holepicker 0.1.2 → 0.2.0

checksums.yaml

@@ -0,0 +1,15 @@
+---
+!binary "U0hBMQ==":
+  metadata.gz: !binary |-
+    OTdjY2M3YzA1YTE1MTc4MmZiYzE5YzNkNGVlMWIwYmNlYjE0YmZmMQ==
+  data.tar.gz: !binary |-
+    NmNhZTIyZTQ5YzNjNDBjOWMzMGM2OGU0ZTZjMWFlNjhkOGYxODBjNA==
+!binary "U0hBNTEy":
+  metadata.gz: !binary |-
+    NjNhMzhiNGM1YmFhNTYzNzc3YzgzMjRkNWQ4N2I3OWU2ZDFiMmNhNTc1YTEw
+    MzJmZDI4NWQ5MWE0OGUyODkzYWVmMTVlOTI0ZGQ5NTFhOWZkMTljYTMzOGVh
+    Yjg3MzRhMGE5YWY2MWUyMzQ2ZTJmZGQxMGMwMzg3N2NiMjI5YWE=
+  data.tar.gz: !binary |-
+    NzQzMmNiOTJiZTdiZTYyODA1N2U3MzgyNjViNGRiY2RhYWMxMWE5NmI2OGNk
+    MmZkYWU2Y2MyM2ZlMjMyNzZhNTY2YjgzOTNkZTVmNDE1YTk3ODc3NDU4MDVl
+    MzIyNzBmNmQ1ODEzOTI0ZmNhNWFhNDExNzQwMzhiYTMzZDhmZWI=

data/Changelog.markdown

@@ -1,7 +1,14 @@
+#### Version 0.2.0 (7.03.2013)
+
+* Capistrano recipe (@manuelvanrijn)
+* updated JSON vulnerability from February to also include json_pure
+* print warning if no gemfiles are found
+* print green checkmarks instead of OK for safe gemfiles
+
 #### Version 0.1.2 (23.02.2013)
 
-* fixed issue on Ruby 1.8
-* fixed issue with relative paths like '.' in parameters
+* fixed some issues on Ruby 1.8 (@timpeters)
+* fixed issue with relative paths like '.' in parameters (@bct)
 * fixed parsing gemfiles with platform-specific gems (e.g. mingw32)
 
 #### Version 0.1.1 (18.82.2013)

data/Gemfile

@@ -1,5 +1,7 @@
 source "http://rubygems.org"
 gemspec
 
+gem 'fakefs'
 gem 'mocha'
 gem 'rspec'
+gem 'webmock'

data/Gemfile.lock

@@ -1,14 +1,17 @@
 PATH
   remote: .
   specs:
-    holepicker (0.1.2)
+    holepicker (0.2.0)
       json (>= 1.7.7)
       rainbow (>= 1.1.4)
 
 GEM
   remote: http://rubygems.org/
   specs:
+    addressable (2.2.8)
+    crack (0.3.2)
     diff-lcs (1.1.3)
+    fakefs (0.4.2)
     json (1.7.7)
     metaclass (0.0.1)
     mocha (0.13.2)
@@ -22,11 +25,16 @@ GEM
     rspec-expectations (2.12.1)
       diff-lcs (~> 1.1.3)
     rspec-mocks (2.12.2)
+    webmock (1.8.7)
+      addressable (>= 2.2.7)
+      crack (>= 0.1.7)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
+  fakefs
   holepicker!
   mocha
   rspec
+  webmock

data/README.markdown

@@ -40,6 +40,8 @@ You can also scan all apps deployed to a production or demo server; in this case
 
     holepicker -c /var/www
 
+HolePicker will return a non-zero status code if vulnerabilities are found, so you could wrap it in some kind of script that's run periodically from cron that notifies you when something is wrong.
+
 ### Scanning Nginx/Apache config directory
 
