guarddog 2.7.0__py3-none-any.whl → 2.8.4__py3-none-any.whl

guarddog/analyzer/sourcecode/rubygems-exfiltrate-sensitive-data.yml

@@ -0,0 +1,70 @@
+rules:
+  - id: rubygems-exfiltrate-sensitive-data
+    languages:
+      - ruby
+    mode: taint
+    message: |
+      This package reads sensitive data and sends it to a remote server.
+      This could indicate credential theft or data exfiltration.
+    metadata:
+      description: Identify when a package reads and exfiltrates sensitive data from the local system
+    pattern-sources:
+      - pattern-either:
+          # Environment variables
+          - pattern: ENV
+          - pattern: ENV[...]
+          - pattern: ENV.fetch(...)
+          - pattern: ENV.to_h
+          - pattern: ENV.to_hash
+
+          # Specific sensitive env vars
+          - pattern: ENV['HOME']
+          - pattern: ENV['USER']
+          - pattern: ENV['USERNAME']
+          - pattern: ENV['AWS_ACCESS_KEY_ID']
+          - pattern: ENV['AWS_SECRET_ACCESS_KEY']
+          - pattern: ENV['AWS_SESSION_TOKEN']
+          - pattern: ENV['GITHUB_TOKEN']
+          - pattern: ENV['GH_TOKEN']
+
+          # System info
+          - pattern: Socket.gethostname
+          - pattern: Etc.getlogin
+          - pattern: Etc.getpwuid(...)
+
+          # Reading sensitive files
+          - pattern: File.read("~/.ssh/...")
+          - pattern: File.read("~/.aws/...")
+          - pattern: File.read("~/.netrc")
+          - pattern: File.read("~/.git-credentials")
+
+          # Dir patterns for sensitive locations
+          - pattern: Dir.home
+          - pattern: Dir.glob("~/.ssh/*")
+          - pattern: Dir.glob("~/.aws/*")
+    pattern-sinks:
+      - pattern-either:
+          # Net::HTTP
+          - pattern: Net::HTTP.post(...)
+          - pattern: Net::HTTP.post_form(...)
+          - pattern: $HTTP.request(...)
+          - pattern: $HTTP.post(...)
+          - pattern: $HTTP.put(...)
+
+          # open-uri
+          - pattern: URI.open(...)
+          - pattern: OpenURI.open_uri(...)
+
+          # HTTParty, Faraday, RestClient
+          - pattern: HTTParty.post(...)
+          - pattern: HTTParty.put(...)
+          - pattern: Faraday.post(...)
+          - pattern: Faraday.put(...)
+          - pattern: RestClient.post(...)
+          - pattern: RestClient.put(...)
+
+          # Socket
+          - pattern: $SOCKET.write(...)
+          - pattern: $SOCKET.send(...)
+          - pattern: TCPSocket.new(...)
+    severity: WARNING

guarddog/analyzer/sourcecode/rubygems-install-hook.yml

@@ -0,0 +1,45 @@
+rules:
+  - id: rubygems-install-hook
+    languages:
+      - ruby
+    message: |
+      This package uses Gem::Installer hooks which execute code during gem installation.
+      This is a common technique for malicious gems to run code when installed.
+    metadata:
+      description: Identify when a gem registers installation hooks
+    patterns:
+      - pattern-either:
+          # Post-install hooks
+          - pattern: Gem.post_install(...)
+          - pattern: Gem.post_install { ... }
+          - pattern: Gem.post_install do ... end
+          - pattern: Gem::Installer.post_install(...)
+          - pattern: Gem::Installer.post_install { ... }
+          - pattern: Gem::Installer.post_install do ... end
+
+          # Pre-install hooks
+          - pattern: Gem.pre_install(...)
+          - pattern: Gem.pre_install { ... }
+          - pattern: Gem.pre_install do ... end
+          - pattern: Gem::Installer.pre_install(...)
+          - pattern: Gem::Installer.pre_install { ... }
+          - pattern: Gem::Installer.pre_install do ... end
+
+          # Post-uninstall hooks
+          - pattern: Gem.post_uninstall(...)
+          - pattern: Gem.post_uninstall { ... }
+          - pattern: Gem.post_uninstall do ... end
+
+          # Pre-uninstall hooks
+          - pattern: Gem.pre_uninstall(...)
+          - pattern: Gem.pre_uninstall { ... }
+          - pattern: Gem.pre_uninstall do ... end
+
+          # Extension building (can run arbitrary code)
+          - pattern: |
+              Gem::Specification.new do |$S|
+                ...
+                $S.extensions = ...
+                ...
+              end
+    severity: WARNING

