RubyGems - bundler-audit - Versions diffs - 0.4.0 → 0.5.0 - Mend

bundler-audit 0.4.0 → 0.5.0

Files changed (313) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 9660b06fce10c2532f0c7aaa5fef6ca2d5c99067
-  data.tar.gz: 751d7e542727defa267b6d8abf2ad0b3f391ab70
+  metadata.gz: 650484979d4eb765a3c725eb4b31303d24fe5b59
+  data.tar.gz: dfc8d83b2c4488bf7284103276941bd4ab8d5f1c
 SHA512:
-  metadata.gz: 2a3cb90acc0cecc82ee931fedd43ab4d0439fd2436bc29563a45a4a328862c9038f243f7bff68a9e394bb0c12fee6f83b1496347187783b3a6d972435169dbf3
-  data.tar.gz: 89a771db86e3baf43430b5448bee5664e1b73f017fed9c48756ea8a58f6f4515c761d4c46333a93e9bcde71e3c6777271ec799a933d5662a76df9504a29dd09d
+  metadata.gz: 4da6b5b6f801ee56c94b581c2190d0cf0f607c347269b1ad5c5b3ce3bfbfdcf4e8679abc9f4d5f34542587936beede85315ba25ebc78dffe077e52ac670ecc62
+  data.tar.gz: 961867353bb8145023a2f9ab6ba41e609c8594c697adc1c6c3e4e86708e3d39b9c6326a1d8baafeff521101a8109f0b9a9edf15e8ded29383e9e29606f36a523

data/ChangeLog.md CHANGED

@@ -1,3 +1,19 @@
+### 0.5.0 / 2015-02-28
+* Added {Bundler::Audit::Task}.
+* Added {Bundler::Audit::Advisory#date}.
+* Added {Bundler::Audit::Advisory#cve_id}.
+* Added {Bundler::Audit::Advisory#osvdb_id}.
+* Allow insecure gem sources (`http://` and `git://`), if they are hosted on a
+  private network.
+#### CLI
+* Added the `--update` option to `bundle-audit check`.
+* `bundle-audit update` now returns a non-zero exit status on error.
+* `bundle-audit update` only updates `~/.local/share/ruby-advisory-db`, if it is a git
+  repository.
 ### 0.4.0 / 2015-06-30
 * Require ruby >= 1.9.3 due to i18n gem deprecating < 1.9.3.

