bundler-audit 0.3.0 → 0.4.0

data/data/ruby-advisory-db/gems/rgpg/OSVDB-95948.yml

@@ -1,6 +1,7 @@
 --- 
 gem: rgpg
 osvdb: 95948
+cve: 2013-4203
 url: http://www.osvdb.org/show/osvdb/95948
 title: Ruby rgpg Gem Shell Command Injection Vulnerabilities
 date: 2013-08-02
@@ -8,6 +9,6 @@ description: |
   rgpg Gem for Ruby contains a flaw in the GpgHelper module (lib/rgpg/gpg_helper.rb).
   The issue is due to the program failing to properly sanitize user-supplied input before being used in the system() function for execution.
   This may allow a remote attacker to execute arbitrary commands.
-cvss_v2:
+cvss_v2: 7.5
 patched_versions: 
   - ">= 0.2.3"

data/data/ruby-advisory-db/gems/sfpagent/OSVDB-105971.yml

@@ -0,0 +1,13 @@
+---
+gem: sfpagent
+cve:
+osvdb: 105971
+url: http://www.osvdb.org/show/osvdb/105971
+title: sfpagent Gem for Ruby Remote Command Injection
+date: 2014-04-16
+description: sfpagent Gem for Ruby contains a flaw that is triggered as JSON[body]
+  input is not properly sanitized when handling module names with shell metacharacters.
+  This may allow a context-dependent attacker to execute arbitrary commands.
+cvss_v2:
+patched_versions:
+  - ">= 0.4.15"

data/data/ruby-advisory-db/gems/spree/OSVDB-91216.yml

@@ -1,4 +1,4 @@
---- 
+---
 gem: spree
 cve: 2013-1656
 osvdb: 91216
@@ -7,4 +7,5 @@ title: Spree promotion_actions_controller.rb promotion_action Parameter Arbitrar
 date: 2013-02-21
 description: Spree contains a flaw that is triggered when handling input passed via the 'promotion_action' parameter to promotion_actions_controller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands.
 cvss_v2: 4.3
-patched_versions: 
+patched_versions:
+  - ">= 2.0.0"

data/data/ruby-advisory-db/gems/spree/OSVDB-91217.yml

@@ -1,4 +1,4 @@
---- 
+---
 gem: spree
 cve: 2013-1656
 osvdb: 91217
@@ -7,4 +7,5 @@ title: Spree payment_methods_controller.rb payment_method Parameter Arbitrary Ru
 date: 2013-02-21
 description: Spree contains a flaw that is triggered when handling input passed via the 'payment_method' parameter to payment_methods_controller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands.
 cvss_v2: 4.3
-patched_versions: 
+patched_versions:
+  - ">= 2.0.0"

data/data/ruby-advisory-db/gems/spree/OSVDB-91218.yml

@@ -1,4 +1,4 @@
---- 
+---
 gem: spree
 cve: 2013-1656
 osvdb: 91218
@@ -7,4 +7,5 @@ title: Spree promotions_controller.rb calculator_type Parameter Arbitrary Ruby O
 date: 2013-02-21
 description: Spree contains a flaw that is triggered when handling input passed via the 'calculator_type' parameter to promotions_controller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands.
 cvss_v2: 4.3
-patched_versions: 
+patched_versions:
+  - ">= 2.0.0"

data/data/ruby-advisory-db/gems/spree/OSVDB-91219.yml

@@ -1,4 +1,4 @@
---- 
+---
 gem: spree
 cve: 2013-1656
 osvdb: 91219
@@ -7,4 +7,5 @@ title: Spree promotion_rules_controller.rb promotion_rule Parameter Arbitrary Ru
 date: 2013-02-21
 description: Spree contains a flaw that is triggered when handling input passed via the 'promotion_rule' parameter to promotion_rules_controller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands.
 cvss_v2: 4.3
-patched_versions: 
+patched_versions:
+  - ">= 2.0.0"

data/data/ruby-advisory-db/gems/sprout/OSVDB-100598.yml

@@ -0,0 +1,14 @@
+---
+gem: sprout
+cve: 2013-6421
+osvdb: 100598
+url: http://www.osvdb.org/show/osvdb/100598
+title: Sprout Gem for Ruby contains a flaw
+date: 2013-12-02
+description: sprout Gem for Ruby contains a flaw in the unpack_zip() function in archive_unpacker.rb.
+  The issue is due to the program failing to properly sanitize input passed via the 'zip_file', 'dir',
+  'zip_name', and 'output' parameters. This may allow a context-dependent attacker to execute arbitrary code.
+cvss_v2: 7.5
+patched_versions: 
+unaffected_versions:
+  - '< 0.7.246'