guarddog/analyzer/sourcecode/rubygems-network-on-require.yml

@@ -0,0 +1,78 @@
+rules:
+  - id: rubygems-network-on-require
+    languages:
+      - ruby
+    message: |
+      This package makes network requests at the top level, which means it runs
+      when the gem is required. Malicious gems often use this to phone home or
+      download additional payloads.
+    metadata:
+      description: Identify when a gem makes network requests when required
+    patterns:
+      - pattern-either:
+          # Net::HTTP at top level
+          - pattern: |
+              require 'net/http'
+              ...
+              Net::HTTP.$METHOD(...)
+          - pattern: |
+              require "net/http"
+              ...
+              Net::HTTP.$METHOD(...)
+
+          # open-uri at top level
+          - pattern: |
+              require 'open-uri'
+              ...
+              URI.open(...)
+          - pattern: |
+              require "open-uri"
+              ...
+              URI.open(...)
+          - pattern: |
+              require 'open-uri'
+              ...
+              open(...)
+          - pattern: |
+              require "open-uri"
+              ...
+              open(...)
+
+          # HTTParty at top level
+          - pattern: |
+              require 'httparty'
+              ...
+              HTTParty.$METHOD(...)
+          - pattern: |
+              require "httparty"
+              ...
+              HTTParty.$METHOD(...)
+
+          # Faraday at top level
+          - pattern: |
+              require 'faraday'
+              ...
+              Faraday.$METHOD(...)
+          - pattern: |
+              require "faraday"
+              ...
+              Faraday.$METHOD(...)
+
+          # Socket connections at top level
+          - pattern: |
+              require 'socket'
+              ...
+              TCPSocket.new(...)
+          - pattern: |
+              require "socket"
+              ...
+              TCPSocket.new(...)
+          - pattern: |
+              require 'socket'
+              ...
+              TCPSocket.open(...)
+          - pattern: |
+              require "socket"
+              ...
+              TCPSocket.open(...)
+    severity: WARNING

guarddog/analyzer/sourcecode/rubygems-serialize-environment.yml

@@ -0,0 +1,38 @@
+rules:
+  - id: rubygems-serialize-environment
+    languages:
+      - ruby
+    message: |
+      This package serializes the entire ENV hash, which may indicate
+      an attempt to steal environment variables including secrets and credentials.
+    metadata:
+      description: Identify when a package serializes ENV to exfiltrate environment variables
+    patterns:
+      - pattern-either:
+          # JSON serialization
+          - pattern: ENV.to_h.to_json
+          - pattern: ENV.to_hash.to_json
+          - pattern: JSON.dump(ENV)
+          - pattern: JSON.dump(ENV.to_h)
+          - pattern: JSON.dump(ENV.to_hash)
+          - pattern: JSON.generate(ENV)
+          - pattern: JSON.generate(ENV.to_h)
+          - pattern: JSON.generate(ENV.to_hash)
+
+          # YAML serialization
+          - pattern: ENV.to_h.to_yaml
+          - pattern: ENV.to_hash.to_yaml
+          - pattern: YAML.dump(ENV)
+          - pattern: YAML.dump(ENV.to_h)
+          - pattern: YAML.dump(ENV.to_hash)
+
+          # Marshal serialization
+          - pattern: Marshal.dump(ENV)
+          - pattern: Marshal.dump(ENV.to_h)
+          - pattern: Marshal.dump(ENV.to_hash)
+
+          # Converting to string for sending
+          - pattern: ENV.to_h.inspect
+          - pattern: ENV.to_hash.inspect
+          - pattern: ENV.inspect
+    severity: WARNING

guarddog/analyzer/sourcecode/shady-links.yml

@@ -43,7 +43,7 @@ rules:
             - pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(files\.catbox\.moe)\b)
 