data/README.md CHANGED

@@ -4,8 +4,8 @@
 * [Issues](https://github.com/rubysec/bundler-audit/issues)
 * [Documentation](http://rubydoc.info/gems/bundler-audit/frames)
 * [Email](mailto:rubysec.mod3 at gmail.com)
-* [![Build Status](https://travis-ci.org/rubysec/bundler-audit.png)](https://travis-ci.org/rubysec/bundler-audit)
-* [![Code Climate](https://codeclimate.com/github/rubysec/bundler-audit.png)](https://codeclimate.com/github/rubysec/bundler-audit)
+* [![Build Status](https://travis-ci.org/rubysec/bundler-audit.svg)](https://travis-ci.org/rubysec/bundler-audit)
+* [![Code Climate](https://codeclimate.com/github/rubysec/bundler-audit.svg)](https://codeclimate.com/github/rubysec/bundler-audit)
 ## Description
@@ -31,7 +31,7 @@ Audit a projects `Gemfile.lock`:
     URL: http://www.osvdb.org/show/osvdb/91452
     Title: XSS vulnerability in sanitize_css in Action Pack
     Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
     Name: actionpack
     Version: 3.2.10
     Advisory: OSVDB-91454
@@ -39,7 +39,7 @@ Audit a projects `Gemfile.lock`:
     URL: http://osvdb.org/show/osvdb/91454
     Title: XSS Vulnerability in the `sanitize` helper of Ruby on Rails
     Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
     Name: actionpack
     Version: 3.2.10
     Advisory: OSVDB-89026
@@ -47,7 +47,7 @@ Audit a projects `Gemfile.lock`:
     URL: http://osvdb.org/show/osvdb/89026
     Title: Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing Remote Code Execution
     Solution: upgrade to ~> 2.3.15, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
     Name: activerecord
     Version: 3.2.10
     Advisory: OSVDB-91453
@@ -55,7 +55,7 @@ Audit a projects `Gemfile.lock`:
     URL: http://osvdb.org/show/osvdb/91453
     Title: Symbol DoS vulnerability in Active Record
     Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
     Name: activerecord
     Version: 3.2.10
     Advisory: OSVDB-90072
@@ -63,7 +63,7 @@ Audit a projects `Gemfile.lock`:
     URL: http://direct.osvdb.org/show/osvdb/90072
     Title: Ruby on Rails Active Record attr_protected Method Bypass
     Solution: upgrade to ~> 2.3.17, ~> 3.1.11, >= 3.2.12
     Name: activerecord
     Version: 3.2.10
     Advisory: OSVDB-89025
@@ -71,7 +71,7 @@ Audit a projects `Gemfile.lock`:
     URL: http://osvdb.org/show/osvdb/89025
     Title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass
     Solution: upgrade to ~> 2.3.16, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
     Name: activesupport
     Version: 3.2.10
     Advisory: OSVDB-91451
@@ -79,7 +79,7 @@ Audit a projects `Gemfile.lock`:
     URL: http://www.osvdb.org/show/osvdb/91451
     Title: XML Parsing Vulnerability affecting JRuby users
     Solution: upgrade to ~> 3.1.12, >= 3.2.13
     Unpatched versions found!
 Update the [ruby-advisory-db] that `bundle-audit` uses:
@@ -108,10 +108,23 @@ Update the [ruby-advisory-db] that `bundle-audit` uses:
      create mode 100644 gems/wicked/OSVDB-98270.yml
     ruby-advisory-db: 64 advisories
+Update the [ruby-advisory-db] and check `Gemfile.lock` (useful for CI runs):
+    $ bundle-audit check --update
 Ignore specific advisories:
     $ bundle-audit check --ignore OSVDB-108664
+Rake task:
+```ruby
+require_relative 'lib/bundler/audit/task'
+Bundler::Audit::Task.new
+task default: 'bundle:audit'
+```
 ## Requirements
 * [Ruby] >= 1.9.3
@@ -125,7 +138,7 @@ Ignore specific advisories:
 ## License
-Copyright (c) 2013-2015 Hal Brodigan (postmodern.mod3 at gmail.com)
+Copyright (c) 2013-2016 Hal Brodigan (postmodern.mod3 at gmail.com)
 bundler-audit is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by

data/data/ruby-advisory-db.ts CHANGED

	@@ -1 +1 @@
1	- ~~2014~~-02-11 00:45:58 UTC
1	+ 2016-01-26 04:57:48 UTC

data/data/ruby-advisory-db/.gitignore CHANGED

	@@ -1 +1,2 @@
1 1	Gemfile.lock
2	+ _site

data/data/ruby-advisory-db/.travis.yml ADDED

@@ -0,0 +1,18 @@
+language: ruby
+sudo: false
+cache: bundler
+deploy:
+  provider: script
+  script: scripts/post-advisories.sh
+  on:
+    branch: master
+notifications:
+  irc: chat.freenode.net#rubysec
+env:
+  global:
+  - secure: ZXwsZdbCej15IcIazEIjy12o5v5EI8/Hle/VP1EabfbHsA5Mw+lrliMAV80C8Iy+p4mI66WIO/3Ovm64L1nGDBGs3dKUjtDvNPCKHlK2xK7AhvkcJnzbjWTAzWZY17STJO45DUdr/vuVbvQZ8llLosSOBs+grGsszCSEIOibqjU=

