yawast 0.4.0.beta4 → 0.4.0.beta5

data/.travis.yml

@@ -6,3 +6,7 @@ notifications:
   email:
     on_success: never
     on_failure: never
+
+addons:
+    code_climate:
+        repo_token: 6fd9c710b9a6e0da2011c62b81075b9bd620200a2a400f4dbeab9c88829f4cb6

data/CHANGELOG.md

@@ -4,6 +4,8 @@
 * [#67](https://github.com/adamcaudill/yawast/issues/67) - Make "Found Redirect" optional
 * [#69](https://github.com/adamcaudill/yawast/issues/69) - False positives on non-standard 404 handling
 * [#73](https://github.com/adamcaudill/yawast/issues/73) - Use `--internalssl` when host is an IP address
+* [#64](https://github.com/adamcaudill/yawast/issues/64) - Add check for secure cookie on HTTP host
+* [#45](https://github.com/adamcaudill/yawast/issues/45) - Access Control Headers Check
 * [#65](https://github.com/adamcaudill/yawast/issues/65) - Bug: Output redirection doesn't work correctly
 * [#70](https://github.com/adamcaudill/yawast/issues/70) - Bug: Handle scans of IP addresses
 * [#72](https://github.com/adamcaudill/yawast/issues/72) - Bug: internalssl & Scanning IPs Fails

data/Gemfile

@@ -7,6 +7,6 @@ group :test do
   gem 'minitest'
   gem 'minitest-reporters'
   gem 'simplecov'
-  gem 'coveralls', require: false
   gem 'webrick'
+  gem 'codeclimate-test-reporter', require: nil
 end

data/README.md

@@ -1,4 +1,4 @@
-## YAWAST [![Build Status](https://travis-ci.org/adamcaudill/yawast.png?branch=master)](https://travis-ci.org/adamcaudill/yawast) [![Code Climate](https://codeclimate.com/github/adamcaudill/yawast.png)](https://codeclimate.com/github/adamcaudill/yawast) [![Coverage Status](https://coveralls.io/repos/github/adamcaudill/yawast/badge.svg?branch=master)](https://coveralls.io/github/adamcaudill/yawast?branch=master) [![Gem Version](https://badge.fury.io/rb/yawast.svg)](https://badge.fury.io/rb/yawast)
+## YAWAST [![Build Status](https://travis-ci.org/adamcaudill/yawast.svg?branch=master)](https://travis-ci.org/adamcaudill/yawast) [![Code Climate](https://codeclimate.com/github/adamcaudill/yawast/badges/gpa.svg)](https://codeclimate.com/github/adamcaudill/yawast) [![Test Coverage](https://codeclimate.com/github/adamcaudill/yawast/badges/coverage.svg)](https://codeclimate.com/github/adamcaudill/yawast/coverage) [![Gem Version](https://badge.fury.io/rb/yawast.svg)](https://badge.fury.io/rb/yawast)
 
 **The YAWAST Antecedent Web Application Security Toolkit**
 

data/Rakefile

@@ -1,9 +1,30 @@
 require 'rake/testtask'
 
-task :default => [:test]
+task :default => [:codeclimate]
 
 task :test do
-  Rake::TestTask.new do |t|
-    t.pattern = 'test/test_*.rb'
-  end
+  #set this, so that we can modify behavior based on where's it's ran from
+  ENV['FROM_RAKE'] = 'true'
+
+  require File.join(File.dirname(__FILE__), 'test/test_helper')
+  Dir.glob('./test/test_*.rb').each { |file| require file}
+
+  require 'minitest'
+  Minitest.run
+end
+
+task :codeclimate do
+  Rake::Task['test'].execute
+
+  require 'simplecov'
+  require 'codeclimate-test-reporter'
+
+  ENV['CODECLIMATE_REPO_TOKEN'] ='6fd9c710b9a6e0da2011c62b81075b9bd620200a2a400f4dbeab9c88829f4cb6'
+
+  SimpleCov.formatter = SimpleCov::Formatter::MultiFormatter.new([
+    SimpleCov::Formatter::HTMLFormatter,
+    CodeClimate::TestReporter::Formatter
+  ])
+
+  CodeClimate::TestReporter::Formatter.new.format(SimpleCov.result)
 end

data/bin/yawast

@@ -75,7 +75,7 @@ command :cert do |c|
 
   c.option '--input STRING', String, 'List of domains to check'
 
