RubyGems - bundler-audit - Versions diffs - 0.6.1 → 0.7.0 - Mend

bundler-audit 0.6.1 → 0.7.0

Files changed (391) hide show

data/data/ruby-advisory-db/.gitignore DELETED

	@@ -1 +0,0 @@
1	- _site

data/data/ruby-advisory-db/.rspec DELETED

	@@ -1 +0,0 @@
1	- --colour

data/data/ruby-advisory-db/.travis.yml DELETED

@@ -1,12 +0,0 @@
-language: ruby
-sudo: false
-cache: bundler
-notifications:
-  irc: chat.freenode.net#rubysec
-env:
-  global:
-  - secure: ZXwsZdbCej15IcIazEIjy12o5v5EI8/Hle/VP1EabfbHsA5Mw+lrliMAV80C8Iy+p4mI66WIO/3Ovm64L1nGDBGs3dKUjtDvNPCKHlK2xK7AhvkcJnzbjWTAzWZY17STJO45DUdr/vuVbvQZ8llLosSOBs+grGsszCSEIOibqjU=

data/data/ruby-advisory-db/CONTRIBUTING.md DELETED

@@ -1,69 +0,0 @@
-# Contributing Guidelines
-* All text must be within 80 columns.
-* YAML must be indented by 2 spaces.
-* Have any questions? Feel free to open an issue.
-* Prior to submitting a pull request, run the tests:
-```
-bundle install
-bundle exec rspec
-```
-* Follow the schema. Here is an example advisory:
-```yaml
-    ---
-    gem: examplegem
-    cve: 2013-0156
-    url: https://github.com/rubysec/ruby-advisory-db/issues/123456
-    title: |
-      Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing
-      Remote Code Execution
-    description: |
-      Ruby on Rails contains a flaw in params_parser.rb of the Action Pack.
-      The issue is triggered when a type casting error occurs during the parsing
-      of parameters. This may allow a remote attacker to potentially execute
-      arbitrary code.
-    cvss_v2: 10.0
-    patched_versions:
-      - ~> 2.3.15
-      - ~> 3.0.19
-      - ~> 3.1.10
-      - ">= 3.2.11"
-    unaffected_versions:
-      - ~> 2.4.3
-    related:
-      cve:
-        - 2013-1234567
-        - 2013-1234568
-      url:
-        - https://github.com/rubysec/ruby-advisory-db/issues/123457
-```
-### Schema
-* `gem` \[String\]: Name of the affected gem.
-* `framework` \[String\] (optional): Name of framework gem belongs to.
-* `platform` \[String\] (optional): If this vulnerability is platform-specific, name of platform this vulnerability affects (e.g. JRuby)
-* `cve` \[String\]: CVE id.
-* `osvdb` \[Integer\]: OSVDB id.
-* `url` \[String\]: The URL to the full advisory.
-* `title` \[String\]: The title of the advisory.
-* `date` \[Date\]: Disclosure date of the advisory.
-* `description` \[String\]: Multi-paragraph description of the vulnerability.
-* `cvss_v2` \[Float\]: The [CVSSv2] score for the vulnerability.
-* `cvss_v3` \[Float\]: The [CVSSv3] score for the vulnerability.
-* `unaffected_versions` \[Array\<String\>\] (optional): The version requirements for the
-  unaffected versions of the Ruby library.
-* `patched_versions` \[Array\<String\>\]: The version requirements for the
-  patched versions of the Ruby library.
-* `related` \[Hash\<Array\<String\>\>\]: Sometimes an advisory references many urls and cves. Supported keys: `cve` and `url`
-[CVSSv2]: https://www.first.org/cvss/v2/guide
-[CVSSv3]: https://www.first.org/cvss/user-guide

