bundler-audit 0.3.1 → 0.7.0

data/data/ruby-advisory-db/gems/paperclip/OSVDB-103151.yml

@@ -1,13 +0,0 @@
----
-gem: paperclip
-osvdb: 103151
-url: http://osvdb.org/show/osvdb/103151
-title: Paperclip Gem for Ruby contains a flaw
-date: 2014-01-31
-description: Paperclip Gem for Ruby contains a flaw that is due to the application failing to properly
-  validate the file extension, instead only validating the Content-Type header during file uploads.
-  This may allow a remote attacker to bypass restrictions on file types for uploaded files by
-  spoofing the content-type.
-cvss_v2:
-patched_versions:
-  - ">= 4.0.0"

data/data/ruby-advisory-db/gems/paratrooper-newrelic/OSVDB-101839.yml

@@ -1,12 +0,0 @@
----
-gem: paratrooper-newrelic
-cve: 2014-1234
-osvdb: 101839
-url: http://www.osvdb.org/show/osvdb/101839
-title: Paratrooper-newrelic Gem for Ruby contains a flaw
-date: 2014-01-08
-description: Paratrooper-newrelic Gem for Ruby contains a flaw in /lib/paratrooper-newrelic.rb.
-  The issue is triggered when the script exposes the API key, allowing a local attacker to
-  gain access to it by monitoring the process tree.
-cvss_v2: 2.1
-patched_versions: 

data/data/ruby-advisory-db/gems/paratrooper-pingdom/OSVDB-101847.yml

@@ -1,13 +0,0 @@
----
-gem: paratrooper-pingdom
-cve: 2014-1233
-osvdb: 101847
-url: http://www.osvdb.org/show/osvdb/101847
-title: Paratrooper-pingdom Gem for Ruby contains a flaw
-date: 2013-12-26
-description: paratrooper-pingdom Gem for Ruby contains a flaw in /lib/paratrooper-pingdom.rb.
-  The issue is triggered when the script exposes API login credentials, allowing a local
-  attacker to gain access to the API key, username, and password for the API login by
-  monitoring the process tree.
-cvss_v2: 2.1
-patched_versions: 

data/data/ruby-advisory-db/gems/pdfkit/OSVDB-90867.yml

@@ -1,11 +0,0 @@
---- 
-gem: pdfkit
-cve: 2013-1607
-osvdb: 90867
-url: http://osvdb.org/show/osvdb/90867
-title: PDFKit Gem for Ruby PDF File Generation Parameter Handling Remote Code Execution
-date: 2013-02-21
-description: PDFKit Gem for Ruby contains a flaw that is due to the program failing to properly validate input during the handling of parameters when generating PDF files. This may allow a remote attacker to potentially execute arbitrary code via the pdfkit generation options.
-cvss_v2: 
-patched_versions: 
-  - ">= 0.5.3"

data/data/ruby-advisory-db/gems/rack-cache/OSVDB-83077.yml

@@ -1,18 +0,0 @@
---- 
-gem: rack-cache
-cve: 2012-2671
-osvdb: 83077
-url: http://osvdb.org/83077
-title: rack-cache Rubygem Sensitive HTTP Header Caching Weakness
-date: 2012-06-06
-
-description: |
-  Rack::Cache (rack-cache) contains a flaw related to the rubygem caching
-  sensitive HTTP headers. This will result in a weakness that may make it
-  easier for an attacker to gain access to a user's session via a specially
-  crafted header.
-
-cvss_v2: 7.5
-
-patched_versions: 
-  - ">= 1.2"

data/data/ruby-advisory-db/gems/rack/OSVDB-89939.yml

@@ -1,23 +0,0 @@
---- 
-gem: rack
-cve: 2013-0263
-osvdb: 89939
-url: http://osvdb.org/show/osvdb/89939
-title: |
-  Rack Rack::Session::Cookie Function Timing Attack Remote Code Execution 
-date: 2009-12-01
-
-description: |
-  Rack contains a flaw that is due to an error in the Rack::Session::Cookie
-  function. Users of the Marshal session cookie encoding (the default), are
-  subject to a timing attack that may lead an attacker to execute arbitrary
-  code. This attack is more practical against 'cloud' users as intra-cloud
-  latencies are sufficiently low to make the attack viable.
-
-cvss_v2: 5.1
-patched_versions: 
-- ~> 1.1.6
-- ~> 1.2.8
-- ~> 1.3.10
-- ~> 1.4.5
-- ">= 1.5.2"

