bundler-leak 0.0.0

data/data/ruby-mem-advisory-db/spec/gem_example.rb

@@ -0,0 +1,37 @@
+load File.join(File.dirname(__FILE__), 'spec_helper.rb')
+require 'advisory_example'
+
+shared_examples_for "Gem Advisory" do |path|
+  include_examples 'Advisory', path
+
+  advisory = YAML.load_file(path)
+
+  describe path do
+    let(:gem) { File.basename(File.dirname(path)) }
+
+    describe "gem" do
+      subject { advisory['gem'] }
+
+      it { is_expected.to be_kind_of(String) }
+      it "should be equal to filename (case-insensitive)" do
+        expect(subject.downcase).to eq(gem.downcase)
+      end
+    end
+
+    describe "versions" do
+      it "assumes that future versions will be patched" do
+        unaffected_versions = advisory['unaffected_versions'] || []
+        patched_versions    = advisory['patched_versions'] || []
+
+        versions = (unaffected_versions + patched_versions).sort_by do |v|
+          Gem::Version.new(v.match(/[0-9.]+\.\d+/)[0])
+        end
+
+        # If a gem is unpatched this test makes no sense
+        unless patched_versions.none?
+          expect(versions.last.match(/^>=|^>/)).to be_truthy
+        end
+      end
+    end
+  end
+end

data/data/ruby-mem-advisory-db/spec/library_example.rb

@@ -0,0 +1,21 @@
+load File.join(File.dirname(__FILE__), 'spec_helper.rb')
+require 'advisory_example'
+
+shared_examples_for "Libraries Advisory" do |path|
+  include_examples 'Advisory', path
+
+  advisory = YAML.load_file(path)
+
+  describe path do
+    let(:library) { File.basename(File.dirname(path)) }
+
+    describe "library" do
+      subject { advisory['library'] }
+
+      it { is_expected.to be_kind_of(String) }
+      it "should be equal to filename (case-insensitive)" do
+        expect(subject.downcase).to eq(library.downcase)
+      end
+    end
+  end
+end

data/data/ruby-mem-advisory-db/spec/ruby_example.rb

@@ -0,0 +1,22 @@
+load File.join(File.dirname(__FILE__), 'spec_helper.rb')
+require 'advisory_example'
+
+shared_examples_for "Rubies Advisory" do |path|
+  include_examples 'Advisory', path
+  
+  advisory = YAML.load_file(path)
+
+  describe path do
+    let(:engine) { File.basename(File.dirname(path)) }
+
+    describe "engine" do
+      subject { advisory['engine'] }
+
+      it { is_expected.to be_kind_of(String) }
+      it "should be equal to filename (case-insensitive)" do
+        expect(subject.downcase).to eq(engine.downcase)
+      end
+    end
+  end
+end
+

data/data/ruby-mem-advisory-db/spec/spec_helper.rb

@@ -0,0 +1 @@
+require 'rspec'

data/gemspec.yml

@@ -0,0 +1,14 @@
+name: bundler-leak
+summary: Memory leaks verification for Bundler
+description: bundler-leak provides memory leak verification for Bundled apps.
+license: GPL-3.0+
+authors: Ombulabs
+email: hello@ombulabs.com
+homepage: https://github.com/rubymem/bundler-leak#readme
+
+required_ruby_version: ">= 1.9.3"
+required_rubygems_version: ">= 1.8.0"
+
+dependencies:
+  thor: ~> 0.18
+  bundler:  ">= 1.2.0, < 3"

data/lib/bundler/plumber.rb

@@ -0,0 +1,20 @@
+#
+# Copyright (c) 2019 Ombulabs (hello at ombulabs.com)
+# Copyright (c) 2013-2016 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# bundler-leak is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# bundler-leak is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with bundler-leak.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+require 'bundler/plumber/database'
+require 'bundler/plumber/version'

