bundler-leak 0.0.0

data/spec/bundle/unpatched_gems/Gemfile

@@ -0,0 +1,39 @@
+source 'https://rubygems.org'
+
+gem "celluloid", "0.17.0"
+gem "therubyracer", "0.12.1"
+
+# Bundle edge Rails instead:
+# gem 'rails', :git => 'git://github.com/rails/rails.git'
+
+gem 'sqlite3', platform: [:mri, :rbx]
+
+
+# Gems used only for assets and not required
+# in production environments by default.
+group :assets do
+  # gem 'sass-rails',   '~> 3.2.3'
+  # gem 'coffee-rails', '~> 3.2.1'
+
+  # See https://github.com/sstephenson/execjs#readme for more supported runtimes
+  # gem 'therubyracer', :platforms => :ruby
+
+  # gem 'uglifier', '>= 1.0.3'
+end
+
+gem 'jquery-rails'
+
+# To use ActiveModel has_secure_password
+# gem 'bcrypt-ruby', '~> 3.0.0'
+
+# To use Jbuilder templates for JSON
+# gem 'jbuilder'
+
+# Use unicorn as the app server
+# gem 'unicorn'
+
+# Deploy with Capistrano
+# gem 'capistrano'
+
+# To use debugger
+# gem 'debugger'

data/spec/cli_spec.rb

@@ -0,0 +1,99 @@
+require 'spec_helper'
+require 'bundler/plumber/cli'
+
+describe Bundler::Plumber::CLI do
+  describe "#update" do
+    context "not --quiet (the default)" do
+      context "when update succeeds" do
+
+        before { expect(Bundler::Plumber::Database).to receive(:update!).and_return(true) }
+
+        it "prints updated message" do
+          expect { subject.update }.to output(/Updated ruby-mem-advisory-db/).to_stdout
+        end
+
+        it "prints total advisory count" do
+          database = double
+          expect(database).to receive(:size).and_return(1234)
+          expect(Bundler::Plumber::Database).to receive(:new).and_return(database)
+
+          expect { subject.update }.to output(/ruby-mem-advisory-db: 1234 advisories/).to_stdout
+        end
+      end
+
+      context "when update fails" do
+
+        before { expect(Bundler::Plumber::Database).to receive(:update!).and_return(false) }
+
+        it "prints failure message" do
+          expect do
+            begin
+              subject.update
+            rescue SystemExit
+            end
+          end.to output(/Failed updating ruby-mem-advisory-db!/).to_stdout
+        end
+
+        it "exits with error status code" do
+          expect {
+            # Capture output of `update` only to keep spec output clean.
+            # The test regarding specific output is above.
+            expect { subject.update }.to output.to_stdout
+          }.to raise_error(SystemExit) do |error|
+            expect(error.success?).to eq(false)
+            expect(error.status).to eq(1)
+          end
+        end
+
+      end
+    end
+
+    context "--quiet" do
+      before do
+        allow(subject).to receive(:options).and_return(double("Options", quiet?: true))
+      end
+
+      context "when update succeeds" do
+
+        before do
+          expect(Bundler::Plumber::Database).to(
+            receive(:update!).with(quiet: true).and_return(true)
+          )
+        end
+
+        it "does not print any output" do
+          expect { subject.update }.to_not output.to_stdout
+        end
+      end
+
+      context "when update fails" do
+
+        before do
+          expect(Bundler::Plumber::Database).to(
+            receive(:update!).with(quiet: true).and_return(false)
+          )
+        end
+
+        it "prints failure message" do
+          expect do
+            begin
+              subject.update
+            rescue SystemExit
+            end
+          end.to output(/Failed updating ruby-mem-advisory-db!/).to_stdout
+        end
+
+        it "exits with error status code" do
+          expect {
+            # Capture output of `update` only to keep spec output clean.
+            # The test regarding specific output is above.
+            expect { subject.update }.to output.to_stdout
+          }.to raise_error(SystemExit) do |error|
+            expect(error.success?).to eq(false)
+            expect(error.status).to eq(1)
+          end
+        end
+      end
+    end
+  end
+end