data/data/ruby-advisory-db/gems/rbovirt/OSVDB-104080.yml

@@ -1,20 +0,0 @@
----
-gem: rbovirt
-cve: 2014-0036
-osvdb: 104080
-url: http://osvdb.org/show/osvdb/104080
-title: rbovirt Gem for Ruby contains a flaw
-date: 2014-03-05
-
-description: |
-  rbovirt Gem for Ruby contains a flaw related to certificate validation.
-  The issue is due to the program failing to validate SSL certificates. This may
-  allow an attacker with access to network traffic (e.g. MiTM, DNS cache
-  poisoning) to spoof the SSL server via an arbitrary certificate that appears
-  valid. Such an attack would allow for the interception of sensitive traffic,
-  and potentially allow for the injection of content into the SSL stream.
-
-cvss_v2:
-
-patched_versions:
-  - '>= 0.0.24'

data/data/ruby-advisory-db/gems/rdoc/OSVDB-90004.yml

@@ -1,27 +0,0 @@
----
-gem: rdoc
-cve: 2013-0256
-osvdb: 90004
-url: http://www.osvdb.org/show/osvdb/90004
-title: RDoc 2.3.0 through 3.12 XSS Exploit
-date: 2013-02-06
-
-description: |
-  Doc documentation generated by rdoc 2.3.0 through rdoc 3.12 and prereleases
-  up to rdoc 4.0.0.preview2.1 are vulnerable to an XSS exploit. This exploit
-  may lead to cookie disclosure to third parties.
-  
-  The exploit exists in darkfish.js which is copied from the RDoc install
-  location to the generated documentation.
-  
-  RDoc is a static documentation generation tool. Patching the library itself
-  is insufficient to correct this exploit.
-  
-  This exploit was discovered by Evgeny Ermakov <corwmh@gmail.com>.
-
-cvss_v2: 4.3
-
-patched_versions:
-  - ~> 3.9.5
-  - ~> 3.12.1
-  - ">= 4.0"

data/data/ruby-advisory-db/gems/redis-namespace/OSVDB-96425.yml

@@ -1,16 +0,0 @@
---- 
-gem: redis-namespace
-osvdb: 96425
-url: http://www.osvdb.org/show/osvdb/96425
-title: redis-namespace Gem for Ruby contains a flaw in the method_missing implementation
-date: 2013-08-03
-description: |
-  redis-namespace Gem for Ruby contains a flaw in the method_missing implementation.
-  The issue is triggered when handling exec commands called via send(). This may allow a
-  remote attacker to execute arbitrary commands.
-cvss_v2:
-patched_versions: 
-  - ">= 1.3.1"
-  - ">= 1.2.2"
-  - ">= 1.1.1"
-  - ">= 1.0.4"

data/data/ruby-advisory-db/gems/rgpg/OSVDB-95948.yml

@@ -1,14 +0,0 @@
---- 
-gem: rgpg
-osvdb: 95948
-cve: 2013-4203
-url: http://www.osvdb.org/show/osvdb/95948
-title: Ruby rgpg Gem Shell Command Injection Vulnerabilities
-date: 2013-08-02
-description: |
-  rgpg Gem for Ruby contains a flaw in the GpgHelper module (lib/rgpg/gpg_helper.rb).
-  The issue is due to the program failing to properly sanitize user-supplied input before being used in the system() function for execution.
-  This may allow a remote attacker to execute arbitrary commands.
-cvss_v2: 7.5
-patched_versions: 
-  - ">= 0.2.3"

data/data/ruby-advisory-db/gems/ruby_parser/OSVDB-90561.yml

@@ -1,11 +0,0 @@
---- 
-gem: ruby_parser
-cve: 2013-0162
-osvdb: 90561
-url: http://osvdb.org/show/osvdb/90561
-title: RubyGems ruby_parser (RP) Temporary File Symlink Arbitrary File Overwrite
-date: 2013-02-21
-description: RubyGems ruby_parser (RP) contains a flaw as rubygem-ruby_parser creates temporary files insecurely. It is possible for a local attacker to use a symlink attack to cause the program to unexpectedly overwrite an arbitrary file.
-cvss_v2: 2.1
-patched_versions: 
-  - ">= 3.1.2"

data/data/ruby-advisory-db/gems/sfpagent/OSVDB-105971.yml

@@ -1,13 +0,0 @@
----
-gem: sfpagent
-cve:
-osvdb: 105971
-url: http://www.osvdb.org/show/osvdb/105971
-title: sfpagent Gem for Ruby Remote Command Injection
-date: 2014-04-16
-description: sfpagent Gem for Ruby contains a flaw that is triggered as JSON[body]
-  input is not properly sanitized when handling module names with shell metacharacters.
-  This may allow a context-dependent attacker to execute arbitrary commands.
-cvss_v2:
-patched_versions:
-  - ">= 0.4.15"

