mrjoy-bundler-audit 0.1.4

data/data/ruby-advisory-db/gems/pdfkit/OSVDB-90867.yml

@@ -0,0 +1,11 @@
+--- 
+gem: pdfkit
+cve: 2013-1607
+osvdb: 90867
+url: http://osvdb.org/show/osvdb/90867
+title: PDFKit Gem for Ruby PDF File Generation Parameter Handling Remote Code Execution
+date: 2013-02-21
+description: PDFKit Gem for Ruby contains a flaw that is due to the program failing to properly validate input during the handling of parameters when generating PDF files. This may allow a remote attacker to potentially execute arbitrary code via the pdfkit generation options.
+cvss_v2: 
+patched_versions: 
+  - ">= 0.5.3"

data/data/ruby-advisory-db/gems/rack-cache/OSVDB-83077.yml

@@ -0,0 +1,18 @@
+--- 
+gem: rack-cache
+cve: 2012-2671
+osvdb: 83077
+url: http://osvdb.org/83077
+title: rack-cache Rubygem Sensitive HTTP Header Caching Weakness
+date: 2012-06-06
+
+description: |
+  Rack::Cache (rack-cache) contains a flaw related to the rubygem caching
+  sensitive HTTP headers. This will result in a weakness that may make it
+  easier for an attacker to gain access to a user's session via a specially
+  crafted header.
+
+cvss_v2: 7.5
+
+patched_versions: 
+  - ">= 1.2"

data/data/ruby-advisory-db/gems/rack/OSVDB-89939.yml

@@ -0,0 +1,23 @@
+--- 
+gem: rack
+cve: 2013-0263
+osvdb: 89939
+url: http://osvdb.org/show/osvdb/89939
+title: |
+  Rack Rack::Session::Cookie Function Timing Attack Remote Code Execution 
+date: 2009-12-01
+
+description: |
+  Rack contains a flaw that is due to an error in the Rack::Session::Cookie
+  function. Users of the Marshal session cookie encoding (the default), are
+  subject to a timing attack that may lead an attacker to execute arbitrary
+  code. This attack is more practical against 'cloud' users as intra-cloud
+  latencies are sufficiently low to make the attack viable.
+
+cvss_v2: 7.6
+patched_versions: 
+- ~> 1.1.6
+- ~> 1.2.8
+- ~> 1.3.10
+- ~> 1.4.5
+- ">= 1.5.2"

data/data/ruby-advisory-db/gems/rdoc/OSVDB-90004.yml

@@ -0,0 +1,27 @@
+---
+gem: rdoc
+cve: 2013-0256
+osvdb: 90004
+url: http://www.osvdb.org/show/osvdb/90004
+title: RDoc 2.3.0 through 3.12 XSS Exploit
+date: 2013-02-06
+
+description: |
+  Doc documentation generated by rdoc 2.3.0 through rdoc 3.12 and prereleases
+  up to rdoc 4.0.0.preview2.1 are vulnerable to an XSS exploit. This exploit
+  may lead to cookie disclosure to third parties.
+  
+  The exploit exists in darkfish.js which is copied from the RDoc install
+  location to the generated documentation.
+  
+  RDoc is a static documentation generation tool. Patching the library itself
+  is insufficient to correct this exploit.
+  
+  This exploit was discovered by Evgeny Ermakov <corwmh@gmail.com>.
+
+cvss_v2: 4.3
+
+patched_versions:
+  - ~> 3.9.5
+  - ~> 3.12.1
+  - ">= 4.0"

data/data/ruby-advisory-db/gems/rgpg/OSVDB-95948.yml

@@ -0,0 +1,13 @@
+--- 
+gem: rgpg
+osvdb: 95948
+url: http://www.osvdb.org/show/osvdb/95948
+title: Ruby rgpg Gem Shell Command Injection Vulnerabilities
+date: 2013-08-02
+description: |
+  rgpg Gem for Ruby contains a flaw in the GpgHelper module (lib/rgpg/gpg_helper.rb).
+  The issue is due to the program failing to properly sanitize user-supplied input before being used in the system() function for execution.
+  This may allow a remote attacker to execute arbitrary commands.
+cvss_v2:
+patched_versions: 
+  - ">= 0.2.3"