data/lib/bundler/plumber/advisory.rb

@@ -0,0 +1,119 @@
+#
+# Copyright (c) 2019 Ombulabs (hello at ombulabs.com)
+# Copyright (c) 2013-2016 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# bundler-leak is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# bundler-leak is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with bundler-leak.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+require 'yaml'
+
+module Bundler
+  module Plumber
+    class Advisory < Struct.new(:path,
+                                :id,
+                                :url,
+                                :title,
+                                :date,
+                                :description,
+                                :unaffected_versions,
+                                :patched_versions)
+
+      #
+      # Loads the advisory from a YAML file.
+      #
+      # @param [String] path
+      #   The path to the advisory YAML file.
+      #
+      # @return [Advisory]
+      #
+      # @api semipublic
+      #
+      def self.load(path)
+        id   = File.basename(path).chomp('.yml')
+        data = YAML.load_file(path)
+
+        unless data.kind_of?(Hash)
+          raise("advisory data in #{path.dump} was not a Hash")
+        end
+
+        parse_versions = lambda { |versions|
+          Array(versions).map do |version|
+            Gem::Requirement.new(*version.split(', '))
+          end
+        }
+
+        return new(
+          path,
+          id,
+          data['url'],
+          data['title'],
+          data['date'],
+          data['description'],
+          parse_versions[data['unaffected_versions']],
+          parse_versions[data['patched_versions']]
+        )
+      end
+
+      #
+      # Checks whether the version is not affected by the advisory.
+      #
+      # @param [Gem::Version] version
+      #   The version to compare against {#unaffected_versions}.
+      #
+      # @return [Boolean]
+      #   Specifies whether the version is not affected by the advisory.
+      #
+      # @since 0.2.0
+      #
+      def unaffected?(version)
+        unaffected_versions.any? do |unaffected_version|
+          unaffected_version === version
+        end
+      end
+
+      #
+      # Checks whether the version is patched against the advisory.
+      #
+      # @param [Gem::Version] version
+      #   The version to compare against {#patched_versions}.
+      #
+      # @return [Boolean]
+      #   Specifies whether the version is patched against the advisory.
+      #
+      # @since 0.2.0
+      #
+      def patched?(version)
+        patched_versions.any? do |patched_version|
+          patched_version === version
+        end
+      end
+
+      #
+      # Checks whether the version is vulnerable to the advisory.
+      #
+      # @param [Gem::Version] version
+      #   The version to compare against {#patched_versions}.
+      #
+      # @return [Boolean]
+      #   Specifies whether the version is vulnerable to the advisory or not.
+      #
+      def vulnerable?(version)
+        !patched?(version) && !unaffected?(version)
+      end
+
+      alias to_s id
+
+    end
+  end
+end