data/data/ruby-advisory-db/gems/webbynode/OSVDB-100920.yml

@@ -0,0 +1,11 @@
+---
+gem: webbynode
+osvdb: 100920
+url: http://osvdb.org/show/osvdb/100920
+title: Webbynode Gem for Ruby contains a flaw
+date: 2013-12-12
+description: Webbynode Gem for Ruby contains a flaw in notify.rb that is triggered
+  when handling a specially crafted growlnotify message. This may allow a
+  context-dependent attacker to execute arbitrary commands.
+cvss_v2: 7.5
+patched_versions:

data/data/ruby-advisory-db/gems/will_paginate/OSVDB-101138.yml

@@ -0,0 +1,15 @@
+---
+gem: will_paginate
+osvdb: 101138
+cve: 2013-6459
+url: http://osvdb.org/show/osvdb/101138
+title: will_paginate Gem for Ruby Generated Pagination Link Unspecified XSS
+date: 2013-09-19
+description: will_paginate Gem for Ruby contains a flaw that allows a cross-site scripting (XSS) attack.
+  This flaw exists because the application does not validate certain unspecified input related to
+  generated pagination links before returning it to the user. This may allow an attacker to create
+  a specially crafted request that would execute arbitrary script code in a users browser within the
+  trust relationship between their browser and the server.
+cvss_v2: 4.3
+patched_versions:
+  - ">= 3.0.5"

data/data/ruby-advisory-db/spec/advisory_example.rb

@@ -1,4 +1,4 @@
-require 'spec_helper'
+load File.join(File.dirname(__FILE__), 'spec_helper.rb')
 require 'yaml'
 
 shared_examples_for 'Advisory' do |path|
@@ -131,7 +131,7 @@ shared_examples_for 'Advisory' do |path|
               it "should contain valid RubyGem version requirements" do
                 lambda {
                 Gem::Requirement.new(*subject)
-                }.should_not raise_error(ArgumentError)
+                }.should_not raise_error
               end
             end
           end
@@ -155,7 +155,7 @@ shared_examples_for 'Advisory' do |path|
             it "should contain valid RubyGem version requirements" do
               lambda {
                 Gem::Requirement.new(*subject)
-              }.should_not raise_error(ArgumentError)
+              }.should_not raise_error
             end
           end
         end

data/data/ruby-advisory-db/spec/gems_spec.rb

@@ -1,8 +1,7 @@
-require 'spec_helper'
-require 'advisory_example'
-
+load File.join(File.dirname(__FILE__), 'spec_helper.rb')
+load File.join(File.dirname(__FILE__), 'advisory_example.rb')
 describe "gems" do
-  Dir.glob('gems/*/*.yml') do |path|
+  Dir.glob(File.join(File.dirname(__FILE__), '../gems/*/*.yml')) do |path|
     include_examples 'Advisory', path
   end
 end

data/data/ruby-advisory-db.ts

@@ -0,0 +1 @@
+2014-02-11 00:45:58 UTC

data/gemspec.yml

@@ -6,7 +6,9 @@ authors: Postmodern
 email: postmodern.mod3@gmail.com
 homepage: https://github.com/rubysec/bundler-audit#readme
 
+required_ruby_version: ">= 1.9.3"
 required_rubygems_version: ">= 1.8.0"
 
 dependencies:
+  thor: ~> 0.18
   bundler: ~> 1.2

data/lib/bundler/audit/advisory.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2015 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -25,6 +25,8 @@ module Bundler
                                 :title,
                                 :description,
                                 :cvss_v2,
+                                :cve,
+                                :osvdb,
                                 :unaffected_versions,
                                 :patched_versions)
 
@@ -59,6 +61,8 @@ module Bundler
           data['title'],
           data['description'],
           data['cvss_v2'],
+          data['cve'],
+          data['osvdb'],
           parse_versions[data['unaffected_versions']],
           parse_versions[data['patched_versions']]
         )

data/lib/bundler/audit/cli.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2015 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -18,12 +18,13 @@
 require 'bundler/audit/scanner'
 require 'bundler/audit/version'
 
