mrjoy-bundler-audit 0.1.4 → 0.2.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.document +1 -1
- data/ChangeLog.md +19 -2
- data/README.md +51 -33
- data/Rakefile +19 -2
- data/lib/bundler/audit/advisory.rb +4 -12
- data/lib/bundler/audit/cli.rb +1 -1
- data/lib/bundler/audit/scanner.rb +1 -1
- data/lib/bundler/audit/version.rb +1 -1
- data/spec/advisory_spec.rb +12 -12
- data/spec/bundle/secure/Gemfile +1 -1
- data/spec/integration_spec.rb +3 -3
- data/spec/scanner_spec.rb +6 -6
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 86bf3607b18010fe5a5a8eea50c278a4972fa133
|
|
4
|
+
data.tar.gz: bc8390e22500c5f02f45d19f0cfa541d3f1a86bc
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: abaf90aff0656335877ef86c57058dfbeef7edfc35f2a961531673d2e096f82e3072eba07de2a32bd48e8eb8c1c45d90cb80ce26824e9c787f6df54fcc85d768
|
|
7
|
+
data.tar.gz: 2a44ca737667dbbbf86435c1a84999ac36f6ad8c45d5c3cdd958d6cba889e678f3fe63aed0bf54d699eb88b8ba0686455497cf0923dc401e5da3fc186ecddb3c
|
data/.document
CHANGED
data/ChangeLog.md
CHANGED
|
@@ -1,4 +1,21 @@
|
|
|
1
|
-
### 0.1
|
|
1
|
+
### mrjoy-0.2.1 / 2013-09-13
|
|
2
|
+
|
|
3
|
+
* Integrate upstream changes from 0.2.0, with local changes from 0.1.4.
|
|
4
|
+
* Make specs automatically refresh `.gitignore`'d `Gemfile.lock` in spec
|
|
5
|
+
scenarios when the Gemfile has changed in a way that `bundle install` isn't
|
|
6
|
+
happy about (e.g. version bump on a gem previously listed in the `Gemfile`.)
|
|
7
|
+
|
|
8
|
+
### 0.2.0 / 2013-03-05
|
|
9
|
+
|
|
10
|
+
* Require RubyGems >= 1.8.0. Prior versions of RubyGems could not correctly
|
|
11
|
+
parse approximate version requirements (`~> 1.2.3`).
|
|
12
|
+
* Updated the [ruby-advisory-db].
|
|
13
|
+
* Added {Bundle::Audit::Advisory#unaffected_versions}.
|
|
14
|
+
* Added {Bundle::Audit::Advisory#unaffected?}.
|
|
15
|
+
* Added {Bundle::Audit::Advisory#patched?}.
|
|
16
|
+
* Renamed `Advisory#cve` to {Bundle::Audit::Advisory#id}.
|
|
17
|
+
|
|
18
|
+
### mrjoy-0.1.4 / 2013-08-15
|
|
2
19
|
|
|
3
20
|
* RVM compartmentalization for the project (only relevant to people hacking on
|
|
4
21
|
it).
|
|
@@ -12,7 +29,7 @@
|
|
|
12
29
|
* Add ability for individual spec files to be called individually.
|
|
13
30
|
* Rename gem so this can be installed via Rubygems.
|
|
14
31
|
|
|
15
|
-
### 0.1.3 / 2013-03-05
|
|
32
|
+
### mrjoy-0.1.3 / 2013-03-05
|
|
16
33
|
|
|
17
34
|
* Require RubyGems >= 1.8.0. Prior versions of RubyGems could not correctly
|
|
18
35
|
parse approximate version requirements (`~> 1.2.3`).
|
data/README.md
CHANGED
|
@@ -2,6 +2,7 @@
|
|
|
2
2
|
|
|
3
3
|
* [Homepage](https://github.com/MrJoy/mrjoy-bundler-audit#readme)
|
|
4
4
|
* [Issues](https://github.com/MrJoy/mrjoy-bundler-audit/issues)
|
|
5
|
+
* [Documentation](http://rubydoc.info/gems/mrjoy-bundler-audit/frames)
|
|
5
6
|
* [Email](mailto:jfrisby@mrjoy.com)
|
|
6
7
|
* [](https://travis-ci.org/MrJoy/mrjoy-bundler-audit)
|
|
7
8
|
* [](https://codeclimate.com/github/MrJoy/mrjoy-bundler-audit)
|
|
@@ -13,6 +14,8 @@ Patch-level verification for [Bundler][bundler].
