bundler-leak 0.0.0

data/data/ruby-mem-advisory-db/CONTRIBUTORS.md

@@ -0,0 +1,40 @@
+### Acknowledgements
+
+This database would not be possible without volunteers willing to submit pull requests. In no particular order, we'd like to thank:
+
+* [Postmodern](https://github.com/postmodern/)
+* [Max Veytsman](https://twitter.com/mveytsman)
+* [Pietro Monteiro](https://github.com/pietro)
+* [Eric Hodel](https://github.com/drbrain)
+* [Brendon Murphy](https://github.com/bemurphy)
+* [Oliver Legg](https://github.com/olly)
+* [Larry W. Cashdollar](http://vapid.dhs.org/)
+* [Michael Grosser](https://github.com/grosser)
+* [Sascha Korth](https://github.com/skorth)
+* [David Radcliffe](https://github.com/dwradcliffe)
+* [Jörg Schiller](https://github.com/joergschiller)
+* [Derek Prior](https://github.com/derekprior)
+* [Joel Chippindale](https://github.com/mocoso)
+* [Josef Šimánek](https://github.com/simi)
+* [Amiel Martin](https://github.com/amiel)
+* [Jeremy Olliver](https://github.com/jeremyolliver)
+* [Vasily Vasinov](https://github.com/vasinov)
+* [Phill MV](https://twitter.com/phillmv)
+* [Jon Kessler](https://github.com/jonkessler)
+* [James Harton](https://github.com/jamesotron)
+* [Justin Collins](https://github.com/presidentbeef)
+* [Andy Brody](https://github.com/ab)
+* [Alexey Zapparov](https://github.com/ixti)
+* [Toni Reina](https://github.com/areina)
+* [Bernard Lambeau](https://github.com/blambeau)
+* [Don Morrison](https://github.com/elskwid)
+* [John Poulin](https://github.com/forced-request)
+* [Neal Harris](https://github.com/nealharris)
+* [Justin Bull](https://github.com/f3ndot)
+* [Andrew Selder](https://github.com/aselder)
+* [Vanessa Henderson](https://github.com/VanessaHenderson)
+* [Reed Loden](https://github.com/reedloden)
+* [ecneladis](https://github.com/ecneladis)
+* [Brendan Coles](https://github.com/bcoles)
+
+The rubysec.com domain was graciously donated by [Jordi Massaguer](https://github.com/jordimassaguerpla).

data/data/ruby-mem-advisory-db/Gemfile

@@ -0,0 +1,9 @@
+source 'https://rubygems.org'
+
+gem 'rspec'
+gem 'rake'
+
+group :development do
+  gem 'pry'
+  gem 'nokogiri'
+end

data/data/ruby-mem-advisory-db/LICENSE.txt

@@ -0,0 +1,5 @@
+If you submit code or data to the ruby-advisory-db that is copyrighted by yourself, upon submission you hereby agree to release it into the public domain.
+
+However, not all of the ruby-advisory-db can be considered public domain. The ruby-advisory-db may contain some information copyrighted by the Open Source Vulnerability Database (http://osvdb.org). If you use ruby-advisory-db data to build a product or a service, it is your responsibility to familiarize yourself with the terms of their license: http://www.osvdb.org/osvdb_license
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/data/ruby-mem-advisory-db/README.md