             # top-level domains
-            - pattern-regex: (https?:\/\/[^\n\[\/\?#"']*?\.(link|xyz|tk|ml|ga|cf|gq|pw|top|club|mw|bd|ke|am|sbs|date|quest|cd|bid|cd|ws|icu|cam|uno|email|stream|zip)\/)
+            - pattern-regex: (https?:\/\/[^\n\[\/\?#"']*?\.(link|xyz|tk|ml|ga|cf|gq|pw|top|club|mw|bd|ke|am|sbs|date|quest|cd|bid|cd|ws|icu|cam|uno|email|stream|zip)\b)
             # IPv4
             - pattern-regex: (https?:\/\/[^\n\[\/\?#"']*?(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))
             # IPv6

guarddog/ecosystems.py

@@ -7,6 +7,7 @@ class ECOSYSTEM(Enum):
     GO = "go"
     GITHUB_ACTION = "github-action"
     EXTENSION = "extension"
+    RUBYGEMS = "rubygems"
 
 
 def get_friendly_name(ecosystem: ECOSYSTEM) -> str:
@@ -21,5 +22,7 @@ def get_friendly_name(ecosystem: ECOSYSTEM) -> str:
             return "GitHub Action"
         case ECOSYSTEM.EXTENSION:
             return "Extension"
+        case ECOSYSTEM.RUBYGEMS:
+            return "RubyGems"
         case _:
             return ecosystem.value

guarddog/scanners/__init__.py

@@ -9,6 +9,8 @@ from .go_package_scanner import GoModuleScanner
 from .go_project_scanner import GoDependenciesScanner
 from .github_action_scanner import GithubActionScanner
 from .extension_scanner import ExtensionScanner
+from .rubygems_package_scanner import RubyGemsPackageScanner
+from .rubygems_project_scanner import RubyGemsRequirementsScanner
 from .scanner import PackageScanner, ProjectScanner
 from ..ecosystems import ECOSYSTEM
 
@@ -36,6 +38,8 @@ def get_package_scanner(ecosystem: ECOSYSTEM) -> Optional[PackageScanner]:
             return GithubActionScanner()
         case ECOSYSTEM.EXTENSION:
             return ExtensionScanner()
+        case ECOSYSTEM.RUBYGEMS:
+            return RubyGemsPackageScanner()
     return None
 
 
@@ -62,4 +66,6 @@ def get_project_scanner(ecosystem: ECOSYSTEM) -> Optional[ProjectScanner]:
             return GitHubActionDependencyScanner()
         case ECOSYSTEM.EXTENSION:
             return None  # we're not including dependency scanning for this PR
+        case ECOSYSTEM.RUBYGEMS:
+            return RubyGemsRequirementsScanner()
     return None