data/data/ruby-advisory-db/gems/ruby_parser/OSVDB-90561.yml

@@ -0,0 +1,11 @@
+--- 
+gem: ruby_parser
+cve: 2013-0162
+osvdb: 90561
+url: http://osvdb.org/show/osvdb/90561
+title: RubyGems ruby_parser (RP) Temporary File Symlink Arbitrary File Overwrite
+date: 2013-02-21
+description: RubyGems ruby_parser (RP) contains a flaw as rubygem-ruby_parser creates temporary files insecurely. It is possible for a local attacker to use a symlink attack to cause the program to unexpectedly overwrite an arbitrary file.
+cvss_v2: 2.1
+patched_versions: 
+  - ">= 3.1.2"

data/data/ruby-advisory-db/gems/spree/OSVDB-91216.yml

@@ -0,0 +1,10 @@
+--- 
+gem: spree
+cve: 2013-1656
+osvdb: 91216
+url: http://osvdb.org/show/osvdb/91216
+title: Spree promotion_actions_controller.rb promotion_action Parameter Arbitrary Ruby Object Instantiation Command Execution
+date: 2013-02-21
+description: Spree contains a flaw that is triggered when handling input passed via the 'promotion_action' parameter to promotion_actions_controller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands.
+cvss_v2: 4.3
+patched_versions: 

data/data/ruby-advisory-db/gems/spree/OSVDB-91217.yml

@@ -0,0 +1,10 @@
+--- 
+gem: spree
+cve: 2013-1656
+osvdb: 91217
+url: http://osvdb.org/show/osvdb/91217
+title: Spree payment_methods_controller.rb payment_method Parameter Arbitrary Ruby Object Instantiation Command Execution
+date: 2013-02-21
+description: Spree contains a flaw that is triggered when handling input passed via the 'payment_method' parameter to payment_methods_controller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands.
+cvss_v2: 4.3
+patched_versions: 

data/data/ruby-advisory-db/gems/spree/OSVDB-91218.yml

@@ -0,0 +1,10 @@
+--- 
+gem: spree
+cve: 2013-1656
+osvdb: 91218
+url: http://osvdb.org/show/osvdb/91218
+title: Spree promotions_controller.rb calculator_type Parameter Arbitrary Ruby Object Instantiation Command Execution
+date: 2013-02-21
+description: Spree contains a flaw that is triggered when handling input passed via the 'calculator_type' parameter to promotions_controller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands.
+cvss_v2: 4.3
+patched_versions: 

data/data/ruby-advisory-db/gems/spree/OSVDB-91219.yml

@@ -0,0 +1,10 @@
+--- 
+gem: spree
+cve: 2013-1656
+osvdb: 91219
+url: http://osvdb.org/show/osvdb/91219
+title: Spree promotion_rules_controller.rb promotion_rule Parameter Arbitrary Ruby Object Instantiation Command Execution
+date: 2013-02-21
+description: Spree contains a flaw that is triggered when handling input passed via the 'promotion_rule' parameter to promotion_rules_controller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands.
+cvss_v2: 4.3
+patched_versions: 

data/data/ruby-advisory-db/gems/thumbshooter/OSVDB-91839.yml

@@ -0,0 +1,10 @@
+--- 
+gem: thumbshooter
+cve: 2013-1898
+osvdb: 91839
+url: http://osvdb.org/show/osvdb/91839
+title: Thumbshooter Gem for Ruby thumbshooter.rb URL Shell Metacharacter Injection Arbitrary Command Execution
+date: 2013-03-26
+description: Thumbshooter Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed to thumbshooter.rb. With a specially crafted URL that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands.
+cvss_v2: 7.5
+patched_versions: 

