bundler-audit 0.5.0 → 0.6.0

data/data/ruby-advisory-db/gems/minitar/CVE-2016-10173.yml

@@ -0,0 +1,16 @@
+---
+gem: minitar
+cve: 2016-10173
+url: https://github.com/halostatue/minitar/issues/16
+title: Minitar Directory Traversal Vulnerability
+date: 2016-08-22
+description: |
+  Minitar allows attackers to overwrite arbitrary files during archive
+  extraction via a .. (dot dot) in an extracted filename. Analogous
+  vulnerabilities for unzip and tar:
+  https://www.cvedetails.com/cve/CVE-2001-1268/ and
+  http://www.cvedetails.com/cve/CVE-2001-1267/
+
+  Credit: ecneladis
+patched_versions:
+  - ">= 0.6.1"

data/data/ruby-advisory-db/gems/nokogiri/CVE-2015-8806.yml

@@ -0,0 +1,42 @@
+---
+gem: nokogiri
+cve: 2015-8806
+url: https://github.com/sparklemotion/nokogiri/issues/1473
+title: Denial of service or RCE from libxml2 and libxslt
+date: 2016-06-07
+description: |
+  Nokogiri is affected by series of vulnerabilities in libxml2 and libxslt,
+  which are libraries Nokogiri depends on. It was discovered that libxml2 and
+  libxslt incorrectly handled certain malformed documents, which can allow
+  malicious users to cause issues ranging from denial of service to remote code
+  execution attacks.
+
+  For more information, the Ubuntu Security Notice is a good start: 
+  http://www.ubuntu.com/usn/usn-2994-1/
+
+patched_versions:
+  - ">= 1.6.8"
+unaffected_versions:
+  - "< 1.6.0"
+related:
+  cve:
+    - 2016-1762
+    - 2016-1833
+    - 2016-1834
+    - 2016-1835
+    - 2016-1836
+    - 2016-1837
+    - 2016-1838
+    - 2016-1839
+    - 2016-1840
+    - 2016-2073
+    - 2016-3627
+    - 2016-3705
+    - 2016-4447
+    - 2016-4449
+    - 2016-4483
+  url:
+    - https://github.com/sparklemotion/nokogiri/issues/1473
+    - https://github.com/sparklemotion/nokogiri/commit/03d402212707bd5dfa0a21b7de5e91a7f9d90028
+    - https://mail.gnome.org/archives/xml/2016-May/msg00023.html
+    - http://www.ubuntu.com/usn/usn-2994-1/

data/data/ruby-advisory-db/gems/nokogiri/CVE-2016-4658.yml

@@ -0,0 +1,32 @@
+---
+gem: nokogiri
+cve: 2016-4658
+url: https://github.com/sparklemotion/nokogiri/issues/1615
+title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
+date: 2017-03-11
+description: |
+  Nokogiri version 1.7.1 has been released, pulling in several upstream
+  patches to the vendored libxml2 to address the following CVEs:
+
+  CVE-2016-4658
+  CVSS v3 Base Score: 9.8 (Critical)
+  libxml2 in Apple iOS before 10, OS X before 10.12, tvOS before 10, and
+  watchOS before 3 allows remote attackers to execute arbitrary code or cause
+  a denial of service (memory corruption) via a crafted XML document.
+
+  CVE-2016-5131
+  CVSS v3 Base Score: 8.8 (HIGH)
+  Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google
+  Chrome before 52.0.2743.82, allows remote attackers to cause a denial of
+  service or possibly have unspecified other impact via vectors related to
+  the XPointer range-to function.
+
+cvss_v3: 9.8
+
+patched_versions:
+  - ">= 1.7.1"
+related:
+  cve:
+    - 2016-5131
+  url:
+    - https://github.com/sparklemotion/nokogiri/issues/1615