|
|
|
13
14
|
## Features
|
|
14
15
|
|
|
15
16
|
* Checks for vulnerable versions of gems in `Gemfile.lock`.
|
|
17
|
+
* Checks for insecure gem sources (`http://`).
|
|
18
|
+
* Allows ignoring certain advisories that have been manually worked around.
|
|
16
19
|
* Prints advisory information.
|
|
17
20
|
* Does not require a network connection.
|
|
18
21
|
|
|
@@ -21,47 +24,62 @@ Patch-level verification for [Bundler][bundler].
|
|
|
21
24
|
Audit a projects `Gemfile.lock`:
|
|
22
25
|
|
|
23
26
|
$ bundle-audit
|
|
24
|
-
Name:
|
|
25
|
-
Version: 1.4.4
|
|
26
|
-
CVE: 2013-0263
|
|
27
|
-
Criticality: High
|
|
28
|
-
URL: http://osvdb.org/show/osvdb/89939
|
|
29
|
-
Title: Rack Rack::Session::Cookie Function Timing Attack Remote Code Execution
|
|
30
|
-
Patched Versions: ~> 1.1.6, ~> 1.2.8, ~> 1.3.10, ~> 1.4.5, >= 1.5.2
|
|
31
|
-
|
|
32
|
-
Name: json
|
|
33
|
-
Version: 1.7.6
|
|
34
|
-
CVE: 2013-0269
|
|
35
|
-
Criticality: High
|
|
36
|
-
URL: http://direct.osvdb.org/show/osvdb/90074
|
|
37
|
-
Title: Ruby on Rails JSON Gem Arbitrary Symbol Creation Remote DoS
|
|
38
|
-
Patched Versions: ~> 1.5.4, ~> 1.6.7, >= 1.7.7
|
|
39
|
-
|
|
40
|
-
Name: rails
|
|
27
|
+
Name: actionpack
|
|
41
28
|
Version: 3.2.10
|
|
42
|
-
|
|
43
|
-
Criticality:
|
|
44
|
-
URL: http://osvdb.org/show/osvdb/
|
|
45
|
-
Title:
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
Name:
|
|
29
|
+
Advisory: OSVDB-91452
|
|
30
|
+
Criticality: Medium
|
|
31
|
+
URL: http://www.osvdb.org/show/osvdb/91452
|
|
32
|
+
Title: XSS vulnerability in sanitize_css in Action Pack
|
|
33
|
+
Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
|
|
34
|
+
|
|
35
|
+
Name: actionpack
|
|
36
|
+
Version: 3.2.10
|
|
37
|
+
Advisory: OSVDB-91454
|
|
38
|
+
Criticality: Medium
|
|
39
|
+
URL: http://osvdb.org/show/osvdb/91454
|
|
40
|
+
Title: XSS Vulnerability in the `sanitize` helper of Ruby on Rails
|
|
41
|
+
Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
|
|
42
|
+
|
|
43
|
+
Name: actionpack
|
|
49
44
|
Version: 3.2.10
|
|
50
|
-
|
|
45
|
+
Advisory: OSVDB-89026
|
|
51
46
|
Criticality: High
|
|
52
47
|
URL: http://osvdb.org/show/osvdb/89026
|
|
53
|
-
Title: Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
48
|
+
Title: Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing Remote Code Execution
|
|
49
|
+
Solution: upgrade to ~> 2.3.15, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
|
|
50
|
+
|
|
51
|
+
Name: activerecord
|
|
52
|
+
Version: 3.2.10
|
|
53
|
+
Advisory: OSVDB-91453
|
|
54
|
+
Criticality: High
|
|
55
|
+
URL: http://osvdb.org/show/osvdb/91453
|
|
56
|
+
Title: Symbol DoS vulnerability in Active Record
|
|
57
|
+
Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
|
|
58
|
+
|
|
59
|
+
Name: activerecord
|
|
58
60
|
Version: 3.2.10
|
|
59
|
-
|
|
61
|
+
Advisory: OSVDB-90072
|
|
60
62
|
Criticality: Medium
|
|
61
63
|
URL: http://direct.osvdb.org/show/osvdb/90072
|
|
62
64
|
Title: Ruby on Rails Active Record attr_protected Method Bypass
|
|
63
|
-
|
|
64
|
-
|
|
65
|
+
Solution: upgrade to ~> 2.3.17, ~> 3.1.11, >= 3.2.12
|
|
66
|
+
|
|
67
|
+
Name: activerecord
|
|
68
|
+
Version: 3.2.10
|
|
69
|
+
Advisory: OSVDB-89025
|
|
70
|
+
Criticality: High
|
|
71
|
+
URL: http://osvdb.org/show/osvdb/89025
|
|
72
|
+
Title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass
|
|
73
|
+
Solution: upgrade to ~> 2.3.16, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
|
|
74
|
+
|
|
75
|
+
Name: activesupport
|
|
76
|
+
Version: 3.2.10
|
|
77
|
+
Advisory: OSVDB-91451
|
|
78
|
+
Criticality: High
|
|
79
|
+
URL: http://www.osvdb.org/show/osvdb/91451
|
|
80
|
+
Title: XML Parsing Vulnerability affecting JRuby users
|
|
81
|
+
Solution: upgrade to ~> 3.1.12, >= 3.2.13
|
|
82
|
+
|
|
65
83
|
Unpatched versions found!