data/data/ruby-advisory-db/CONTRIBUTORS.md DELETED

@@ -1,40 +0,0 @@
-### Acknowledgements
-This database would not be possible without volunteers willing to submit pull requests. In no particular order, we'd like to thank:
-* [Postmodern](https://github.com/postmodern/)
-* [Max Veytsman](https://twitter.com/mveytsman)
-* [Pietro Monteiro](https://github.com/pietro)
-* [Eric Hodel](https://github.com/drbrain)
-* [Brendon Murphy](https://github.com/bemurphy)
-* [Oliver Legg](https://github.com/olly)
-* [Larry W. Cashdollar](http://vapid.dhs.org/)
-* [Michael Grosser](https://github.com/grosser)
-* [Sascha Korth](https://github.com/skorth)
-* [David Radcliffe](https://github.com/dwradcliffe)
-* [Jörg Schiller](https://github.com/joergschiller)
-* [Derek Prior](https://github.com/derekprior)
-* [Joel Chippindale](https://github.com/mocoso)
-* [Josef Šimánek](https://github.com/simi)
-* [Amiel Martin](https://github.com/amiel)
-* [Jeremy Olliver](https://github.com/jeremyolliver)
-* [Vasily Vasinov](https://github.com/vasinov)
-* [Phill MV](https://twitter.com/phillmv)
-* [Jon Kessler](https://github.com/jonkessler)
-* [James Harton](https://github.com/jamesotron)
-* [Justin Collins](https://github.com/presidentbeef)
-* [Andy Brody](https://github.com/ab)
-* [Alexey Zapparov](https://github.com/ixti)
-* [Toni Reina](https://github.com/areina)
-* [Bernard Lambeau](https://github.com/blambeau)
-* [Don Morrison](https://github.com/elskwid)
-* [John Poulin](https://github.com/forced-request)
-* [Neal Harris](https://github.com/nealharris)
-* [Justin Bull](https://github.com/f3ndot)
-* [Andrew Selder](https://github.com/aselder)
-* [Vanessa Henderson](https://github.com/VanessaHenderson)
-* [Reed Loden](https://github.com/reedloden)
-* [ecneladis](https://github.com/ecneladis)
-* [Brendan Coles](https://github.com/bcoles)
-The rubysec.com domain was graciously donated by [Jordi Massaguer](https://github.com/jordimassaguerpla).

data/data/ruby-advisory-db/Gemfile DELETED

@@ -1,9 +0,0 @@
-source 'https://rubygems.org'
-gem 'rspec'
-gem 'rake'
-group :development do
-  gem 'pry'
-  gem 'nokogiri'
-end

data/data/ruby-advisory-db/LICENSE.txt DELETED

@@ -1,5 +0,0 @@
-If you submit code or data to the ruby-advisory-db that is copyrighted by yourself, upon submission you hereby agree to release it into the public domain.
-However, not all of the ruby-advisory-db can be considered public domain. The ruby-advisory-db may contain some information copyrighted by the Open Source Vulnerability Database (http://osvdb.org). If you use ruby-advisory-db data to build a product or a service, it is your responsibility to familiarize yourself with the terms of their license: http://www.osvdb.org/osvdb_license
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/data/ruby-advisory-db/README.md DELETED