data/data/ruby-advisory-db/gems/nokogiri/CVE-2017-5029.yml

@@ -0,0 +1,44 @@
+---
+gem: nokogiri
+cve: 2017-5029
+url: https://github.com/sparklemotion/nokogiri/issues/1634
+title: Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29
+date: 2017-05-09
+description: |
+    nokogiri version 1.7.2 has been released.
+
+    This is a security update based on 1.7.1, addressing two upstream
+    libxslt 1.1.29 vulnerabilities classified as "Medium" by Canonical 
+    and given a CVSS3 score of "6.5 Medium" and "8.8 High" by RedHat.
+
+    These patches only apply when using Nokogiri's vendored libxslt
+    package. If you're using your distro's system libraries, there's no
+    need to upgrade from 1.7.0.1 or 1.7.1 at this time.
+
+    Full details are available at the github issue linked to in the
+    changelog below.
+
+    -----
+
+    # 1.7.2 / 2017-05-09
+
+    ## Security Notes
+
+    [MRI] Upstream libxslt patches are applied to the vendored libxslt
+    1.1.29 which address CVE-2017-5029 and CVE-2016-4738.
+
+    For more information:
+
+    * https://github.com/sparklemotion/nokogiri/issues/1634
+    * http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5029.html
+    * http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4738.html
+
+patched_versions:
+  - ">= 1.7.2"
+related:
+  cve:
+    - 2016-4738
+    - 2017-5029
+  url:
+    - http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5029.html
+    - http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4738.html

data/data/ruby-advisory-db/gems/passenger/CVE-2016-10345.yml

@@ -0,0 +1,16 @@
+---
+gem: passenger
+cve: 2016-10345
+url: https://blog.phusion.nl/2017/01/10/passenger-5-1-1/
+title:  Predictable tmp File Path Vulnerability in Phusion Passenger
+date: 2017-04-18
+
+description: >-
+  In Phusion Passenger before 5.1.0, a known /tmp filename was used during
+  passenger-install-nginx-module execution, which could allow local attackers
+  to gain the privileges of the passenger user.
+
+cvss_v3: 5.5
+
+patched_versions:
+  - ">= 5.1.0"

data/data/ruby-advisory-db/gems/rack-mini-profiler/CVE-2016-4442.yml

@@ -0,0 +1,17 @@
+---
+gem: rack-mini-profiler
+cve: 2016-4442
+url: https://github.com/MiniProfiler/rack-mini-profiler/commit/4273771d65f1a7411e3ef5843329308d0e2d257c
+title: rack-mini-profiler may disclose information to unauthorized users
+date: 2016-05-18
+description: >-
+  Carefully crafted requests can expose information about
+  strings and objects allocated during the request for unauthorised
+  users.
+
+patched_versions:
+  - ">= 0.10.1"
+
+related:
+  url:
+    - http://seclists.org/oss-sec/2016/q2/516

data/data/ruby-advisory-db/gems/ruby-saml/CVE-2016-5697.yml

@@ -0,0 +1,17 @@
+---
+gem: ruby-saml
+cve: 2016-5697
+url: https://github.com/onelogin/ruby-saml/commit/a571f52171e6bfd87db59822d1d9e8c38fb3b995
+title: XML signature wrapping attack
+date: 2016-06-24
+description: |
+  ruby-saml prior to version 1.3.0 is vulnerable to an XML signature wrapping attack
+  in the specific scenario where there was a signature that referenced at the same time
+  2 elements (but past the scheme validator process since 1 of the element was inside
+  the encrypted assertion).
+
+  ruby-saml users must update to 1.3.0, which implements 3 extra validations to
+  mitigate this kind of attack.
+cvss_v3: 6.1
+patched_versions:
+  - ">= 1.3.0"

data/data/ruby-advisory-db/gems/rubyzip/CVE-2017-5946.yml

@@ -0,0 +1,14 @@
+---
+gem: rubyzip
+cve: 2017-5946
+url: https://github.com/rubyzip/rubyzip/issues/315
+title: Directory traversal vulnerability in rubyzip
+date: 2017-02-27
+description: |
+  The Zip::File component in the rubyzip gem before 1.2.1 for Ruby has a directory
+  traversal vulnerability. If a site allows uploading of .zip files, an attacker
+  can upload a malicious file that uses "../" pathname substrings to write arbitrary
+  files to the filesystem.
+cvss_v3: 6.1
+patched_versions:
+  - ">= 1.2.1"

data/data/ruby-advisory-db/gems/safemode/CVE-2016-3693.yml

@@ -0,0 +1,13 @@
+---
+gem: safemode
+cve: 2016-3693
+title: Safemode Gem for Ruby is vulnerable to information disclosure
+date: 2016-04-20
+url: http://seclists.org/oss-sec/2016/q2/119
+description: |
+  Safemode is initialised with an optional 'delegate' object.
+  If the delegated object is a Rails controller, 'inspect' could
+  be called which then exposes all informations about the App,
+  including routes, secret tokens, caches and so on.
+patched_versions:
+  - ">= 1.2.4"