 You might have a lot of random apps deployed in the `/var/www` directory, but only some of them currently enabled in the Nginx config files. In this case, you might want to only check the apps that are actually running. To do that, use the `-f` (`--follow-roots`) option and point HolePicker to your HTTP server's config directory. It will find all the `root` or `DocumentRoot` directives and follow the paths to find the gemfiles of enabled apps.
@@ -47,6 +49,15 @@ You might have a lot of random apps deployed in the `/var/www` directory, but on
     holepicker -f /etc/nginx/sites-enabled
 
 
+## Integration with capistrano
+
+To automatically check for vulnerabilities before deployment, you can add the HolePicker Capistrano recipe:
+
+1. Add `gem 'holepicker'` to your `Gemfile` (preferably with `:require => false`)
+2. Add `require 'holepicker/capistrano'` to your `config/deploy.rb`
+
+This will introduce a `cap holepicker` task which will be executed before the deploy.
+
 ## Results
 
 This is more or less what you will get if you run HolePicker in a directory with some old Rails projects:

data/bin/holepicker

@@ -31,11 +31,6 @@ OptionParser.new do |opts|
     options[:offline] = true
   end
 
-  opts.on("-r", "--skip-releases",
-      "Skip gemfiles in 'releases' directory (like -c but will include non-Capistrano deploys)") do
-    options[:skip_releases] = true
-  end
-
   opts.on("-h", "--help", "Display this help") do
     puts opts
     exit

data/lib/holepicker/capistrano.rb

@@ -0,0 +1,24 @@
+require 'holepicker/scanner'
+
+Capistrano::Configuration.instance.load do
+  set(:holepicker_offline, false) unless exists?(:holepicker_offline)
+  set(:holepicker_ignored_gems, []) unless exists?(:holepicker_ignored_gems)
+
+  before "deploy:update_code", "holepicker"
+
+  namespace :holepicker do
+    desc "Look for vulnerabilities in your Gemfile"
+    task :default, :roles => :app do
+      options = {
+        :ignored_gems => holepicker_ignored_gems,
+        :offline => holepicker_offline
+      }
+
+      gemfile_lock = "#{ENV['BUNDLE_GEMFILE']}.lock"
+      success = HolePicker::Scanner.new(gemfile_lock, options).scan
+      unless success
+        raise Capistrano::CommandError.new("HolePicker found vulnerabilities!")
+      end
+    end
+  end
+end

data/lib/holepicker/config_gemfile_finder.rb

@@ -0,0 +1,19 @@
+require 'holepicker/config_reader'
+require 'holepicker/file_finder'
+
+module HolePicker
+  class ConfigGemfileFinder
+    def find_gemfiles(path)
+      configs = find_configs(path)
+      configs.map { |f| ConfigReader.new(f).find_gemfiles }.flatten
+    end
+
+    private
+
+    def find_configs(path)
+      full_path = File.expand_path(path)
+
+      FileFinder.find_files(full_path, '-type f -or -type l').select { |f| File.exist?(f) }
+    end
+  end
+end

data/lib/holepicker/config_reader.rb

@@ -0,0 +1,13 @@
+module HolePicker
+  class ConfigReader
+    ROOT_LINE_PATTERN = %r{\b(?:root|DocumentRoot)\s+(.*)/public\b}
+
+    def initialize(path)
+      @contents = File.read(path)
+    end
+
+    def find_gemfiles
+      @contents.scan(ROOT_LINE_PATTERN).map { |result| "#{result.first}/Gemfile.lock" }.select { |f| File.exist?(f) }
+    end
+  end
+end

data/lib/holepicker/data/data.json

@@ -10,7 +10,8 @@
     },
     {
       "gems": {
-        "json": ["1.7.7", "1.6.8", "1.5.5"]
+        "json": ["1.7.7", "1.6.8", "1.5.5"],
+        "json_pure": ["1.7.7", "1.6.8", "1.5.5"]
       },
       "url": "https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/4_YvCpLzL58",
       "date": "2013-02-11T18:26Z"

