bundler-audit 0.4.0 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 9660b06fce10c2532f0c7aaa5fef6ca2d5c99067
-  data.tar.gz: 751d7e542727defa267b6d8abf2ad0b3f391ab70
+  metadata.gz: 650484979d4eb765a3c725eb4b31303d24fe5b59
+  data.tar.gz: dfc8d83b2c4488bf7284103276941bd4ab8d5f1c
 SHA512:
-  metadata.gz: 2a3cb90acc0cecc82ee931fedd43ab4d0439fd2436bc29563a45a4a328862c9038f243f7bff68a9e394bb0c12fee6f83b1496347187783b3a6d972435169dbf3
-  data.tar.gz: 89a771db86e3baf43430b5448bee5664e1b73f017fed9c48756ea8a58f6f4515c761d4c46333a93e9bcde71e3c6777271ec799a933d5662a76df9504a29dd09d
+  metadata.gz: 4da6b5b6f801ee56c94b581c2190d0cf0f607c347269b1ad5c5b3ce3bfbfdcf4e8679abc9f4d5f34542587936beede85315ba25ebc78dffe077e52ac670ecc62
+  data.tar.gz: 961867353bb8145023a2f9ab6ba41e609c8594c697adc1c6c3e4e86708e3d39b9c6326a1d8baafeff521101a8109f0b9a9edf15e8ded29383e9e29606f36a523

data/ChangeLog.md

@@ -1,3 +1,19 @@
+### 0.5.0 / 2015-02-28
+
+* Added {Bundler::Audit::Task}.
+* Added {Bundler::Audit::Advisory#date}.
+* Added {Bundler::Audit::Advisory#cve_id}.
+* Added {Bundler::Audit::Advisory#osvdb_id}.
+* Allow insecure gem sources (`http://` and `git://`), if they are hosted on a
+  private network.
+
+#### CLI
+
+* Added the `--update` option to `bundle-audit check`.
+* `bundle-audit update` now returns a non-zero exit status on error.
+* `bundle-audit update` only updates `~/.local/share/ruby-advisory-db`, if it is a git
+  repository.
+
 ### 0.4.0 / 2015-06-30
 
 * Require ruby >= 1.9.3 due to i18n gem deprecating < 1.9.3.

data/README.md

@@ -4,8 +4,8 @@
 * [Issues](https://github.com/rubysec/bundler-audit/issues)
 * [Documentation](http://rubydoc.info/gems/bundler-audit/frames)
 * [Email](mailto:rubysec.mod3 at gmail.com)
-* [![Build Status](https://travis-ci.org/rubysec/bundler-audit.png)](https://travis-ci.org/rubysec/bundler-audit)
-* [![Code Climate](https://codeclimate.com/github/rubysec/bundler-audit.png)](https://codeclimate.com/github/rubysec/bundler-audit)
+* [![Build Status](https://travis-ci.org/rubysec/bundler-audit.svg)](https://travis-ci.org/rubysec/bundler-audit)
+* [![Code Climate](https://codeclimate.com/github/rubysec/bundler-audit.svg)](https://codeclimate.com/github/rubysec/bundler-audit)
 
 ## Description
 
@@ -31,7 +31,7 @@ Audit a projects `Gemfile.lock`:
     URL: http://www.osvdb.org/show/osvdb/91452
     Title: XSS vulnerability in sanitize_css in Action Pack
     Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
-    
+
     Name: actionpack
     Version: 3.2.10
     Advisory: OSVDB-91454
@@ -39,7 +39,7 @@ Audit a projects `Gemfile.lock`:
     URL: http://osvdb.org/show/osvdb/91454
     Title: XSS Vulnerability in the `sanitize` helper of Ruby on Rails
     Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
-    
+
     Name: actionpack
     Version: 3.2.10
     Advisory: OSVDB-89026
@@ -47,7 +47,7 @@ Audit a projects `Gemfile.lock`:
     URL: http://osvdb.org/show/osvdb/89026
     Title: Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing Remote Code Execution
     Solution: upgrade to ~> 2.3.15, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
-    
+
     Name: activerecord
     Version: 3.2.10
     Advisory: OSVDB-91453
@@ -55,7 +55,7 @@ Audit a projects `Gemfile.lock`:
     URL: http://osvdb.org/show/osvdb/91453
     Title: Symbol DoS vulnerability in Active Record
     Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
-    
+
     Name: activerecord
     Version: 3.2.10
     Advisory: OSVDB-90072
@@ -63,7 +63,7 @@ Audit a projects `Gemfile.lock`:
     URL: http://direct.osvdb.org/show/osvdb/90072
     Title: Ruby on Rails Active Record attr_protected Method Bypass
     Solution: upgrade to ~> 2.3.17, ~> 3.1.11, >= 3.2.12
-    
+
     Name: activerecord
     Version: 3.2.10
     Advisory: OSVDB-89025
@@ -71,7 +71,7 @@ Audit a projects `Gemfile.lock`:
     URL: http://osvdb.org/show/osvdb/89025
     Title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass
     Solution: upgrade to ~> 2.3.16, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
-    
+
     Name: activesupport
     Version: 3.2.10
     Advisory: OSVDB-91451
@@ -79,7 +79,7 @@ Audit a projects `Gemfile.lock`:
     URL: http://www.osvdb.org/show/osvdb/91451
     Title: XML Parsing Vulnerability affecting JRuby users
     Solution: upgrade to ~> 3.1.12, >= 3.2.13
-    
+
     Unpatched versions found!
 