data/data/ruby-advisory-db/gems/spina/CVE-2015-4619.yml

@@ -0,0 +1,16 @@
+---
+gem: spina
+cve: 2015-4619
+title: Cross-site request forgery (CSRF) vulnerability in Spina gem
+date: 2015-06-16
+url: http://www.openwall.com/lists/oss-security/2015/06/16/11
+
+description: >-
+  `Spina::ApplicationController` actions didn't have CSRF
+  protection. This causes a CSRF vulnerability across the
+  entire engine which includes administrative functionality
+  such as creating users, changing passwords,
+  and media management.
+
+patched_versions:
+  - ">= 0.6.29"

data/data/ruby-advisory-db/gems/twitter-bootstrap-rails/OSVDB-109206.yml

@@ -3,7 +3,7 @@ gem: twitter-bootstrap-rails
 framework: rails
 cve: 2014-4920
 osvdb: 109206
-url: http://blog.nvisium.com/2014/03/reflected-xss-vulnerability-in-twitter.html
+url: https://nvisium.com/blog/2014/03/28/reflected-xss-vulnerability-in-twitter/
 title: Reflective XSS Vulnerability in twitter-bootstrap-rails
 date: 2014-03-25
 

data/data/ruby-advisory-db/rubies/ruby/CVE-2015-1855.yml

@@ -0,0 +1,17 @@
+---
+engine: ruby
+cve: 2015-1855
+url: https://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/
+title: Ruby OpenSSL Hostname Verification
+date: 2015-04-13
+description: |
+  After reviewing RFC 6125 and RFC 5280, we found multiple violations of matching
+  hostnames and particularly wildcard certificates.
+  Ruby’s OpenSSL extension will now provide a string-based matching algorithm which
+  follows more strict behavior, as recommended by these RFCs. In particular,
+  matching of more than one wildcard per subject/SAN is no-longer allowed. As well,
+  comparison of these values is now case-insensitive.
+patched_versions:
+  - ~> 2.0.0.645
+  - ~> 2.1.6
+  - ">= 2.2.2"

data/data/ruby-advisory-db/rubies/ruby/CVE-2015-9096.yml

@@ -0,0 +1,19 @@
+---
+engine: ruby
+cve: 2015-9096
+url: https://hackerone.com/reports/137631
+title: SMTP command injection
+date: 2015-12-09
+description: |
+  Net::SMTP is vulnerable to SMTP command injection via CRLF sequences
+  in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences
+  immediately before and after a DATA substring.
+
+  Applications that validate email address format are not affected by this
+  vulnerability.
+
+  The injection attack is described in Terada, Takeshi. "SMTP Injection via
+  Recipient Email Addresses." 2015. The attacks described in the paper
+  (Terada, p. 4) can be applied to without any modification.
+patched_versions:
+  - ">= 2.4.0"

data/data/ruby-advisory-db/spec/advisory_example.rb

@@ -59,8 +59,8 @@ shared_examples_for 'Advisory' do |path|
     describe "osvdb" do
       subject { advisory['osvdb'] }
 
-      it "may be nil or a Fixnum" do
-        expect(subject).to be_kind_of(Fixnum).or(be_nil)
+      it "may be nil or a Integer" do
+        expect(subject).to be_kind_of(Integer).or(be_nil)
       end
 
        it "should be id in filename if filename is OSVDB-XXX" do
@@ -112,6 +112,21 @@ shared_examples_for 'Advisory' do |path|
       end
     end
 
+    describe "cvss_v3" do
+      subject { advisory['cvss_v3'] }
+
+      it "may be nil or a Float" do
+        expect(subject).to be_kind_of(Float).or(be_nil)
+      end
+
+      case advisory['cvss_v3']
+      when Float
+        context "when a Float" do
+          it { expect((0.0)..(10.0)).to include(subject) }
+        end
+      end
+    end
+
     describe "patched_versions" do
       subject { advisory['patched_versions'] }
 