-  c.action do |args, options|
+  c.action do |_, options|
     Yawast::Commands::Cert.process(options)
   end
 end

data/lib/scanner/apache.rb

@@ -9,7 +9,7 @@ module Yawast
         modules = banner.split(' ')
         server = modules[0]
 
-        #hack - fix '(distro)' issue, such as with 'Apache/2.2.22 (Ubuntu)'
+        #fix '(distro)' issue, such as with 'Apache/2.2.22 (Ubuntu)'
         # if we don't do this, it triggers a false positive on the module check
         if /\(\w*\)/.match modules[1]
           server += " #{modules[1]}"
@@ -35,7 +35,7 @@ module Yawast
         end
       end
 
-      def self.check_all(uri, head)
+      def self.check_all(uri)
         #this check for @apache may yield false negatives.. meh.
         if @apache
           #run all the defined checks

data/lib/scanner/core.rb

@@ -37,7 +37,7 @@ module Yawast
 
           #cache the HEAD result, so that we can minimize hits
           head = Yawast::Shared::Http.head(@uri)
-          Yawast::Scanner::Generic.head_info(head)
+          Yawast::Scanner::Generic.head_info(head, @uri)
 
           #perfom SSL checks
           check_ssl(@uri, options, head)
@@ -45,7 +45,7 @@ module Yawast
           #process the 'scan' stuff that goes beyond 'head'
           unless options.head
             #server specific checks
-            Yawast::Scanner::Apache.check_all(@uri, head)
+            Yawast::Scanner::Apache.check_all(@uri)
             Yawast::Scanner::Iis.check_all(@uri, head)
 
             Yawast::Scanner::Plugins::Http::FilePresence.check_all @uri

data/lib/scanner/generic.rb

@@ -79,7 +79,7 @@ module Yawast
         end
       end
 
-      def self.head_info(head)
+      def self.head_info(head, uri)
         begin
           server = ''
           powered_by = ''
@@ -93,6 +93,7 @@ module Yawast
           xss_protection = ''
           via = ''
           hpkp = ''
+          acao = ''
 
           Yawast::Utilities.puts_info 'HEAD:'
           head.each do |k, v|
@@ -109,6 +110,7 @@ module Yawast
             xss_protection = v if k.downcase == 'x-xss-protection'
             via = v if k.downcase == 'via'
             hpkp = v if k.downcase == 'public-key-pins'
+            acao = v if k.downcase == 'access-control-allow-origin'
 
             if k.downcase == 'set-cookie'
               #this chunk of magic manages to properly split cookies, when multiple are sent together
@@ -181,6 +183,10 @@ module Yawast
             Yawast::Utilities.puts_warn 'Public-Key-Pins Header Not Present'
           end
 
+          if acao == '*'
+            Yawast::Utilities.puts_warn 'Access-Control-Allow-Origin: Unrestricted'
+          end
+
           puts ''
 
           unless cookies.empty?
@@ -192,12 +198,16 @@ module Yawast
               elements = val.strip.split(';')
 
               #check for secure cookies
-              unless elements.include? ' Secure'
+              if elements.include?(' Secure') || elements.include?(' secure')
+                if uri.scheme != 'https'
+                  Yawast::Utilities.puts_warn "\t\t\tCookie with Secure flag sent over non-HTTPS connection"
+                end
+              else
                 Yawast::Utilities.puts_warn "\t\t\tCookie missing Secure flag"
               end
 
               #check for HttpOnly cookies
-              unless elements.include? ' HttpOnly'
+              unless elements.include?(' HttpOnly') || elements.include?(' httponly')
                 Yawast::Utilities.puts_warn "\t\t\tCookie missing HttpOnly flag"
               end
             end
@@ -262,21 +272,21 @@ module Yawast
 
     #Custom class to allow using the PROPFIND verb
     class Propfind < Net::HTTPRequest
-      METHOD = "PROPFIND"
+      METHOD = 'PROPFIND'
       REQUEST_HAS_BODY = false
       RESPONSE_HAS_BODY = true
     end
 
     #Custom class to allow using the OPTIONS verb
     class Options < Net::HTTPRequest
-      METHOD = "OPTIONS"
+      METHOD = 'OPTIONS'
       REQUEST_HAS_BODY = false
       RESPONSE_HAS_BODY = true
     end
 
