bundler-integrity 1.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/bin/bundler-integrity +78 -0
- metadata +47 -0
checksums.yaml
ADDED
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
---
|
|
2
|
+
SHA256:
|
|
3
|
+
metadata.gz: 56043f72f95a5cb20c2a59e7e474a8d13dd535291468a87afc7ee4bdde800d12
|
|
4
|
+
data.tar.gz: 65aae4ede8e596a4f0d41ee0d4e94a64102e83cd2748d40ee7c464969c811b1b
|
|
5
|
+
SHA512:
|
|
6
|
+
metadata.gz: c072ac10c9ea9179e6d6829446d29e6c8413a3f4d632d36c859065da3a16bdcbec521358fa25cc66d8f36659e22d58a11cdd47ca1f7c9bdf8f7e6d1a290f62d6
|
|
7
|
+
data.tar.gz: af4ff12cc1b7d1fc9ec184c699c658afa6463bdfdf67848c22dc125f5fc91ba159d04302dc8ac3c71b722817011374aedb177cf65589daa68a07ff994334fa89
|
|
@@ -0,0 +1,78 @@
|
|
|
1
|
+
#!/usr/bin/env ruby
|
|
2
|
+
|
|
3
|
+
# This script checks the integrity of gems in your projects against RubyGems API
|
|
4
|
+
# It will detect any invalid packages potentially affected by the cache poison CVE.
|
|
5
|
+
|
|
6
|
+
# Built by Maciej Mensfeld@WhiteSource
|
|
7
|
+
|
|
8
|
+
require 'bundler'
|
|
9
|
+
require 'json'
|
|
10
|
+
require 'open-uri'
|
|
11
|
+
require 'digest/sha2'
|
|
12
|
+
|
|
13
|
+
# Packages cache paths candidates (we will check all)
|
|
14
|
+
CACHE_DIRS = [
|
|
15
|
+
Bundler::RubygemsIntegration.new.gem_cache,
|
|
16
|
+
::Bundler.app_cache
|
|
17
|
+
].tap(&:flatten!).freeze
|
|
18
|
+
|
|
19
|
+
::Bundler.configure
|
|
20
|
+
::Bundler::Fetcher.disable_endpoint = nil
|
|
21
|
+
|
|
22
|
+
deps = ::Bundler::Definition
|
|
23
|
+
.build(Bundler.default_gemfile, Bundler.default_lockfile, nil)
|
|
24
|
+
.tap(&:validate_runtime!)
|
|
25
|
+
|
|
26
|
+
|
|
27
|
+
deps.specs.each do |spec|
|
|
28
|
+
intel_path = "api/v1/versions/#{spec.name}.json"
|
|
29
|
+
|
|
30
|
+
full_name = if spec.platform.to_s == 'ruby'
|
|
31
|
+
"#{spec.name}-#{spec.version}.gem"
|
|
32
|
+
else
|
|
33
|
+
"#{spec.name}-#{spec.version}-#{spec.platform}.gem"
|
|
34
|
+
end
|
|
35
|
+
|
|
36
|
+
details = URI.parse("https://rubygems.org/#{intel_path}").read
|
|
37
|
+
|
|
38
|
+
raise 'Invalid RubyGems API response' if details.empty?
|
|
39
|
+
|
|
40
|
+
version = JSON.parse(details).find do |version|
|
|
41
|
+
version.fetch('number') == spec.version.to_s &&
|
|
42
|
+
version.fetch('platform') == spec.platform.to_s
|
|
43
|
+
end
|
|
44
|
+
|
|
45
|
+
version || raise("#{full_name} not found in the RubyGems API response")
|
|
46
|
+
|
|
47
|
+
candidates = CACHE_DIRS
|
|
48
|
+
.map { |dir| File.join(dir, full_name) }
|
|
49
|
+
.select { |path| File.exist?(path) }
|
|
50
|
+
|
|
51
|
+
if candidates.empty?
|
|
52
|
+
puts "\033[0;33m[WARN]\033[0m #{full_name} was not found in cache locations, maybe it is a stdlib gem?"
|
|
53
|
+
next
|
|
54
|
+
end
|
|
55
|
+
|
|
56
|
+
candidates.each do |full_path|
|
|
57
|
+
sha = Digest::SHA2.new
|
|
58
|
+
|
|
59
|
+
File.open(full_path) do |f|
|
|
60
|
+
while chunk = f.read(256)
|
|
61
|
+
sha << chunk
|
|
62
|
+
end
|
|
63
|
+
end
|
|
64
|
+
|
|
65
|
+
|
|
66
|
+
if version.fetch('sha') == sha.hexdigest
|
|
67
|
+
puts "\033[0;32m[OK]\033[0m #{full_path}"
|
|
68
|
+
else
|
|
69
|
+
puts "\033[0;31m[FAILURE]\033[0m"
|
|
70
|
+
puts "Checksum verification for #{full_path} failed!"
|
|
71
|
+
|
|
72
|
+
exit 1
|
|
73
|
+
end
|
|
74
|
+
end
|
|
75
|
+
end
|
|
76
|
+
|
|
77
|
+
puts "\033[0;32m[OK]\033[0m Congratulations, you're safe and sound!"
|
|
78
|
+
puts "\033[0;32m[OK]\033[0m Maciej Mensfeld and the WhiteSource team wishes you a good day!"
|
metadata
ADDED
|
@@ -0,0 +1,47 @@
|
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
|
2
|
+
name: bundler-integrity
|
|
3
|
+
version: !ruby/object:Gem::Version
|
|
4
|
+
version: 1.0.1
|
|
5
|
+
platform: ruby
|
|
6
|
+
authors:
|
|
7
|
+
- Maciej Mensfeld
|
|
8
|
+
autorequire:
|
|
9
|
+
bindir: bin
|
|
10
|
+
cert_chain: []
|
|
11
|
+
date: 2022-05-11 00:00:00.000000000 Z
|
|
12
|
+
dependencies: []
|
|
13
|
+
description: Gem to verify integrity of packages installed via Bundler
|
|
14
|
+
email:
|
|
15
|
+
- maciej@mensfeld.pl
|
|
16
|
+
executables:
|
|
17
|
+
- bundler-integrity
|
|
18
|
+
extensions: []
|
|
19
|
+
extra_rdoc_files: []
|
|
20
|
+
files:
|
|
21
|
+
- bin/bundler-integrity
|
|
22
|
+
homepage: https://whitesourcesoftware.com
|
|
23
|
+
licenses:
|
|
24
|
+
- MIT
|
|
25
|
+
metadata:
|
|
26
|
+
source_code_uri: https://github.com/diffend/bundler-integrity
|
|
27
|
+
rubygems_mfa_required: 'true'
|
|
28
|
+
post_install_message:
|
|
29
|
+
rdoc_options: []
|
|
30
|
+
require_paths:
|
|
31
|
+
- lib
|
|
32
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
|
33
|
+
requirements:
|
|
34
|
+
- - ">="
|
|
35
|
+
- !ruby/object:Gem::Version
|
|
36
|
+
version: '2.5'
|
|
37
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
38
|
+
requirements:
|
|
39
|
+
- - ">="
|
|
40
|
+
- !ruby/object:Gem::Version
|
|
41
|
+
version: '0'
|
|
42
|
+
requirements: []
|
|
43
|
+
rubygems_version: 3.1.2
|
|
44
|
+
signing_key:
|
|
45
|
+
specification_version: 4
|
|
46
|
+
summary: Gem to verify integrity of packages installed via Bundler
|
|
47
|
+
test_files: []
|