data/data/ruby-advisory-db/CONTRIBUTING.md CHANGED

@@ -1,6 +1,56 @@
 # Contributing Guidelines
-## Style
+* All text must be within 80 columns.
+* YAML must be indented by 2 spaces.
+* Have any questions? Feel free to open an issue.
+* Prior to submitting a pull request, run the tests:
+```
+bundle install
+bundle exec rspec
+```
+* Follow the schema. Here is a sample advisory:
+```yaml
+    ---
+    gem: activerecord
+    framework: rails
+    cve: 2014-3514
+    url: https://groups.google.com/forum/#!msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ
+    title: Data Injection Vulnerability in Active Record
+    date: 2014-08-18
+    description: >-
+      The create_with functionality in Active Record was implemented
+      incorrectly and completely bypasses the strong parameters
+      protection. Applications which pass user-controlled values to
+      create_with could allow attackers to set arbitrary attributes on
+      models.
+    cvss_v2: 8.7
+    unaffected_versions:
+      - "< 4.0.0"
+    patched_versions:
+      - ~> 4.0.9
+      - ">= 4.1.5"
+```
+### Schema
+* `gem` \[String\]: Name of the affected gem.
+* `framework` \[String\] (optional): Name of framework gem belongs to.
+* `platform` \[String\] (optional): If this vulnerability is platform-specific, name of platform this vulnerability affects (e.g. JRuby)
+* `cve` \[String\]: CVE id.
+* `osvdb` \[Fixnum\]: OSVDB id.
+* `url` \[String\]: The URL to the full advisory.
+* `title` \[String\]: The title of the advisory.
+* `date` \[Date\]: Disclosure date of the advisory.
+* `description` \[String\]: Multi-paragraph description of the vulnerability.
+* `cvss_v2` \[Float\]: The [CVSSv2] score for the vulnerability.
+* `unaffected_versions` \[Array\<String\>\] (optional): The version requirements for the
+  unaffected versions of the Ruby library.
+* `patched_versions` \[Array\<String\>\]: The version requirements for the
+  patched versions of the Ruby library.
-1. All text must be within 80 columns.
-2. YAML must be indented by 2 spaces.

data/data/ruby-advisory-db/CONTRIBUTORS.md CHANGED

@@ -1,8 +1,7 @@
 ### Acknowledgements
-This database would not be possible without volunteers willing to submit pull requests.
+This database would not be possible without volunteers willing to submit pull requests. In no particular order, we'd like to thank:
-Thanks,
 * [Postmodern](https://github.com/postmodern/)
 * [Max Veytsman](https://twitter.com/mveytsman)
 * [Pietro Monteiro](https://github.com/pietro)
@@ -21,3 +20,19 @@ Thanks,
 * [Jeremy Olliver](https://github.com/jeremyolliver)
 * [Vasily Vasinov](https://github.com/vasinov)
 * [Phill MV](https://twitter.com/phillmv)
+* [Jon Kessler](https://github.com/jonkessler)
+* [James Harton](https://github.com/jamesotron)
+* [Justin Collins](https://github.com/presidentbeef)
+* [Andy Brody](https://github.com/ab)
+* [Alexey Zapparov](https://github.com/ixti)
+* [Toni Reina](https://github.com/areina)
+* [Bernard Lambeau](https://github.com/blambeau)
+* [Don Morrison](https://github.com/elskwid)
+* [John Poulin](https://github.com/forced-request)
+* [Neal Harris](https://github.com/nealharris)
+* [Justin Bull](https://github.com/f3ndot)
+* [Andrew Selder](https://github.com/aselder)
+* [Vanessa Henderson](https://github.com/VanessaHenderson)
+* [Reed Loden](https://github.com/reedloden)
+The rubysec.com domain was graciously donated by [Jordi Massaguer](https://github.com/jordimassaguerpla).

data/data/ruby-advisory-db/Gemfile CHANGED

@@ -1,3 +1,9 @@
 source 'https://rubygems.org'
-gem 'pry'
-gem 'mechanize'
+gem 'rspec', '3.3.0'
+gem 'rake'
+group :development do
+  gem 'pry'
+  gem 'nokogiri'
+end

data/data/ruby-advisory-db/Rakefile CHANGED

@@ -2,7 +2,6 @@ require 'yaml'
 namespace :lint do
   begin
-    gem 'rspec', '~> 2.4'
     require 'rspec/core/rake_task'
     RSpec::Core::RakeTask.new(:yaml)
@@ -13,7 +12,7 @@ namespace :lint do
   end
   task :cve do
-    Dir.glob('gems/*/*.yml') do |path|
+    Dir.glob('{gems,libraries,rubies}/*/*.yml') do |path|
       advisory = YAML.load_file(path)
       unless advisory['cve']

data/data/ruby-advisory-db/gems/{arabic-prawn → Arabic-Prawn}/OSVDB-104365.yml RENAMED