data/data/ruby-advisory-db/gems/sounder/OSVDB-96278.yml

@@ -1,13 +0,0 @@
----
-gem: sounder
-cve: 2013-5647
-osvdb: 96278
-url: http://www.osvdb.org/show/osvdb/96278
-title: Sounder Gem for Ruby File Name Handling Arbitrary Command Execution
-date: 2013-08-14
-description: Sounder Gem for Ruby contains a flaw that is triggered during the handling
-  of file names. This may allow a context-dependent attacker to execute arbitrary
-  commands.
-cvss_v2: 7.5
-patched_versions: 
-- '>= 1.0.2'

data/data/ruby-advisory-db/gems/spree/OSVDB-91216.yml

@@ -1,11 +0,0 @@
----
-gem: spree
-cve: 2013-1656
-osvdb: 91216
-url: http://osvdb.org/show/osvdb/91216
-title: Spree promotion_actions_controller.rb promotion_action Parameter Arbitrary Ruby Object Instantiation Command Execution
-date: 2013-02-21
-description: Spree contains a flaw that is triggered when handling input passed via the 'promotion_action' parameter to promotion_actions_controller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands.
-cvss_v2: 4.3
-patched_versions:
-  - ">= 2.0.0"

data/data/ruby-advisory-db/gems/spree/OSVDB-91217.yml

@@ -1,11 +0,0 @@
----
-gem: spree
-cve: 2013-1656
-osvdb: 91217
-url: http://osvdb.org/show/osvdb/91217
-title: Spree payment_methods_controller.rb payment_method Parameter Arbitrary Ruby Object Instantiation Command Execution
-date: 2013-02-21
-description: Spree contains a flaw that is triggered when handling input passed via the 'payment_method' parameter to payment_methods_controller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands.
-cvss_v2: 4.3
-patched_versions:
-  - ">= 2.0.0"

data/data/ruby-advisory-db/gems/spree/OSVDB-91218.yml

@@ -1,11 +0,0 @@
----
-gem: spree
-cve: 2013-1656
-osvdb: 91218
-url: http://osvdb.org/show/osvdb/91218
-title: Spree promotions_controller.rb calculator_type Parameter Arbitrary Ruby Object Instantiation Command Execution
-date: 2013-02-21
-description: Spree contains a flaw that is triggered when handling input passed via the 'calculator_type' parameter to promotions_controller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands.
-cvss_v2: 4.3
-patched_versions:
-  - ">= 2.0.0"

data/data/ruby-advisory-db/gems/spree/OSVDB-91219.yml

@@ -1,11 +0,0 @@
----
-gem: spree
-cve: 2013-1656
-osvdb: 91219
-url: http://osvdb.org/show/osvdb/91219
-title: Spree promotion_rules_controller.rb promotion_rule Parameter Arbitrary Ruby Object Instantiation Command Execution
-date: 2013-02-21
-description: Spree contains a flaw that is triggered when handling input passed via the 'promotion_rule' parameter to promotion_rules_controller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands.
-cvss_v2: 4.3
-patched_versions:
-  - ">= 2.0.0"

data/data/ruby-advisory-db/gems/sprout/OSVDB-100598.yml

@@ -1,14 +0,0 @@
----
-gem: sprout
-cve: 2013-6421
-osvdb: 100598
-url: http://www.osvdb.org/show/osvdb/100598
-title: Sprout Gem for Ruby contains a flaw
-date: 2013-12-02
-description: sprout Gem for Ruby contains a flaw in the unpack_zip() function in archive_unpacker.rb.
-  The issue is due to the program failing to properly sanitize input passed via the 'zip_file', 'dir',
-  'zip_name', and 'output' parameters. This may allow a context-dependent attacker to execute arbitrary code.
-cvss_v2: 7.5
-patched_versions: 
-unaffected_versions:
-  - '< 0.7.246'

data/data/ruby-advisory-db/gems/thumbshooter/OSVDB-91839.yml

@@ -1,10 +0,0 @@
---- 
-gem: thumbshooter
-cve: 2013-1898
-osvdb: 91839
-url: http://osvdb.org/show/osvdb/91839
-title: Thumbshooter Gem for Ruby thumbshooter.rb URL Shell Metacharacter Injection Arbitrary Command Execution
-date: 2013-03-26
-description: Thumbshooter Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed to thumbshooter.rb. With a specially crafted URL that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands.
-cvss_v2: 7.5
-patched_versions: 