@@ -124,7 +139,7 @@ shared_examples_for 'Advisory' do |path|
           advisory['patched_versions'].each do |version|
             describe version do
               subject { version.split(', ') }
-              
+
               it "should contain valid RubyGem version requirements" do
                 expect {
                 Gem::Requirement.new(*subject)
@@ -148,7 +163,7 @@ shared_examples_for 'Advisory' do |path|
         advisory['unaffected_versions'].each do |version|
           describe version do
             subject { version.split(', ') }
-            
+
             it "should contain valid RubyGem version requirements" do
               expect {
                 Gem::Requirement.new(*subject)

data/gemspec.yml

@@ -1,7 +1,7 @@
 name: bundler-audit
 summary: Patch-level verification for Bundler
 description: bundler-audit provides patch-level verification for Bundled apps.
-license: GPLv3
+license: GPL-3.0+
 authors: Postmodern
 email: postmodern.mod3@gmail.com
 homepage: https://github.com/rubysec/bundler-audit#readme

data/lib/bundler/audit/cli.rb

@@ -30,6 +30,7 @@ module Bundler
       map '--version' => :version
 
       desc 'check', 'Checks the Gemfile.lock for insecure dependencies'
+      method_option :quiet, :type => :boolean, :aliases => '-q'
       method_option :verbose, :type => :boolean, :aliases => '-v'
       method_option :ignore, :type => :array, :aliases => '-i'
       method_option :update, :type => :boolean, :aliases => '-u'
@@ -55,17 +56,19 @@ module Bundler
           say "Vulnerabilities found!", :red
           exit 1
         else
-          say "No vulnerabilities found", :green
+          say("No vulnerabilities found", :green) unless options.quiet?
         end
       end
 
       desc 'update', 'Updates the ruby-advisory-db'
+      method_option :quiet, :type => :boolean, :aliases => '-q'
+
       def update
-        say "Updating ruby-advisory-db ..."
+        say("Updating ruby-advisory-db ...") unless options.quiet?
 
-        case Database.update!
+        case Database.update!(quiet: options.quiet?)
         when true
-          say "Updated ruby-advisory-db", :green
+          say("Updated ruby-advisory-db", :green) unless options.quiet?
         when false
           say "Failed updating ruby-advisory-db!", :red
           exit 1
@@ -73,7 +76,9 @@ module Bundler
           say "Skipping update", :yellow
         end
 
-        puts "ruby-advisory-db: #{Database.new.size} advisories"
+        unless options.quiet?
+          puts("ruby-advisory-db: #{Database.new.size} advisories")
+        end
       end
 
       desc 'version', 'Prints the bundler-audit version'

data/lib/bundler/audit/database.rb

@@ -82,6 +82,9 @@ module Bundler
       #
       # Updates the ruby-advisory-db.
       #
+      # @param [Boolean, quiet]
+      #   Specify whether `git` should be `--quiet`.
+      #
       # @return [Boolean, nil]
       #   Specifies whether the update was successful.
       #   A `nil` indicates no update was performed.
@@ -91,15 +94,22 @@ module Bundler
       #
       # @since 0.3.0
       #
-      def self.update!
+      def self.update!(options={})
+        raise "Invalid option(s)" unless (options.keys - [:quiet]).empty?
         if File.directory?(USER_PATH)
           if File.directory?(File.join(USER_PATH, ".git"))
             Dir.chdir(USER_PATH) do
-              system 'git', 'pull', 'origin', 'master'
+              command = %w(git pull)
+              command << '--quiet' if options[:quiet]
+              command << 'origin' << 'master'
+              system *command
             end
           end
         else
-          system 'git', 'clone', URL, USER_PATH
+          command = %w(git clone)
+          command << '--quiet' if options[:quiet]
+          command << URL << USER_PATH
+          system *command
         end
       end
 

data/lib/bundler/audit/version.rb

@@ -18,6 +18,6 @@
 module Bundler
   module Audit
     # bundler-audit version
-    VERSION = '0.5.0'
+    VERSION = '0.6.0'
   end
 end

data/spec/bundle/secure/Gemfile

@@ -1,6 +1,6 @@
 source 'https://rubygems.org'
 
-gem 'rails', '~> 3.2.17'
+gem 'rails', '~> 4.2.7.1'
 
 # Bundle edge Rails instead:
 # gem 'rails', :git => 'git://github.com/rails/rails.git'