@@ -0,0 +1,72 @@
+# Ruby Advisory Database
+
+The Ruby Mem Database is a community effort to compile all memory leaks that are relevant to Ruby gems.
+
+You can check your own Gemfile.locks against this database by using [bundler-leak](https://github.com/rubymem/bundler-leak).
+
+## Support Ruby security!
+
+Do you know about a memory leak that isn't listed in this database? Open an issue, submit a PR, or [use this form](https://rubymem.com/advisories/new) which will email the maintainers.
+
+## Directory Structure
+
+The database is a list of directories that match the names of Ruby libraries on
+[rubygems.org]. Within each directory are one or more files
+for the Ruby library. These  files are named using
+the advisories can be named however you want, in this example it is named after the PR number in github.
+
+    gems/:
+      celluloid/:
+        612.yml
+
+
+## Format
+
+Each file contains the information in [YAML] format:
+
+    ---
+    gem: examplegem
+    url: https://github.com/celluloid/celluloid/issues/670
+    title: Memory Leak using Examplegem::Future
+    date: 2015-08-31
+    description: |
+      The ExampleGem::Group::Spawner appears to never clean up the completed Threads
+      that it creates.
+    leaky_versions:
+      - "> 0.16.0, < 0.17.2
+    patched_versions:
+      - "~> 0.17.3"
+    unaffected_versions:
+      - < 0.16.0
+
+
+### Schema
+
+* `gem` \[String\]: Name of the affected gem.
+* `framework` \[String\] (optional): Name of the framework which the affected
+  gem belongs to.
+* `platform` \[String\] (optional): If this vulnerability is platform-specific, name of platform this vulnerability affects (e.g. jruby)
+* `url` \[String\]: The URL to the full advisory.
+* `title` \[String\]: The title of the advisory or individual vulnerability.
+* `date` \[Date\]: The public disclosure date of the advisory.
+* `description` \[String\]: One or more paragraphs describing the vulnerability.
+* `unaffected_versions` \[Array\<String\>\] (optional): The version requirements for the
+  unaffected versions of the Ruby library.
+* `patched_versions` \[Array\<String\>\]: The version requirements for the
+  patched versions of the Ruby library.
+
+### Tests
+Prior to submitting a pull request, run the tests:
+
+```
+bundle install
+bundle exec rspec
+```
+
+## Credits
+
+Please see [CONTRIBUTORS.md].
+
+[rubygems.org]: https://rubygems.org/
+[YAML]: http://www.yaml.org/
+[CONTRIBUTORS.md]: https://github.com/rubymem/ruby-mem-advisory-db/blob/master/CONTRIBUTORS.md

data/data/ruby-mem-advisory-db/Rakefile

@@ -0,0 +1,26 @@
+require 'yaml'
+
+namespace :lint do
+  begin
+    require 'rspec/core/rake_task'
+
+    RSpec::Core::RakeTask.new(:yaml)
+  rescue LoadError => e
+    task :spec do
+      abort "Please run `gem install rspec` to install RSpec."
+    end
+  end
+
+  task :cve do
+    Dir.glob('{gems,libraries,rubies}/*/*.yml') do |path|
+      advisory = YAML.load_file(path)
+
+      unless advisory['cve']
+        puts "Missing CVE: #{path}"
+      end
+    end
+  end
+end
+
+task :lint    => ['lint:yaml', 'lint:cve']
+task :default => :lint

data/data/ruby-mem-advisory-db/gems/celluloid/670.yml

@@ -0,0 +1,10 @@
+---
+gem: celluloid
+url: https://github.com/celluloid/celluloid/issues/670
+title: Memory Leak using Celluloid::Future
+date: 2015-08-31
+description: |
+  The Celluloid::Group::Spawner appears to never clean up the completed Threads
+  that it creates.
+leaky_versions:
+  - "> 0.16.0, < 0.17.2"

data/data/ruby-mem-advisory-db/gems/grape/301.yml

@@ -0,0 +1,9 @@
+---
+gem: grape
+url: https://github.com/ruby-grape/grape/issues/301
+title: Memory leak in formatter middleware
+date: 2012-12-27
+description: |
+  The call for .to_sym will leak the symbol since those are never garbage collected. Malicious users can abuse.
+leaky_versions:
+  - "< 0.2.5"

data/data/ruby-mem-advisory-db/gems/oj/229.yml

@@ -0,0 +1,9 @@
+---
+gem: oj
+url: https://github.com/ohler55/oj/issues/229
+title: Memory Leak using Oj::Doc.open
+date: 2015-04-18
+description: |
+ Oj::Doc.open steadily increases memory usage.
+leaky_versions:
+  - "< 2.12.4"

data/data/ruby-mem-advisory-db/gems/redcarpet/516.yml

@@ -0,0 +1,12 @@
+---
+gem: redcarpet
+url: https://github.com/vmg/redcarpet/pull/516
+title: Memory Leak in Redcarpet::Render::Base
+date: 2015-09-11
+description: |
+ rb_redcarpet_rbase_alloc used to allocate a struct rb_redcarpet_rndr instance
+ which was never freed.
+
+ This caused 312 leaked bytes (on a 64-bit machine) on every render call
+leaky_versions:
+  - "< 3.3.3"

data/data/ruby-mem-advisory-db/gems/redis/612.yml

@@ -0,0 +1,9 @@
+---
+gem: redis
+url: https://github.com/redis/redis-rb/issues/612
+title: Memory Leak using Celluloid::Future
+date: 2016-04-25
+description: |
+ write_timeout results in lots of short-lived threads created, since each timeout block creates a separate thread. Now every write to Redis requires the creation of a new Thread.
+leaky_versions:
+  - "= 3.3.0"