data/data/ruby-advisory-db/gems/webbynode/OSVDB-100920.yml

@@ -1,11 +0,0 @@
----
-gem: webbynode
-osvdb: 100920
-url: http://osvdb.org/show/osvdb/100920
-title: Webbynode Gem for Ruby contains a flaw
-date: 2013-12-12
-description: Webbynode Gem for Ruby contains a flaw in notify.rb that is triggered
-  when handling a specially crafted growlnotify message. This may allow a
-  context-dependent attacker to execute arbitrary commands.
-cvss_v2: 7.5
-patched_versions:

data/data/ruby-advisory-db/gems/wicked/OSVDB-98270.yml

@@ -1,14 +0,0 @@
----
-gem: wicked
-cve: 2013-4413
-osvdb: 98270
-url: http://www.osvdb.org/show/osvdb/98270
-title: Wicked Gem for Ruby contains a flaw
-date: 2013-10-08
-description: Wicked Gem for Ruby contains a flaw that is due to the program
-  failing to properly sanitize input passed via the 'the_step' parameter
-  upon submission to the render_redirect.rb script.
-  This may allow a remote attacker to gain access to arbitrary files.
-cvss_v2:
-patched_versions: 
-  - '>= 1.0.1'

data/data/ruby-advisory-db/gems/will_paginate/OSVDB-101138.yml

@@ -1,15 +0,0 @@
----
-gem: will_paginate
-osvdb: 101138
-cve: 2013-6459
-url: http://osvdb.org/show/osvdb/101138
-title: will_paginate Gem for Ruby Generated Pagination Link Unspecified XSS
-date: 2013-09-19
-description: will_paginate Gem for Ruby contains a flaw that allows a cross-site scripting (XSS) attack.
-  This flaw exists because the application does not validate certain unspecified input related to
-  generated pagination links before returning it to the user. This may allow an attacker to create
-  a specially crafted request that would execute arbitrary script code in a users browser within the
-  trust relationship between their browser and the server.
-cvss_v2: 4.3
-patched_versions:
-  - ">= 3.0.5"

data/data/ruby-advisory-db/lib/scrape.rb

@@ -1,87 +0,0 @@
-require 'rubygems'
-require 'bundler/setup'
-
-require 'pry'
-require 'mechanize'
-require 'yaml'
-require 'date'
-
-class OSVDB
-  attr_accessor :osvdb, :cve, :title, :description, :date, :cvss_v2, :gem, :url, :patched_versions, :page
-  def initialize(url)
-    self.url = url
-    parse!
-  end
-
-  def parse!
-    mech = Mechanize.new
-    self.page = mech.get(url)
-
-    page.search(".show_vuln_table").search("td ul li").each do |li|
-      case li.children[0].text.strip
-      when "CVE ID:"
-        self.cve = li.children[1].text
-      when "Vendor URL:"
-        self.set_gem(li.children[1].text)
-      end
-    end
-
-    self.description = page.search(".show_vuln_table").search("tr td tr .white_content p")[0].text
-    self.date = page.search(".show_vuln_table").search("tr td tr .white_content tr td")[0].text
-    self.title = page.search("title").text.gsub(/\d+: /, "")
-    self.osvdb = page.search("title").text.match(/\d+/)[0]
-    if cvss_p = page.search(".show_vuln_table").search("tr td tr .white_content div p")[0]
-      self.set_cvss(cvss_p.children[0].text)
-    end
-  end
-
-  def set_gem(vendortext)
-    ["https://rubygems.org/gems/", "http://rubygems.org/gems/"].each do |str|
-      if vendortext.match(str)
-        self.gem = vendortext.gsub(str,"")
-      end
-    end
-  end
-
-  def set_cvss(text)
-    self.cvss_v2 = text.strip.gsub("CVSSv2 Base Score = ", "")
-  end
-
-  def date
-    Date.parse(@date)
-  end
-
-  def cvss_v2
-    @cvss_v2.nil? ? nil : @cvss_v2.to_f
-  end
-
-  def gem
-    @gem.nil? ? "unknown" : @gem
-  end
-
-  def to_yaml
-    { 'gem' => gem,
-      'cve' => cve,
-      'osvdb' => osvdb.to_i,
-      'url' => url,
-      'title' => title,
-      'date' => date,
-      'description' => description,
-      'cvss_v2' => cvss_v2,
-      'patched_versions' => patched_versions }.to_yaml
-  end
-
-  def filename
-    "OSVDB-#{osvdb}.yml"
-  end
-
-  def to_advisory!
-    gems_path = File.join(File.dirname(__FILE__), "..", "gems")
-    adv_path = File.absolute_path(File.join(gems_path, self.gem))
-
-    FileUtils.mkdir(adv_path) unless File.exists?(adv_path)
-    File.open(File.join(adv_path, filename), "w") do |io|
-      io.puts self.to_yaml
-    end
-  end
-end

