mrjoy-bundler-audit 0.3.2 → 0.3.3

data/data/ruby-advisory-db/gems/rgpg/OSVDB-95948.yml

@@ -1,6 +1,7 @@
 --- 
 gem: rgpg
 osvdb: 95948
+cve: 2013-4203
 url: http://www.osvdb.org/show/osvdb/95948
 title: Ruby rgpg Gem Shell Command Injection Vulnerabilities
 date: 2013-08-02
@@ -8,6 +9,6 @@ description: |
   rgpg Gem for Ruby contains a flaw in the GpgHelper module (lib/rgpg/gpg_helper.rb).
   The issue is due to the program failing to properly sanitize user-supplied input before being used in the system() function for execution.
   This may allow a remote attacker to execute arbitrary commands.
-cvss_v2:
+cvss_v2: 7.5
 patched_versions: 
   - ">= 0.2.3"

data/data/ruby-advisory-db/gems/spree/OSVDB-91216.yml

@@ -1,4 +1,4 @@
---- 
+---
 gem: spree
 cve: 2013-1656
 osvdb: 91216
@@ -7,4 +7,5 @@ title: Spree promotion_actions_controller.rb promotion_action Parameter Arbitrar
 date: 2013-02-21
 description: Spree contains a flaw that is triggered when handling input passed via the 'promotion_action' parameter to promotion_actions_controller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands.
 cvss_v2: 4.3
-patched_versions: 
+patched_versions:
+  - ">= 2.0.0"

data/data/ruby-advisory-db/gems/spree/OSVDB-91217.yml

@@ -1,4 +1,4 @@
---- 
+---
 gem: spree
 cve: 2013-1656
 osvdb: 91217
@@ -7,4 +7,5 @@ title: Spree payment_methods_controller.rb payment_method Parameter Arbitrary Ru
 date: 2013-02-21
 description: Spree contains a flaw that is triggered when handling input passed via the 'payment_method' parameter to payment_methods_controller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands.
 cvss_v2: 4.3
-patched_versions: 
+patched_versions:
+  - ">= 2.0.0"

data/data/ruby-advisory-db/gems/spree/OSVDB-91218.yml

@@ -1,4 +1,4 @@
---- 
+---
 gem: spree
 cve: 2013-1656
 osvdb: 91218
@@ -7,4 +7,5 @@ title: Spree promotions_controller.rb calculator_type Parameter Arbitrary Ruby O
 date: 2013-02-21
 description: Spree contains a flaw that is triggered when handling input passed via the 'calculator_type' parameter to promotions_controller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands.
 cvss_v2: 4.3
-patched_versions: 
+patched_versions:
+  - ">= 2.0.0"

data/data/ruby-advisory-db/gems/spree/OSVDB-91219.yml

@@ -1,4 +1,4 @@
---- 
+---
 gem: spree
 cve: 2013-1656
 osvdb: 91219
@@ -7,4 +7,5 @@ title: Spree promotion_rules_controller.rb promotion_rule Parameter Arbitrary Ru
 date: 2013-02-21
 description: Spree contains a flaw that is triggered when handling input passed via the 'promotion_rule' parameter to promotion_rules_controller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands.
 cvss_v2: 4.3
-patched_versions: 
+patched_versions:
+  - ">= 2.0.0"

data/data/ruby-advisory-db/gems/sprout/OSVDB-100598.yml

@@ -0,0 +1,14 @@
+---
+gem: sprout
+cve: 2013-6421
+osvdb: 100598
+url: http://www.osvdb.org/show/osvdb/100598
+title: Sprout Gem for Ruby contains a flaw
+date: 2013-12-02
+description: sprout Gem for Ruby contains a flaw in the unpack_zip() function in archive_unpacker.rb.
+  The issue is due to the program failing to properly sanitize input passed via the 'zip_file', 'dir',
+  'zip_name', and 'output' parameters. This may allow a context-dependent attacker to execute arbitrary code.
+cvss_v2: 7.5
+patched_versions: 
+unaffected_versions:
+  - '< 0.7.246'