@@ -1,99 +0,0 @@
-# Ruby Advisory Database
-The Ruby Advisory Database is a community effort to compile all security advisories that are relevant to Ruby libraries.
-You can check your own Gemfile.locks against this database by using [bundler-audit](https://github.com/rubysec/bundler-audit).
-## Support Ruby security!
-Do you know about a vulnerability that isn't listed in this database? Open an issue, submit a PR, or [use this form](https://rubysec.com/advisories/new) which will email the maintainers.
-## Directory Structure
-The database is a list of directories that match the names of Ruby libraries on
-[rubygems.org]. Within each directory are one or more advisory files
-for the Ruby library. These advisory files are named using
-the advisories' [CVE] identifier number.
-    gems/:
-      actionpack/:
-        CVE-2014-0130.yml  CVE-2014-7818.yml  CVE-2014-7829.yml  CVE-2015-7576.yml
-        CVE-2015-7581.yml  CVE-2016-0751.yml  CVE-2016-0752.yml
-## Format
-Each advisory file contains the advisory information in [YAML] format:
-    ---
-    gem: examplegem
-    cve: 2013-0156
-    url: https://github.com/rubysec/ruby-advisory-db/issues/123456
-    title: |
-      Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing
-      Remote Code Execution
-    description: |
-      Ruby on Rails contains a flaw in params_parser.rb of the Action Pack.
-      The issue is triggered when a type casting error occurs during the parsing
-      of parameters. This may allow a remote attacker to potentially execute
-      arbitrary code.
-    cvss_v2: 10.0
-    patched_versions:
-      - ~> 2.3.15
-      - ~> 3.0.19
-      - ~> 3.1.10
-      - ">= 3.2.11"
-    unaffected_versions:
-      - ~> 2.4.3
-    related:
-      cve:
-        - 2013-1234567
-        - 2013-1234568
-      url:
-        - https://github.com/rubysec/ruby-advisory-db/issues/123457
-### Schema
-* `gem` \[String\]: Name of the affected gem.
-* `framework` \[String\] (optional): Name of framework gem belongs to.
-* `platform` \[String\] (optional): If this vulnerability is platform-specific, name of platform this vulnerability affects (e.g. JRuby)
-* `cve` \[String\]: CVE id.
-* `osvdb` \[Integer\]: OSVDB id.
-* `url` \[String\]: The URL to the full advisory.
-* `title` \[String\]: The title of the advisory.
-* `date` \[Date\]: Disclosure date of the advisory.
-* `description` \[String\]: Multi-paragraph description of the vulnerability.
-* `cvss_v2` \[Float\]: The [CVSSv2] score for the vulnerability.
-* `cvss_v3` \[Float\]: The [CVSSv3] score for the vulnerability.
-* `unaffected_versions` \[Array\<String\>\] (optional): The version requirements for the
-  unaffected versions of the Ruby library.
-* `patched_versions` \[Array\<String\>\]: The version requirements for the
-  patched versions of the Ruby library.
-* `related` \[Hash\<Array\<String\>\>\]: Sometimes an advisory references many urls and cves. Supported keys: `cve` and `url`
-### Tests
-Prior to submitting a pull request, run the tests:
-```
-bundle install
-bundle exec rspec
-```
-## Credits
-Please see [CONTRIBUTORS.md].
-This database also includes data from the [Open Source Vulnerability Database][OSVDB]
-developed by the Open Security Foundation (OSF) and its contributors.
-[rubygems.org]: https://rubygems.org/
-[CVE]: http://cve.mitre.org/
-[OSVDB]: http://www.osvdb.org/
-[CVSSv2]: https://www.first.org/cvss/v2/guide
-[CVSSv3]: https://www.first.org/cvss/user-guide
-[YAML]: http://www.yaml.org/
-[CONTRIBUTORS.md]: https://github.com/rubysec/ruby-advisory-db/blob/master/CONTRIBUTORS.md

data/data/ruby-advisory-db/Rakefile DELETED

@@ -1,26 +0,0 @@
-require 'yaml'
-namespace :lint do
-  begin
-    require 'rspec/core/rake_task'
-    RSpec::Core::RakeTask.new(:yaml)
-  rescue LoadError => e
-    task :spec do
-      abort "Please run `gem install rspec` to install RSpec."
-    end
-  end
-  task :cve do
-    Dir.glob('{gems,libraries,rubies}/*/*.yml') do |path|
-      advisory = YAML.load_file(path)
-      unless advisory['cve']
-        puts "Missing CVE: #{path}"
-      end
-    end
-  end
-end
-task :lint    => ['lint:yaml', 'lint:cve']
-task :default => :lint

data/data/ruby-advisory-db/gems/Arabic-Prawn/OSVDB-104365.yml DELETED

@@ -1,12 +0,0 @@
----
-gem: Arabic-Prawn
-cve: 2014-2322
-osvdb: 104365
-url: http://osvdb.org/show/osvdb/104365
-title: Arabic Prawn Gem for Ruby lib/string_utf_support.rb User Input Handling Remote Command Injection
-date: 2014-03-10
-description: |
-  Arabic Prawn Gem for Ruby contains a flaw in the lib/string_utf_support.rb
-  file. The issue is due to the program failing to sanitize user input. This may
-  allow a remote attacker to inject arbitrary commands.
-cvss_v2: 7.5

data/data/ruby-advisory-db/gems/RedCloth/CVE-2012-6684.yml DELETED

@@ -1,21 +0,0 @@
----
-gem: RedCloth
-cve: 2012-6684
-osvdb: 115941
-url: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6684
-title: RedCloth Gem for Ruby Textile Link Parsing XSS
-date: 2012-02-29
-description: |
-  RedCloth Gem for Ruby contains a flaw that allows a cross-site scripting (XSS)
-  attack. This flaw exists because the program does not validate input when
-  parsing textile links before returning it to users. This may allow a remote
-  attacker to create a specially crafted request that would execute arbitrary
-  script code in a user's browser session within the trust relationship between
-  their browser and the server.
-cvss_v2: 4.3
-patched_versions:
-  - ">= 4.3.0"
-related:
-  url:
-    - https://github.com/jgarber/redcloth/commit/2f6dab4d6aea5cee778d2f37a135637fe3f1573c
-    - http://co3k.org/blog/redcloth-unfixed-xss-en