     #Custom class to allow using the TRACE verb
     class Trace < Net::HTTPRequest
-      METHOD = "TRACE"
+      METHOD = 'TRACE'
       REQUEST_HAS_BODY = false
       RESPONSE_HAS_BODY = true
     end

data/lib/scanner/iis.rb

@@ -55,7 +55,7 @@ module Yawast
 
     #Custom class to allow using the DEBUG verb
     class Debug < Net::HTTPRequest
-      METHOD = "DEBUG"
+      METHOD = 'DEBUG'
       REQUEST_HAS_BODY = false
       RESPONSE_HAS_BODY = true
     end

data/lib/scanner/plugins/http/directory_search.rb

@@ -3,7 +3,7 @@ module Yawast
     module Plugins
       module Http
         class DirectorySearch
-          def self.search(uri, recursive, list_redirects)
+          def self.search(uri, recursive, list_redirects, search_list = nil)
             @recursive = recursive
             @list_redirects = list_redirects
 
@@ -13,6 +13,18 @@ module Yawast
               puts 'Searching for common directories...'
             end
 
+            if search_list == nil
+              @search_list = []
+
+              File.open(File.dirname(__FILE__) + '/../../../resources/common.txt', 'r') do |f|
+                f.each_line do |line|
+                  @search_list.push line.strip
+                end
+              end
+            else
+              @search_list = search_list
+            end
+
             begin
               pool_size = 16
               @jobs = Queue.new
@@ -58,14 +70,12 @@ module Yawast
           end
 
           def self.load_queue(uri)
-            File.open(File.dirname(__FILE__) + '/../../../resources/common.txt', "r") do |f|
-              f.each_line do |line|
-                check = uri.copy
-                check.path = check.path + "#{line.strip}/"
+            @search_list.each do |line|
+              check = uri.copy
+              check.path = check.path + "#{line}/"
 
-                #add the job to the queue
-                @jobs.push check
-              end
+              #add the job to the queue
+              @jobs.push check
             end
           end
 

data/lib/scanner/plugins/http/file_presence.rb

@@ -12,7 +12,7 @@ module Yawast
             check.path = "#{path}"
             code = Yawast::Shared::Http.get_status_code(check)
 
-            if code == "200"
+            if code == '200'
               msg = "'#{path}' found: #{check}"
 
               if vuln

data/lib/scanner/ssl.rb

@@ -107,7 +107,7 @@ module Yawast
       def self.get_ciphers(uri)
         puts 'Supported Ciphers (based on your OpenSSL version):'
 
-        dns = Resolv::DNS.new()
+        dns = Resolv::DNS.new
 
         if IPAddress.valid? uri.host
           ip = IPAddress.parse uri.host
@@ -120,7 +120,7 @@ module Yawast
 
         versions.each do |version|
           #ignore SSLv23, as it's an auto-negotiate, which just adds noise
-          if version.to_s != "SSLv23"
+          if version.to_s != 'SSLv23'
             ciphers = OpenSSL::SSL::SSLContext.new(version).ciphers
             puts "\tChecking for #{version.to_s} suites (#{ciphers.count} possible suites)"
 
@@ -197,7 +197,7 @@ module Yawast
             headers = Yawast::Shared::Http.get_headers
 
             #force 3DES - this is to ensure that 3DES specific limits are caught
-            req.ciphers = ["3DES"]
+            req.ciphers = ['3DES']
 
             req.start do |http|
               10000.times do |i|

data/lib/scanner/ssl_labs.rb

@@ -5,6 +5,7 @@ require 'digest/sha1'
 
 module Yawast
   module Scanner
+    # noinspection RubyResolve
     class SslLabs
       def self.info(uri, tdes_session_count)
         puts 'Beginning SSL Labs scan (this could take a minute or two)'
@@ -259,7 +260,6 @@ module Yawast
               strength = 112
             end
 
