl/OSVDB-91230.yml
 - data/ruby-advisory-db/gems/devise/OSVDB-89642.yml
 - data/ruby-advisory-db/gems/dragonfly/OSVDB-90647.yml
+- data/ruby-advisory-db/gems/echor/OSVDB-102129.yml
+- data/ruby-advisory-db/gems/echor/OSVDB-102130.yml
 - data/ruby-advisory-db/gems/enum_column3/OSVDB-94679.yml
 - data/ruby-advisory-db/gems/extlib/OSVDB-90740.yml
 - data/ruby-advisory-db/gems/fastreader/OSVDB-91232.yml
@@ -105,8 +132,10 @@ files:
 - data/ruby-advisory-db/gems/flash_tool/OSVDB-90829.yml
 - data/ruby-advisory-db/gems/fog-dragonfly/OSVDB-96798.yml
 - data/ruby-advisory-db/gems/ftpd/OSVDB-90784.yml
+- data/ruby-advisory-db/gems/gitlab-grit/OSVDB-99370.yml
 - data/ruby-advisory-db/gems/gtk2/OSVDB-40774.yml
 - data/ruby-advisory-db/gems/httparty/OSVDB-90741.yml
+- data/ruby-advisory-db/gems/i18n/OSVDB-100528.yml
 - data/ruby-advisory-db/gems/json/OSVDB-90074.yml
 - data/ruby-advisory-db/gems/karteek-docsplit/OSVDB-92117.yml
 - data/ruby-advisory-db/gems/kelredd-pruview/OSVDB-92228.yml
@@ -119,22 +148,34 @@ files:
 - data/ruby-advisory-db/gems/mini_magick/OSVDB-91231.yml
 - data/ruby-advisory-db/gems/multi_xml/OSVDB-89148.yml
 - data/ruby-advisory-db/gems/newrelic_rpm/OSVDB-90189.yml
+- data/ruby-advisory-db/gems/nokogiri/OSVDB-101179.yml
+- data/ruby-advisory-db/gems/nokogiri/OSVDB-101458.yml
 - data/ruby-advisory-db/gems/nori/OSVDB-90196.yml
+- data/ruby-advisory-db/gems/omniauth-facebook/OSVDB-99693.yml
+- data/ruby-advisory-db/gems/omniauth-facebook/OSVDB-99888.yml
 - data/ruby-advisory-db/gems/omniauth-oauth2/OSVDB-90264.yml
+- data/ruby-advisory-db/gems/paperclip/OSVDB-103151.yml
+- data/ruby-advisory-db/gems/paratrooper-newrelic/OSVDB-101839.yml
+- data/ruby-advisory-db/gems/paratrooper-pingdom/OSVDB-101847.yml
 - data/ruby-advisory-db/gems/pdfkit/OSVDB-90867.yml
 - data/ruby-advisory-db/gems/rack-cache/OSVDB-83077.yml
 - data/ruby-advisory-db/gems/rack/OSVDB-89939.yml
+- data/ruby-advisory-db/gems/rbovirt/OSVDB-104080.yml
 - data/ruby-advisory-db/gems/rdoc/OSVDB-90004.yml
 - data/ruby-advisory-db/gems/redis-namespace/OSVDB-96425.yml
 - data/ruby-advisory-db/gems/rgpg/OSVDB-95948.yml
 - data/ruby-advisory-db/gems/ruby_parser/OSVDB-90561.yml
+- data/ruby-advisory-db/gems/sfpagent/OSVDB-105971.yml
 - data/ruby-advisory-db/gems/sounder/OSVDB-96278.yml
 - data/ruby-advisory-db/gems/spree/OSVDB-91216.yml
 - data/ruby-advisory-db/gems/spree/OSVDB-91217.yml
 - data/ruby-advisory-db/gems/spree/OSVDB-91218.yml
 - data/ruby-advisory-db/gems/spree/OSVDB-91219.yml
+- data/ruby-advisory-db/gems/sprout/OSVDB-100598.yml
 - data/ruby-advisory-db/gems/thumbshooter/OSVDB-91839.yml
+- data/ruby-advisory-db/gems/webbynode/OSVDB-100920.yml
 - data/ruby-advisory-db/gems/wicked/OSVDB-98270.yml
+- data/ruby-advisory-db/gems/will_paginate/OSVDB-101138.yml
 - data/ruby-advisory-db/lib/scrape.rb
 - data/ruby-advisory-db/spec/advisory_example.rb
 - data/ruby-advisory-db/spec/gems_spec.rb
@@ -159,7 +200,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: 1.8.0
 requirements: []
 rubyforge_project:
-rubygems_version: 2.0.12
+rubygems_version: 2.0.14
 signing_key:
 specification_version: 4
 summary: Patch-level verification for Bundler