bundler-audit 0.1.2 → 0.2.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 0a34b6a79c055b51422c7c3225428947ca6b587e
+  data.tar.gz: 724414726507e87d679a561759e9dcbdd90aecfc
+SHA512:
+  metadata.gz: b3c59aadb9c0f2ed1b8d3a91bf6866e54295ed78105531ff1362c5ef65f264ac02699c53d3e8e3d08f025ebc9e38ef5917de4fa9906b66e2e209131a14665e42
+  data.tar.gz: f82127fe64b6bb856483ee82f5ab642fee371d4c84695e05beef44414857e4c95dd7f5a1e27244af9b2c81e9364a16027bb333ab123a547ab1a9bf6654a5f3df

data/.gitignore

@@ -2,4 +2,4 @@ Gemfile.lock
 doc/
 pkg/
 spec/bundle/*/Gemfile.lock
-vendor/cache/*.gem
+vendor/bundle/

data/ChangeLog.md

@@ -1,3 +1,13 @@
+### 0.2.0 / 2013-03-05
+
+* Require RubyGems >= 1.8.0. Prior versions of RubyGems could not correctly
+  parse approximate version requirements (`~> 1.2.3`).
+* Updated the [ruby-advisory-db].
+* Added {Bundle::Audit::Advisory#unaffected_versions}.
+* Added {Bundle::Audit::Advisory#unaffected?}.
+* Added {Bundle::Audit::Advisory#patched?}.
+* Renamed `Advisory#cve` to {Bundle::Audit::Advisory#id}.
+
 ### 0.1.2 / 2013-02-17
 
 * Require [bundler] ~> 1.2.

data/Gemfile

@@ -1,4 +1,4 @@
-source :rubygems
+source 'https://rubygems.org/'
 
 gemspec
 

data/README.md

@@ -1,11 +1,11 @@
 # bundler-audit
 
-* [Homepage](https://github.com/postmodern/bundler-audit#readme)
-* [Issues](https://github.com/postmodern/bundler-audit/issues)
+* [Homepage](https://github.com/rubysec/bundler-audit#readme)
+* [Issues](https://github.com/rubysec/bundler-audit/issues)
 * [Documentation](http://rubydoc.info/gems/bundler-audit/frames)
-* [Email](mailto:postmodern.mod3 at gmail.com)
-* [![Build Status](https://travis-ci.org/postmodern/bundler-audit.png)](https://travis-ci.org/postmodern/bundler-audit)
-
+* [Email](mailto:rubysec.mod3 at gmail.com)
+* [![Build Status](https://travis-ci.org/rubysec/bundler-audit.png)](https://travis-ci.org/rubysec/bundler-audit)
+* [![Code Climate](https://codeclimate.com/github/rubysec/bundler-audit.png)](https://codeclimate.com/github/rubysec/bundler-audit)
 
 ## Description
 
@@ -14,6 +14,8 @@ Patch-level verification for [Bundler][bundler].
 ## Features
 
 * Checks for vulnerable versions of gems in `Gemfile.lock`.
+* Checks for insecure gem sources (`http://`).
+* Allows ignoring certain advisories that have been manually worked around.
 * Prints advisory information.
 * Does not require a network connection.
 
@@ -21,47 +23,61 @@ Patch-level verification for [Bundler][bundler].
 
 Audit a projects `Gemfile.lock`:
 
-    $ bundle-audit
-    Name: rack
-    Version: 1.4.4
-    CVE: 2013-0263
-    Criticality: High
-    URL: http://osvdb.org/show/osvdb/89939
-    Title: Rack Rack::Session::Cookie Function Timing Attack Remote Code Execution 
-    Patched Versions: ~> 1.1.6, ~> 1.2.8, ~> 1.3.10, ~> 1.4.5, >= 1.5.2
+    Name: actionpack
+    Version: 3.2.10
+    Advisory: OSVDB-91452
+    Criticality: Medium
+    URL: http://www.osvdb.org/show/osvdb/91452
+    Title: XSS vulnerability in sanitize_css in Action Pack
+    Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
     
-    Name: json
-    Version: 1.7.6
-    CVE: 2013-0269
-    Criticality: High
-    URL: http://direct.osvdb.org/show/osvdb/90074
-    Title: Ruby on Rails JSON Gem Arbitrary Symbol Creation Remote DoS
-    Patched Versions: ~> 1.5.4, ~> 1.6.7, >= 1.7.7
+    Name: actionpack
+    Version: 3.2.10
+    Advisory: OSVDB-91454
+    Criticality: Medium
+    URL: http://osvdb.org/show/osvdb/91454
+    Title: XSS Vulnerability in the `sanitize` helper of Ruby on Rails
+    Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
     