data/data/ruby-advisory-db/lib/scrape.rb

@@ -0,0 +1,87 @@
+require 'rubygems'
+require 'bundler/setup'
+
+require 'pry'
+require 'mechanize'
+require 'yaml'
+require 'date'
+
+class OSVDB
+  attr_accessor :osvdb, :cve, :title, :description, :date, :cvss_v2, :gem, :url, :patched_versions, :page
+  def initialize(url)
+    self.url = url
+    parse!
+  end
+
+  def parse!
+    mech = Mechanize.new
+    self.page = mech.get(url)
+
+    page.search(".show_vuln_table").search("td ul li").each do |li|
+      case li.children[0].text.strip
+      when "CVE ID:"
+        self.cve = li.children[1].text
+      when "Vendor URL:"
+        self.set_gem(li.children[1].text)
+      end
+    end
+
+    self.description = page.search(".show_vuln_table").search("tr td tr .white_content p")[0].text
+    self.date = page.search(".show_vuln_table").search("tr td tr .white_content tr td")[0].text
+    self.title = page.search("title").text.gsub(/\d+: /, "")
+    self.osvdb = page.search("title").text.match(/\d+/)[0]
+    if cvss_p = page.search(".show_vuln_table").search("tr td tr .white_content div p")[0]
+      self.set_cvss(cvss_p.children[0].text)
+    end
+  end
+
+  def set_gem(vendortext)
+    ["https://rubygems.org/gems/", "http://rubygems.org/gems/"].each do |str|
+      if vendortext.match(str)
+        self.gem = vendortext.gsub(str,"")
+      end
+    end
+  end
+
+  def set_cvss(text)
+    self.cvss_v2 = text.strip.gsub("CVSSv2 Base Score = ", "")
+  end
+
+  def date
+    Date.parse(@date)
+  end
+
+  def cvss_v2
+    @cvss_v2.nil? ? nil : @cvss_v2.to_f
+  end
+
+  def gem
+    @gem.nil? ? "unknown" : @gem
+  end
+
+  def to_yaml
+    { 'gem' => gem,
+      'cve' => cve,
+      'osvdb' => osvdb.to_i,
+      'url' => url,
+      'title' => title,
+      'date' => date,
+      'description' => description,
+      'cvss_v2' => cvss_v2,
+      'patched_versions' => patched_versions }.to_yaml
+  end
+
+  def filename
+    "OSVDB-#{osvdb}.yml"
+  end
+
+  def to_advisory!
+    gems_path = File.join(File.dirname(__FILE__), "..", "gems")
+    adv_path = File.absolute_path(File.join(gems_path, self.gem))
+
+    FileUtils.mkdir(adv_path) unless File.exists?(adv_path)
+    File.open(File.join(adv_path, filename), "w") do |io|
+      io.puts self.to_yaml
+    end
+  end
+end