data/data/ruby-advisory-db/gems/webbynode/OSVDB-100920.yml

@@ -0,0 +1,11 @@
+---
+gem: webbynode
+osvdb: 100920
+url: http://osvdb.org/show/osvdb/100920
+title: Webbynode Gem for Ruby contains a flaw
+date: 2013-12-12
+description: Webbynode Gem for Ruby contains a flaw in notify.rb that is triggered
+  when handling a specially crafted growlnotify message. This may allow a
+  context-dependent attacker to execute arbitrary commands.
+cvss_v2: 7.5
+patched_versions:

data/data/ruby-advisory-db/gems/will_paginate/OSVDB-101138.yml

@@ -0,0 +1,15 @@
+---
+gem: will_paginate
+osvdb: 101138
+cve: 2013-6459
+url: http://osvdb.org/show/osvdb/101138
+title: will_paginate Gem for Ruby Generated Pagination Link Unspecified XSS
+date: 2013-09-19
+description: will_paginate Gem for Ruby contains a flaw that allows a cross-site scripting (XSS) attack.
+  This flaw exists because the application does not validate certain unspecified input related to
+  generated pagination links before returning it to the user. This may allow an attacker to create
+  a specially crafted request that would execute arbitrary script code in a users browser within the
+  trust relationship between their browser and the server.
+cvss_v2: 4.3
+patched_versions:
+  - ">= 3.0.5"

data/data/ruby-advisory-db/spec/advisory_example.rb

@@ -1,4 +1,4 @@
-require 'spec_helper'
+load File.join(File.dirname(__FILE__), 'spec_helper.rb')
 require 'yaml'
 
 shared_examples_for 'Advisory' do |path|
@@ -131,7 +131,7 @@ shared_examples_for 'Advisory' do |path|
               it "should contain valid RubyGem version requirements" do
                 lambda {
                 Gem::Requirement.new(*subject)
-                }.should_not raise_error(ArgumentError)
+                }.should_not raise_error
               end
             end
           end
@@ -155,7 +155,7 @@ shared_examples_for 'Advisory' do |path|
             it "should contain valid RubyGem version requirements" do
               lambda {
                 Gem::Requirement.new(*subject)
-              }.should_not raise_error(ArgumentError)
+              }.should_not raise_error
             end
           end
         end

data/data/ruby-advisory-db/spec/gems_spec.rb

@@ -1,8 +1,7 @@
-require 'spec_helper'
-require 'advisory_example'
-
+load File.join(File.dirname(__FILE__), 'spec_helper.rb')
+load File.join(File.dirname(__FILE__), 'advisory_example.rb')
 describe "gems" do
-  Dir.glob('gems/*/*.yml') do |path|
+  Dir.glob(File.join(File.dirname(__FILE__), '../gems/*/*.yml')) do |path|
     include_examples 'Advisory', path
   end
 end

data/data/ruby-advisory-db.ts

@@ -0,0 +1 @@
+2014-04-10 19:47:28 UTC

data/gemspec.yml

@@ -1,6 +1,6 @@
 name: mrjoy-bundler-audit
 summary: Patch-level verification for Bundler
-description: bundler-audit provides patch-level verification for Bundled apps.
+description: An improved version of bundler-audit provides patch-level verification for Bundled apps
 license: GPLv3
 authors:
 - Postmodern
@@ -13,4 +13,5 @@ homepage: https://github.com/MrJoy/mrjoy-bundler-audit#readme
 required_rubygems_version: ">= 1.8.0"
 
 dependencies:
+  thor: ~> 0.18
   bundler: ~> 1.2

data/lib/bundler/audit/cli.rb

@@ -20,12 +20,13 @@
 require 'bundler/audit/scanner'
 require 'bundler/audit/version'
 
+require 'thor'
 require 'bundler'
 require 'bundler/vendored_thor'
 
 module Bundler
   module Audit
-    class CLI < Thor
+    class CLI < ::Thor
 
       default_task :check
       map '--version' => :version
@@ -74,9 +75,9 @@ module Bundler
 
       protected
 
-      def say(string="", color=nil)
+      def say(message="", color=nil)
         color = nil unless $stdout.tty?
-        super(string, color)
+        super(message.to_s, color)
       end
 
       def print_warning(message)
@@ -90,7 +91,7 @@ module Bundler
         say advisory.id
 
         say "Criticality: ", :red
-        say *CRITICALITY_MAP[advisory.criticality]
+        say *(CRITICALITY_MAP[advisory.criticality] || "Unknown")
 
         say "URL: ", :red
         say advisory.url
@@ -133,13 +134,11 @@ module Bundler
         end
       end
 