-    Name: rails
+    Name: actionpack
     Version: 3.2.10
-    CVE: 2013-0155
+    Advisory: OSVDB-89026
     Criticality: High
-    URL: http://osvdb.org/show/osvdb/89025
-    Title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass 
-    Patched Versions: ~> 3.0.19, ~> 3.1.10, >= 3.2.11
+    URL: http://osvdb.org/show/osvdb/89026
+    Title: Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing Remote Code Execution
+    Solution: upgrade to ~> 2.3.15, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
     
-    Name: rails
+    Name: activerecord
     Version: 3.2.10
-    CVE: 2013-0156
+    Advisory: OSVDB-91453
     Criticality: High
-    URL: http://osvdb.org/show/osvdb/89026
-    Title: Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing
-    Remote Code Execution 
-    Patched Versions: ~> 2.3.15, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
+    URL: http://osvdb.org/show/osvdb/91453
+    Title: Symbol DoS vulnerability in Active Record
+    Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
     
-    Name: rails
+    Name: activerecord
     Version: 3.2.10
-    CVE: 2013-0276
+    Advisory: OSVDB-90072
     Criticality: Medium
     URL: http://direct.osvdb.org/show/osvdb/90072
     Title: Ruby on Rails Active Record attr_protected Method Bypass
-    Patched Versions: ~> 2.3.17, ~> 3.1.11, >= 3.2.12
+    Solution: upgrade to ~> 2.3.17, ~> 3.1.11, >= 3.2.12
+    
+    Name: activerecord
+    Version: 3.2.10
+    Advisory: OSVDB-89025
+    Criticality: High
+    URL: http://osvdb.org/show/osvdb/89025
+    Title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass
+    Solution: upgrade to ~> 2.3.16, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
+    
+    Name: activesupport
+    Version: 3.2.10
+    Advisory: OSVDB-91451
+    Criticality: High
+    URL: http://www.osvdb.org/show/osvdb/91451
+    Title: XML Parsing Vulnerability affecting JRuby users
+    Solution: upgrade to ~> 3.1.12, >= 3.2.13
     
     Unpatched versions found!
 

data/Rakefile

@@ -23,13 +23,26 @@ require 'rake'
 require 'rubygems/tasks'
 Gem::Tasks.new
 
+desc 'Updates data/ruby-advisory-db'
+task :update do
+  chdir 'data/ruby-advisory-db' do
+    sh 'git', 'pull', 'origin', 'master'
+  end
+
+  sh 'git', 'commit', 'data/ruby-advisory-db', '-m', 'Updated ruby-advisory-db'
+end
+
 require 'rspec/core/rake_task'
 RSpec::Core::RakeTask.new
 
 namespace :spec do
   task :bundle do
-    %w[spec/bundle/vuln spec/bundle/secure].each do |path|
-      chdir(path) { sh 'bundle', 'install', '--quiet' }
+    root = 'spec/bundle'
+
+    %w[secure unpatched_gems insecure_sources].each do |bundle|
+      chdir(File.join(root,bundle)) do
+        sh 'BUNDLE_BIN_PATH="" BUNDLE_GEMFILE="" RUBYOPT="" bundle install --path ../../../vendor/bundle'
+      end
     end
   end
 end

data/data/ruby-advisory-db/CONTRIBUTING.md

@@ -0,0 +1,6 @@
+# Contributing Guidelines
+
+## Style
+
+1. All text must be within 80 columns.
+2. YAML must be indented by 2 spaces.

data/data/ruby-advisory-db/CONTRIBUTORS.md

@@ -0,0 +1,13 @@
+### Acknowledgements
+
+This database would not be possible without volunteers willing to submit pull requests.
+
+Thanks,
+* [Postmodern](https://github.com/postmodern/)
+* [Max Veytsman](https://twitter.com/mveytsman)
+* [Pietro Monteiro](https://github.com/pietro)
+* [Eric Hodel](https://github.com/drbrain)
+* [Brendon Murphy](https://github.com/bemurphy)
+* [Oliver Legg](https://github.com/olly)
+* [Larry W. Cashdollar](http://vapid.dhs.org/)
+* [Michael Grosser](https://github.com/grosser)

data/data/ruby-advisory-db/Gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+gem 'pry'
+gem 'mechanize'

data/data/ruby-advisory-db/LICENSE.txt

@@ -0,0 +1,5 @@
+If you submit code or data to the ruby-advisory-db that is copyrighted by yourself, upon submission you hereby agree to release it into the public domain.
+
+However, not all of the ruby-advisory-db can be considered public domain. The ruby-advisory-db may contain some information copyrighted by the Open Source Vulnerability Database (http://osvdb.org). If you use ruby-advisory-db data to build a product or a service, it is your responsibility to familiarize yourself with the terms of their license: http://www.osvdb.org/osvdb_license
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/data/ruby-advisory-db/README.md

