Assignment 6

01022012 · May 18, 2012 · 0809758 · 0809758
1 parent 6536a35
commit 0809758
Show file tree

Hide file tree

Showing 6 changed files with 132 additions and 86 deletions.
diff --git a/Gemfile b/Gemfile
@@ -1,6 +1,6 @@
 source 'http://rubygems.org'
 
-gem 'rails', '3.1.1'
+gem 'rails', '3.2.3'
 
 # Bundle edge Rails instead:
 # gem 'rails',     :git => 'git://github.com/rails/rails.git'
@@ -21,8 +21,8 @@ gem 'http_accept_language'
 # Gems used only for assets and not required
 # in production environments by default.
 group :assets do
-  gem 'sass-rails',   '~> 3.1.4'
-  gem 'coffee-rails', '~> 3.1.1'
+  gem 'sass-rails',   '~> 3.2.3'
+  gem 'coffee-rails', '~> 3.2.1'
   gem 'uglifier', '>= 1.0.3'
 end
 

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -8,164 +8,160 @@ GIT
 
 GIT
   remote: git://github.com/rails/pjax_rails.git
-  revision: 755b2988184607af87186046612efb0c9c2d99ba
+  revision: d7cb0dd98f38e4f0801f7ebce93d640d29dda632
   specs:
-    pjax_rails (0.2.0)
+    pjax_rails (0.2.1)
       jquery-rails
 
 GIT
   remote: git://github.com/seyhunak/twitter-bootstrap-rails.git
-  revision: 2b119e7a83f34202b6ea7f61cd3da59b170ebdd8
+  revision: db0b1a64be4f81ec2d2b322d965dfe21614015c4
   branch: static
   specs:
-    twitter-bootstrap-rails (2.0.1)
-      actionpack
-      railties
+    twitter-bootstrap-rails (2.0.7)
+      actionpack (>= 3.1)
+      railties (>= 3.1)
 