+require 'thor'
 require 'bundler'
 require 'bundler/vendored_thor'
 
 module Bundler
   module Audit
-    class CLI < Thor
+    class CLI < ::Thor
 
       default_task :check
       map '--version' => :version
@@ -48,10 +49,10 @@ module Bundler
         end
 
         if vulnerable
-          say "Unpatched versions found!", :red
+          say "Vulnerabilities found!", :red
           exit 1
         else
-          say "No unpatched versions found", :green
+          say "No vulnerabilities found", :green
         end
       end
 
@@ -72,9 +73,9 @@ module Bundler
 
       protected
 
-      def say(string="", color=nil)
+      def say(message="", color=nil)
         color = nil unless $stdout.tty?
-        super(string, color)
+        super(message.to_s, color)
       end
 
       def print_warning(message)
@@ -89,7 +90,12 @@ module Bundler
         say gem.version
 
         say "Advisory: ", :red
-        say advisory.id
+
+        if advisory.cve
+          say "CVE-#{advisory.cve}"
+        elsif advisory.osvdb
+          say advisory.osvdb
+        end
 
         say "Criticality: ", :red
         case advisory.criticality

data/lib/bundler/audit/database.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2015 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -34,8 +34,11 @@ module Bundler
       # Default path to the ruby-advisory-db
       VENDORED_PATH =  File.expand_path(File.join(File.dirname(__FILE__),'..','..','..','data','ruby-advisory-db'))
 
+      # Timestamp for when the database was last updated
+      VENDORED_TIMESTAMP = Time.parse(File.read("#{VENDORED_PATH}.ts")).utc
+
       # Path to the user's copy of the ruby-advisory-db
-      USER_PATH = File.join(Gem.user_home,'.local','share','ruby-advisory-db')
+      USER_PATH = File.expand_path(File.join(ENV['HOME'],'.local','share','ruby-advisory-db'))
 
       # The path to the advisory database
       attr_reader :path
@@ -65,8 +68,8 @@ module Bundler
       #
       def self.path
         if File.directory?(USER_PATH)
-          t1 = Dir.chdir(USER_PATH) { Time.parse(`git log --pretty="%cd" -1`) }
-          t2 = File.ctime(VENDORED_PATH)
+          t1 = Dir.chdir(USER_PATH) { Time.parse(`git log --date=iso8601 --pretty="%cd" -1`) }
+          t2 = VENDORED_TIMESTAMP
 
           if t1 >= t2 then USER_PATH
           else             VENDORED_PATH

data/lib/bundler/audit/scanner.rb

@@ -2,7 +2,10 @@ require 'bundler'
 require 'bundler/audit/database'
 require 'bundler/lockfile_parser'
 
+require 'ipaddr'
+require 'resolv'
 require 'set'
+require 'uri'
 
 module Bundler
   module Audit
@@ -59,17 +62,46 @@ module Bundler
       # @return [Enumerator]
       #   If no block is given, an Enumerator will be returned.
       #
-      def scan(options={})
-        return enum_for(__method__,options) unless block_given?
+      def scan(options={},&block)
+        return enum_for(__method__,options) unless block
 
         ignore = Set[]
         ignore += options[:ignore] if options[:ignore]
 
+        scan_sources(options,&block)
+        scan_specs(options,&block)
+
+        return self
+      end
+
+      #
+      # Scans the gem sources in the lockfile.
+      #
+      # @param [Hash] options
+      #   Additional options.
+      #
+      # @yield [result]
+      #   The given block will be passed the results of the scan.
+      #
+      # @yieldparam [InsecureSource] result
+      #   A result from the scan.
+      #
+      # @return [Enumerator]
+      #   If no block is given, an Enumerator will be returned.
+      #
+      # @api semipublic
+      #
+      # @since 0.4.0
+      #
+      def scan_sources(options={})
+        return enum_for(__method__,options) unless block_given?
+
         @lockfile.sources.map do |source|
           case source
           when Source::Git
             case source.uri
             when /^git:/, /^http:/
+              next if internal_host?(source.uri)
               yield InsecureSource.new(source.uri)
             end
           when Source::Rubygems
@@ -80,6 +112,35 @@ module Bundler
             end
           end
         end
+      end
+
+      #
+      # Scans the gem sources in the lockfile.
+      #
+      # @param [Hash] options
+      #   Additional options.
+      #
+      # @option options [Array<String>] :ignore
+      #   The advisories to ignore.
+      #
+      # @yield [result]
+      #   The given block will be passed the results of the scan.
+      #
+      # @yieldparam [UnpatchedGem] result
+      #   A result from the scan.
+      #
+      # @return [Enumerator]
+      #   If no block is given, an Enumerator will be returned.
+      #
+      # @api semipublic
+      #
+      # @since 0.4.0
+      #
+      def scan_specs(options={})
+        return enum_for(__method__,options) unless block_given?
+
+        ignore = Set[]
+        ignore += options[:ignore] if options[:ignore]
 