@@ -1,6 +1,13 @@
 # Ruby Advisory Database
 
-The Ruby advisory database seeks to compile all advisories relevant to Ruby libraries.
+The Ruby Advisory Database aims to compile all advisories that are relevant to Ruby libraries.
+
+## Goals
+
+1. Provide advisory **metadata** in a **simple** yet **structured** [YAML]
+   schema for automated tools to consume.
+2. Avoid reinventing [CVE]s.
+3. Avoid duplicating the efforts of the [OSVDB].
 
 ## Directory Structure
 
@@ -10,17 +17,22 @@ for the Ruby library. These advisory files are typically named using
 the advisories [CVE] identifier number.
 
     gems/:
-      rails/:
-        2012-1098.yml  2012-2660.yml  2012-2661.yml  2012-3463.yml
+      actionpack/:
+        CVE-2012-1099.yml  CVE-2012-3463.yml  CVE-2013-0156.yml
+        CVE-2013-1857.yml  CVE-2012-3424.yml  CVE-2012-3465.yml
+        CVE-2013-1855.yml
 
 If an advisory does not yet have a [CVE], [requesting a CVE][1] is easy.
+
 ## Format
 
 Each advisory file contains the advisory information in [YAML] format:
 
     ---
-    gem: rails
+    gem: actionpack
+    framework: rails
     cve: 2013-0156
+    osvdb: 89026
     url: http://osvdb.org/show/osvdb/89026
     title: |
       Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing
@@ -43,22 +55,32 @@ Each advisory file contains the advisory information in [YAML] format:
 ### Schema
 
 * `gem` \[String\]: Name of the affected gem.
-* `cve` \[String\]: CVE id
+* `framework` \[String\] (optional): Name of framework gem belongs to.
+* `platform` \[String\] (optional): If this vulnerability is platform-specific, name of platform this vulnerability affects (e.g. JRuby)
+* `cve` \[String\]: CVE id.
+* `osvdb` \[Fixnum\]: OSVDB id.
 * `url` \[String\]: The URL to the full advisory.
 * `title` \[String\]: The title of the advisory.
+* `date` \[Date\]: Disclosure date of the advisory.
 * `description` \[String\]: Multi-paragraph description of the vulnerability.
 * `cvss_v2` \[Float\]: The [CVSSv2] score for the vulnerability.
+* `unaffected_versions` \[Array\<String\>\] (optional): The version requirements for the
+  unaffected versions of the Ruby library.
 * `patched_versions` \[Array\<String\>\]: The version requirements for the
   patched versions of the Ruby library.
 
 ## Credits
 
-* [Postmodern](https://github.com/postmodern/)
-* [Max Veytsman](https://twitter.com/mveytsman)
+Please see [CONTRIBUTORS.md].
+
+This database also includes data from the [Open Source Vulnerability Database][OSVDB]
+developed by the Open Security Foundation (OSF) and its contributors.
 
 [rubygems.org]: https://rubygems.org/
 [CVE]: http://cve.mitre.org/
 [CVSSv2]: http://www.first.org/cvss/cvss-guide.html
+[OSVDB]: http://www.osvdb.org/
 [YAML]: http://www.yaml.org/
+[CONTRIBUTORS.md]: https://github.com/rubysec/ruby-advisory-db/blob/master/CONTRIBUTORS.md
 
 [1]: http://people.redhat.com/kseifrie/CVE-OpenSource-Request-HOWTO.html

data/data/ruby-advisory-db/Rakefile

@@ -0,0 +1,27 @@
+require 'yaml'
+
+namespace :lint do
+  begin
+    gem 'rspec', '~> 2.4'
+    require 'rspec/core/rake_task'
+
+    RSpec::Core::RakeTask.new(:yaml)
+  rescue LoadError => e
+    task :spec do
+      abort "Please run `gem install rspec` to install RSpec."
+    end
+  end
+
+  task :cve do
+    Dir.glob('gems/*/*.yml') do |path|
+      advisory = YAML.load_file(path)
+
+      unless advisory['cve']
+        puts "Missing CVE: #{path}"
+      end
+    end
+  end
+end
+
+task :lint    => ['lint:yaml', 'lint:cve']
+task :default => :lint

