RubyGems - dradis-projects - Versions diffs - 3.14.0 → 3.14.1 - Mend

dradis-projects 3.14.0 → 3.14.1

Files changed (6) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: d6fc70a27fa19b6a05ceb21ddd2d1ce140cd01a0
-  data.tar.gz: faddb3da14a31adbd6e9906ce1d2267695b84990
+  metadata.gz: 4bcb99879ce1660ca26e84dfa80564c46aaf5e99
+  data.tar.gz: c9838ef567edba5bd151ca33651661ff7d0d05f3
 SHA512:
-  metadata.gz: a4521a538811350eb4244a0fc2bad39a78853f13f38a08055fe2d861dd838c0ba374aa918d47f3e82e0e68509978b1db35874d0b67950b2c2dd20d412825f88d
-  data.tar.gz: 0527cb5c5ea5aa9f45a30df6ab76dfb156afef7471ce6c140e4c16c61f915cc9dfbcdd4e1de645b9a1e8db8f89e95698fdb62b6d4d5f17c16734f72c95d55bf9
+  metadata.gz: 86bd5c1ee5bdb8793b10e9e17f2da497dfadaf0b1a70a693b4b76d43756a6c6e47cba220defe57ec94c3a783a19fe04fc69786bb668c4000c75c758a02120292
+  data.tar.gz: 8d9ed93eb3d32eadba159a2bcd6051de9b8c4c8f87e62c72d4a9a21fa77a76a978b016218781b8e55fddb121ef8059d31e95ae158ca55553dd8ba5fe27350ce6

data/CHANGELOG.md CHANGED

@@ -1,3 +1,7 @@
+## Dradis Framework 3.14.1 (October, 2019) ##
+*  Fix directory traversal vulnerability
 ## Dradis Framework 3.14 (August, 2019) ##
 *  No changes

data/dradis-projects.gemspec CHANGED

@@ -26,5 +26,5 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'rspec'
   spec.add_dependency 'dradis-plugins', '~> 3.7'
-  spec.add_dependency 'rubyzip', '~> 1.2.2'
+  spec.add_dependency 'rubyzip'
 end

@@ -9,7 +9,7 @@ module Dradis
       module VERSION
         MAJOR = 3
         MINOR = 14
-        TINY = 0
+        TINY = 1
         PRE = nil
         STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")

@@ -18,18 +18,21 @@ module Dradis::Plugins::Projects::Upload
         success = false
         # Unpack the archive in a temporary location
-        FileUtils.mkdir Rails.root.join('tmp', 'zip')
+        temporary_dir = Rails.root.join('tmp', 'zip')
+        FileUtils.mkdir temporary_dir
         begin
           logger.info { 'Uncompressing the file...' }
           #TODO: this could be improved by only uncompressing the XML, then parsing
           # it to get the node_lookup table and then uncompressing each entry to its
           # final destination
-          Zip::File.foreach(package) do |entry|
-            path = Rails.root.join('tmp', 'zip', entry.name)
-            FileUtils.mkdir_p(File.dirname(path))
-            entry.extract(path)
-            logger.info { "\t#{entry.name}" }
+          Dir.chdir(temporary_dir) do
+            Zip::File.foreach(package) do |entry|
+              path = temporary_dir.join(entry.name)
+              FileUtils.mkdir_p(File.dirname(path))
+              entry.extract
+              logger.info { "\t#{entry.name}" }
+            end
           end
           logger.info { 'Done.' }

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dradis-projects
 version: !ruby/object:Gem::Version
-  version: 3.14.0
+  version: 3.14.1
 platform: ruby
 authors:
 - Daniel Martin
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-08-12 00:00:00.000000000 Z
+date: 2019-10-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -84,16 +84,16 @@ dependencies:
   name: rubyzip
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 1.2.2
+        version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 1.2.2
+        version: '0'
 description: This plugin allows you to dump the contents of the repo into a zip archive
   and restore the state from one of them.
 email:
@@ -153,7 +153,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.4.5
+rubygems_version: 2.6.8
 signing_key:
 specification_version: 4
 summary: Project export/upload for the Dradis Framework.