 Update the [ruby-advisory-db] that `bundle-audit` uses:
@@ -108,10 +108,23 @@ Update the [ruby-advisory-db] that `bundle-audit` uses:
      create mode 100644 gems/wicked/OSVDB-98270.yml
     ruby-advisory-db: 64 advisories
 
+Update the [ruby-advisory-db] and check `Gemfile.lock` (useful for CI runs):
+
+    $ bundle-audit check --update
+
 Ignore specific advisories:
 
     $ bundle-audit check --ignore OSVDB-108664
 
+Rake task:
+
+```ruby
+require_relative 'lib/bundler/audit/task'
+Bundler::Audit::Task.new
+
+task default: 'bundle:audit'
+```
+
 ## Requirements
 
 * [Ruby] >= 1.9.3
@@ -125,7 +138,7 @@ Ignore specific advisories:
 
 ## License
 
-Copyright (c) 2013-2015 Hal Brodigan (postmodern.mod3 at gmail.com)
+Copyright (c) 2013-2016 Hal Brodigan (postmodern.mod3 at gmail.com)
 
 bundler-audit is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by

data/data/ruby-advisory-db.ts

@@ -1 +1 @@
-2014-02-11 00:45:58 UTC
+2016-01-26 04:57:48 UTC

data/data/ruby-advisory-db/.gitignore

@@ -1 +1,2 @@
 Gemfile.lock
+_site

data/data/ruby-advisory-db/.travis.yml

@@ -0,0 +1,18 @@
+language: ruby
+
+sudo: false
+
+cache: bundler
+
+deploy:
+  provider: script
+  script: scripts/post-advisories.sh
+  on:
+    branch: master
+
+notifications:
+  irc: chat.freenode.net#rubysec
+
+env:
+  global:
+  - secure: ZXwsZdbCej15IcIazEIjy12o5v5EI8/Hle/VP1EabfbHsA5Mw+lrliMAV80C8Iy+p4mI66WIO/3Ovm64L1nGDBGs3dKUjtDvNPCKHlK2xK7AhvkcJnzbjWTAzWZY17STJO45DUdr/vuVbvQZ8llLosSOBs+grGsszCSEIOibqjU=

data/data/ruby-advisory-db/CONTRIBUTING.md

@@ -1,6 +1,56 @@
 # Contributing Guidelines
 
-## Style
+* All text must be within 80 columns.
+* YAML must be indented by 2 spaces.
+* Have any questions? Feel free to open an issue.
+* Prior to submitting a pull request, run the tests:
+
+```
+bundle install
+bundle exec rspec
+```
+
+* Follow the schema. Here is a sample advisory:
+
+```yaml
+    ---
+    gem: activerecord
+    framework: rails
+    cve: 2014-3514
+    url: https://groups.google.com/forum/#!msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ
+    title: Data Injection Vulnerability in Active Record 
+    date: 2014-08-18
+
+    description: >-
+      The create_with functionality in Active Record was implemented
+      incorrectly and completely bypasses the strong parameters
+      protection. Applications which pass user-controlled values to
+      create_with could allow attackers to set arbitrary attributes on
+      models.
+      
+    cvss_v2: 8.7
+
+    unaffected_versions:
+      - "< 4.0.0"
+
+    patched_versions:
+      - ~> 4.0.9 
+      - ">= 4.1.5"
+```
+### Schema
+
+* `gem` \[String\]: Name of the affected gem.
+* `framework` \[String\] (optional): Name of framework gem belongs to.
+* `platform` \[String\] (optional): If this vulnerability is platform-specific, name of platform this vulnerability affects (e.g. JRuby)
+* `cve` \[String\]: CVE id.
+* `osvdb` \[Fixnum\]: OSVDB id.
+* `url` \[String\]: The URL to the full advisory.
+* `title` \[String\]: The title of the advisory.
+* `date` \[Date\]: Disclosure date of the advisory.
+* `description` \[String\]: Multi-paragraph description of the vulnerability.
+* `cvss_v2` \[Float\]: The [CVSSv2] score for the vulnerability.
+* `unaffected_versions` \[Array\<String\>\] (optional): The version requirements for the
+  unaffected versions of the Ruby library.
+* `patched_versions` \[Array\<String\>\]: The version requirements for the
+  patched versions of the Ruby library.
 