data/spec/database_spec.rb

@@ -0,0 +1,138 @@
+require 'spec_helper'
+require 'bundler/plumber/database'
+require 'tmpdir'
+
+describe Bundler::Plumber::Database do
+  let(:vendored_advisories) do
+    Dir[File.join(Bundler::Plumber::Database::VENDORED_PATH, 'gems/*/*.yml')].sort
+  end
+
+  describe "path" do
+    subject { described_class.path }
+
+    it "it should be a directory" do
+      expect(File.directory?(subject)).to be_truthy
+    end
+
+    it "should prefer the user repo, iff it's as up to date, or more up to date than the vendored one" do
+      Bundler::Plumber::Database.update!(quiet: false)
+
+      Dir.chdir(Bundler::Plumber::Database::USER_PATH) do
+        puts "Timestamp:"
+        system 'git log --pretty="%cd" -1'
+      end
+
+      # As up to date...
+      expect(Bundler::Plumber::Database.path).to eq mocked_user_path
+
+      # More up to date...
+      fake_a_commit_in_the_user_repo
+      expect(Bundler::Plumber::Database.path).to eq mocked_user_path
+
+      roll_user_repo_back(20)
+      expect(Bundler::Plumber::Database.path).to eq Bundler::Plumber::Database::VENDORED_PATH
+    end
+  end
+
+  describe "update!" do
+    it "should create the USER_PATH path as needed" do
+      Bundler::Plumber::Database.update!(quiet: false)
+      expect(File.directory?(mocked_user_path)).to be true
+    end
+
+    it "should create the repo, then update it given multple successive calls." do
+      expect_update_to_clone_repo!
+      Bundler::Plumber::Database.update!(quiet: false)
+      expect(File.directory?(mocked_user_path)).to be true
+
+      expect_update_to_update_repo!
+      Bundler::Plumber::Database.update!(quiet: false)
+      expect(File.directory?(mocked_user_path)).to be true
+    end
+  end
+
+  describe "#initialize" do
+    context "when given no arguments" do
+      subject { described_class.new }
+
+      it "should default path to path" do
+        expect(subject.path).to eq(described_class.path)
+      end
+    end
+
+    context "when given a directory" do
+      let(:path ) { Dir.tmpdir }
+
+      subject { described_class.new(path) }
+
+      it "should set #path" do
+        expect(subject.path).to eq(path)
+      end
+    end
+
+    context "when given an invalid directory" do
+      it "should raise an ArgumentError" do
+        expect {
+          described_class.new('/foo/bar/baz')
+        }.to raise_error(ArgumentError)
+      end
+    end
+  end
+
+  describe "#check_gem" do
+    let(:gem) do
+      Gem::Specification.new do |s|
+        s.name    = 'celluloid'
+        s.version = '0.16.1'
+      end
+    end
+
+    context "when given a block" do
+      it "should yield every advisory affecting the gem" do
+        advisories = []
+
+        subject.check_gem(gem) do |advisory|
+          advisories << advisory
+        end
+
+        expect(advisories).not_to be_empty
+        expect(advisories.all? { |advisory|
+          advisory.kind_of?(Bundler::Plumber::Advisory)
+        }).to be_truthy
+      end
+    end
+
+    context "when given no block" do
+      it "should return an Enumerator" do
+        expect(subject.check_gem(gem)).to be_kind_of(Enumerable)
+      end
+    end
+  end
+
+  describe "#size" do
+    it { expect(subject.size).to eq vendored_advisories.count }
+  end
+
+  describe "#advisories" do
+    it "should return a list of all advisories." do
+      actual_advisories = Bundler::Plumber::Database.new.
+        advisories.
+        map(&:path).
+        sort
+
+      expect(actual_advisories).to eq vendored_advisories
+    end
+  end
+
+  describe "#to_s" do
+    it "should return the Database path" do
+      expect(subject.to_s).to eq(subject.path)
+    end
+  end
+
+  describe "#inspect" do
+    it "should produce a Ruby-ish instance descriptor" do
+      expect(Bundler::Plumber::Database.new.inspect).to eq("#<Bundler::Plumber::Database:#{Bundler::Plumber::Database::VENDORED_PATH}>")
+    end
+  end
+end

data/spec/fixtures/not_a_hash.yml

@@ -0,0 +1,2 @@
+---
+"Just a string."

data/spec/integration_spec.rb

@@ -0,0 +1,68 @@
+require 'spec_helper'
+
+describe "CLI" do
+  include Helpers
+
+  let(:command) do
+    File.expand_path(File.join(File.dirname(__FILE__),'..','bin','bundler-leak'))
+  end
+
+  context "when auditing a bundle with unpatched gems" do
+    let(:bundle)    { 'unpatched_gems' }
+    let(:directory) { File.join('spec','bundle', bundle) }
+
+    subject do
+      Dir.chdir(directory) { sh(command, :fail => true) }
+    end
+
+    it "should print a warning" do
+      expect(subject).to include("Vulnerabilities found!")
+    end
+
+    it "should print advisory information for the vulnerable gems" do
+      advisory_pattern = /(Name: [^\n]+
+Version: \d+.\d+.\d+
+URL: https?:\/\/(www\.)?.+
+Title: [^\n]*?
+Solution: remove or disable this gem until a patch is available!)+/
+
+      expect(subject).to match(advisory_pattern)
+      expect(subject).to include("Vulnerabilities found!")
+    end
+  end
+
+  context "when auditing a secure bundle" do
+    let(:bundle)    { 'secure' }
+    let(:directory) { File.join('spec','bundle',bundle) }
+
+    subject do
+      Dir.chdir(directory) { sh(command) }
+    end
+
+    it "should print nothing when everything is fine" do
+      expect(subject.strip).to eq("No vulnerabilities found")
+    end
+  end
+
+  describe "update" do
+
+    let(:update_command) { "#{command} update" }
+    let(:bundle)         { 'secure' }
+    let(:directory)      { File.join('spec','bundle',bundle) }
+
+    subject do
+      Dir.chdir(directory) { sh(update_command) }
+    end
+
+    context "when advisories update successfully" do
+      it "should print status" do
+        expect(subject).not_to include("Fail")
+        expect(subject).to include("Updating ruby-mem-advisory-db ...\n")
+        expect(subject).to include("Updated ruby-mem-advisory-db\n")
+        expect(subject.lines.to_a.last).to match(/ruby-mem-advisory-db: \d+ advisories/)
+      end
+    end
+
+  end
+
+end