data/lib/holepicker/direct_gemfile_finder.rb

@@ -0,0 +1,31 @@
+require 'holepicker/file_finder'
+
+module HolePicker
+  class DirectGemfileFinder
+    SKIPPED_DIRECTORIES = [
+      "-name cached-copy",
+      "-path '*/bundle/ruby'",
+      "-name tmp",
+      "-name '.*'"
+    ]
+
+    def initialize(options = {})
+      @skip_ignored = options.fetch(:skip_ignored, true)
+      @only_current = options.fetch(:only_current, false)
+    end
+
+    def find_gemfiles(path)
+      full_path = File.expand_path(path)
+      gemfiles = @only_current ? "-path '*/current/Gemfile.lock'" : "-name 'Gemfile.lock'"
+      options = @skip_ignored ? "\\( #{skipped_directories} \\) -prune -or #{gemfiles} -print" : gemfiles
+
+      FileFinder.find_files(full_path, options)
+    end
+
+    private
+
+    def skipped_directories
+      SKIPPED_DIRECTORIES.join(" -or ")
+    end
+  end
+end

data/lib/holepicker/file_finder.rb

@@ -0,0 +1,7 @@
+module HolePicker
+  module FileFinder
+    def self.find_files(path, options = "")
+      %x(find -L #{path} #{options}).lines.map(&:strip)
+    end
+  end
+end

data/lib/holepicker/scanner.rb

@@ -1,4 +1,8 @@
+# encoding: utf-8
+
 require 'holepicker/gem'
+require 'holepicker/config_gemfile_finder'
+require 'holepicker/direct_gemfile_finder'
 require 'holepicker/offline_database'
 require 'holepicker/online_database'
 require 'holepicker/utils'
@@ -7,8 +11,6 @@ require 'set'
 
 module HolePicker
   class Scanner
-    SKIPPED_DIRECTORIES = ["-name cached-copy", "-path '*/bundle/ruby'", "-name tmp", "-name '.*'"]
-    ROOT_LINE_PATTERN = %r{\b(?:root|DocumentRoot)\s+(.*)/public\b}
     GEMFILE_GEM_PATTERN = %r(^ {4}[^ ])
 
     def initialize(paths, options = {})
@@ -16,16 +18,23 @@ module HolePicker
 
       @database = options[:offline] ? OfflineDatabase.load : OnlineDatabase.load
 
+      @finder = if options[:follow_roots]
+        ConfigGemfileFinder.new
+      else
+        DirectGemfileFinder.new(
+          :skip_ignored => !options[:dont_skip],
+          :only_current => options[:current]
+        )
+      end
+
       @ignored = options[:ignored_gems] || []
-      @skip = !options[:dont_skip]
-      @current = options[:current]
-      @roots = options[:follow_roots]
     end
 
     def scan
       puts "Looking for gemfiles..."
 
       @found_vulnerabilities = Set.new
+      @scanned_gemfiles = 0
       @matched_gemfiles = 0
       @matched_gems = 0
 
@@ -43,37 +52,12 @@ module HolePicker
       @database.vulnerabilities.select { |v| v.gem_vulnerable?(gem) }
     end
 
-    def find_gemfiles_in_path(path)
-      skips = SKIPPED_DIRECTORIES.join(" -or ")
-      gemfiles = @current ? "-path '*/current/Gemfile.lock'" : "-name 'Gemfile.lock'"
-
-      command = if @skip
-        "find -L #{path} \\( #{skips} \\) -prune -or #{gemfiles} -print"
-      else
-        "find -L #{path} #{gemfiles}"
-      end
-
-      run_and_read_lines(command)
-    end
-
-    def find_gemfiles_in_configs(path)
-      configs = run_and_read_lines("find -L #{path} -type f -or -type l")
-      configs = select_existing(configs)
-
-      directories = configs.map { |f| File.read(f).scan(ROOT_LINE_PATTERN) }
-      gemfiles = directories.flatten.map { |dir| "#{dir}/Gemfile.lock" }
-
-      select_existing(gemfiles)
-    end
-
     def read_gemfile(path)
       File.readlines(path).select { |l| l =~ GEMFILE_GEM_PATTERN }.map { |l| Gem.new(l) }
     end
 
     def scan_path(path)
-      path = File.expand_path(path)
-      gemfiles = @roots ? find_gemfiles_in_configs(path) : find_gemfiles_in_path(path)
-      gemfiles.each { |f| scan_gemfile(f) }
+      @finder.find_gemfiles(path).each { |f| scan_gemfile(f) }
     end
 
     def scan_gemfile(path)
@@ -88,7 +72,7 @@ module HolePicker
       count = vulnerable_gems.length
 
       if count == 0
-        puts "OK"
+        puts "✔".color(:green)
       else
         puts "#{count} vulnerable #{Utils.pluralize(count, 'gem')} found!".color(:red)
 