data/data/ruby-advisory-db/gems/VladTheEnterprising/CVE-2014-4995.yml DELETED

@@ -1,13 +0,0 @@
----
-gem: VladTheEnterprising
-cve: 2014-4995
-osvdb: 108728
-url: http://www.osvdb.org/show/osvdb/108728
-title: VladTheEnterprising Gem for Ruby /tmp/my.cnf.#{target_host} Symlink Multiple Impact
-date: 2014-06-30
-description: |
-  VladTheEnterprising Gem for Ruby contains a flaw as the program creates
-  temporary files insecurely. It is possible for a local attacker to use
-  a symlink attack against the /tmp/my.cnf.#{target_host} file they can
-  overwrite arbitrary files, gain access to the MySQL root password,
-  or inject arbitrary commands.

data/data/ruby-advisory-db/gems/VladTheEnterprising/CVE-2014-4996.yml DELETED

@@ -1,13 +0,0 @@
----
-gem: VladTheEnterprising
-cve: 2014-4996
-osvdb: 108728
-url: http://www.osvdb.org/show/osvdb/108728
-title: VladTheEnterprising Gem for Ruby /tmp/my.cnf.#{target_host} Symlink Multiple Impact
-date: 2014-06-30
-description: |
-  VladTheEnterprising Gem for Ruby contains a flaw as the program creates
-  temporary files insecurely. It is possible for a local attacker to use
-  a symlink attack against the /tmp/my.cnf.#{target_host} file they can
-  overwrite arbitrary files, gain access to the MySQL root password,
-  or inject arbitrary commands.

data/data/ruby-advisory-db/gems/actionmailer/OSVDB-98629.yml DELETED

@@ -1,17 +0,0 @@
----
-gem: actionmailer
-cve: 2013-4389
-osvdb: 98629
-url: http://www.osvdb.org/show/osvdb/98629
-title: Action Mailer Gem for Ruby contains a possible DoS Vulnerability
-date: 2013-10-16
-description: Action Mailer Gem for Ruby contains a format string flaw in
-  the Log Subscriber component. The issue is triggered as format string
-  specifiers (e.g. %s and %x) are not properly sanitized in user-supplied
-  input when handling email addresses. This may allow a remote attacker
-  to cause a denial of service
-cvss_v2: 4.3
-unaffected_versions:
-  - ~> 2.3.2
-patched_versions:
-  - '>= 3.2.15'

data/data/ruby-advisory-db/gems/actionpack/CVE-2014-0130.yml DELETED

@@ -1,23 +0,0 @@
----
-gem: actionpack
-framework: rails
-cve: 2014-0130
-url: https://groups.google.com/forum/#!topic/rubyonrails-security/NkKc7vTW70o
-title: Directory Traversal Vulnerability With Certain Route Configurations
-date: 2014-05-06
-description: |
-  There is a vulnerability in the 'implicit render'
-  functionality in Ruby on Rails.The implicit render functionality
-  allows controllers to render a template, even if there is no
-  explicit action with the corresponding name.  This module does not
-  perform adequate input sanitization which could allow an attacker to
-  use a specially crafted request to retrieve arbitrary files from the
-  rails application server.
-cvss_v2: 4.3
-patched_versions:
-  - ~> 3.2.18
-  - ~> 4.0.5
-  - ">= 4.1.1"

data/data/ruby-advisory-db/gems/actionpack/CVE-2014-7818.yml DELETED

@@ -1,24 +0,0 @@
----
-gem: actionpack
-framework: rails
-cve: 2014-7818
-url: https://groups.google.com/forum/#!topic/rubyonrails-security/dCp7duBiQgo
-title: Arbitrary file existence disclosure in Action Pack
-date: 2014-10-30
-description: |
-  Specially crafted requests can be used to determine whether a file exists on
-  the filesystem that is outside the Rails application's root directory.  The
-  files will not be served, but attackers can determine whether or not the file
-  exists.
-cvss_v2: 4.3
-unaffected_versions:
-  - "< 3.0.0"
-patched_versions:
-  - ~> 3.2.20
-  - ~> 4.0.11
-  - ~> 4.1.7
-  - ">= 4.2.0.beta3"