-1. All text must be within 80 columns.
-2. YAML must be indented by 2 spaces.

data/data/ruby-advisory-db/CONTRIBUTORS.md

@@ -1,8 +1,7 @@
 ### Acknowledgements
 
-This database would not be possible without volunteers willing to submit pull requests.
+This database would not be possible without volunteers willing to submit pull requests. In no particular order, we'd like to thank:
 
-Thanks,
 * [Postmodern](https://github.com/postmodern/)
 * [Max Veytsman](https://twitter.com/mveytsman)
 * [Pietro Monteiro](https://github.com/pietro)
@@ -21,3 +20,19 @@ Thanks,
 * [Jeremy Olliver](https://github.com/jeremyolliver)
 * [Vasily Vasinov](https://github.com/vasinov)
 * [Phill MV](https://twitter.com/phillmv)
+* [Jon Kessler](https://github.com/jonkessler)
+* [James Harton](https://github.com/jamesotron)
+* [Justin Collins](https://github.com/presidentbeef)
+* [Andy Brody](https://github.com/ab)
+* [Alexey Zapparov](https://github.com/ixti)
+* [Toni Reina](https://github.com/areina)
+* [Bernard Lambeau](https://github.com/blambeau)
+* [Don Morrison](https://github.com/elskwid)
+* [John Poulin](https://github.com/forced-request)
+* [Neal Harris](https://github.com/nealharris)
+* [Justin Bull](https://github.com/f3ndot)
+* [Andrew Selder](https://github.com/aselder)
+* [Vanessa Henderson](https://github.com/VanessaHenderson)
+* [Reed Loden](https://github.com/reedloden)
+
+The rubysec.com domain was graciously donated by [Jordi Massaguer](https://github.com/jordimassaguerpla).

data/data/ruby-advisory-db/Gemfile

@@ -1,3 +1,9 @@
 source 'https://rubygems.org'
-gem 'pry'
-gem 'mechanize'
+
+gem 'rspec', '3.3.0'
+gem 'rake'
+
+group :development do
+  gem 'pry'
+  gem 'nokogiri'
+end

data/data/ruby-advisory-db/Rakefile

@@ -2,7 +2,6 @@ require 'yaml'
 
 namespace :lint do
   begin
-    gem 'rspec', '~> 2.4'
     require 'rspec/core/rake_task'
 
     RSpec::Core::RakeTask.new(:yaml)
@@ -13,7 +12,7 @@ namespace :lint do
   end
 
   task :cve do
-    Dir.glob('gems/*/*.yml') do |path|
+    Dir.glob('{gems,libraries,rubies}/*/*.yml') do |path|
       advisory = YAML.load_file(path)
 
       unless advisory['cve']

data/data/ruby-advisory-db/gems/{arabic-prawn → Arabic-Prawn}/OSVDB-104365.yml

@@ -1,15 +1,12 @@
 ---
 gem: Arabic-Prawn
+cve: 2014-2322
 osvdb: 104365
 url: http://osvdb.org/show/osvdb/104365
-title: Arabic-Prawn Gem for Ruby contains a flaw
+title: Arabic Prawn Gem for Ruby lib/string_utf_support.rb User Input Handling Remote Command Injection
 date: 2014-03-10
-
 description: |
   Arabic Prawn Gem for Ruby contains a flaw in the lib/string_utf_support.rb
   file. The issue is due to the program failing to sanitize user input. This may
   allow a remote attacker to inject arbitrary commands.
-
-cvss_v2:
-
-patched_versions:
+cvss_v2: 7.5