@@ -103,27 +87,26 @@ module HolePicker
 
         puts
       end
+
+      @scanned_gemfiles += 1
     end
 
     def print_report
-      if @matched_gemfiles == 0
+      if @scanned_gemfiles == 0
+        puts "No gemfiles found - are you sure the paths are correct?".color(:red)
+      elsif @matched_gemfiles == 0
         puts "No vulnerabilities found."
       else
-        puts(("#{@matched_gems} vulnerable #{Utils.pluralize(@matched_gems, 'gem')} found in " +
-          "#{@matched_gemfiles} #{Utils.pluralize(@matched_gemfiles, 'gemfile')}!").color(:red) + "\n\n")
+        gems = Utils.pluralize(@matched_gems, 'gem')
+        gemfiles = Utils.pluralize(@matched_gemfiles, 'gemfile')
+
+        warning = "#{@matched_gems} vulnerable #{gems} found in #{@matched_gemfiles} #{gemfiles}!\n"
+        puts warning.color(:red)
 
         @found_vulnerabilities.sort_by(&:id).each do |v|
           puts "[#{v.tag}] #{v.day}: #{v.url}"
         end
       end
     end
-
-    def select_existing(files)
-      files.select { |f| File.exist?(f) }
-    end
-
-    def run_and_read_lines(command)
-      %x(#{command}).lines.map(&:strip)
-    end
   end
 end

data/lib/holepicker/version.rb

@@ -1,7 +1,7 @@
 require 'rubygems'
 
 module HolePicker
-  VERSION = "0.1.2"
+  VERSION = "0.2.0"
 
   def self.version
     ::Gem::Version.new(VERSION)

metadata

@@ -1,20 +1,18 @@
 --- !ruby/object:Gem::Specification
 name: holepicker
 version: !ruby/object:Gem::Version
-  version: 0.1.2
-  prerelease: 
+  version: 0.2.0
 platform: ruby
 authors:
 - Jakub Suder
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-02-23 00:00:00.000000000 Z
+date: 2013-03-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: json
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ! '>='
       - !ruby/object:Gem::Version
@@ -22,7 +20,6 @@ dependencies:
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ! '>='
       - !ruby/object:Gem::Version
@@ -30,7 +27,6 @@ dependencies:
 - !ruby/object:Gem::Dependency
   name: rainbow
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ! '>='
       - !ruby/object:Gem::Version
@@ -38,7 +34,6 @@ dependencies:
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ! '>='
       - !ruby/object:Gem::Version
@@ -55,40 +50,43 @@ files:
 - Changelog.markdown
 - Gemfile
 - Gemfile.lock
+- lib/holepicker/capistrano.rb
+- lib/holepicker/config_gemfile_finder.rb
+- lib/holepicker/config_reader.rb
 - lib/holepicker/data/data.json
 - lib/holepicker/database.rb
+- lib/holepicker/direct_gemfile_finder.rb
+- lib/holepicker/file_finder.rb
 - lib/holepicker/gem.rb
 - lib/holepicker/offline_database.rb
 - lib/holepicker/online_database.rb
 - lib/holepicker/scanner.rb
 - lib/holepicker/utils.rb
-- lib/holepicker/validator.rb
 - lib/holepicker/version.rb
 - lib/holepicker/vulnerability.rb
 - lib/holepicker.rb
 - bin/holepicker
 homepage: http://github.com/jsuder/holepicker
 licenses: []
+metadata: {}
 post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 1.8.24
+rubygems_version: 2.0.0
 signing_key: 
-specification_version: 3
+specification_version: 4
 summary: A tool for checking gem versions in Gemfile.lock files for known vulnerabilities
 test_files: []