-      CRITICALITY_MAP = Hash({
+      CRITICALITY_MAP = {
         :low    => ["Low"],
         :medium => ["Medium", :yellow],
         :high   => ["High", [:red, :bold]],
-      }) do |data, key|
-        "Unknown"
-      end
+      }
     end
   end
 end

data/lib/bundler/audit/database.rb

@@ -17,12 +17,11 @@
 # along with mrjoy-bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
 #
 
+require 'bundler/audit/advisory'
+
 require 'time'
 require 'yaml'
 
-require 'bundler/audit/advisory'
-require 'bundler/audit/vendored_time'
-
 module Bundler
   module Audit
     #
@@ -37,8 +36,11 @@ module Bundler
       # Default path to the ruby-advisory-db
       VENDORED_PATH =  File.expand_path(File.join(File.dirname(__FILE__),'..','..','..','data','ruby-advisory-db'))
 
+      # Timestamp for when the database was last updated
+      VENDORED_TIMESTAMP = Time.parse(File.read("#{VENDORED_PATH}.ts")).utc
+
       # Path to the user's copy of the ruby-advisory-db
-      USER_PATH = File.join(Gem.user_home,'.local','share','ruby-advisory-db')
+      USER_PATH = File.expand_path(File.join(ENV['HOME'],'.local','share','ruby-advisory-db'))
 
       # The path to the advisory database
       attr_reader :path
@@ -69,7 +71,7 @@ module Bundler
       def self.path
         if File.directory?(USER_PATH)
           t1 = Dir.chdir(USER_PATH) { Time.parse(`git log --pretty="%cd" -1`) }
-          t2 = VENDORED_REPO_CTIME
+          t2 = VENDORED_TIMESTAMP
 
           if t1 >= t2 then USER_PATH
           else             VENDORED_PATH

data/lib/bundler/audit/task.rb

@@ -0,0 +1,45 @@
+require 'rake'
+require 'rake/tasklib'
+require 'bundler/audit/scanner'
+require 'bundler/audit/cli'
+
+module Bundler
+  module Audit
+    class Task < ::Rake::TaskLib
+      attr_accessor :name
+      attr_accessor :options
+      attr_accessor :block
+      attr_accessor :verbose
+      attr_accessor :ignore
+
+      def initialize(*args, &block)
+        @options = args || []
+        @block = block if block
+        @verbose = false
+
+        define
+      end
+
+      protected
+      def define
+        desc "Run Bundler-audit" unless ::Rake.application.last_comment
+        @name = options.shift || :audit
+
+        task @name, *options do |_, task_args|
+          RakeFileUtils.send(:verbose, @verbose) do
+            block.call(self) if block
+            run
+          end
+        end
+      end
+
+      def run
+        t = ['check']
+        t << '-v' if verbose
+        t << '-i' << ignore if ignore
+        Bundler::Audit::CLI.start t
+      end
+
+    end
+  end
+end

data/lib/bundler/audit/version.rb

@@ -20,6 +20,6 @@
 module Bundler
   module Audit
     # bundler-audit version
-    VERSION = '0.3.2'
+    VERSION = '0.3.3'
   end
 end

data/spec/advisory_spec.rb

@@ -8,13 +8,20 @@ describe Bundler::Audit::Advisory do
   let(:id)   { 'OSVDB-84243' }
   let(:path) { File.join(root,'gems',gem,"#{id}.yml") }
   let(:an_unaffected_version) do
-    Advisory.load(path).
-      unaffected_versions. # Only care about unaffected versions...
-      first.               # And even then, any will do.
-      requirements.        # This is where we find versions...
-      first.               # Again, any will do.
-      last.                # We don't care about the bound, just the version number.
-      to_s                 # And we'd like it as a string.
+    Bundler::Audit::Advisory.load(path).unaffected_versions.map { |version_rule|
+      # For all the rules, get the individual constraints out and see if we
+      # can find a suitable one...
+      version_rule.requirements.select { |(constraint, gem_version)|
+        # We only want constraints where the version number specified is
+        # one of the unaffected version.  I.E. we don't want ">", "<", or if
+        # such a thing exists, "!=" constraints.
+        ['~>', '>=', '=', '<='].include?(constraint)
+      }.map { |(constraint, gem_version)|
+        # Fetch just the version component, which is a Gem::Version,
+        # and extract the string representation of the version.
+        gem_version.version
+      }
+    }.flatten.first
   end
 