         @lockfile.specs.each do |gem|
           @database.check_gem(gem) do |advisory|
@@ -88,10 +149,47 @@ module Bundler
             end
           end
         end
+      end
 
-        return self
+      private
+
+      #
+      # Determines whether a URI is internal.
+      #
+      # @param [String] uri
+      #   The source URI.
+      #
+      # @return [Boolean]
+      #
+      def internal_host?(uri)
+        return unless host = URI.parse(uri).host
+        Resolv.getaddresses(host).all? { |ip| internal_ip?(ip) }
+      rescue URI::Error
+        false
       end
 
+      # List of internal IP address ranges.
+      #
+      # @see https://tools.ietf.org/html/rfc1918#section-3
+      # @see https://tools.ietf.org/html/rfc4193#section-8
+      INTERNAL_SUBNETS = %w[
+        10.0.0.0/8
+        172.16.0.0/12
+        192.168.0.0/16
+        fc00::/7
+      ].map(&IPAddr.method(:new))
+
+      #
+      # Determines whether an IP is internal.
+      #
+      # @param [String] ip
+      #   The IPv4/IPv6 address.
+      #
+      # @return [Boolean]
+      #
+      def internal_ip?(ip)
+        INTERNAL_SUBNETS.any? { |subnet| subnet.include?(ip) }
+      end
     end
   end
 end

data/lib/bundler/audit/version.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2015 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -18,6 +18,6 @@
 module Bundler
   module Audit
     # bundler-audit version
-    VERSION = '0.3.0'
+    VERSION = '0.4.0'
   end
 end

data/lib/bundler/audit.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2015 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

data/spec/advisory_spec.rb

@@ -7,50 +7,101 @@ describe Bundler::Audit::Advisory do
   let(:gem)  { 'actionpack' }
   let(:id)   { 'OSVDB-84243' }
   let(:path) { File.join(root,'gems',gem,"#{id}.yml") }
+  let(:an_unaffected_version) do
+    Bundler::Audit::Advisory.load(path).unaffected_versions.map { |version_rule|
+      # For all the rules, get the individual constraints out and see if we
+      # can find a suitable one...
+      version_rule.requirements.select { |(constraint, gem_version)|
+        # We only want constraints where the version number specified is
+        # one of the unaffected version.  I.E. we don't want ">", "<", or if
+        # such a thing exists, "!=" constraints.
+        ['~>', '>=', '=', '<='].include?(constraint)
+      }.map { |(constraint, gem_version)|
+        # Fetch just the version component, which is a Gem::Version,
+        # and extract the string representation of the version.
+        gem_version.version
+      }
+    }.flatten.first
+  end
 
   describe "load" do
     let(:data) { YAML.load_file(path) }
 
     subject { described_class.load(path) }
 
-    its(:id)          { should == id                  }
-    its(:url)         { should == data['url']         }
-    its(:title)       { should == data['title']       }
-    its(:cvss_v2)     { should == data['cvss_v2']     }
-    its(:description) { should == data['description'] }
+    describe '#id' do
+      subject { super().id }
+      it { is_expected.to eq(id)                  }
+    end
+
+    describe '#url' do
+      subject { super().url }
+      it { is_expected.to eq(data['url'])         }
+    end
+
+    describe '#title' do
+      subject { super().title }
+      it { is_expected.to eq(data['title'])       }
+    end
+
+    describe '#cvss_v2' do
+      subject { super().cvss_v2 }
+      it { is_expected.to eq(data['cvss_v2'])     }
+    end
+
+    describe '#description' do
+      subject { super().description }
+      it { is_expected.to eq(data['description']) }
+    end
+
+    context "YAML data not representing a hash" do
+      it "should raise an exception" do
+        path = File.expand_path('../fixtures/not_a_hash.yml', __FILE__)
+        expect {
+          Advisory.load(path)
+        }.to raise_exception("advisory data in #{path.dump} was not a Hash")
+      end
+    end
 
     describe "#patched_versions" do
       subject { described_class.load(path).patched_versions }
 