data/data/ruby-advisory-db/gems/actionpack/CVE-2014-7829.yml DELETED

@@ -1,26 +0,0 @@
----
-gem: actionpack
-framework: rails
-cve: 2014-7829
-url: https://groups.google.com/forum/#!topic/rubyonrails-security/rMTQy4oRCGk
-title: Arbitrary file existence disclosure in Action Pack
-date: 2014-11-17
-description: |
-  Specially crafted requests can be used to determine whether a file exists on
-  the filesystem that is outside the Rails application's root directory.  The
-  files will not be served, but attackers can determine whether or not the file
-  exists.  This vulnerability is very similar to CVE-2014-7818, but the
-  specially crafted string is slightly different.
-cvss_v2: 5.0
-unaffected_versions:
-  - "< 3.0.0"
-patched_versions:
-  - ~> 3.2.21
-  - ~> 4.0.11.1
-  - ~> 4.0.12
-  - ~> 4.1.7.1
-  - ">= 4.1.8"

data/data/ruby-advisory-db/gems/actionpack/CVE-2015-7576.yml DELETED

@@ -1,116 +0,0 @@
----
-gem: actionpack
-framework: rails
-cve: 2015-7576
-date: 2016-01-25
-url: "https://groups.google.com/forum/#!topic/rubyonrails-security/ANv0HDHEC3k"
-title: Timing attack vulnerability in basic authentication in Action Controller.
-description: |
-    There is a timing attack vulnerability in the basic authentication support
-    in Action Controller. This vulnerability has been assigned the CVE
-    identifier CVE-2015-7576.
-    Versions Affected:  All.
-    Not affected:       None.
-    Fixed Versions:     5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1
-    Impact
-    ------
-    Due to the way that Action Controller compares user names and passwords in
-    basic authentication authorization code, it is possible for an attacker to
-    analyze the time taken by a response and intuit the password.
-    For example, this string comparison:
-      "foo" == "bar"
-    is possibly faster than this comparison:
-      "foo" == "fo1"
-    Attackers can use this information to attempt to guess the username and
-    password used in the basic authentication system.
-    You can tell you application is vulnerable to this attack by looking for
-    `http_basic_authenticate_with` method calls in your application.
-    All users running an affected release should either upgrade or use one of
-    the workarounds immediately.
-    Releases
-    --------
-    The FIXED releases are available at the normal locations.
-    Workarounds
-    -----------
-    If you can't upgrade, please use the following monkey patch in an initializer
-    that is loaded before your application:
-    ```
-    $ cat config/initializers/basic_auth_fix.rb
-    module ActiveSupport
-      module SecurityUtils
-        def secure_compare(a, b)
-          return false unless a.bytesize == b.bytesize
-          l = a.unpack "C#{a.bytesize}"
-          res = 0
-          b.each_byte { |byte| res |= byte ^ l.shift }
-          res == 0
-        end
-        module_function :secure_compare
-        def variable_size_secure_compare(a, b)
-          secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b))
-        end
-        module_function :variable_size_secure_compare
-      end
-    end
-    module ActionController
-      class Base
-        def self.http_basic_authenticate_with(options = {})
-          before_action(options.except(:name, :password, :realm)) do
-            authenticate_or_request_with_http_basic(options[:realm] || "Application") do |name, password|
-              # This comparison uses & so that it doesn't short circuit and
-              # uses `variable_size_secure_compare` so that length information
-              # isn't leaked.
-              ActiveSupport::SecurityUtils.variable_size_secure_compare(name, options[:name]) &
-                ActiveSupport::SecurityUtils.variable_size_secure_compare(password, options[:password])
-            end
-          end
-        end
-      end
-    end
-    ```
-    Patches
-    -------
-    To aid users who aren't able to upgrade immediately we have provided patches for
-    the two supported release series. They are in git-am format and consist of a
-    single changeset.
-    * 4-1-basic_auth.patch - Patch for 4.1 series
-    * 4-2-basic_auth.patch - Patch for 4.2 series
-    * 5-0-basic_auth.patch - Patch for 5.0 series
-    Please note that only the 4.1.x and 4.2.x series are supported at present. Users
-    of earlier unsupported releases are advised to upgrade as soon as possible as we
-    cannot guarantee the continued availability of security fixes for unsupported
-    releases.
-    Credits
-    -------
-    Thank you to Daniel Waterworth for reporting the problem and working with us to
-    fix it.
-patched_versions:
-  - ">= 5.0.0.beta1.1"
-  - "~> 4.2.5, >= 4.2.5.1"
-  - "~> 4.1.14, >= 4.1.14.1"
-  - "~> 3.2.22.1"