data/data/ruby-mem-advisory-db/gems/sidekiq-statistic/73.yml

@@ -0,0 +1,9 @@
+---
+gem: sidekiq-statistic
+url: https://github.com/davydovanton/sidekiq-statistic/issues/73
+title: Memory Leak since timeslist does not expire
+date: 2015-09-15
+description: |
+  The timeslist should be expired after some amount of time and the times aggregated into a much more compact form.
+leaky_versions:
+  - "<= 1.2"

data/data/ruby-mem-advisory-db/gems/sidekiq/2598.yml

@@ -0,0 +1,9 @@
+---
+gem: sidekiq
+url: https://github.com/mperham/sidekiq/pull/2598
+title: Memory Leak in Sidekiq::Manager#real_thread
+date: 2015-10-09
+description: |
+  Before starting to execute the task, Processor does an async call to Manager (real_thread method) to add processor's thread to @threads hash in Manager
+leaky_versions:
+  - "< 3.5.1"

data/data/ruby-mem-advisory-db/gems/therubyracer/336.yml

@@ -0,0 +1,13 @@
+---
+gem: therubyracer
+url: https://github.com/cowboyd/therubyracer/pull/336
+title: Memory leak in WeakValueMap
+date: 2015-03-31
+description: |
+  Entries were not being cleaned up correctly from the backing store.
+leaky_versions:
+  - "< 0.12.2"
+unaffected_versions:
+  - "~> 0.12.3"
+patched_versions:
+  - "~> 0.12.3"

data/data/ruby-mem-advisory-db/gems/zipruby/PRE-SA-2012-02.yml

@@ -0,0 +1,9 @@
+---
+gem: zipruby
+url: https://packetstormsecurity.com/files/111242/libzip-0.10-Heap-Overflow-Information-Leak.html
+title: Heap overflow, information leak
+date: 2012-03-21
+description: |
+ libzip  has two vulnerabilities that may lead to a heap overflow or an information leak via corrupted zip files.
+leaky_versions:
+  - "<= 0.3.6"

data/data/ruby-mem-advisory-db/scripts/post-advisories.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+
+set -o errexit -o nounset
+
+REPO="https://${GH_TOKEN}@github.com/rubysec/rubysec.github.io.git"
+DIR="_site"
+
+git clone $REPO $DIR
+
+cd $DIR
+
+git config user.name "RubySec CI"
+git config user.email "ci@rubysec.com"
+
+bundle install --jobs=3 --retry=3
+bundle exec rake advisories
+
+git push -q

data/data/ruby-mem-advisory-db/spec/advisories_spec.rb

@@ -0,0 +1,23 @@
+load File.join(File.dirname(__FILE__), 'spec_helper.rb')
+require 'gem_example'
+require 'library_example'
+require 'ruby_example'
+
+describe "gems" do
+  Dir.glob(File.join(File.dirname(__FILE__), '../gems/*/*')) do |path|
+    include_examples 'Gem Advisory', path
+  end
+end
+
+describe "libraries" do
+  Dir.glob(File.join(File.dirname(__FILE__), '../libraries/*/*')) do |path|
+    include_examples 'Libraries Advisory', path
+  end
+end
+
+describe "rubies" do
+  Dir.glob(File.join(File.dirname(__FILE__), '../rubies/*/*')) do |path|
+    include_examples 'Rubies Advisory', path
+  end
+end
+

