redmine_audit 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 182a256634fc3c05360c058215fa5c0bdef09bc1
+  data.tar.gz: 2619e900354882da15f5e6775552ee95e2d68168
+SHA512:
+  metadata.gz: 50b2639203a7c5540b3cee8d85e71ae67914dbb4137f02c803e9303c0374b3b982d2554bbff43b24632d5ca9c6ef53b597553eb8cc0da909ad6222e83eaa2a09
+  data.tar.gz: 4b273431a5b814f7b9d63a7d256f60a8b05026dad18fe35a7d916ad9f7c1c84fe63750089e1bd339d5720eb10aa51773c750fb081ea03ca30f8911447a3d06e6

data/.gitignore

@@ -0,0 +1 @@
+Gemfile.lock

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in redmine_audit.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2017 Sho Hashimoto
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,41 @@
+# RedmineAudit
+
+This is Redmine plugin for checking vulnerabilities. provides redmine:audit rake task.
+
+## Installation
+
+Add this line to your Redmine's Gemfile.local:
+
+```ruby
+gem 'redmine_audit'
+```
+
+And then execute:
+
+    $ bundle
+
+## Usage
+
+Excecute redmine:audit rake task with users environment variable.
+
+```
+$ rake redmine:audit users=1,2 RAILS_ENV=production
+```
+
+Or, add same commant to crontab.
+
+```
+30 6 * * * www-data cd /path/to/redmine ; rake redmine:audit users=1,2 RAILS_ENV=production
+```
+
+users environment variable can set only system administrator.
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/sho-h/redmine_audit.
+
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
+

data/Rakefile

@@ -0,0 +1,11 @@
+require 'bundler/gem_tasks'
+require 'rake/testtask'
+
+Rake::TestTask.new do |t|
+  t.libs << 'test'
+  files = FileList['test/**/*test.rb']
+  t.test_files = files
+  t.verbose = true
+end
+
+task :default => :test

data/app/models/mailer.rb

@@ -0,0 +1,23 @@
+# reopen Redmine Mailer
+class Mailer < ActionMailer::Base
+  # Sends notification to specified administrator
+  #
+  # @param [Gem::Version] advisories
+  #   The version to compare against {#unaffected_versions}.
+  # @param [Array] user_ids
+  #   Array of user ids who should be notified
+  def unfixed_advisories_found(advisories, user_ids)
+    if advisories.nil? || advisories.empty?
+      raise "Couldn't find user specified: #{advisories.inspect}"
+    end
+
+    users = User.active.where(admin: true, id: user_ids).to_a
+    if users.empty?
+      raise ActiveRecord::RecordNotFound.new("Couldn't find user specified: #{user_ids.inspect}")
+    end
+
+    @advisories = advisories
+    # TODO: Internationalize suject and body.
+    mail(to: users, subject: "[Redmine] Security notification")
+  end
+end

data/app/views/mailer/unfixed_advisories_found.html.erb

@@ -0,0 +1,25 @@
+<div><%= l(:mail_summary_advisories_found) %></div>
+
+<%-
+@advisories.each do |advisory|
+  if advisory.external_references && !advisory.external_references.empty?
+    ext_refs = advisory.external_references
+  else
+    ext_refs = 'none'
+  end
+  solution = advisory.fixed_versions.join(', ')
+-%>
+
+<div>
+  <ul style="list-style:none;">
+    <li>Severity: <%= advisory.severity %></li>
+    <li>URL: <%= ext_refs %></li>
+    <li>Detail: <%= advisory.details %></li>
+    <li>Solution: upgrade to <%= solution %></li>
+  </ul>
+</div>
+<%- end -%>
+
+<div>
+<%= l(:mail_detail_link_head_advisories_found) %> <%= link_to 'redmine.org', RedmineAudit::Database::URL %> <%= l(:mail_detail_link_tail_advisories_found) %>
+</div>

data/app/views/mailer/unfixed_advisories_found.text.erb

@@ -0,0 +1,19 @@
+<%= l(:mail_summary_advisories_found) %>
+
+<%-
+@advisories.each do |advisory|
+  if advisory.external_references && !advisory.external_references.empty?
+    ext_refs = advisory.external_references
+  else
+    ext_refs = 'none'
+  end
+  solution = advisory.fixed_versions.join(', ')
+-%>
+
+Severity: <%= advisory.severity %>
+URL: <%= ext_refs %>
+Detail: <%= advisory.details %>
+Solution: upgrade to <%= solution %>
+<%- end -%>
+
+<%= l(:mail_detail_link_head_advisories_found) %> <%= RedmineAudit::Database::URL %> <%= l(:mail_detail_link_tail_advisories_found) %>