-            suite_info = nil
             if ke != nil
               suite_info = "#{suite.name.ljust(50)} - #{strength}-bits - #{ke}"
             else

data/lib/shared/http.rb

@@ -53,6 +53,7 @@ module Yawast
         req
       end
 
+      # noinspection RubyStringKeysInHashInspection
       def self.get_headers
         if @cookie == nil
           headers = { 'User-Agent' => HTTP_UA }

data/lib/version.rb

@@ -1,3 +1,3 @@
 module Yawast
-  VERSION = '0.4.0.beta4'
+  VERSION = '0.4.0.beta5'
 end

data/lib/yawast.rb

@@ -44,7 +44,7 @@ module Yawast
   def self.set_openssl_options
     #change certain defaults, to make things work better
     #we prefer RSA, to avoid issues with small DH keys
-    OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ciphers] = "RSA:ALL:COMPLEMENTOFALL"
+    OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ciphers] = 'RSA:ALL:COMPLEMENTOFALL'
     OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:verify_mode] = OpenSSL::SSL::VERIFY_NONE
     OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:options] = OpenSSL::SSL::OP_ALL
   end

data/test/base.rb

@@ -1,3 +1,8 @@
+require File.join(File.dirname(__FILE__), 'test_helper')
+
+#if we are running from RubyMine, we need this, but it breaks things when called from Rake.
+require 'minitest/autorun' unless ENV['FROM_RAKE'] == 'true'
+
 module TestBase
   def override_stdout
     @orig_stdout = $stdout
@@ -17,7 +22,7 @@ module TestBase
   end
 
   def start_web_server(file, url, port = 1234)
-    thr = Thread.new {
+    Thread.new {
       server = WEBrick::HTTPServer.new :Port => port,
                                        :BindAddress => 'localhost',
                                        :AccessLog => [],
@@ -25,8 +30,6 @@ module TestBase
       server.mount "/#{url}", WEBrick::HTTPServlet::FileHandler, file
       server.start
     }
-
-    thr
   end
 
   def parse_headers_from_file(file)

data/test/test_cmd_util.rb

@@ -1,4 +1,3 @@
-require 'minitest/autorun'
 require File.dirname(__FILE__) + '/../lib/yawast'
 require File.dirname(__FILE__) + '/base'
 

data/test/test_directory_search.rb

@@ -0,0 +1,54 @@
+require 'webrick'
+require File.dirname(__FILE__) + '/../lib/yawast'
+require File.dirname(__FILE__) + '/base'
+
+class TestDirectorySearch < Minitest::Test
+  include TestBase
+
+  def test_directory_search_recurs
+    port = rand(60000) + 1024 # pick a random port number
+    server = run_server port
+
+    override_stdout
+    uri = Yawast::Commands::Utils.extract_uri(["http://localhost:#{port}"])
+
+    Yawast::Shared::Http.setup nil, nil
+    Yawast::Scanner::Plugins::Http::DirectorySearch.search uri, true, true, %w(test data)
+
+    assert stdout_value.include?('Recursively searching for common directories'), 'Output not found'
+
+    server.exit
+    restore_stdout
+  end
+
+  def test_directory_search
+    port = rand(60000) + 1024 # pick a random port number
+    server = run_server port
+
+    override_stdout
+    uri = Yawast::Commands::Utils.extract_uri(["http://localhost:#{port}"])
+
+    Yawast::Shared::Http.setup nil, nil
+    Yawast::Scanner::Plugins::Http::DirectorySearch.search uri, false, true, %w(test data)
+
+    assert stdout_value.include?('Searching for common directories'), 'Output not found'
+
+    server.exit
+    restore_stdout
+  end
+
+  def run_server(port)
+    Thread.new {
+      sockets = WEBrick::Utils.create_listeners nil, port
+
+      server = WEBrick::HTTPServer.new :Port => port,
+                                       :BindAddress => 'localhost',
+                                       :AccessLog => [],
+                                       :Logger => WEBrick::Log.new('/dev/null'),
+                                       :DocumentRoot => File.dirname(__FILE__),
+                                       :DoNotListen => true
+      server.listeners.replace sockets
+      server.start
+    }
+  end
+end

data/test/test_helper.rb

@@ -1,5 +1,8 @@
-require 'minitest/reporters'
-require 'coveralls'
+require 'simplecov'
+
+dir = File.join(File.dirname(__FILE__), '../coverage')
+SimpleCov.coverage_dir(dir)
+SimpleCov.start
 
+require 'minitest/reporters'
 MiniTest::Reporters.use!
-Coveralls.wear!

