bundler-integrity 1.0.1
- checksums.yaml +7 -0
- data/bin/bundler-integrity +78 -0
- metadata +47 -0
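--- a/checksums.yaml
+++ b/checksums.yaml
@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 56043f72f95a5cb20c2a59e7e474a8d13dd535291468a87afc7ee4bdde800d12
+  data.tar.gz: 65aae4ede8e596a4f0d41ee0d4e94a64102e83cd2748d40ee7c464969c811b1b
+SHA512:
+  metadata.gz: c072ac10c9ea9179e6d6829446d29e6c8413a3f4d632d36c859065da3a16bdcbec521358fa25cc66d8f36659e22d58a11cdd47ca1f7c9bdf8f7e6d1a290f62d6
+  data.tar.gz: af4ff12cc1b7d1fc9ec184c699c658afa6463bdfdf67848c22dc125f5fc91ba159d04302dc8ac3c71b722817011374aedb177cf65589daa68a07ff994334fa89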
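--- a/data/bin/bundler-integrity
+++ b/data/bin/bundler-integrity
@@ -0,0 +1,78 @@
+#!/usr/bin/env ruby
+
+# This script checks the integrity of gems in your projects against RubyGems API
+# It will detect any invalid packages potentially affected by the cache poison CVE.
+
+# Built by Maciej Mensfeld@WhiteSource
+
+require 'bundler'
+require 'json'
+require 'open-uri'
+require 'digest/sha2'
+
+# Packages cache paths candidates (we will check all)
+CACHE_DIRS = [
+  Bundler::RubygemsIntegration.new.gem_cache,
+  ::Bundler.app_cache
+].tap(&:flatten!).freeze
+
+::Bundler.configure
+::Bundler::Fetcher.disable_endpoint = nil
+
+deps = ::Bundler::Definition
+  .build(Bundler.default_gemfile, Bundler.default_lockfile, nil)
+  .tap(&:validate_runtime!)
+
+
+deps.specs.each do |spec|
+  intel_path = "api/v1/versions/#{spec.name}.json"
+
+  full_name = if spec.platform.to_s == 'ruby'
+    "#{spec.name}-#{spec.version}.gem"
+  else
+    "#{spec.name}-#{spec.version}-#{spec.platform}.gem"
+  end
+
+  details = URI.parse("https://rubygems.org/#{intel_path}").read
+
+  raise 'Invalid RubyGems API response' if details.empty?
+
+  version = JSON.parse(details).find do |version|
+    version.fetch('number') == spec.version.to_s &&
+      version.fetch('platform') == spec.platform.to_s
+  end
+
+  version || raise("#{full_name} not found in the RubyGems API response")
+
+  candidates = CACHE_DIRS
+    .map { |dir| File.join(dir, full_name) }
+    .select { |path| File.exist?(path) }
+
+  if candidates.empty?
+    puts "\033[0;33m[WARN]\033[0m #{full_name} was not found in cache locations, maybe it is a stdlib gem?"
+    next
+  end
+
+  candidates.each do |full_path|
+    sha = Digest::SHA2.new
+
+    File.open(full_path) do |f|
+      while chunk = f.read(256)
+        sha << chunk
+      end
+    end
+
+
+    if version.fetch('sha') == sha.hexdigest
+      puts "\033[0;32m[OK]\033[0m #{full_path}"
+    else
+      puts "\033[0;31m[FAILURE]\033[0m"
+      puts "Checksum verification for #{full_path} failed!"
+
+      exit 1
+    end
+  end
+end
+
+puts "\033[0;32m[OK]\033[0m Congratulations, you're safe and sound!"
+puts "\033[0;32m[OK]\033[0m Maciej Mensfeld and the WhiteSource team wishes you a good day!"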
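Review bot: The .gem archive is hashed via `File.open(full_path)` in the default text mode (the read loop around `f.read(256)`), so on a platform where Ruby translates line endings on read the digest will not match the API's `sha` value and a genuine package is reported as `[FAILURE]`; open the file with `'rb'`, or replace the whole loop with `sha = Digest::SHA256.file(full_path)`, which also makes it explicit that the compared field is SHA-256 (what `Digest::SHA2.new` happens to default to) and drops the needlessly small 256-byte chunking. The failure branch itself is sound — an unexpected digest exits non-zero rather than being logged and skipped — but note that the verdict rests entirely on the rubygems.org API response fetched over `open-uri`, so the check is only as strong as that TLS connection and the API data. Separately, `deps.specs` is not filtered by source, so a dependency that comes from a git or path source (including private gems) still has its name sent to rubygems.org and, if it is not published there, the lookup raises `#{full_name} not found in the RubyGems API response` and aborts the run instead of being skipped; guarding with something like `next unless spec.source.is_a?(Bundler::Source::Rubygems)` (verify the source class against the Bundler version targeted) would limit both the noise and the leak of private gem names. Minor style: the block parameter in `JSON.parse(details).find do |version|` shadows the `version` local being assigned, which older Rubies warn about — rename it (e.g. `|candidate|`).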
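--- a/metadata
+++ b/metadata
@@ -0,0 +1,47 @@
+--- !ruby/object:Gem::Specification
+name: bundler-integrity
+version: !ruby/object:Gem::Version
+  version: 1.0.1
+platform: ruby
+authors:
+- Maciej Mensfeld
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2022-05-11 00:00:00.000000000 Z
+dependencies: []
+description: Gem to verify integrity of packages installed via Bundler
+email:
+- maciej@mensfeld.pl
+executables:
+- bundler-integrity
+extensions: []
+extra_rdoc_files: []
+files:
+- bin/bundler-integrity
+homepage: https://whitesourcesoftware.com
+licenses:
+- MIT
+metadata:
+  source_code_uri: https://github.com/diffend/bundler-integrity
+  rubygems_mfa_required: 'true'
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '2.5'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.2
+signing_key:
+specification_version: 4
+summary: Gem to verify integrity of packages installed via Bundler
+test_files: []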