@@ -1,15 +1,12 @@
 ---
 gem: Arabic-Prawn
+cve: 2014-2322
 osvdb: 104365
 url: http://osvdb.org/show/osvdb/104365
-title: Arabic-Prawn Gem for Ruby contains a flaw
+title: Arabic Prawn Gem for Ruby lib/string_utf_support.rb User Input Handling Remote Command Injection
 date: 2014-03-10
 description: |
   Arabic Prawn Gem for Ruby contains a flaw in the lib/string_utf_support.rb
   file. The issue is due to the program failing to sanitize user input. This may
   allow a remote attacker to inject arbitrary commands.
-cvss_v2:
-patched_versions:
+cvss_v2: 7.5

data/data/ruby-advisory-db/gems/RedCloth/OSVDB-115941.yml ADDED

@@ -0,0 +1,16 @@
+---
+gem: RedCloth
+cve: 2012-6684
+osvdb: 115941
+url: http://www.osvdb.org/show/osvdb/115941
+title: RedCloth Gem for Ruby Textile Link Parsing XSS
+date: 2012-02-29
+description: |
+  RedCloth Gem for Ruby contains a flaw that allows a cross-site scripting (XSS)
+  attack. This flaw exists because the program does not validate input when
+  parsing textile links before returning it to users. This may allow a remote
+  attacker to create a specially crafted request that would execute arbitrary
+  script code in a user's browser session within the trust relationship between
+  their browser and the server.
+cvss_v2: 4.3
+patched_versions:

data/data/ruby-advisory-db/gems/VladTheEnterprising/CVE-2014-4995.yml ADDED

@@ -0,0 +1,13 @@
+---
+gem: VladTheEnterprising
+cve: 2014-4995
+osvdb: 108728
+url: http://www.osvdb.org/show/osvdb/108728
+title: VladTheEnterprising Gem for Ruby /tmp/my.cnf.#{target_host} Symlink Multiple Impact
+date: 2014-06-30
+description: |
+  VladTheEnterprising Gem for Ruby contains a flaw as the program creates
+  temporary files insecurely. It is possible for a local attacker to use
+  a symlink attack against the /tmp/my.cnf.#{target_host} file they can
+  overwrite arbitrary files, gain access to the MySQL root password,
+  or inject arbitrary commands.

data/data/ruby-advisory-db/gems/VladTheEnterprising/CVE-2014-4996.yml ADDED

@@ -0,0 +1,13 @@
+---
+gem: VladTheEnterprising
+cve: 2014-4996
+osvdb: 108728
+url: http://www.osvdb.org/show/osvdb/108728
+title: VladTheEnterprising Gem for Ruby /tmp/my.cnf.#{target_host} Symlink Multiple Impact
+date: 2014-06-30
+description: |
+  VladTheEnterprising Gem for Ruby contains a flaw as the program creates
+  temporary files insecurely. It is possible for a local attacker to use
+  a symlink attack against the /tmp/my.cnf.#{target_host} file they can
+  overwrite arbitrary files, gain access to the MySQL root password,
+  or inject arbitrary commands.

data/data/ruby-advisory-db/gems/actionpack/CVE-2014-0130.yml ADDED

@@ -0,0 +1,23 @@
+---
+gem: actionpack
+framework: rails
+cve: 2014-0130
+url: https://groups.google.com/forum/#!topic/rubyonrails-security/NkKc7vTW70o
+title: Directory Traversal Vulnerability With Certain Route Configurations
+date: 2014-05-06
+description: |
+  There is a vulnerability in the 'implicit render'
+  functionality in Ruby on Rails.The implicit render functionality
+  allows controllers to render a template, even if there is no
+  explicit action with the corresponding name.  This module does not
+  perform adequate input sanitization which could allow an attacker to
+  use a specially crafted request to retrieve arbitrary files from the
+  rails application server.
+cvss_v2: 4.3
+patched_versions:
+  - ~> 3.2.18
+  - ~> 4.0.5
+  - ">= 4.1.1"

data/data/ruby-advisory-db/gems/actionpack/CVE-2014-7818.yml ADDED

@@ -0,0 +1,24 @@
+---
+gem: actionpack
+framework: rails
+cve: 2014-7818
+url: https://groups.google.com/forum/#!topic/rubyonrails-security/dCp7duBiQgo
+title: Arbitrary file existence disclosure in Action Pack
+date: 2014-10-30
+description: |
+  Specially crafted requests can be used to determine whether a file exists on
+  the filesystem that is outside the Rails application's root directory.  The
+  files will not be served, but attackers can determine whether or not the file
+  exists.
+cvss_v2: 4.3
+unaffected_versions:
+  - "< 3.0.0"
+patched_versions:
+  - ~> 3.2.20
+  - ~> 4.0.11
+  - ~> 4.1.7
+  - ">= 4.2.0.beta3"