data/test/test_object_presence.rb

@@ -1,4 +1,3 @@
-require 'minitest/autorun'
 require 'webrick'
 require File.dirname(__FILE__) + '/../lib/yawast'
 require File.dirname(__FILE__) + '/base'
@@ -12,6 +11,8 @@ class TestScannerApacheServerStatus < Minitest::Test
 
     override_stdout
     uri = Yawast::Commands::Utils.extract_uri(["http://localhost:#{port}"])
+
+    Yawast::Shared::Http.setup nil, nil
     Yawast::Scanner::Plugins::Http::FilePresence.check_readme_html uri
 
     assert stdout_value.include?('\'/readme.html\' found:'), 'readme.html page warning not found'
@@ -20,12 +21,30 @@ class TestScannerApacheServerStatus < Minitest::Test
     restore_stdout
   end
 
+  def test_readme_html_present_all
+    port = rand(60000) + 1024 # pick a random port number
+    server = start_web_server File.dirname(__FILE__) + '/data/wordpress_readme_html.txt', 'readme.html', port
+
+    override_stdout
+    uri = Yawast::Commands::Utils.extract_uri(["http://localhost:#{port}"])
+
+    Yawast::Shared::Http.setup nil, nil
+    Yawast::Scanner::Plugins::Http::FilePresence.check_all uri
+
+    assert stdout_value.include?('\'/readme.html\' found:'), 'readme.html page warning not found'
+
+    server.exit
+    restore_stdout
+  end
+
   def test_release_notes_txt_present
     port = rand(60000) + 1024 # pick a random port number
     server = start_web_server File.dirname(__FILE__) + '/data/tomcat_release_notes.txt', 'RELEASE-NOTES.txt', port
 
     override_stdout
     uri = Yawast::Commands::Utils.extract_uri(["http://localhost:#{port}"])
+
+    Yawast::Shared::Http.setup nil, nil
     Yawast::Scanner::Plugins::Http::FilePresence.check_release_notes_txt uri
 
     assert stdout_value.include?('\'/RELEASE-NOTES.txt\' found:'), 'RELEASE-NOTES.txt page warning not found'

data/test/test_scan_apache_banner.rb

@@ -1,11 +1,10 @@
-require 'minitest/autorun'
 require File.dirname(__FILE__) + '/../lib/yawast'
 require File.dirname(__FILE__) + '/base'
 
 class TestScannerApacheBanner < Minitest::Test
   include TestBase
 
-  def test_apache_basic_banner_no_version
+  def test_apache_banner_no_version
     server = 'Apache'
     override_stdout
     Yawast::Scanner::Apache.check_banner server
@@ -25,7 +24,7 @@ class TestScannerApacheBanner < Minitest::Test
     restore_stdout
   end
 
-  def test_apache_basic_banner_distro
+  def test_apache_banner_distro
     server = 'Apache/2.4.7 (Ubuntu)'
     override_stdout
     Yawast::Scanner::Apache.check_banner server

data/test/test_scan_apache_server_info.rb

@@ -1,4 +1,3 @@
-require 'minitest/autorun'
 require 'webrick'
 require File.dirname(__FILE__) + '/../lib/yawast'
 require File.dirname(__FILE__) + '/base'
@@ -12,6 +11,8 @@ class TestScannerApacheServerInfo < Minitest::Test
 
     override_stdout
     uri = Yawast::Commands::Utils.extract_uri(["http://localhost:#{port}"])
+
+    Yawast::Shared::Http.setup nil, nil
     Yawast::Scanner::Apache.check_server_info uri
 
     assert stdout_value.include?('Apache Server Info page found'), 'Apache Server Info page warning not found'

data/test/test_scan_apache_server_status.rb

@@ -1,4 +1,3 @@
-require 'minitest/autorun'
 require 'webrick'
 require File.dirname(__FILE__) + '/../lib/yawast'
 require File.dirname(__FILE__) + '/base'
@@ -12,6 +11,8 @@ class TestScannerApacheServerStatus < Minitest::Test
 
     override_stdout
     uri = Yawast::Commands::Utils.extract_uri(["http://localhost:#{port}"])
+
+    Yawast::Shared::Http.setup nil, nil
     Yawast::Scanner::Apache.check_server_status uri
 
     assert stdout_value.include?('Apache Server Status page found'), 'Apache Server Status page warning not found'

