bundler-leak 0.0.0

data/ChangeLog.md

@@ -0,0 +1,125 @@
+### 0.6.0 / 2017-07-18
+
+* Added `--quiet` option to `check` and `update` commands (@jaredbeck).
+* Added `bin/bundler-audit` which will be executed when `bundle audit` is ran
+  (@vassilevsky).
+
+### 0.5.0 / 2016-02-28
+
+* Added {Bundler::Audit::Task}.
+* Added {Bundler::Audit::Advisory#date}.
+* Added {Bundler::Audit::Advisory#cve_id}.
+* Added {Bundler::Audit::Advisory#osvdb_id}.
+* Allow insecure gem sources (`http://` and `git://`), if they are hosted on a
+  private network.
+
+#### CLI
+
+* Added the `--update` option to `bundle-audit check`.
+* `bundle-audit update` now returns a non-zero exit status on error.
+* `bundle-audit update` only updates `~/.local/share/ruby-advisory-db`, if it is a git
+  repository.
+
+### 0.4.0 / 2015-06-30
+
+* Require ruby >= 1.9.3 due to i18n gem deprecating < 1.9.3.
+* Added {Bundler::Audit::Advisory#osvdb}.
+* Resolve the IP addresses of gem sources and ignore intranet gem sources.
+  (PR #90)
+* Use ISO8601 date format when querying the git timestamp of ruby-advisory-db.
+  (PR #92)
+
+#### CLI
+
+* Print the CVE or OSVDB id.
+* No longer print "Unpatched versions found!" when an insecure gem source
+  is detected. (PR #84)
+
+### 0.3.1 / 2014-04-20
+
+* Added thor ~> 0.18 as a dependency.
+* No longer rely on the vendored version of thor within bundler.
+* Store the timestamp of when `data/ruby-advisory-db` was last updated in
+  `data/ruby-advisory-db.ts`.
+* Use `data/ruby-advisory-db.ts` instead of the creation time of the
+  `dataruby-advisory-db` directory, which is always the install time
+  of the rubygem.
+
+### 0.3.0 / 2013-10-31
+
+* Added {Bundler::Audit::Database.update!} which uses `git` to download
+  [ruby-advisory-db] to `~/.local/share/ruby-advisory-db`.
+* {Bundler::Audit::Database.path} now returns the path to either
+  `~/.local/share/ruby-advisory-db` or the vendored copy, depending on which
+  is more recent.
+
+#### CLI
+
+* Added the `bundle-audit update` sub-command.
+
+### 0.2.0 / 2013-03-05
+
+* Require RubyGems >= 1.8.0. Prior versions of RubyGems could not correctly
+  parse approximate version requirements (`~> 1.2.3`).
+* Updated the [ruby-advisory-db].
+* Added {Bundler::Audit::Advisory#unaffected_versions}.
+* Added {Bundler::Audit::Advisory#unaffected?}.
+* Added {Bundler::Audit::Advisory#patched?}.
+* Renamed `Advisory#cve` to {Bundler::Audit::Advisory#id}.
+
+### 0.1.2 / 2013-02-17
+
+* Require [bundler] ~> 1.2.
+* Vendor a full copy of the [ruby-advisory-db].
+* Added {Bundler::Audit::Advisory#path} for debugging purposes.
+* Added {Bundler::Audit::Advisory#to_s} for debugging purposes.
+
+#### CLI
+
+* Simply parse the `Gemfile.lock` instead of loading the bundle (@grosser).
+* Exit with non-zero status on failure (@grosser).
+
+### 0.1.1 / 2013-02-12
+
+* Fixed a Ruby 1.8 syntax error.
+
+### Advisories
+
+* Imported advisories from the [Ruby Advisory DB][ruby-advisory-db].
+  * [CVE-2011-0739](http://www.osvdb.org/show/osvdb/70667)
+  * [CVE-2012-2139](http://www.osvdb.org/show/osvdb/81631)
+  * [CVE-2012-2140](http://www.osvdb.org/show/osvdb/81632)
+  * [CVE-2012-267](http://osvdb.org/83077)
+  * [CVE-2012-1098](http://osvdb.org/79726)
+  * [CVE-2012-1099](http://www.osvdb.org/show/osvdb/79727)
+  * [CVE-2012-2660](http://www.osvdb.org/show/osvdb/82610)
+  * [CVE-2012-2661](http://www.osvdb.org/show/osvdb/82403)
+  * [CVE-2012-3424](http://www.osvdb.org/show/osvdb/84243)
+  * [CVE-2012-3463](http://osvdb.org/84515)
+  * [CVE-2012-3464](http://www.osvdb.org/show/osvdb/84516)
+  * [CVE-2012-3465](http://www.osvdb.org/show/osvdb/84513)
+
+### CLI
+
+* If the advisory has no `patched_versions`, recommend removing or disabling
+  the gem until a patch is made available.
+
+### 0.1.0 / 2013-02-11
+
+* Initial release:
+  * Checks for vulnerable versions of gems in `Gemfile.lock`.
+  * Prints advisory information.
+  * Does not require a network connection.
+
+#### Advisories
+
+* [CVE-2013-0269](http://direct.osvdb.org/show/osvdb/90074)
+* [CVE-2013-0263](http://osvdb.org/show/osvdb/89939)
+* [CVE-2013-0155](http://osvdb.org/show/osvdb/89025)
+* [CVE-2013-0156](http://osvdb.org/show/osvdb/89026)
+* [CVE-2013-0276](http://direct.osvdb.org/show/osvdb/90072)
+* [CVE-2013-0277](http://direct.osvdb.org/show/osvdb/90073)
+* [CVE-2013-0333](http://osvdb.org/show/osvdb/89594)
+
+[bundler]: http://gembundler.com/
+[ruby-advisory-db]: https://github.com/rubysec/ruby-advisory-db#readme