guarddog/scanners/rubygems_package_scanner.py

@@ -0,0 +1,112 @@
+import logging
+import os
+from typing import Tuple
+
+import requests
+
+from guarddog.analyzer.analyzer import Analyzer
+from guarddog.ecosystems import ECOSYSTEM
+from guarddog.scanners.scanner import PackageScanner
+from guarddog.utils.archives import safe_extract
+
+log = logging.getLogger("guarddog")
+
+RUBYGEMS_API_URL = "https://rubygems.org/api/v1"
+
+
+class RubyGemsPackageScanner(PackageScanner):
+    def __init__(self) -> None:
+        super().__init__(Analyzer(ECOSYSTEM.RUBYGEMS))
+
+    def _extract_archive(self, archive_path: str, target_path: str) -> None:
+        """
+        Override to handle .gem files which are nested tar archives.
+        The outer tar contains data.tar.gz which has the actual source code.
+
+        Args:
+            archive_path (str): path to the .gem file
+            target_path (str): directory to extract the source code into
+        """
+        if not archive_path.endswith(".gem"):
+            # Fall back to default behavior for non-gem archives
+            super()._extract_archive(archive_path, target_path)
+            return
+
+        os.makedirs(target_path, exist_ok=True)
+
+        # Extract outer .gem archive to a temporary location
+        outer_extract = os.path.join(target_path, "_gem_contents")
+        os.makedirs(outer_extract, exist_ok=True)
+
+        log.debug(f"Extracting outer gem archive {archive_path}")
+        safe_extract(archive_path, outer_extract)
+
+        # Find the inner data archive (data.tar.gz or data.tar)
+        data_tar_path = os.path.join(outer_extract, "data.tar.gz")
+        if not os.path.exists(data_tar_path):
+            data_tar_path = os.path.join(outer_extract, "data.tar")
+
+        if not os.path.exists(data_tar_path):
+            raise Exception(f"data.tar.gz not found in gem {archive_path}")
+
+        # Extract the inner data archive to the final target
+        log.debug(f"Extracting inner data archive {data_tar_path}")
+        safe_extract(data_tar_path, target_path)
+
+        log.debug(f"Successfully extracted gem files to {target_path}")
+
+    def download_and_get_package_info(
+        self, directory: str, package_name: str, version=None
+    ) -> Tuple[dict, str]:
+        gem_info = self._get_gem_info(package_name)
+
+        if version is None:
+            version = gem_info["version"]
+
+        extract_dir = self._download_gem(package_name, version, directory)
+        return gem_info, extract_dir
+
+    def _get_gem_info(self, package_name: str) -> dict:
+        url = f"{RUBYGEMS_API_URL}/gems/{package_name}.json"
+        log.debug(f"Fetching gem info from {url}")
+        response = requests.get(url)
+        response.raise_for_status()
+        return response.json()
+
+    def _get_gem_version_info(self, package_name: str, version: str) -> dict:
+        url = f"{RUBYGEMS_API_URL}/versions/{package_name}.json"
+        log.debug(f"Fetching version info from {url}")
+        response = requests.get(url)
+        response.raise_for_status()
+
+        versions = response.json()
+        for v in versions:
+            if v["number"] == version:
+                return v
+
+        raise Exception(f"Version {version} for gem {package_name} not found")
+
+    def _download_gem(self, package_name: str, version: str, directory: str) -> str:
+        """
+        Downloads and extracts a RubyGem package.
+
+        Uses the parent class's download_compressed method which will call our
+        overridden _extract_archive method to handle the nested .gem format.
+
+        Args:
+            package_name (str): name of the gem
+            version (str): version of the gem
+            directory (str): directory to download and extract to
+
+        Returns:
+            str: path to the extracted gem contents
+        """
+        gem_url = f"https://rubygems.org/gems/{package_name}-{version}.gem"
+        gem_path = os.path.join(directory, f"{package_name}-{version}.gem")
+        extract_dir = os.path.join(directory, package_name)
+
+        # Use parent class method which handles download and extraction
+        # The extraction will use our overridden _extract_archive method
+        self.download_compressed(gem_url, gem_path, extract_dir)
+
+        return extract_dir