data/test/test_scan_cms.rb

@@ -1,4 +1,3 @@
-require 'minitest/autorun'
 require File.dirname(__FILE__) + '/../lib/yawast'
 require File.dirname(__FILE__) + '/base'
 

data/test/test_scan_iis_headers.rb

@@ -1,4 +1,3 @@
-require 'minitest/autorun'
 require File.dirname(__FILE__) + '/../lib/yawast'
 require File.dirname(__FILE__) + '/base'
 

data/test/test_scan_nginx_banner.rb

@@ -1,4 +1,3 @@
-require 'minitest/autorun'
 require File.dirname(__FILE__) + '/../lib/yawast'
 require File.dirname(__FILE__) + '/base'
 

data/test/test_shared_http.rb

@@ -1,4 +1,3 @@
-require 'minitest/autorun'
 require File.dirname(__FILE__) + '/../lib/yawast'
 require File.dirname(__FILE__) + '/base'
 
@@ -10,12 +9,14 @@ class TestSharedHttp < Minitest::Test
   end
 
   def test_get_apple_success
+    Yawast::Shared::Http.setup nil, nil
     body = Yawast::Shared::Http.get @uri
 
     assert body.include?('Success'), 'Failed to receive "Success" message from Apple.com'
   end
 
   def test_status_apple_success
+    Yawast::Shared::Http.setup nil, nil
     status = Yawast::Shared::Http.get_status_code @uri
 
     assert_equal status, '200'
@@ -24,13 +25,17 @@ class TestSharedHttp < Minitest::Test
   def test_status_apple_failure
     uri = @uri
     uri.path += '.404'
+
+    Yawast::Shared::Http.setup nil, nil
     status = Yawast::Shared::Http.get_status_code uri
 
     assert_equal status, '404'
   end
 
   def test_head_apple_success
+    Yawast::Shared::Http.setup nil, nil
     head = Yawast::Shared::Http.head @uri
+
     head.each do |k, v|
       if k.downcase == 'server'
         assert_equal v, 'Apache'

data/test/test_shared_util.rb

@@ -1,4 +1,3 @@
-require 'minitest/autorun'
 require File.dirname(__FILE__) + '/../lib/yawast'
 require File.dirname(__FILE__) + '/base'
 require 'colorize'

data/test/test_string_ext.rb

@@ -1,4 +1,3 @@
-require 'minitest/autorun'
 require File.dirname(__FILE__) + '/../lib/yawast'
 require File.dirname(__FILE__) + '/base'
 

data/test/test_yawast.rb

@@ -1,4 +1,3 @@
-require 'minitest/autorun'
 require File.dirname(__FILE__) + '/../lib/yawast'
 require File.dirname(__FILE__) + '/base'
 

data/yawast.gemspec

@@ -1,17 +1,17 @@
-$:.push File.expand_path("../lib", __FILE__)
-require File.expand_path("../lib/version", __FILE__)
+$:.push File.expand_path('../lib', __FILE__)
+require File.expand_path('../lib/version', __FILE__)
 
 Gem::Specification.new do |s|
   s.name              = 'yawast'
   s.version           = Yawast::VERSION
   s.platform          = Gem::Platform::RUBY
-  s.summary           = "The YAWAST Antecedent Web Application Security Toolkit"
-  s.description       = "YAWAST is an application meant to simplify initial analysis and information gathering for penetration testers and security auditors."
-  s.authors           = ["Adam Caudill"]
+  s.summary           = 'The YAWAST Antecedent Web Application Security Toolkit'
+  s.description       = 'YAWAST is an application meant to simplify initial analysis and information gathering for penetration testers and security auditors.'
+  s.authors           = ['Adam Caudill']
   s.email             = 'adam@adamcaudill.com'
   s.homepage          = 'https://github.com/adamcaudill/yawast'
   s.license           = 'MIT'
-  s.rubyforge_project = "yawast"
+  s.rubyforge_project = 'yawast'
 
   s.add_runtime_dependency 'ssllabs', '~> 1.24'
   s.add_runtime_dependency 'commander', '~> 4.4'
@@ -25,5 +25,5 @@ Gem::Specification.new do |s|
   s.files             = `git ls-files`.split("\n")
   s.test_files        = `git ls-files -- {test,spec,features}/*`.split("\n")
   s.executables       = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
-  s.require_path      = ["lib"]
+  s.require_path      = ['lib']
 end