data/data/ruby-advisory-db/gems/actionpack/CVE-2014-7829.yml ADDED

@@ -0,0 +1,26 @@
+---
+gem: actionpack
+framework: rails
+cve: 2014-7829
+url: https://groups.google.com/forum/#!topic/rubyonrails-security/rMTQy4oRCGk
+title: Arbitrary file existence disclosure in Action Pack
+date: 2014-11-17
+description: |
+  Specially crafted requests can be used to determine whether a file exists on
+  the filesystem that is outside the Rails application's root directory.  The
+  files will not be served, but attackers can determine whether or not the file
+  exists.  This vulnerability is very similar to CVE-2014-7818, but the
+  specially crafted string is slightly different.
+cvss_v2: 5.0
+unaffected_versions:
+  - "< 3.0.0"
+patched_versions:
+  - ~> 3.2.21
+  - ~> 4.0.11.1
+  - ~> 4.0.12
+  - ~> 4.1.7.1
+  - ">= 4.1.8"

data/data/ruby-advisory-db/gems/actionpack/CVE-2015-7576.yml ADDED

@@ -0,0 +1,116 @@
+---
+gem: actionpack
+framework: rails
+cve: 2015-7576
+date: 2016-01-25
+url: "https://groups.google.com/forum/#!topic/rubyonrails-security/ANv0HDHEC3k"
+title: Timing attack vulnerability in basic authentication in Action Controller.
+description: |
+    There is a timing attack vulnerability in the basic authentication support
+    in Action Controller. This vulnerability has been assigned the CVE
+    identifier CVE-2015-7576.
+    Versions Affected:  All.
+    Not affected:       None.
+    Fixed Versions:     5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1
+    Impact
+    ------
+    Due to the way that Action Controller compares user names and passwords in
+    basic authentication authorization code, it is possible for an attacker to
+    analyze the time taken by a response and intuit the password.
+    For example, this string comparison:
+      "foo" == "bar"
+    is possibly faster than this comparison:
+      "foo" == "fo1"
+    Attackers can use this information to attempt to guess the username and
+    password used in the basic authentication system.
+    You can tell you application is vulnerable to this attack by looking for
+    `http_basic_authenticate_with` method calls in your application.
+    All users running an affected release should either upgrade or use one of
+    the workarounds immediately.
+    Releases
+    --------
+    The FIXED releases are available at the normal locations.
+    Workarounds
+    -----------
+    If you can't upgrade, please use the following monkey patch in an initializer
+    that is loaded before your application:
+    ```
+    $ cat config/initializers/basic_auth_fix.rb
+    module ActiveSupport
+      module SecurityUtils
+        def secure_compare(a, b)
+          return false unless a.bytesize == b.bytesize
+          l = a.unpack "C#{a.bytesize}"
+          res = 0
+          b.each_byte { |byte| res |= byte ^ l.shift }
+          res == 0
+        end
+        module_function :secure_compare
+        def variable_size_secure_compare(a, b)
+          secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b))
+        end
+        module_function :variable_size_secure_compare
+      end
+    end
+    module ActionController
+      class Base
+        def self.http_basic_authenticate_with(options = {})
+          before_action(options.except(:name, :password, :realm)) do
+            authenticate_or_request_with_http_basic(options[:realm] || "Application") do |name, password|
+              # This comparison uses & so that it doesn't short circuit and
+              # uses `variable_size_secure_compare` so that length information
+              # isn't leaked.
+              ActiveSupport::SecurityUtils.variable_size_secure_compare(name, options[:name]) &
+                ActiveSupport::SecurityUtils.variable_size_secure_compare(password, options[:password])
+            end
+          end
+        end
+      end
+    end
+    ```
+    Patches
+    -------
+    To aid users who aren't able to upgrade immediately we have provided patches for
+    the two supported release series. They are in git-am format and consist of a
+    single changeset.
+    * 4-1-basic_auth.patch - Patch for 4.1 series
+    * 4-2-basic_auth.patch - Patch for 4.2 series
+    * 5-0-basic_auth.patch - Patch for 5.0 series
+    Please note that only the 4.1.x and 4.2.x series are supported at present. Users
+    of earlier unsupported releases are advised to upgrade as soon as possible as we
+    cannot guarantee the continued availability of security fixes for unsupported
+    releases.
+    Credits
+    -------
+    Thank you to Daniel Waterworth for reporting the problem and working with us to
+    fix it.
+patched_versions:
+  - "~> 5.0.0.beta1.1"
+  - "~> 4.2.5.1"
+  - "~> 4.1.14.1"
+  - "~> 3.2.22.1"