   describe "load" do

data/spec/bundle/secure/Gemfile

@@ -1,6 +1,6 @@
 source 'https://rubygems.org'
 
-gem 'rails', '3.2.15'
+gem 'rails', '~>4.1.0'
 
 # Bundle edge Rails instead:
 # gem 'rails', :git => 'git://github.com/rails/rails.git'

data/spec/database_spec.rb

@@ -1,8 +1,13 @@
 require 'spec_helper'
 require 'bundler/audit/database'
 require 'tmpdir'
+require 'rake/file_list'
 
 describe Bundler::Audit::Database do
+  let(:vendored_advisories) do
+    Rake::FileList[File.join(Bundler::Audit::Database::VENDORED_PATH, '**/*.yml')].sort
+  end
+
   describe "path" do
     subject { described_class.path }
 
@@ -101,7 +106,18 @@ describe Bundler::Audit::Database do
   end
 
   describe "#size" do
-    it { subject.size.should > 0 }
+    it { expect(subject.size).to eq vendored_advisories.count }
+  end
+
+  describe "#advisories" do
+    it "should return a list of all advisories." do
+      actual_advisories = Bundler::Audit::Database.new.
+        advisories.
+        map(&:path).
+        sort
+
+      expect(actual_advisories).to eq vendored_advisories
+    end
   end
 
   describe "#to_s" do
@@ -109,4 +125,10 @@ describe Bundler::Audit::Database do
       subject.to_s.should == subject.path
     end
   end
+
+  describe "#inspect" do
+    it "should produce a Ruby-ish instance descriptor" do
+      expect(Bundler::Audit::Database.new.inspect).to eq("#<Bundler::Audit::Database:#{Bundler::Audit::Database::VENDORED_PATH}>")
+    end
+  end
 end

data/spec/integration_spec.rb

@@ -1,66 +1,81 @@
 require 'spec_helper'
 
 describe "CLI" do
-  let(:directory) { File.join('spec','bundle',bundle) }
+  include Helpers
 
-  context "when auditing a vulnerable bundle" do
+  let(:command) do
+    File.expand_path(File.join(File.dirname(__FILE__),'..','bin','bundle-audit'))
+  end
+
+  context "when auditing a bundle with unpatched gems" do
     let(:bundle)    { 'unpatched_gems' }
+    let(:directory) { File.join('spec','bundle',bundle) }
+
+    subject do
+      Dir.chdir(directory) { sh(command, :fail => true) }
+    end
+
+    it "should print a warning" do
+      subject.should include("Unpatched versions found!")
+    end
 
     it "should print advisory information for the vulnerable gems" do
-      output = audit_in_directory "", directory, :fail => true
-      # Doing this so we can get an exact count on the number of
-      # vulnerabilities we should match with the regex below.
-      vuln_count = output.split(/Name:/).length - 1 # Less one for the
-                                                    # zero-width prefix before
-                                                    # the first match.
-
-      # Note the "{vuln_count}" below indicates the minimum number of
-      # advisories that we should see matches for -- as a particular version of
-      # code will never
       advisory_pattern = /(Name: [^\n]+
-Version: \d+\.\d+\.\d+
+Version: \d+.\d+.\d+
 Advisory: OSVDB-\d+
 Criticality: (High|Medium)
-URL: http:\/\/(direct\.|www\.)?osvdb\.org\/show\/osvdb\/\d+
-Title: [^\n]+
-Solution: upgrade to ((~>|=>|>=) \d+\.\d+\.\d+, )*((~>|=>|>=) \d+\.\d+\.\d+)[\s\n]*?){#{vuln_count}}/
-      expect(vuln_count).to be >= 8 # As of 2013-11-04, this bundle turns up 8
-                                    # vulns.  That could increase over time of
-                                    # course.
-      expect(output).to match(advisory_pattern)
-      expect(output).to include("Unpatched versions found!")
+URL: http:\/\/(direct|www\.)?osvdb.org\/show\/osvdb\/\d+
+Title: [^\n]*?
+Solution: upgrade to ((~>|=>) \d+.\d+.\d+, )*(~>|=>) \d+.\d+.\d+[\s\n]*?)+/
+
+      expect(subject).to match(advisory_pattern)
+      expect(subject).to include("Unpatched versions found!")
     end
   end
 