data/data/ruby-advisory-db/spec/advisory_example.rb

@@ -1,165 +0,0 @@
-load File.join(File.dirname(__FILE__), 'spec_helper.rb')
-require 'yaml'
-
-shared_examples_for 'Advisory' do |path|
-  advisory = YAML.load_file(path)
-
-  describe path do
-    let(:gem) { File.basename(File.dirname(path)) }
-    let(:filename_cve) do
-      if File.basename(path).start_with?('CVE-')
-        File.basename(path).gsub('CVE-','').chomp('.yml')
-      else
-        nil
-      end
-    end
-    let(:filename_osvdb) do
-      if File.basename(path).start_with?('OSVDB-')
-        File.basename(path).gsub('OSVDB-','').chomp('.yml')
-      else
-        nil
-      end
-    end
-
-    it "should have CVE or OSVDB" do
-      (advisory['cve'] || advisory['osvdb']).should_not be_nil
-    end
-
-    describe "gem" do
-      subject { advisory['gem'] }
-
-      it { should be_kind_of(String) }
-      it { should == gem }
-    end
-
-    describe "framework" do
-      subject { advisory['framework'] }
-
-      it "may be nil or a String" do
-        [NilClass, String].should include(subject.class)
-      end
-    end
-
-    describe "platform" do
-      subject { advisory['platform'] }
-
-      it "may be nil or a String" do
-        [NilClass, String].should include(subject.class)
-      end
-    end
-
-    describe "cve" do
-      subject { advisory['cve'] }
-
-      it "may be nil or a String" do
-        [NilClass, String].should include(subject.class)
-      end
-      it "should be id in filename if filename is CVE-XXX" do
-        if filename_cve
-          should == filename_cve
-        end
-      end
-    end
-
-    describe "osvdb" do
-      subject { advisory['osvdb'] }
-      it "may be nil or a Fixnum" do
-        [NilClass, Fixnum].should include(subject.class)
-      end
-       it "should be id in filename if filename is OSVDB-XXX" do
-        if filename_osvdb
-          should == filename_osvdb.to_i
-        end
-      end
-    end
-
-    describe "url" do
-      subject { advisory['url'] }
-
-      it { should be_kind_of(String) }
-      it { should_not be_empty }
-    end
-
-    describe "title" do
-      subject { advisory['title'] }
-
-      it { should be_kind_of(String) }
-      it { should_not be_empty }
-    end
-
-    describe "date" do
-      subject { advisory['date'] }
-
-      it { should be_kind_of(Date) }
-    end
-
-    describe "description" do
-      subject { advisory['description'] }
-
-      it { should be_kind_of(String) }
-      it { should_not be_empty }
-    end
-
-    describe "cvss_v2" do
-      subject { advisory['cvss_v2'] }
-
-      it "may be nil or a Float" do
-        [NilClass, Float].should include(subject.class)
-      end
-
-      case advisory['cvss_v2']
-      when Float
-        context "when a Float" do
-          it { ((0.0)..(10.0)).should include(subject) }
-        end
-      end
-    end
-
-    describe "patched_versions" do
-      subject { advisory['patched_versions'] }
-
-      it "may be nil or an Array" do
-        [NilClass, Array].should include(subject.class)
-      end
-
-      describe "each patched version" do
-        if advisory['patched_versions']
-          advisory['patched_versions'].each do |version|
-            describe version do
-              subject { version.split(', ') }
-              
-              it "should contain valid RubyGem version requirements" do
-                lambda {
-                Gem::Requirement.new(*subject)
-                }.should_not raise_error
-              end
-            end
-          end
-        end
-      end
-    end
-
-    describe "unaffected_versions" do
-      subject { advisory['unaffected_versions'] }
-
-      it "may be nil or an Array" do
-        [NilClass, Array].should include(subject.class)
-      end
-
-      case advisory['unaffected_versions']
-      when Array
-        advisory['unaffected_versions'].each do |version|
-          describe version do
-            subject { version.split(', ') }
-            
-            it "should contain valid RubyGem version requirements" do
-              lambda {
-                Gem::Requirement.new(*subject)
-              }.should_not raise_error
-            end
-          end
-        end
-      end
-    end
-  end
-end