data/data/ruby-advisory-db/gems/RedCloth/OSVDB-115941.yml

@@ -0,0 +1,16 @@
+---
+gem: RedCloth
+cve: 2012-6684
+osvdb: 115941
+url: http://www.osvdb.org/show/osvdb/115941
+title: RedCloth Gem for Ruby Textile Link Parsing XSS
+date: 2012-02-29
+description: |
+  RedCloth Gem for Ruby contains a flaw that allows a cross-site scripting (XSS)
+  attack. This flaw exists because the program does not validate input when
+  parsing textile links before returning it to users. This may allow a remote
+  attacker to create a specially crafted request that would execute arbitrary
+  script code in a user's browser session within the trust relationship between
+  their browser and the server.
+cvss_v2: 4.3
+patched_versions:

data/data/ruby-advisory-db/gems/VladTheEnterprising/CVE-2014-4995.yml

@@ -0,0 +1,13 @@
+---
+gem: VladTheEnterprising
+cve: 2014-4995
+osvdb: 108728
+url: http://www.osvdb.org/show/osvdb/108728
+title: VladTheEnterprising Gem for Ruby /tmp/my.cnf.#{target_host} Symlink Multiple Impact
+date: 2014-06-30
+description: |
+  VladTheEnterprising Gem for Ruby contains a flaw as the program creates
+  temporary files insecurely. It is possible for a local attacker to use
+  a symlink attack against the /tmp/my.cnf.#{target_host} file they can
+  overwrite arbitrary files, gain access to the MySQL root password,
+  or inject arbitrary commands.

data/data/ruby-advisory-db/gems/VladTheEnterprising/CVE-2014-4996.yml

@@ -0,0 +1,13 @@
+---
+gem: VladTheEnterprising
+cve: 2014-4996
+osvdb: 108728
+url: http://www.osvdb.org/show/osvdb/108728
+title: VladTheEnterprising Gem for Ruby /tmp/my.cnf.#{target_host} Symlink Multiple Impact 
+date: 2014-06-30
+description: |
+  VladTheEnterprising Gem for Ruby contains a flaw as the program creates
+  temporary files insecurely. It is possible for a local attacker to use
+  a symlink attack against the /tmp/my.cnf.#{target_host} file they can
+  overwrite arbitrary files, gain access to the MySQL root password,
+  or inject arbitrary commands.

data/data/ruby-advisory-db/gems/actionpack/CVE-2014-0130.yml

@@ -0,0 +1,23 @@
+---
+gem: actionpack
+framework: rails
+cve: 2014-0130
+url: https://groups.google.com/forum/#!topic/rubyonrails-security/NkKc7vTW70o
+title: Directory Traversal Vulnerability With Certain Route Configurations
+date: 2014-05-06
+
+description: |
+  There is a vulnerability in the 'implicit render'
+  functionality in Ruby on Rails.The implicit render functionality
+  allows controllers to render a template, even if there is no
+  explicit action with the corresponding name.  This module does not
+  perform adequate input sanitization which could allow an attacker to
+  use a specially crafted request to retrieve arbitrary files from the
+  rails application server.
+
+cvss_v2: 4.3
+
+patched_versions:
+  - ~> 3.2.18
+  - ~> 4.0.5
+  - ">= 4.1.1"

data/data/ruby-advisory-db/gems/actionpack/CVE-2014-7818.yml

@@ -0,0 +1,24 @@
+---
+gem: actionpack
+framework: rails
+cve: 2014-7818
+url: https://groups.google.com/forum/#!topic/rubyonrails-security/dCp7duBiQgo
+title: Arbitrary file existence disclosure in Action Pack
+date: 2014-10-30
+
+description: |
+  Specially crafted requests can be used to determine whether a file exists on
+  the filesystem that is outside the Rails application's root directory.  The
+  files will not be served, but attackers can determine whether or not the file
+  exists.
+
+cvss_v2: 4.3
+
+unaffected_versions:
+  - "< 3.0.0"
+
+patched_versions:
+  - ~> 3.2.20
+  - ~> 4.0.11
+  - ~> 4.1.7
+  - ">= 4.2.0.beta3"