   context "when auditing a bundle with ignored gems" do
     let(:bundle)    { 'unpatched_gems' }
+    let(:directory) { File.join('spec','bundle',bundle) }
 
-    it "should not print advisory information for ignored gem" do
-      output = audit_in_directory "-i OSVDB-89026", directory, :fail => true
+    let(:command) do
+      File.expand_path(File.join(File.dirname(__FILE__),'..','bin','bundle-audit -i OSVDB-89026'))
+    end
 
-      expect(output).to_not include("OSVDB-89026")
+    subject do
+      Dir.chdir(directory) { sh(command, :fail => true) }
+    end
+
+    it "should not print advisory information for ignored gem" do
+      subject.should_not include("OSVDB-89026")
     end
   end
 
   context "when auditing a bundle with insecure sources" do
     let(:bundle)    { 'insecure_sources' }
+    let(:directory) { File.join('spec','bundle',bundle) }
+
+    subject do
+      Dir.chdir(directory) { sh(command, :fail => true) }
+    end
 
     it "should print warnings about insecure sources" do
-      output = audit_in_directory "", directory, :fail => true
-      expect(output).to include(%{
+      subject.should include(%{
 Insecure Source URI found: git://github.com/rails/jquery-rails.git
 Insecure Source URI found: http://rubygems.org/
       }.strip)
     end
   end
 
-
   context "when auditing a secure bundle" do
     let(:bundle)    { 'secure' }
+    let(:directory) { File.join('spec','bundle',bundle) }
+
+    subject do
+      Dir.chdir(directory) { sh(command) }
+    end
 
     it "should print nothing when everything is fine" do
-      output = audit_in_directory "", directory
-      expect(output.strip).to eq "No unpatched versions found"
+      subject.strip.should == "No unpatched versions found"
     end
   end
 end

data/spec/rake_task_spec.rb

@@ -0,0 +1,35 @@
+require 'bundler/audit/task'
+
+describe Bundler::Audit::Task do
+  let(:task) { Bundler::Audit::Task.new }
+
+  context "default options" do
+    it "runs bundle-audit check" do
+      task = Bundler::Audit::Task.new(:audit_task)
+      expect(Bundler::Audit::CLI).to receive(:start)
+      task.send(:run)
+    end
+
+    it "creates task name" do
+      task = Bundler::Audit::Task.new(:audit_task)
+      expect(task.name).to eq(:audit_task)
+      expect(task).to receive(:run) { true }
+      Rake.application.invoke_task("audit_task")
+    end
+
+    it "can fail" do
+      task = Bundler::Audit::Task.new(:failed_audit)
+      Rake.application.invoke_task("failed_audit")
+    end
+  end
+
+  context "verbose" do
+    it "correctly adds verbose to the command" do
+      task = Bundler::Audit::Task.new(:audit_test_1) do |r|
+        r.verbose = true
+      end
+      expect(Bundler::Audit::CLI).to receive(:start).with ['check', '-v']
+      Rake.application.invoke_task("audit_test_1")
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -1,8 +1,16 @@
-require 'simplecov'
-require 'json'
-SimpleCov.start
+require 'rubygems'
+require 'bundler'
+Bundler.require(:default, :development, :test)
+
+version = RUBY_VERSION.split(/\./).map(&:to_i)
+if((version[0] == 1 && version[1] >= 9) || (version[0] >= 2))
+  require 'simplecov'
+  require 'json'
+  SimpleCov.start
+end
 
 require 'rspec'
+require 'bundler/audit'
 require 'bundler/audit/version'
 
 module Helpers