data/data/ruby-advisory-db/gems/actionpack/{2012-1099.yml → OSVDB-79727.yml}

@@ -1,10 +1,13 @@
 --- 
 gem: actionpack
+framework: rails
 cve: 2012-1099
+osvdb: 79727
 url: http://www.osvdb.org/show/osvdb/79727
 title:
   Ruby on Rails actionpack/lib/action_view/helpers/form_options_helper.rb
   Manually Generated Select Tag Options XSS
+date: 2012-03-01
 
 description: |
   Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS) 

data/data/ruby-advisory-db/gems/actionpack/{2012-3424.yml → OSVDB-84243.yml}

@@ -1,10 +1,13 @@
 --- 
 gem: actionpack
+framework: rails
 cve: 2012-3424
+osvdb: 84243
 url: http://www.osvdb.org/show/osvdb/84243
 title: 
   Ruby on Rails actionpack/lib/action_controller/metal/http_authentication.rb
   with_http_digest Helper Method Remote DoS
+date: 2012-07-26
 
 description: |
   Ruby on Rails contains a flaw that may allow a remote denial of service.
@@ -15,7 +18,11 @@ description: |
 
 cvss_v2: 4.3
 
+unaffected_versions:
+  - ">= 2.3.5, <= 2.3.14"
+
 patched_versions: 
   - ~> 3.0.16
   - ~> 3.1.7
   - ">= 3.2.7"
+

data/data/ruby-advisory-db/gems/actionpack/{2012-3465.yml → OSVDB-84513.yml}

@@ -1,8 +1,11 @@
 --- 
 gem: actionpack
+framework: rails
 cve: 2012-3465
+osvdb: 84513
 url: http://www.osvdb.org/show/osvdb/84513
 title: Ruby on Rails strip_tags Helper Method XSS
+date: 2012-08-09
 
 description: |
   Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS)

data/data/ruby-advisory-db/gems/actionpack/{2012-3463.yml → OSVDB-84515.yml}

@@ -1,8 +1,11 @@
 --- 
 gem: actionpack
+framework: rails
 cve: 2012-3463
+osvdb: 84515
 url: http://osvdb.org/84515
 title: Ruby on Rails select_tag Helper Method prompt Value XSS
+date: 2012-08-09
 
 description: |
   Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS)
@@ -14,6 +17,9 @@ description: |
 
 cvss_v2: 4.3
 
+unaffected_versions:
+  - ~> 2.3.0
+
 patched_versions: 
   - ~> 3.0.17
   - ~> 3.1.8

data/data/ruby-advisory-db/gems/actionpack/{2013-0156.yml → OSVDB-89026.yml}

@@ -1,10 +1,13 @@
 --- 
 gem: actionpack
+framework: rails
 cve: 2013-0156
+osvdb: 89026
 url: http://osvdb.org/show/osvdb/89026
 title:
   Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing
   Remote Code Execution 
+date: 2013-01-08
 
 description: |
   Ruby on Rails contains a flaw in params_parser.rb of the Action Pack.

data/data/ruby-advisory-db/gems/actionpack/OSVDB-91452.yml

@@ -0,0 +1,20 @@
+--- 
+gem: actionpack
+framework: rails
+cve: 2013-1855
+osvdb: 91452
+url: http://www.osvdb.org/show/osvdb/91452
+title: XSS vulnerability in sanitize_css in Action Pack
+date: 2013-03-19
+
+description: | 
+  There is an XSS vulnerability in the `sanitize_css` method in Action
+  Pack. Carefully crafted text can bypass the sanitization provided in
+  the `sanitize_css` method in Action Pack
+
+cvss_v2: 4.0
+
+patched_versions: 
+  - ~> 2.3.18
+  - ~> 3.1.12
+  - ">= 3.2.13"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-91454.yml

@@ -0,0 +1,23 @@
+--- 
+gem: actionpack
+framework: rails
+cve: 2013-1857
+osvdb: 91454
+url: http://osvdb.org/show/osvdb/91454
+title: XSS Vulnerability in the `sanitize` helper of Ruby on Rails
+date: 2013-03-19
+
+description: | 
+  The sanitize helper in Ruby on Rails is designed to
+  filter HTML and remove all tags and attributes which could be
+  malicious. The code which ensured that URLs only contain supported
+  protocols contained several bugs which could allow an attacker to
+  embed a tag containing a URL which executes arbitrary javascript
+  code.
+
+cvss_v2: 4.0
+
+patched_versions: 
+  - ~> 2.3.18
+  - ~> 3.1.12
+  - ">= 3.2.13"