bundler-integrity 1.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 56043f72f95a5cb20c2a59e7e474a8d13dd535291468a87afc7ee4bdde800d12
+  data.tar.gz: 65aae4ede8e596a4f0d41ee0d4e94a64102e83cd2748d40ee7c464969c811b1b
+SHA512:
+  metadata.gz: c072ac10c9ea9179e6d6829446d29e6c8413a3f4d632d36c859065da3a16bdcbec521358fa25cc66d8f36659e22d58a11cdd47ca1f7c9bdf8f7e6d1a290f62d6
+  data.tar.gz: af4ff12cc1b7d1fc9ec184c699c658afa6463bdfdf67848c22dc125f5fc91ba159d04302dc8ac3c71b722817011374aedb177cf65589daa68a07ff994334fa89

data/bin/bundler-integrity

@@ -0,0 +1,78 @@
+#!/usr/bin/env ruby
+
+# This script checks the integrity of gems in your projects against RubyGems API
+# It will detect any invalid packages potentially affected by the cache poison CVE.
+
+# Built by Maciej Mensfeld@WhiteSource
+
+require 'bundler'
+require 'json'
+require 'open-uri'
+require 'digest/sha2'
+
+# Packages cache paths candidates (we will check all)
+CACHE_DIRS = [
+  Bundler::RubygemsIntegration.new.gem_cache,
+  ::Bundler.app_cache
+].tap(&:flatten!).freeze
+
+::Bundler.configure
+::Bundler::Fetcher.disable_endpoint = nil
+
+deps = ::Bundler::Definition
+       .build(Bundler.default_gemfile, Bundler.default_lockfile, nil)
+       .tap(&:validate_runtime!)
+
+
+deps.specs.each do |spec|
+  intel_path = "api/v1/versions/#{spec.name}.json"
+
+  full_name = if spec.platform.to_s == 'ruby'
+    "#{spec.name}-#{spec.version}.gem"
+  else
+    "#{spec.name}-#{spec.version}-#{spec.platform}.gem"
+  end
+
+  details = URI.parse("https://rubygems.org/#{intel_path}").read
+
+  raise 'Invalid RubyGems API response' if details.empty?
+
+  version = JSON.parse(details).find do |version|
+    version.fetch('number') == spec.version.to_s &&
+      version.fetch('platform') == spec.platform.to_s
+  end
+
+  version || raise("#{full_name} not found in the RubyGems API response")
+
+  candidates = CACHE_DIRS
+    .map { |dir| File.join(dir, full_name) }
+    .select { |path| File.exist?(path) }
+
+  if candidates.empty?
+    puts "\033[0;33m[WARN]\033[0m #{full_name} was not found in cache locations, maybe it is a stdlib gem?"
+    next
+  end
+
+  candidates.each do |full_path|
+    sha = Digest::SHA2.new
+
+    File.open(full_path) do |f|
+      while chunk = f.read(256)
+        sha << chunk
+      end
+    end
+
+
+    if version.fetch('sha') == sha.hexdigest
+      puts "\033[0;32m[OK]\033[0m #{full_path}"
+    else
+      puts "\033[0;31m[FAILURE]\033[0m"
+      puts "Checksum verification for #{full_path} failed!"
+
+      exit 1
+    end
+  end
+end
+
+puts "\033[0;32m[OK]\033[0m Congratulations, you're safe and sound!"
+puts "\033[0;32m[OK]\033[0m Maciej Mensfeld and the WhiteSource team wishes you a good day!"

metadata

@@ -0,0 +1,47 @@
+--- !ruby/object:Gem::Specification
+name: bundler-integrity
+version: !ruby/object:Gem::Version
+  version: 1.0.1
+platform: ruby
+authors:
+- Maciej Mensfeld
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2022-05-11 00:00:00.000000000 Z
+dependencies: []
+description: Gem to verify integrity of packages installed via Bundler
+email:
+- maciej@mensfeld.pl
+executables:
+- bundler-integrity
+extensions: []
+extra_rdoc_files: []
+files:
+- bin/bundler-integrity
+homepage: https://whitesourcesoftware.com
+licenses:
+- MIT
+metadata:
+  source_code_uri: https://github.com/diffend/bundler-integrity
+  rubygems_mfa_required: 'true'
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '2.5'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.2
+signing_key: 
+specification_version: 4
+summary: Gem to verify integrity of packages installed via Bundler
+test_files: []