data/Gemfile

@@ -0,0 +1,15 @@
+source 'https://rubygems.org/'
+
+gemspec
+
+group :development do
+  gem 'rake'
+  gem 'kramdown',       '~> 0.14'
+
+  gem 'rubygems-tasks', '~> 0.2'
+  gem 'rspec',          '~> 3.0'
+  gem 'yard',           '~> 0.9'
+  gem 'simplecov',      '~> 0.7', :require => false
+end
+
+gem "byebug", "~> 11.0", :groups => [:development, :test]

data/README.md

@@ -0,0 +1,118 @@
+# bundler-leak
+
+* [Homepage](https://github.com/rubymem/bundler-leak#readme)
+* [Issues](https://github.com/rubymem/bundler-leak/issues)
+* [Documentation](http://rubydoc.info/gems/bundler-leak/frames)
+* [Email](mailto:hello at ombulabs.com)
+* [![Build Status](https://travis-ci.org/rubymem/bundler-leak.svg?branch=master)](https://travis-ci.org/rubymem/bundler-leak)
+* [![Code Climate](https://codeclimate.com/github/rubymem/bundler-leak.svg)](https://codeclimate.com/github/rubymem/bundler-leak)
+
+## Description
+
+Patch-level verification for [bundler].
+
+## Features
+
+* Checks for memory leaks of gems in `Gemfile.lock`.
+* Prints memory leak information.
+* Does not require a network connection.
+
+## Synopsis
+
+Audit a project's `Gemfile.lock`:
+
+```shell
+    $ bundle leak
+
+    Name: celluloid
+    Version: 0.17.0
+    URL: https://github.com/celluloid/celluloid/issues/670
+    Title: Memory Leak using Celluloid::Future
+    Solution: remove or disable this gem until a patch is available!
+
+    Name: therubyracer
+    Version: 0.12.1
+    URL: https://github.com/cowboyd/therubyracer/pull/336
+    Title: Memory leak in WeakValueMap
+    Solution: upgrade to ~> 0.12.3
+
+    Unpatched versions found!
+```
+
+Update the [ruby-mem-advisory-db] that `bundle leak` uses:
+
+```shell
+    $ bundle leak update
+
+    cd data/ruby-mem-advisory-db
+    git pull origin master
+    remote: Enumerating objects: 14, done.
+    remote: Counting objects: 100% (14/14), done.
+    remote: Compressing objects: 100% (4/4), done.
+    remote: Total 9 (delta 5), reused 7 (delta 4), pack-reused 0
+    Unpacking objects: 100% (9/9), done.
+    From github.com:rubymem/ruby-mem-advisory-db
+     * branch            master     -> FETCH_HEAD
+       3254525..c4fc78e  master     -> origin/master
+    Updating 3254525..c4fc78e
+    Fast-forward
+     README.md                 | 68 ++++++++++++++++++++------------------------------------------------
+     gems/therubyracer/336.yml |  4 ++++
+     2 files changed, 24 insertions(+), 48 deletions(-)
+```
+
+Update the [ruby-mem-advisory-db] and check `Gemfile.lock` (useful for CI runs):
+
+    $ bundle leak check --update
+
+Rake task:
+
+```ruby
+require 'bundler/plumber/task'
+Bundler::Plumber::Task.new
+
+task default: 'bundle:leak'
+```
+
+## Requirements
+
+* [ruby] >= 1.9.3
+* [rubygems] >= 1.8
+* [thor] ~> 0.18
+* [bundler] ~> 1.2
+
+## Install
+
+    $ gem install bundler-leak
+
+## Contributing
+
+1. Clone the repo
+1. `git submodule update --init` # To populate data dir.
+1. `bundle exec rake`
+
+## License
+
+Copyright (c) 2019 Ombulabs (hello at ombulabs.com)
+
+Copyright (c) 2013-2016 Hal Brodigan (postmodern.mod3 at gmail.com)
+
+bundler-leak is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+bundler-leak is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with bundler-leak.  If not, see <http://www.gnu.org/licenses/>.
+
+[ruby]: https://ruby-lang.org
+[rubygems]: https://rubygems.org
+[thor]: http://whatisthor.com/
+[bundler]: https://github.com/carlhuda/bundler#readme
+
+[ruby-mem-advisory-db]: https://github.com/rubymem/ruby-mem-advisory-db