|
|
66
84
|
|
|
67
85
|
## Requirements
|
data/Rakefile
CHANGED
|
@@ -23,6 +23,15 @@ require 'rake'
|
|
|
23
23
|
require 'rubygems/tasks'
|
|
24
24
|
Gem::Tasks.new
|
|
25
25
|
|
|
26
|
+
desc 'Updates data/ruby-advisory-db'
|
|
27
|
+
task :update do
|
|
28
|
+
chdir 'data/ruby-advisory-db' do
|
|
29
|
+
sh 'git', 'pull', 'origin', 'master'
|
|
30
|
+
end
|
|
31
|
+
|
|
32
|
+
sh 'git', 'commit', 'data/ruby-advisory-db', '-m', 'Updated ruby-advisory-db'
|
|
33
|
+
end
|
|
34
|
+
|
|
26
35
|
require 'rspec/core/rake_task'
|
|
27
36
|
RSpec::Core::RakeTask.new
|
|
28
37
|
|
|
@@ -32,7 +41,15 @@ namespace :spec do
|
|
|
32
41
|
|
|
33
42
|
%w[secure unpatched_gems insecure_sources].each do |bundle|
|
|
34
43
|
chdir(File.join(root,bundle)) do
|
|
35
|
-
|
|
44
|
+
# rm_f "Gemfile.lock" if(File.exist?("Gemfile.lock"))
|
|
45
|
+
begin
|
|
46
|
+
sh 'BUNDLE_BIN_PATH="" BUNDLE_GEMFILE="" RUBYOPT="" bundle install --path ../../../vendor/bundle'
|
|
47
|
+
rescue
|
|
48
|
+
if(File.exist?("Gemfile.lock"))
|
|
49
|
+
puts "Looks like Gemfile may have been updated. Attempting to update things."
|
|
50
|
+
sh 'BUNDLE_BIN_PATH="" BUNDLE_GEMFILE="" RUBYOPT="" bundle update'
|
|
51
|
+
end
|
|
52
|
+
end
|
|
36
53
|
end
|
|
37
54
|
end
|
|
38
55
|
end
|
|
@@ -43,5 +60,5 @@ task :test => :spec
|
|
|
43
60
|
task :default => :spec
|
|
44
61
|
|
|
45
62
|
require 'yard'
|
|
46
|
-
YARD::Rake::YardocTask.new
|
|
63
|
+
YARD::Rake::YardocTask.new
|
|
47
64
|
task :doc => :yard
|
|
@@ -22,7 +22,7 @@ require 'yaml'
|
|
|
22
22
|
module Bundler
|
|
23
23
|
module Audit
|
|
24
24
|
class Advisory < Struct.new(:path,
|
|
25
|
-
:
|
|
25
|
+
:id,
|
|
26
26
|
:url,
|
|
27
27
|
:title,
|
|
28
28
|
:description,
|
|
@@ -41,8 +41,8 @@ module Bundler
|
|
|
41
41
|
# @api semipublic
|
|
42
42
|
#
|
|
43
43
|
def self.load(path)
|
|
44
|
+
id = File.basename(path).chomp('.yml')
|
|
44
45
|
data = YAML.load_file(path)
|
|
45
|
-
cve = data['cve']
|
|
46
46
|
|
|
47
47
|
unless data.kind_of?(Hash)
|
|
48
48
|
raise("advisory data in #{path.dump} was not a Hash")
|
|
@@ -56,7 +56,7 @@ module Bundler
|
|
|
56
56
|
|
|
57
57
|
return new(
|
|
58
58
|
path,
|
|
59
|
-
|
|
59
|
+
id,
|
|
60
60
|
data['url'],
|
|
61
61
|
data['title'],
|
|
62
62
|
data['description'],
|
|
@@ -127,15 +127,7 @@ module Bundler
|
|
|
127
127
|
!patched?(version) && !unaffected?(version)