data/spec/scanner_spec.rb

@@ -0,0 +1,61 @@
+require 'spec_helper'
+require 'bundler/plumber/scanner'
+
+describe Scanner do
+  describe "#scan" do
+    let(:bundle)    { 'unpatched_gems' }
+    let(:directory) { File.join('spec','bundle',bundle) }
+
+    subject { described_class.new(directory) }
+
+    it "should yield results" do
+      results = []
+
+      subject.scan { |result| results << result }
+
+      expect(results).not_to be_empty
+    end
+
+    context "when not called with a block" do
+      it "should return an Enumerator" do
+        expect(subject.scan).to be_kind_of(Enumerable)
+      end
+    end
+  end
+
+  context "when auditing a bundle with unpatched gems" do
+    let(:bundle)    { 'unpatched_gems' }
+    let(:directory) { File.join('spec','bundle',bundle) }
+    let(:scanner)  { described_class.new(directory)    }
+
+    subject { scanner.scan.to_a }
+
+    it "should match unpatched gems to their advisories" do
+      expect(subject.all? { |result|
+        result.advisory.vulnerable?(result.gem.version)
+      }).to be_truthy
+    end
+
+    context "when the :ignore option is given" do
+      subject { scanner.scan(:ignore => ['OSVDB-89026']) }
+
+      it "should ignore the specified advisories" do
+        ids = subject.map { |result| result.advisory.id }
+
+        expect(ids).not_to include('OSVDB-89026')
+      end
+    end
+  end
+
+  context "when auditing a secure bundle" do
+    let(:bundle)    { 'secure' }
+    let(:directory) { File.join('spec','bundle',bundle) }
+    let(:scanner)   { described_class.new(directory)    }
+
+    subject { scanner.scan.to_a }
+
+    it "should print nothing when everything is fine" do
+      expect(subject).to be_empty
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,62 @@
+require 'simplecov'
+SimpleCov.start
+
+require 'rspec'
+require 'bundler/plumber/version'
+require 'bundler/plumber/database'
+
+module Helpers
+  def sh(command, options={})
+    Bundler.with_clean_env do
+      result = `#{command} 2>&1`
+      raise "FAILED #{command}\n#{result}" if $?.success? == !!options[:fail]
+      result
+    end
+  end
+
+  def decolorize(string)
+    string.gsub(/\e\[\d+m/, "")
+  end
+
+  def mocked_user_path
+    File.expand_path('../../tmp/ruby-mem-advisory-db', __FILE__)
+  end
+
+  def expect_update_to_clone_repo!
+    expect(Bundler::Plumber::Database).
+      to receive(:system).
+      with('git', 'clone', Bundler::Plumber::Database::VENDORED_PATH, mocked_user_path).
+      and_call_original
+  end
+
+  def expect_update_to_update_repo!
+    expect(Bundler::Plumber::Database).
+      to receive(:system).
+      with('git', 'pull', 'origin', 'master').
+      and_call_original
+  end
+
+  def fake_a_commit_in_the_user_repo
+    Dir.chdir(mocked_user_path) do
+      system 'git', 'commit', '--allow-empty', '-m', 'Dummy commit.'
+    end
+  end
+
+  def roll_user_repo_back(num_commits)
+    Dir.chdir(mocked_user_path) do
+      system 'git', 'reset', '--hard', "HEAD~#{num_commits}"
+    end
+  end
+end
+
+include Bundler::Plumber
+
+RSpec.configure do |config|
+  include Helpers
+
+  config.before(:each) do
+    stub_const("Bundler::Plumber::Database::URL", Bundler::Plumber::Database::VENDORED_PATH)
+    stub_const("Bundler::Plumber::Database::USER_PATH", mocked_user_path)
+    FileUtils.rm_rf(mocked_user_path) if File.exist?(mocked_user_path)
+  end
+end