data/Rakefile

@@ -0,0 +1,57 @@
+# encoding: utf-8
+
+require 'rubygems'
+
+begin
+  require 'bundler/setup'
+rescue LoadError => e
+  abort e.message
+end
+
+require 'rake'
+require 'time'
+
+require 'rubygems/tasks'
+Gem::Tasks.new
+
+namespace :db do
+  desc 'Updates data/ruby-mem-advisory-db'
+  task :update do
+    timestamp = nil
+
+    chdir 'data/ruby-mem-advisory-db' do
+      sh 'git', 'pull', 'origin', 'master'
+
+      File.open('../ruby-mem-advisory-db.ts','w') do |file|
+        file.write Time.parse(`git log --pretty="%cd" -1`).utc
+      end
+    end
+
+    sh 'git', 'commit', 'data/ruby-mem-advisory-db',
+                        'data/ruby-mem-advisory-db.ts',
+                        '-m', 'Updated ruby-mem-advisory-db'
+  end
+end
+
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new
+
+namespace :spec do
+  task :bundle do
+    root = 'spec/bundle'
+
+    %w[secure unpatched_gems insecure_sources].each do |bundle|
+      chdir(File.join(root,bundle)) do
+        sh 'unset BUNDLE_BIN_PATH BUNDLE_GEMFILE RUBYOPT && bundle install --path ../../../vendor/bundle'
+      end
+    end
+  end
+end
+task :spec => 'spec:bundle'
+
+task :test    => :spec
+task :default => :spec
+
+require 'yard'
+YARD::Rake::YardocTask.new  
+task :doc => :yard

data/bin/bundle-leak

@@ -0,0 +1,10 @@
+#!/usr/bin/env ruby
+
+require 'rubygems'
+
+lib_dir = File.expand_path(File.join(File.dirname(__FILE__),'..','lib'))
+$LOAD_PATH << lib_dir unless $LOAD_PATH.include?(lib_dir)
+
+require 'bundler/plumber/cli'
+
+Bundler::Plumber::CLI.start

data/bin/bundler-leak

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+
+load File.expand_path('../bundle-leak', __FILE__)

data/bundler-leak.gemspec

@@ -0,0 +1,67 @@
+# encoding: utf-8
+
+require 'yaml'
+
+Gem::Specification.new do |gem|
+  gemspec = YAML.load_file('gemspec.yml')
+
+  gem.name    = gemspec.fetch('name')
+  gem.version = gemspec.fetch('version') do
+                  lib_dir = File.join(File.dirname(__FILE__),'lib')
+                  $LOAD_PATH << lib_dir unless $LOAD_PATH.include?(lib_dir)
+
+                  require 'bundler/plumber/version'
+                  Bundler::Plumber::VERSION
+                end
+
+  gem.summary     = gemspec['summary']
+  gem.description = gemspec['description']
+  gem.licenses    = Array(gemspec['license'])
+  gem.authors     = Array(gemspec['authors'])
+  gem.email       = gemspec['email']
+  gem.homepage    = gemspec['homepage']
+
+  glob = lambda { |patterns| gem.files & Dir[*patterns] }
+
+  gem.files = `git ls-files`.split($/)
+  gem.files = glob[gemspec['files']] if gemspec['files']
+
+  # add paths from data/ruby-mem-advisory-db/
+  gem.files += Dir.chdir('data/ruby-mem-advisory-db') do
+    `git ls-files`.split($/).map do |sub_path|
+      File.join('data','ruby-mem-advisory-db',sub_path)
+    end
+  end
+
+  gem.executables = gemspec.fetch('executables') do
+    glob['bin/*'].map { |path| File.basename(path) }
+  end
+  gem.default_executable = gem.executables.first if Gem::VERSION < '1.7.'
+
+  gem.extensions       = glob[gemspec['extensions'] || 'ext/**/extconf.rb']
+  gem.test_files       = glob[gemspec['test_files'] || '{test/{**/}*_test.rb']
+  gem.extra_rdoc_files = glob[gemspec['extra_doc_files'] || '*.{txt,md}']
+
+  gem.require_paths = Array(gemspec.fetch('require_paths') {
+    %w[ext lib].select { |dir| File.directory?(dir) }
+  })
+
+  gem.requirements              = gemspec['requirements']
+  gem.required_ruby_version     = gemspec['required_ruby_version']
+  gem.required_rubygems_version = gemspec['required_rubygems_version']
+  gem.post_install_message      = gemspec['post_install_message']
+
+  split = lambda { |string| string.split(/,\s*/) }
+
+  if gemspec['dependencies']
+    gemspec['dependencies'].each do |name,versions|
+      gem.add_dependency(name,split[versions])
+    end
+  end
+
+  if gemspec['development_dependencies']
+    gemspec['development_dependencies'].each do |name,versions|
+      gem.add_development_dependency(name,split[versions])
+    end
+  end
+end