data/data/ruby-mem-advisory-db/spec/advisory_example.rb

@@ -0,0 +1,209 @@
+load File.join(File.dirname(__FILE__), 'spec_helper.rb')
+require 'yaml'
+
+shared_examples_for 'Advisory' do |path|
+  advisory = YAML.load_file(path)
+
+  describe path do
+    let(:filename) { File.basename(path) }
+
+    let(:filename_cve) do
+      if filename.start_with?('CVE-')
+        filename.gsub('CVE-','')
+      end
+    end
+
+    let(:filename_osvdb) do
+      if filename.start_with?('OSVDB-')
+        filename.gsub('OSVDB-','')
+      end
+    end
+
+    it "should be correctly named CVE-XXX or OSVDB-XXX" do
+      expect(filename).
+        to match(/^(CVE-\d{4}-(0\d{3}|[1-9]\d{3,})|OSVDB-\d+)\.yml$/)
+    end
+
+    it "should have CVE or OSVDB" do
+      expect(advisory['cve'] || advisory['osvdb']).not_to be_nil
+    end
+
+    describe "framework" do
+      subject { advisory['framework'] }
+
+      it "may be nil or a String" do
+        expect(subject).to be_kind_of(String).or(be_nil)
+      end
+    end
+
+    describe "platform" do
+      subject { advisory['platform'] }
+
+      it "may be nil or a String" do
+        expect(subject).to be_kind_of(String).or(be_nil)
+      end
+    end
+
+    describe "cve" do
+      subject { advisory['cve'] }
+
+      it "may be nil or a String" do
+        expect(subject).to be_kind_of(String).or(be_nil)
+      end
+      it "should be id in filename if filename is CVE-XXX" do
+        if filename_cve
+          is_expected.to eq(filename_cve.chomp('.yml'))
+        end
+      end
+    end
+
+    describe "osvdb" do
+      subject { advisory['osvdb'] }
+
+      it "may be nil or a Integer" do
+        expect(subject).to be_kind_of(Integer).or(be_nil)
+      end
+
+       it "should be id in filename if filename is OSVDB-XXX" do
+        if filename_osvdb
+          is_expected.to eq(filename_osvdb.to_i)
+        end
+      end
+    end
+
+    describe "url" do
+      subject { advisory['url'] }
+
+      it { is_expected.to be_kind_of(String) }
+      it { is_expected.not_to be_empty }
+    end
+
+    describe "title" do
+      subject { advisory['title'] }
+
+      it { is_expected.to be_kind_of(String) }
+      it { is_expected.not_to be_empty }
+    end
+
+    describe "date" do
+      subject { advisory['date'] }
+
+      it { is_expected.to be_kind_of(Date) }
+    end
+
+    describe "description" do
+      subject { advisory['description'] }
+
+      it { is_expected.to be_kind_of(String) }
+      it { is_expected.not_to be_empty }
+    end
+
+    describe "cvss_v2" do
+      subject { advisory['cvss_v2'] }
+
+      it "may be nil or a Float" do
+        expect(subject).to be_kind_of(Float).or(be_nil)
+      end
+
+      case advisory['cvss_v2']
+      when Float
+        context "when a Float" do
+          it { expect((0.0)..(10.0)).to include(subject) }
+        end
+      end
+    end
+
+    describe "cvss_v3" do
+      subject { advisory['cvss_v3'] }
+
+      it "may be nil or a Float" do
+        expect(subject).to be_kind_of(Float).or(be_nil)
+      end
+
+      case advisory['cvss_v3']
+      when Float
+        context "when a Float" do
+          it { expect((0.0)..(10.0)).to include(subject) }
+        end
+      end
+
+      if advisory['cvss_v2']
+        it "should also provide a cvss_v2 score" do
+          expect(advisory['cvss_v2']).to_not be_nil
+        end
+      end
+    end
+
+    describe "patched_versions" do
+      subject { advisory['patched_versions'] }
+
+      it "may be nil or an Array" do
+        expect(subject).to be_kind_of(Array).or(be_nil)
+      end
+
+      describe "each patched version" do
+        if advisory['patched_versions']
+          advisory['patched_versions'].each do |version|
+            describe version do
+              subject { version.split(', ') }
+
+              it "should contain valid RubyGem version requirements" do
+                expect {
+                Gem::Requirement.new(*subject)
+                }.not_to raise_error
+              end
+            end
+          end
+        end
+      end
+    end
+
+    describe "unaffected_versions" do
+      subject { advisory['unaffected_versions'] }
+
+      it "may be nil or an Array" do
+        expect(subject).to be_kind_of(Array).or(be_nil)
+      end
+
+      case advisory['unaffected_versions']
+      when Array
+        advisory['unaffected_versions'].each do |version|
+          describe version do
+            subject { version.split(', ') }
+
+            it "should contain valid RubyGem version requirements" do
+              expect {
+                Gem::Requirement.new(*subject)
+              }.not_to raise_error
+            end
+          end
+        end
+      end
+    end
+
+    describe "related" do
+      subject { advisory['related'] }
+
+      it "may be nil or a Hash" do
+        expect(subject).to be_kind_of(Hash).or(be_nil)
+      end
+
+      case advisory["related"]
+      when Hash
+        advisory["related"].each_pair do |name, values|
+          describe name do
+            it "should be either a cve, an osvdb or a url" do
+              expect(["cve", "osvdb", "url"]).to include(name)
+            end
+
+            it "should always contain an array" do
+              expect(values).to be_kind_of(Array)
+            end
+          end
+        end
+      end
+    end
+
+
+  end
+end