|
|
128
128
|
end
|
|
129
129
|
|
|
130
|
-
|
|
131
|
-
# Converts the advisory to a String.
|
|
132
|
-
#
|
|
133
|
-
# @return [String]
|
|
134
|
-
# The CVE identifier.
|
|
135
|
-
#
|
|
136
|
-
def to_s
|
|
137
|
-
"CVE-#{cve}"
|
|
138
|
-
end
|
|
130
|
+
alias to_s id
|
|
139
131
|
|
|
140
132
|
end
|
|
141
133
|
end
|
data/lib/bundler/audit/cli.rb
CHANGED
data/spec/advisory_spec.rb
CHANGED
|
@@ -5,10 +5,16 @@ require 'bundler/audit/advisory'
|
|
|
5
5
|
describe Bundler::Audit::Advisory do
|
|
6
6
|
let(:root) { Bundler::Audit::Database::PATH }
|
|
7
7
|
let(:gem) { 'actionpack' }
|
|
8
|
-
let(:
|
|
9
|
-
let(:
|
|
8
|
+
let(:id) { 'OSVDB-84243' }
|
|
9
|
+
let(:path) { File.join(root,gem,"#{id}.yml") }
|
|
10
10
|
let(:an_unaffected_version) do
|
|
11
|
-
YAML.
|
|
11
|
+
YAML.
|
|
12
|
+
load(File.read(path))['unaffected_versions'].
|
|
13
|
+
map { |item| item.split(/\s*,\s*/) }.
|
|
14
|
+
flatten.
|
|
15
|
+
select { |ver| ver =~ /^(~>|>=|=|<=)/ }.
|
|
16
|
+
first.
|
|
17
|
+
sub(/^.*?(~>|>=|=|<=)\s+/, '')
|
|
12
18
|
end
|
|
13
19
|
|
|
14
20
|
describe "load" do
|
|
@@ -16,7 +22,7 @@ describe Bundler::Audit::Advisory do
|
|
|
16
22
|
|
|
17
23
|
subject { described_class.load(path) }
|
|
18
24
|
|
|
19
|
-
its(:
|
|
25
|
+
its(:id) { should == id }
|
|
20
26
|
its(:url) { should == data['url'] }
|
|
21
27
|
its(:title) { should == data['title'] }
|
|
22
28
|
its(:cvss_v2) { should == data['cvss_v2'] }
|
|
@@ -58,9 +64,6 @@ describe Bundler::Audit::Advisory do
|
|
|
58
64
|
end
|
|
59
65
|
|
|
60
66
|
describe "#unaffected?" do
|
|
61
|
-
let(:gem) { 'activerecord' }
|
|
62
|
-
let(:path) { File.join(root,gem,"OSVDB-82403.yml") }
|
|
63
|
-
|
|
64
67
|
subject { described_class.load(path) }
|
|
65
68
|
|
|
66
69
|
context "when passed a version that matches one unaffected version" do
|
|
@@ -92,7 +95,7 @@ describe Bundler::Audit::Advisory do
|
|
|
92
95
|
end
|
|
93
96
|
|
|
94
97
|
context "when passed a version that matches no patched version" do
|
|
95
|
-
let(:version) { Gem::Version.new('
|
|
98
|
+
let(:version) { Gem::Version.new('2.9.0') }
|
|
96
99
|
|
|
97
100
|
it "should return false" do
|
|
98
101
|
subject.patched?(version).should be_false
|
|
@@ -112,16 +115,13 @@ describe Bundler::Audit::Advisory do
|
|
|
112
115
|
end
|
|
113
116
|
|
|
114
117
|
context "when passed a version that matches no patched version" do
|
|
115
|
-
let(:version) { Gem::Version.new('
|
|
118
|
+
let(:version) { Gem::Version.new('2.9.0') }
|
|
116
119
|
|
|
117
120
|
it "should return true" do
|
|
118
121
|
subject.vulnerable?(version).should be_true
|
|
119
122
|
end
|
|
120
123
|
|
|
121
124
|
context "when unaffected_versions is not empty" do
|
|
122