data/data/ruby-mem-advisory-db.ts

@@ -0,0 +1 @@
+2019-08-08 21:11:00 UTC

data/data/ruby-mem-advisory-db/.gitignore

@@ -0,0 +1 @@
+_site

data/data/ruby-mem-advisory-db/.rspec

@@ -0,0 +1 @@
+--colour

data/data/ruby-mem-advisory-db/.travis.yml

@@ -0,0 +1,12 @@
+language: ruby
+
+sudo: false
+
+cache: bundler
+
+notifications:
+  irc: chat.freenode.net#rubysec
+
+env:
+  global:
+  - secure: ZXwsZdbCej15IcIazEIjy12o5v5EI8/Hle/VP1EabfbHsA5Mw+lrliMAV80C8Iy+p4mI66WIO/3Ovm64L1nGDBGs3dKUjtDvNPCKHlK2xK7AhvkcJnzbjWTAzWZY17STJO45DUdr/vuVbvQZ8llLosSOBs+grGsszCSEIOibqjU=

data/data/ruby-mem-advisory-db/CONTRIBUTING.md

@@ -0,0 +1,69 @@
+# Contributing Guidelines
+
+* All text must be within 80 columns.
+* YAML must be indented by 2 spaces.
+* Have any questions? Feel free to open an issue.
+* Prior to submitting a pull request, run the tests:
+
+```
+bundle install
+bundle exec rspec
+```
+
+* Follow the schema. Here is an example advisory:
+
+```yaml
+    ---
+    gem: examplegem
+    cve: 2013-0156
+    url: https://github.com/rubysec/ruby-advisory-db/issues/123456
+    title: |
+      Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing
+      Remote Code Execution
+
+    description: |
+      Ruby on Rails contains a flaw in params_parser.rb of the Action Pack.
+      The issue is triggered when a type casting error occurs during the parsing
+      of parameters. This may allow a remote attacker to potentially execute
+      arbitrary code.
+
+    cvss_v2: 10.0
+
+    patched_versions:
+      - ~> 2.3.15
+      - ~> 3.0.19
+      - ~> 3.1.10
+      - ">= 3.2.11"
+    unaffected_versions:
+      - ~> 2.4.3
+
+    related:
+      cve:
+        - 2013-1234567
+        - 2013-1234568
+      url:
+        - https://github.com/rubysec/ruby-advisory-db/issues/123457
+
+```
+### Schema
+
+* `gem` \[String\]: Name of the affected gem.
+* `framework` \[String\] (optional): Name of framework gem belongs to.
+* `platform` \[String\] (optional): If this vulnerability is platform-specific, name of platform this vulnerability affects (e.g. JRuby)
+* `cve` \[String\]: CVE id.
+* `osvdb` \[Integer\]: OSVDB id.
+* `url` \[String\]: The URL to the full advisory.
+* `title` \[String\]: The title of the advisory.
+* `date` \[Date\]: Disclosure date of the advisory.
+* `description` \[String\]: Multi-paragraph description of the vulnerability.
+* `cvss_v2` \[Float\]: The [CVSSv2] score for the vulnerability.
+* `cvss_v3` \[Float\]: The [CVSSv3] score for the vulnerability.
+* `unaffected_versions` \[Array\<String\>\] (optional): The version requirements for the
+  unaffected versions of the Ruby library.
+* `patched_versions` \[Array\<String\>\]: The version requirements for the
+  patched versions of the Ruby library.
+* `related` \[Hash\<Array\<String\>\>\]: Sometimes an advisory references many urls and cves. Supported keys: `cve` and `url`
+
+
+[CVSSv2]: https://www.first.org/cvss/v2/guide
+[CVSSv3]: https://www.first.org/cvss/user-guide