data/lib/bundler/plumber/cli.rb

@@ -0,0 +1,135 @@
+#
+# Copyright (c) 2019 Ombulabs (hello at ombulabs.com)
+# Copyright (c) 2013-2016 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# bundler-leak is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# bundler-leak is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with bundler-leak.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+require 'bundler/plumber/scanner'
+require 'bundler/plumber/version'
+
+require 'thor'
+require 'bundler'
+require 'bundler/vendored_thor'
+
+module Bundler
+  module Plumber
+    class CLI < ::Thor
+
+      default_task :check
+      map '--version' => :version
+
+      desc 'check', 'Checks the Gemfile.lock for insecure dependencies'
+      method_option :quiet, :type => :boolean, :aliases => '-q'
+      method_option :verbose, :type => :boolean, :aliases => '-v'
+      method_option :update, :type => :boolean, :aliases => '-u'
+
+      def check
+        update if options[:update]
+
+        scanner    = Scanner.new
+        vulnerable = false
+
+        scanner.scan do |result|
+          vulnerable = true
+
+          case result
+          when Scanner::UnpatchedGem
+            print_advisory result.gem, result.advisory
+          end
+        end
+
+        if vulnerable
+          say "Vulnerabilities found!", :red
+          exit 1
+        else
+          say("No vulnerabilities found", :green) unless options.quiet?
+        end
+      end
+
+      desc 'update', 'Updates the ruby-mem-advisory-db'
+      method_option :quiet, :type => :boolean, :aliases => '-q'
+
+      def update
+        say("Updating ruby-mem-advisory-db ...") unless options.quiet?
+
+        case Database.update!(quiet: options.quiet?)
+        when true
+          say("Updated ruby-mem-advisory-db", :green) unless options.quiet?
+        when false
+          say "Failed updating ruby-mem-advisory-db!", :red
+          exit 1
+        when nil
+          say "Skipping update", :yellow
+        end
+
+        unless options.quiet?
+          puts("ruby-mem-advisory-db: #{Database.new.size} advisories")
+        end
+      end
+
+      desc 'version', 'Prints the bundler-leak version'
+      def version
+        database = Database.new
+
+        puts "#{File.basename($0)} #{VERSION} (advisories: #{database.size})"
+      end
+
+      protected
+
+      def say(message="", color=nil)
+        color = nil unless $stdout.tty?
+        super(message.to_s, color)
+      end
+
+      def print_warning(message)
+        say message, :yellow
+      end
+
+      def print_advisory(gem, advisory)
+        say "Name: ", :red
+        say gem.name
+
+        say "Version: ", :red
+        say gem.version
+
+        say "URL: ", :red
+        say advisory.url
+
+        if options.verbose?
+          say "Description:", :red
+          say
+
+          print_wrapped advisory.description, :indent => 2
+          say
+        else
+
+          say "Title: ", :red
+          say advisory.title
+        end
+
+        unless advisory.patched_versions.empty?
+          say "Solution: upgrade to ", :red
+          say advisory.patched_versions.join(', ')
+        else
+          say "Solution: ", :red
+          say "remove or disable this gem until a patch is available!", [:red, :bold]
+        end
+
+        say
+      end
+
+    end
+  end
+end