|
-
let(:gem) { 'activerecord' }
|
|
123
|
-
let(:path) { File.join(root,gem,"OSVDB-82403.yml") }
|
|
124
|
-
|
|
125
125
|
subject { described_class.load(path) }
|
|
126
126
|
|
|
127
127
|
context "when passed a version that matches one unaffected version" do
|
data/spec/bundle/secure/Gemfile
CHANGED
data/spec/integration_spec.rb
CHANGED
|
@@ -22,7 +22,7 @@ describe "CLI" do
|
|
|
22
22
|
it "should print advisory information for the vulnerable gems" do
|
|
23
23
|
advisory_pattern = /(Name: [^\n]+
|
|
24
24
|
Version: \d+.\d+.\d+
|
|
25
|
-
Advisory:
|
|
25
|
+
Advisory: OSVDB-\d+
|
|
26
26
|
Criticality: (High|Medium)
|
|
27
27
|
URL: http:\/\/(direct|www\.)?osvdb.org\/show\/osvdb\/\d+
|
|
28
28
|
Title: [^\n]*?
|
|
@@ -38,7 +38,7 @@ Solution: upgrade to ((~>|=>) \d+.\d+.\d+, )*(~>|=>) \d+.\d+.\d+[\s\n]*?)+/
|
|
|
38
38
|
let(:directory) { File.join('spec','bundle',bundle) }
|
|
39
39
|
|
|
40
40
|
let(:command) do
|
|
41
|
-
File.expand_path(File.join(File.dirname(__FILE__),'..','bin','bundle-audit -i
|
|
41
|
+
File.expand_path(File.join(File.dirname(__FILE__),'..','bin','bundle-audit -i OSVDB-89026'))
|
|
42
42
|
end
|
|
43
43
|
|
|
44
44
|
subject do
|
|
@@ -46,7 +46,7 @@ Solution: upgrade to ((~>|=>) \d+.\d+.\d+, )*(~>|=>) \d+.\d+.\d+[\s\n]*?)+/
|
|
|
46
46
|
end
|
|
47
47
|
|
|
48
48
|
it "should not print advisory information for ignored gem" do
|
|
49
|
-
subject.should_not include("
|
|
49
|
+
subject.should_not include("OSVDB-89026")
|
|
50
50
|
end
|
|
51
51
|
end
|
|
52
52
|
|
data/spec/scanner_spec.rb
CHANGED
|
@@ -31,18 +31,18 @@ describe Scanner do
|
|
|
31
31
|
subject { scanner.scan.to_a }
|
|
32
32
|
|
|
33
33
|
it "should match unpatched gems to their advisories" do
|
|
34
|
-
subject
|
|
35
|
-
|
|
36
|
-
|
|
34
|
+
subject.all? { |result|
|
|
35
|
+
result.advisory.vulnerable?(result.gem.version)
|
|
36
|
+
}.should be_true
|
|
37
37
|
end
|
|
38
38
|
|
|
39
39
|
context "when the :ignore option is given" do
|
|
40
|
-
subject { scanner.scan(:ignore => ['
|
|
40
|
+
subject { scanner.scan(:ignore => ['OSVDB-89026']) }
|
|
41
41
|
|
|
42
42
|
it "should ignore the specified advisories" do
|
|
43
|
-
|
|
43
|
+
ids = subject.map { |result| result.advisory.id }
|
|
44
44
|
|
|
45
|
-
|
|
45
|
+
ids.should_not include('OSVDB-89026')
|
|
46
46
|
end
|
|
47
47
|
end
|
|
48
48
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: mrjoy-bundler-audit
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.1
|
|
4
|
+
version: 0.2.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Postmodern
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2013-
|
|
12
|
+
date: 2013-09-13 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: bundler
|