       it "should all be Gem::Requirement objects" do
-        subject.all? { |version|
-          version.should be_kind_of(Gem::Requirement)
-        }.should be_true
+        expect(subject.all? { |version|
+          expect(version).to be_kind_of(Gem::Requirement)
+        }).to be_truthy
       end
 
       it "should parse the versions" do
-        subject.map(&:to_s).should == data['patched_versions']
+        expect(subject.map(&:to_s)).to eq(data['patched_versions'])
       end
     end
   end
 
   describe "#criticality" do
     context "when cvss_v2 is between 0.0 and 3.3" do
-      before { subject.stub(:cvss_v2).and_return(3.3) }
-
-      its(:criticality) { should == :low }
+      before {
+        @advisory = Advisory.new
+        @advisory.cvss_v2 = 3.3
+      }
+      it { expect(@advisory.criticality).to eq(:low) }
     end
 
     context "when cvss_v2 is between 3.3 and 6.6" do
-      before { subject.stub(:cvss_v2).and_return(6.6) }
+      before {
+        @advisory = Advisory.new
+        @advisory.cvss_v2 = 6.6
+      }
+      it { expect(@advisory.criticality).to eq(:medium) }
 
-      its(:criticality) { should == :medium }
     end
 
     context "when cvss_v2 is between 6.6 and 10.0" do
-      before { subject.stub(:cvss_v2).and_return(10.0) }
-
-      its(:criticality) { should == :high }
+     before {
+        @advisory = Advisory.new
+        @advisory.cvss_v2 = 10.0
+      }
+      it { expect(@advisory.criticality).to eq(:high) }
     end
   end
 
@@ -58,10 +109,10 @@ describe Bundler::Audit::Advisory do
     subject { described_class.load(path) }
 
     context "when passed a version that matches one unaffected version" do
-      let(:version) { Gem::Version.new('2.3.10') }
+      let(:version) { Gem::Version.new(an_unaffected_version) }
 
       it "should return true" do
-        subject.unaffected?(version).should be_true
+        expect(subject.unaffected?(version)).to be_truthy
       end
     end
 
@@ -69,7 +120,7 @@ describe Bundler::Audit::Advisory do
       let(:version) { Gem::Version.new('3.0.9') }
 
       it "should return false" do
-        subject.unaffected?(version).should be_false
+        expect(subject.unaffected?(version)).to be_falsey
       end
     end
   end
@@ -81,7 +132,7 @@ describe Bundler::Audit::Advisory do
       let(:version) { Gem::Version.new('3.1.11') }
 
       it "should return true" do
-        subject.patched?(version).should be_true
+        expect(subject.patched?(version)).to be_truthy
       end
     end
 
@@ -89,7 +140,7 @@ describe Bundler::Audit::Advisory do
       let(:version) { Gem::Version.new('2.9.0') }
 
       it "should return false" do
-        subject.patched?(version).should be_false
+        expect(subject.patched?(version)).to be_falsey
       end
     end
   end
@@ -101,7 +152,7 @@ describe Bundler::Audit::Advisory do
       let(:version) { Gem::Version.new('3.1.11') }
 
       it "should return false" do
-        subject.vulnerable?(version).should be_false
+        expect(subject.vulnerable?(version)).to be_falsey
       end
     end
 
@@ -109,17 +160,17 @@ describe Bundler::Audit::Advisory do
       let(:version) { Gem::Version.new('2.9.0') }
 
       it "should return true" do
-        subject.vulnerable?(version).should be_true
+        expect(subject.vulnerable?(version)).to be_truthy
       end
 
       context "when unaffected_versions is not empty" do
         subject { described_class.load(path) }
      
         context "when passed a version that matches one unaffected version" do
-          let(:version) { Gem::Version.new('2.3.12') }
+          let(:version) { Gem::Version.new(an_unaffected_version) }
 
           it "should return false" do
-            subject.vulnerable?(version).should be_false
+            expect(subject.vulnerable?(version)).to be_falsey
           end
         end
 
@@ -127,7 +178,7 @@ describe Bundler::Audit::Advisory do
           let(:version) { Gem::Version.new('1.2.3') }
 
           it "should return true" do
-            subject.vulnerable?(version).should be_true
+            expect(subject.vulnerable?(version)).to be_truthy
           end
         end
       end

data/spec/audit_spec.rb

@@ -3,6 +3,6 @@ require 'bundler/audit'
 
 describe Bundler::Audit do
   it "should have a VERSION constant" do
-    subject.const_get('VERSION').should_not be_empty
+    expect(subject.const_get('VERSION')).not_to be_empty
   end
 end