data/data/ruby-advisory-db/gems/actionpack/CVE-2014-7829.yml

@@ -0,0 +1,26 @@
+---
+gem: actionpack
+framework: rails
+cve: 2014-7829
+url: https://groups.google.com/forum/#!topic/rubyonrails-security/rMTQy4oRCGk
+title: Arbitrary file existence disclosure in Action Pack
+date: 2014-11-17
+
+description: |
+  Specially crafted requests can be used to determine whether a file exists on
+  the filesystem that is outside the Rails application's root directory.  The
+  files will not be served, but attackers can determine whether or not the file
+  exists.  This vulnerability is very similar to CVE-2014-7818, but the
+  specially crafted string is slightly different.
+
+cvss_v2: 5.0
+
+unaffected_versions:
+  - "< 3.0.0"
+
+patched_versions:
+  - ~> 3.2.21
+  - ~> 4.0.11.1
+  - ~> 4.0.12
+  - ~> 4.1.7.1
+  - ">= 4.1.8"

data/data/ruby-advisory-db/gems/actionpack/CVE-2015-7576.yml

@@ -0,0 +1,116 @@
+---
+gem: actionpack
+framework: rails
+cve: 2015-7576
+date: 2016-01-25
+url: "https://groups.google.com/forum/#!topic/rubyonrails-security/ANv0HDHEC3k"
+
+title: Timing attack vulnerability in basic authentication in Action Controller.
+
+description: |
+    There is a timing attack vulnerability in the basic authentication support 
+    in Action Controller. This vulnerability has been assigned the CVE 
+    identifier CVE-2015-7576. 
+
+    Versions Affected:  All. 
+    Not affected:       None. 
+    Fixed Versions:     5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1 
+
+    Impact 
+    ------ 
+    Due to the way that Action Controller compares user names and passwords in 
+    basic authentication authorization code, it is possible for an attacker to 
+    analyze the time taken by a response and intuit the password. 
+
+    For example, this string comparison: 
+
+      "foo" == "bar" 
+
+    is possibly faster than this comparison: 
+
+      "foo" == "fo1" 
+
+    Attackers can use this information to attempt to guess the username and 
+    password used in the basic authentication system. 
+
+    You can tell you application is vulnerable to this attack by looking for 
+    `http_basic_authenticate_with` method calls in your application. 
+
+    All users running an affected release should either upgrade or use one of 
+    the workarounds immediately. 
+
+    Releases 
+    -------- 
+    The FIXED releases are available at the normal locations. 
+
+    Workarounds 
+    ----------- 
+    If you can't upgrade, please use the following monkey patch in an initializer 
+    that is loaded before your application: 
+
+    ``` 
+    $ cat config/initializers/basic_auth_fix.rb 
+    module ActiveSupport 
+      module SecurityUtils 
+        def secure_compare(a, b) 
+          return false unless a.bytesize == b.bytesize 
+
+          l = a.unpack "C#{a.bytesize}" 
+
+          res = 0 
+          b.each_byte { |byte| res |= byte ^ l.shift } 
+          res == 0 
+        end 
+        module_function :secure_compare 
+
+        def variable_size_secure_compare(a, b) 
+          secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b)) 
+        end 
+        module_function :variable_size_secure_compare 
+      end 
+    end 
+
+    module ActionController 
+      class Base 
+        def self.http_basic_authenticate_with(options = {}) 
+          before_action(options.except(:name, :password, :realm)) do 
+            authenticate_or_request_with_http_basic(options[:realm] || "Application") do |name, password| 
+              # This comparison uses & so that it doesn't short circuit and 
+              # uses `variable_size_secure_compare` so that length information 
+              # isn't leaked. 
+              ActiveSupport::SecurityUtils.variable_size_secure_compare(name, options[:name]) & 
+                ActiveSupport::SecurityUtils.variable_size_secure_compare(password, options[:password]) 
+            end 
+          end 
+        end 
+      end 
+    end 
+    ``` 
+
+
+    Patches 
+    ------- 
+    To aid users who aren't able to upgrade immediately we have provided patches for 
+    the two supported release series. They are in git-am format and consist of a 
+    single changeset. 
+
+    * 4-1-basic_auth.patch - Patch for 4.1 series 
+    * 4-2-basic_auth.patch - Patch for 4.2 series 
+    * 5-0-basic_auth.patch - Patch for 5.0 series 
+
+    Please note that only the 4.1.x and 4.2.x series are supported at present. Users 
+    of earlier unsupported releases are advised to upgrade as soon as possible as we 
+    cannot guarantee the continued availability of security fixes for unsupported 
+    releases. 
+
+    Credits 
+    ------- 
+
+    Thank you to Daniel Waterworth for reporting the problem and working with us to 
+    fix it.
+
+patched_versions:
+  - "~> 5.0.0.beta1.1"
+  - "~> 4.2.5.1" 
+  - "~> 4.1.14.1"
+  - "~> 3.2.22.1"