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "redmine_audit"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/config/locales/en.yml

@@ -0,0 +1,5 @@
+# English strings go here for Rails i18n
+en:
+  mail_summary_advisories_found: "Vulnerabilities found your Redmine!"
+  mail_detail_link_head_advisories_found: "See"
+  mail_detail_link_tail_advisories_found: "for more detail."

data/config/locales/ja.yml

@@ -0,0 +1,4 @@
+ja:
+  mail_summary_advisories_found: "Redmineの脆弱性が見つかりました!"
+  mail_detail_link_head_advisories_found: "詳しくは"
+  mail_detail_link_tail_advisories_found: "を参照してください。"

data/config/routes.rb

@@ -0,0 +1,2 @@
+# Plugin's routes
+# See: http://guides.rubyonrails.org/routing.html

data/init.rb

@@ -0,0 +1,8 @@
+Redmine::Plugin.register :redmine_audit do
+  name 'Redmine Audit plugin'
+  author 'Sho Hashimoto'
+  description 'Redmine plugin for checking vulnerabilities'
+  version RedmineAudit::VERSION
+  url 'https://github.com/sho-h/redmine_audit/'
+  author_url 'https://github.com/sho-h/'
+end

data/lib/redmine_audit.rb

@@ -0,0 +1,10 @@
+require 'redmine_audit/version'
+
+module RedmineAudit
+  # Run the classic redmine plugin initializer after rails boot
+  class Plugin < ::Rails::Engine
+    config.after_initialize do
+      require File.expand_path('../init', __dir__)
+    end
+  end
+end

data/lib/redmine_audit/advisory.rb

@@ -0,0 +1,48 @@
+module RedmineAudit
+  # Redmine advisory
+  #
+  # ex)  Advisory.new('High', 'http://someurl.example.com',
+  #                   [Gem::Requirement], [Gem::Requirement])
+  class Advisory < Struct.new(:severity,
+                              :details,
+                              :external_references,
+                              :unaffected_versions,
+                              :fixed_versions)
+    # Checks whether the version is not affected by the advisory.
+    #
+    # @param [Gem::Version] version
+    #   The version to compare against {#unaffected_versions}.
+    #
+    # @return [Boolean]
+    #   Specifies whether the version is not affected by the advisory.
+    def unaffected?(version)
+      unaffected_versions.any? do |unaffected_version|
+        unaffected_version === version
+      end
+    end
+
+    # Checks whether the version is fixed against the advisory.
+    #
+    # @param [Gem::Version] version
+    #   The version to compare against {#fixed_versions}.
+    #
+    # @return [Boolean]
+    #   Specifies whether the version is fixed against the advisory.
+    def fixed?(version)
+      fixed_versions.any? do |fixed_version|
+        fixed_version === version
+      end
+    end
+
+    # Checks whether the version is vulnerable to the advisory.
+    #
+    # @param [Gem::Version] version
+    #   The version to compare against {#fixed_versions}.
+    #
+    # @return [Boolean]
+    #   Specifies whether the version is vulnerable to the advisory or not.
+    def vulnerable?(version)
+      !fixed?(version) && !unaffected?(version)
+    end
+  end
+end