guarddog/scanners/rubygems_project_scanner.py

@@ -0,0 +1,75 @@
+import logging
+import os
+import re
+from typing import List
+
+from guarddog.scanners.rubygems_package_scanner import RubyGemsPackageScanner
+from guarddog.scanners.scanner import ProjectScanner, Dependency, DependencyVersion
+
+log = logging.getLogger("guarddog")
+
+
+class RubyGemsRequirementsScanner(ProjectScanner):
+    """
+    Scans all gems in the Gemfile.lock file of a project
+    """
+
+    def __init__(self) -> None:
+        super().__init__(RubyGemsPackageScanner())
+
+    def parse_requirements(self, raw_requirements: str) -> List[Dependency]:
+        """
+        Parses Gemfile.lock and extracts gem names and versions.
+
+        Gemfile.lock format:
+        GEM
+          remote: https://rubygems.org/
+          specs:
+            actioncable (7.0.4)
+              actionpack (= 7.0.4)
+            rails (7.0.4)
+              ...
+        """
+        dependencies: List[Dependency] = []
+        lines = raw_requirements.splitlines()
+
+        in_gem_specs = False
+        gem_pattern = re.compile(r"^    (\S+) \(([^)]+)\)$")
+
+        for idx, line in enumerate(lines):
+            if line.strip() == "GEM":
+                continue
+            elif line.strip() == "specs:":
+                in_gem_specs = True
+                continue
+            elif line and not line.startswith(" "):
+                in_gem_specs = False
+                continue
+
+            if not in_gem_specs:
+                continue
+
+            match = gem_pattern.match(line)
+            if match:
+                name = match.group(1)
+                version = match.group(2)
+
+                dep = next(
+                    filter(lambda d: d.name == name, dependencies),
+                    None,
+                )
+                if not dep:
+                    dep = Dependency(name=name, versions=set())
+                    dependencies.append(dep)
+
+                dep.versions.add(DependencyVersion(version=version, location=idx + 1))
+
+        return dependencies
+
+    def find_requirements(self, directory: str) -> list[str]:
+        requirement_files = []
+        for root, dirs, files in os.walk(directory):
+            for name in files:
+                if name == "Gemfile.lock":
+                    requirement_files.append(os.path.join(root, name))
+        return requirement_files

guarddog/scanners/scanner.py

@@ -187,24 +187,50 @@ class PackageScanner:
                 name, tmpdirname, version, rules, write_package_info
             )
 
-    def download_compressed(self, url, archive_path, target_path):
-        """Downloads a compressed file and extracts it
+    def _fetch_archive(self, url: str, archive_path: str) -> None:
+        """Downloads an archive file from a URL.
+
+        This method can be overridden by subclasses if custom download logic is needed.
 
         Args:
             url (str): download link
-            archive_path (str): path to download compressed file
-            target_path (str): path to unzip compressed file
+            archive_path (str): path to save the downloaded file
         """
-
-        log.debug(f"Downloading package archive from {url} into {target_path}")
+        log.debug(f"Downloading package archive from {url}")
         response = requests.get(url, stream=True)
 
         with open(archive_path, "wb") as f:
             f.write(response.raw.read())
 
+    def _extract_archive(self, archive_path: str, target_path: str) -> None:
+        """Extracts an archive file to a target directory.
+
+        This method can be overridden by subclasses to handle special archive formats
+        (e.g., nested archives like .gem files).
+
+        Args:
+            archive_path (str): path to the archive file
+            target_path (str): directory to extract files into
+        """
+        safe_extract(archive_path, target_path)
+        log.debug(f"Successfully extracted files to {target_path}")
+
+    def download_compressed(self, url, archive_path, target_path):
+        """Downloads a compressed file and extracts it.
+
+        This is a template method that orchestrates the download, extraction, and cleanup
+        process. Subclasses can override individual steps (_fetch_archive, _extract_archive)
+        to customize behavior.
+
+        Args:
+            url (str): download link
+            archive_path (str): path to download compressed file
+            target_path (str): path to unzip compressed file
+        """
+        self._fetch_archive(url, archive_path)
+
         try:
-            safe_extract(archive_path, target_path)
-            log.debug(f"Successfully extracted files to {target_path}")
+            self._extract_archive(archive_path, target_path)
         finally:
             log.debug(f"Removing temporary archive file {archive_path}")
             os.remove(archive_path)