data/data/ruby-advisory-db/spec/advisory_example.rb

@@ -0,0 +1,165 @@
+require 'spec_helper'
+require 'yaml'
+
+shared_examples_for 'Advisory' do |path|
+  advisory = YAML.load_file(path)
+
+  describe path do
+    let(:gem) { File.basename(File.dirname(path)) }
+    let(:filename_cve) do
+      if File.basename(path).start_with?('CVE-')
+        File.basename(path).gsub('CVE-','').chomp('.yml')
+      else
+        nil
+      end
+    end
+    let(:filename_osvdb) do
+      if File.basename(path).start_with?('OSVDB-')
+        File.basename(path).gsub('OSVDB-','').chomp('.yml')
+      else
+        nil
+      end
+    end
+
+    it "should have CVE or OSVDB" do
+      (advisory['cve'] || advisory['osvdb']).should_not be_nil
+    end
+
+    describe "gem" do
+      subject { advisory['gem'] }
+
+      it { should be_kind_of(String) }
+      it { should == gem }
+    end
+
+    describe "framework" do
+      subject { advisory['framework'] }
+
+      it "may be nil or a String" do
+        [NilClass, String].should include(subject.class)
+      end
+    end
+
+    describe "platform" do
+      subject { advisory['platform'] }
+
+      it "may be nil or a String" do
+        [NilClass, String].should include(subject.class)
+      end
+    end
+
+    describe "cve" do
+      subject { advisory['cve'] }
+
+      it "may be nil or a String" do
+        [NilClass, String].should include(subject.class)
+      end
+      it "should be id in filename if filename is CVE-XXX" do
+        if filename_cve
+          should == filename_cve
+        end
+      end
+    end
+
+    describe "osvdb" do
+      subject { advisory['osvdb'] }
+      it "may be nil or a Fixnum" do
+        [NilClass, Fixnum].should include(subject.class)
+      end
+       it "should be id in filename if filename is OSVDB-XXX" do
+        if filename_osvdb
+          should == filename_osvdb.to_i
+        end
+      end
+    end
+
+    describe "url" do
+      subject { advisory['url'] }
+
+      it { should be_kind_of(String) }
+      it { should_not be_empty }
+    end
+
+    describe "title" do
+      subject { advisory['title'] }
+
+      it { should be_kind_of(String) }
+      it { should_not be_empty }
+    end
+
+    describe "date" do
+      subject { advisory['date'] }
+
+      it { should be_kind_of(Date) }
+    end
+
+    describe "description" do
+      subject { advisory['description'] }
+
+      it { should be_kind_of(String) }
+      it { should_not be_empty }
+    end
+
+    describe "cvss_v2" do
+      subject { advisory['cvss_v2'] }
+
+      it "may be nil or a Float" do
+        [NilClass, Float].should include(subject.class)
+      end
+
+      case advisory['cvss_v2']
+      when Float
+        context "when a Float" do
+          it { ((0.0)..(10.0)).should include(subject) }
+        end
+      end
+    end
+
+    describe "patched_versions" do
+      subject { advisory['patched_versions'] }
+
+      it "may be nil or an Array" do
+        [NilClass, Array].should include(subject.class)
+      end
+
+      describe "each patched version" do
+        if advisory['patched_versions']
+          advisory['patched_versions'].each do |version|
+            describe version do
+              subject { version.split(', ') }
+              
+              it "should contain valid RubyGem version requirements" do
+                lambda {
+                Gem::Requirement.new(*subject)
+                }.should_not raise_error(ArgumentError)
+              end
+            end
+          end
+        end
+      end
+    end
+
+    describe "unaffected_versions" do
+      subject { advisory['unaffected_versions'] }
+
+      it "may be nil or an Array" do
+        [NilClass, Array].should include(subject.class)
+      end
+
+      case advisory['unaffected_versions']
+      when Array
+        advisory['unaffected_versions'].each do |version|
+          describe version do
+            subject { version.split(', ') }
+            
+            it "should contain valid RubyGem version requirements" do
+              lambda {
+                Gem::Requirement.new(*subject)
+              }.should_not raise_error(ArgumentError)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/data/ruby-advisory-db/spec/gems_spec.rb

@@ -0,0 +1,8 @@
+require 'spec_helper'
+require 'advisory_example'
+
+describe "gems" do
+  Dir.glob('gems/*/*.yml') do |path|
+    include_examples 'Advisory', path
+  end
+end

data/data/ruby-advisory-db/spec/spec_helper.rb

@@ -0,0 +1 @@
+require 'rspec'

data/gemspec.yml

@@ -0,0 +1,16 @@
+name: mrjoy-bundler-audit
+summary: Patch-level verification for Bundler
+description: bundler-audit provides patch-level verification for Bundled apps.
+license: GPLv3
+authors:
+- Postmodern
+- MrJoy
+email:
+- postmodern.mod3@gmail.com
+- jfrisby@mrjoy.com
+homepage: https://github.com/MrJoy/mrjoy-bundler-audit#readme
+
+required_rubygems_version: ">= 1.8.0"
+
+dependencies:
+  bundler: ~> 1.2