data/lib/bundler/plumber/database.rb

@@ -0,0 +1,249 @@
+#
+# Copyright (c) 2019 Ombulabs (hello at ombulabs.com)
+# Copyright (c) 2013-2016 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# bundler-leak is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# bundler-leak is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with bundler-leak.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+require 'bundler/plumber/advisory'
+
+require 'time'
+require 'yaml'
+
+module Bundler
+  module Plumber
+    #
+    # Represents the directory of advisories, grouped by gem name
+    # and CVE number.
+    #
+    class Database
+
+      # Git URL of the ruby-mem-advisory-db
+      URL = 'https://github.com/rubymem/ruby-mem-advisory-db.git'
+
+      # Default path to the ruby-mem-advisory-db
+      VENDORED_PATH =  File.expand_path(File.join(File.dirname(__FILE__),'..','..','..','data','ruby-mem-advisory-db'))
+
+      # Timestamp for when the database was last updated
+      VENDORED_TIMESTAMP = Time.parse(File.read("#{VENDORED_PATH}.ts")).utc
+
+      # Path to the user's copy of the ruby-mem-advisory-db
+      USER_PATH = File.expand_path(File.join(ENV['HOME'],'.local','share','ruby-mem-advisory-db'))
+
+      # The path to the advisory database
+      attr_reader :path
+
+      #
+      # Initializes the Advisory Database.
+      #
+      # @param [String] path
+      #   The path to the advisory database.
+      #
+      # @raise [ArgumentError]
+      #   The path was not a directory.
+      #
+      def initialize(path=self.class.path)
+        unless File.directory?(path)
+          raise(ArgumentError,"#{path.dump} is not a directory")
+        end
+
+        @path = path
+      end
+
+      #
+      # The default path for the database.
+      #
+      # @return [String]
+      #   The path to the database directory.
+      #
+      def self.path
+        if File.directory?(USER_PATH)
+          t1 = Dir.chdir(USER_PATH) { Time.parse(`git log --date=iso8601 --pretty="%cd" -1`) }
+          t2 = VENDORED_TIMESTAMP
+
+          if t1 >= t2 then USER_PATH
+          else             VENDORED_PATH
+          end
+        else
+          VENDORED_PATH
+        end
+      end
+
+      #
+      # Updates the ruby-mem-advisory-db.
+      #
+      # @param [Boolean, quiet]
+      #   Specify whether `git` should be `--quiet`.
+      #
+      # @return [Boolean, nil]
+      #   Specifies whether the update was successful.
+      #   A `nil` indicates no update was performed.
+      #
+      # @note
+      #   Requires network access.
+      #
+      # @since 0.3.0
+      #
+      def self.update!(options={})
+        raise "Invalid option(s)" unless (options.keys - [:quiet]).empty?
+        if File.directory?(USER_PATH)
+          if File.directory?(File.join(USER_PATH, ".git"))
+            Dir.chdir(USER_PATH) do
+              command = %w(git pull)
+              command << '--quiet' if options[:quiet]
+              command << 'origin' << 'master'
+              system *command
+            end
+          end
+        else
+          command = %w(git clone)
+          command << '--quiet' if options[:quiet]
+          command << URL << USER_PATH
+          system *command
+        end
+      end
+
+      #
+      # Enumerates over every advisory in the database.
+      #
+      # @yield [advisory]
+      #   If a block is given, it will be passed each advisory.
+      #
+      # @yieldparam [Advisory] advisory
+      #   An advisory from the database.
+      #
+      # @return [Enumerator]
+      #   If no block is given, an Enumerator will be returned.
+      #
+      def advisories(&block)
+        return enum_for(__method__) unless block_given?
+
+        each_advisory_path do |path|
+          yield Advisory.load(path)
+        end
+      end
+
+      #
+      # Enumerates over advisories for the given gem.
+      #
+      # @param [String] name
+      #   The gem name to lookup.
+      #
+      # @yield [advisory]
+      #   If a block is given, each advisory for the given gem will be yielded.
+      #
+      # @yieldparam [Advisory] advisory
+      #   An advisory for the given gem.
+      #
+      # @return [Enumerator]
+      #   If no block is given, an Enumerator will be returned.
+      #
+      def advisories_for(name)
+        return enum_for(__method__,name) unless block_given?
+
+        each_advisory_path_for(name) do |path|
+          yield Advisory.load(path)
+        end
+      end
+
+      #
+      # Verifies whether the gem is effected by any advisories.
+      #
+      # @param [Gem::Specification] gem
+      #   The gem to verify.
+      #
+      # @yield [advisory]
+      #   If a block is given, it will be passed advisories that effect
+      #   the gem.
+      #
+      # @yieldparam [Advisory] advisory
+      #   An advisory that effects the specific version of the gem.
+      #
+      # @return [Enumerator]
+      #   If no block is given, an Enumerator will be returned.
+      #
+      def check_gem(gem)
+        return enum_for(__method__,gem) unless block_given?
+
+        advisories_for(gem.name) do |advisory|
+          if advisory.vulnerable?(gem.version)
+            yield advisory
+          end
+        end
+      end
+
+      #
+      # The number of advisories within the database.
+      #
+      # @return [Integer]
+      #   The number of advisories.
+      #
+      def size
+        each_advisory_path.count
+      end
+
+      #
+      # Converts the database to a String.
+      #
+      # @return [String]
+      #   The path to the database.
+      #
+      def to_s
+        @path
+      end
+
+      #
+      # Inspects the database.
+      #
+      # @return [String]
+      #   The inspected database.
+      #
+      def inspect
+        "#<#{self.class}:#{self}>"
+      end
+
+      protected
+
+      #
+      # Enumerates over every advisory path in the database.
+      #
+      # @yield [path]
+      #   The given block will be passed each advisory path.
+      #
+      # @yieldparam [String] path
+      #   A path to an advisory `.yml` file.
+      #
+      def each_advisory_path(&block)
+        Dir.glob(File.join(@path,'gems','*','*.yml'),&block)
+      end
+
+      #
+      # Enumerates over the advisories for the given gem.
+      #
+      # @param [String] name
+      #   The gem of the gem.
+      #
+      # @yield [path]
+      #   The given block will be passed each advisory path.
+      #
+      # @yieldparam [String] path
+      #   A path to an advisory `.yml` file.
+      #
+      def each_advisory_path_for(name,&block)
+        Dir.glob(File.join(@path,'gems',name,'*.yml'),&block)
+      end
+
+    end
+  end
+end