data/lib/redmine_audit/database.rb

@@ -0,0 +1,71 @@
+require 'open-uri'
+require 'nokogiri'
+require 'redmine_audit/advisory'
+
+module RedmineAudit
+  # Redmine advisory database
+  class Database
+    URL = 'http://www.redmine.org/projects/redmine/wiki/Security_Advisories'
+    TABLE_XPATH = '//*[@id="content"]/div[2]/table'
+
+    attr_reader :vulnerabilities
+
+    # Get unfixed advisories against specified Redmine version.
+    #
+    # @param [String] version
+    #   The Redmine version to compare against {#unaffected_versions}.
+    #
+    # @return [[Redmine::Advisory]]
+    #   The array of Redmine::Advisory unfixed.
+    def advisories(v)
+      if @known_advisories.nil?
+        @known_advisories = []
+        html = fetch_advisory_data
+        doc = Nokogiri::HTML(html)
+        doc.xpath(TABLE_XPATH).xpath('tr')[1..-1].each do |tr|
+          if res = parse_tds(tr.xpath('td'))
+            @known_advisories << Advisory.new(*res)
+          end
+        end
+      end
+
+      # tarball version has '.stable'.
+      # This is hack to avoid treating prerelease by Gem::Version.
+      # TODO: refactoring such as fix Gem::Version like setting @prerelease = false.
+      redmine_version = Gem::Version.new(v.gsub(/\.stable\z/, ''))
+      unfixed_advisories = []
+      @known_advisories.each do |advisory|
+        if advisory.vulnerable?(redmine_version)
+          unfixed_advisories.push(advisory)
+        end
+      end
+      return unfixed_advisories
+    end
+
+    private
+
+    def fetch_advisory_data(url = URL)
+      open(url).read
+    end
+
+    # [severity, details, external_references, unaffected_versions, fixed_versions]
+    def parse_tds(tds)
+      # TODO: treat affected_versions if needed.
+      # Last element is unaffected_versions. Always empty array now.
+      res = tds[0..2].map(&:content) + [[]]
+
+      # Ignore depends gem
+      return nil if /Ruby on Rails vulnerability/.match(res[1])
+
+      versions = tds[4].content.split(/\s*(?:and|,)\s*/)
+      fixed_versions = []
+      if versions.length > 1
+        fixed_versions =
+          versions[0..-2].map {|v| Gem::Requirement.new('~> ' + v)}
+      end
+      fixed_versions.push(Gem::Requirement.new('>= ' + versions.last))
+      res.push(fixed_versions)
+      return res
+    end
+  end
+end

data/lib/redmine_audit/version.rb

@@ -0,0 +1,3 @@
+module RedmineAudit
+  VERSION = '0.1.0'
+end

data/lib/tasks/redmine_audit.rake

@@ -0,0 +1,30 @@
+require 'redmine/version'
+require 'redmine_audit/advisory'
+require 'redmine_audit/database'
+
+desc <<-END_DESC
+Check redmine vulnerabilities.
+
+Available options:
+  * users    => comma separated list of user/group ids who should be notified
+
+Example:
+  rake redmine:bundle_audit users="1,23, 56" RAILS_ENV="production"
+END_DESC
+
+namespace :redmine do
+  task audit: :environment do
+    # TODO: More better if requires mailer automatically.
+    require_dependency 'mailer'
+    require_relative '../../app/models/mailer.rb'
+
+    redmine_ver = Redmine::VERSION
+    advisories = RedmineAudit::Database.new.advisories(redmine_ver.to_s)
+    if advisories.length > 0
+      users = (ENV['users'] || '').split(',').each(&:strip!)
+      Mailer.with_synched_deliveries do
+        Mailer.unfixed_advisories_found(advisories, users).deliver
+      end
+    end
+  end
+end

data/redmine_audit.gemspec

@@ -0,0 +1,30 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'redmine_audit/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'redmine_audit'
+  spec.version       = RedmineAudit::VERSION
+  spec.authors       = ['Sho Hashimoto']
+  spec.email         = ['sho.hsmt@gmail.com']
+
+  spec.summary       = %q{Redmine plugin for checking vulnerabilities}
+  spec.description   = %q{Redmine plugin for checking vulnerabilities}
+  spec.homepage      = 'https://github.com/sho-h/redmine_audit'
+  spec.license       = 'MIT'
+
+  spec.files         = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  spec.bindir        = 'exe'
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  spec.add_runtime_dependency 'nokogiri'
+
+  spec.add_development_dependency 'bundler', '~> 1.14'
+  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'test-unit'
+  spec.add_development_dependency 'test-unit-rr'
+end

metadata

@@ -0,0 +1,140 @@
+--- !ruby/object:Gem::Specification
+name: redmine_audit
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Sho Hashimoto
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2017-06-12 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.14'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.14'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: test-unit
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: test-unit-rr
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Redmine plugin for checking vulnerabilities
+email:
+- sho.hsmt@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- app/controllers/.keep
+- app/helpers/.keep
+- app/models/.keep
+- app/models/mailer.rb
+- app/views/.keep
+- app/views/mailer/unfixed_advisories_found.html.erb
+- app/views/mailer/unfixed_advisories_found.text.erb
+- bin/console
+- bin/setup
+- config/locales/en.yml
+- config/locales/ja.yml
+- config/routes.rb
+- db/migrate/.keep
+- init.rb
+- lib/redmine_audit.rb
+- lib/redmine_audit/advisory.rb
+- lib/redmine_audit/database.rb
+- lib/redmine_audit/version.rb
+- lib/tasks/.keep
+- lib/tasks/redmine_audit.rake
+- redmine_audit.gemspec
+homepage: https://github.com/sho-h/redmine_audit
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.2
+signing_key: 
+specification_version: 4
+summary: Redmine plugin for checking vulnerabilities
+test_files: []