 GEM
   remote: http://rubygems.org/
   specs:
-    actionmailer (3.1.1)
-      actionpack (= 3.1.1)
-      mail (~> 2.3.0)
-    actionpack (3.1.1)
-      activemodel (= 3.1.1)
-      activesupport (= 3.1.1)
+    actionmailer (3.2.3)
+      actionpack (= 3.2.3)
+      mail (~> 2.4.4)
+    actionpack (3.2.3)
+      activemodel (= 3.2.3)
+      activesupport (= 3.2.3)
       builder (~> 3.0.0)
       erubis (~> 2.7.0)
-      i18n (~> 0.6)
-      rack (~> 1.3.2)
-      rack-cache (~> 1.1)
-      rack-mount (~> 0.8.2)
+      journey (~> 1.0.1)
+      rack (~> 1.4.0)
+      rack-cache (~> 1.2)
       rack-test (~> 0.6.1)
-      sprockets (~> 2.0.2)
-    activemodel (3.1.1)
-      activesupport (= 3.1.1)
+      sprockets (~> 2.1.2)
+    activemodel (3.2.3)
+      activesupport (= 3.2.3)
       builder (~> 3.0.0)
-      i18n (~> 0.6)
-    activerecord (3.1.1)
-      activemodel (= 3.1.1)
-      activesupport (= 3.1.1)
-      arel (~> 2.2.1)
+    activerecord (3.2.3)
+      activemodel (= 3.2.3)
+      activesupport (= 3.2.3)
+      arel (~> 3.0.2)
       tzinfo (~> 0.3.29)
-    activeresource (3.1.1)
-      activemodel (= 3.1.1)
-      activesupport (= 3.1.1)
-    activesupport (3.1.1)
+    activeresource (3.2.3)
+      activemodel (= 3.2.3)
+      activesupport (= 3.2.3)
+    activesupport (3.2.3)
+      i18n (~> 0.6)
       multi_json (~> 1.0)
-    addressable (2.2.6)
-    arel (2.2.1)
+    addressable (2.2.8)
+    arel (3.0.2)
     bcrypt-ruby (3.0.1)
     builder (3.0.0)
-    coffee-rails (3.1.1)
+    coffee-rails (3.2.2)
       coffee-script (>= 2.2.0)
-      railties (~> 3.1.0)
+      railties (~> 3.2.0)
     coffee-script (2.2.0)
       coffee-script-source
       execjs
-    coffee-script-source (1.1.3)
+    coffee-script-source (1.3.3)
     erubis (2.7.0)
-    execjs (1.2.9)
+    execjs (1.3.2)
       multi_json (~> 1.0)
-    factory_girl (3.1.1)
+    factory_girl (3.3.0)
       activesupport (>= 3.0.0)
-    factory_girl_rails (3.1.0)
-      factory_girl (~> 3.1.0)
+    factory_girl_rails (3.3.0)
+      factory_girl (~> 3.3.0)
       railties (>= 3.0.0)
     ffi (1.0.11)
-    guard (1.0.1)
+    guard (1.0.3)
       ffi (>= 0.5.0)
-      thor (~> 0.14.6)
+      thor (>= 0.14.6)
     guard-test (0.4.3)
       guard (>= 0.4)
       test-unit (~> 2.2)
-    haml (3.1.4)
-    heroku (2.14.0)
+    haml (3.1.6)
+    heroku (2.25.0)
       launchy (>= 0.3.2)
+      netrc (~> 0.7.1)
       rest-client (~> 1.6.1)
       rubyzip
-      term-ansicolor (~> 1.0.5)
     hike (1.2.1)
     http_accept_language (1.0.2)
     i18n (0.6.0)
     jasminerice (0.0.8)
       haml
-    jquery-rails (1.0.17)
-      railties (~> 3.0)
+    journey (1.0.3)
+    jquery-rails (2.0.2)
+      railties (>= 3.2.0, < 5.0)
       thor (~> 0.14)
-    json (1.6.1)
-    launchy (2.0.5)
+    json (1.7.3)
+    launchy (2.1.0)
       addressable (~> 2.2.6)
     libv8 (3.3.10.4)
-    mail (2.3.0)
+    mail (2.4.4)
       i18n (>= 0.4.0)
       mime-types (~> 1.16)
       treetop (~> 1.4.8)
     metaclass (0.0.1)
-    mime-types (1.17.2)
-    mocha (0.11.1)
+    mime-types (1.18)
+    mocha (0.11.4)
       metaclass (~> 0.0.1)
-    multi_json (1.0.3)
-    pg (0.11.0)
+    multi_json (1.3.5)
+    netrc (0.7.1)
+    pg (0.13.2)
     polyglot (0.3.3)
-    rack (1.3.5)
-    rack-cache (1.1)
+    rack (1.4.1)
+    rack-cache (1.2)
       rack (>= 0.4)
-    rack-mount (0.8.3)
-      rack (>= 1.0.0)
     rack-ssl (1.3.2)
       rack
     rack-test (0.6.1)
       rack (>= 1.0)
-    rails (3.1.1)
-      actionmailer (= 3.1.1)
-      actionpack (= 3.1.1)
-      activerecord (= 3.1.1)
-      activeresource (= 3.1.1)
-      activesupport (= 3.1.1)
+    rails (3.2.3)
+      actionmailer (= 3.2.3)
+      actionpack (= 3.2.3)
+      activerecord (= 3.2.3)
+      activeresource (= 3.2.3)
+      activesupport (= 3.2.3)
       bundler (~> 1.0)
-      railties (= 3.1.1)
-    railties (3.1.1)
-      actionpack (= 3.1.1)
-      activesupport (= 3.1.1)
+      railties (= 3.2.3)
+    railties (3.2.3)
+      actionpack (= 3.2.3)
+      activesupport (= 3.2.3)
       rack-ssl (~> 1.3.2)
       rake (>= 0.8.7)
       rdoc (~> 3.4)
       thor (~> 0.14.6)
     rake (0.9.2.2)
-    rdoc (3.11)
+    rdoc (3.12)
       json (~> 1.4)
     rest-client (1.6.7)
       mime-types (>= 1.16)
-    rubyzip (0.9.4)
-    sass (3.1.10)
-    sass-rails (3.1.4)
-      actionpack (~> 3.1.0)
-      railties (~> 3.1.0)
-      sass (>= 3.1.4)
-      sprockets (~> 2.0.0)
-      tilt (~> 1.3.2)
+    rubyzip (0.9.8)
+    sass (3.1.18)
+    sass-rails (3.2.5)
+      railties (~> 3.2.0)
+      sass (>= 3.1.10)
+      tilt (~> 1.3)
     shoulda (3.0.1)
       shoulda-context (~> 1.0.0)
       shoulda-matchers (~> 1.0.0)
     shoulda-context (1.0.0)
     shoulda-matchers (1.0.0)
-    sprockets (2.0.3)
+    sprockets (2.1.3)
       hike (~> 1.2)
       rack (~> 1.0)
       tilt (~> 1.1, != 1.3.0)
-    sqlite3 (1.3.4)
-    term-ansicolor (1.0.7)
+    sqlite3 (1.3.6)
     test-unit (2.4.8)
-    therubyracer (0.9.9)
+    therubyracer (0.10.1)
       libv8 (~> 3.3.10)
     thor (0.14.6)
     tilt (1.3.3)
     treetop (1.4.10)
       polyglot
       polyglot (>= 0.3.1)
-    tzinfo (0.3.31)
-    uglifier (1.0.4)
+    tzinfo (0.3.33)
+    uglifier (1.2.4)
       execjs (>= 0.3.0)
       multi_json (>= 1.0.2)
 
@@ -174,7 +170,7 @@ PLATFORMS
 
 DEPENDENCIES
   bcrypt-ruby (~> 3.0.0)
-  coffee-rails (~> 3.1.1)
+  coffee-rails (~> 3.2.1)
   execjs
   factory_girl_rails
   guard-test
@@ -187,8 +183,8 @@ DEPENDENCIES
   mocha
   pg
   pjax_rails!
-  rails (= 3.1.1)
-  sass-rails (~> 3.1.4)
+  rails (= 3.2.3)
+  sass-rails (~> 3.2.3)
   shoulda
   sqlite3
   therubyracer

diff --git a/README b/README
@@ -1,3 +1,33 @@
 Library Application
 ===================
 
+Assignment  6
+Some security vulnerabilities found on rails 3.1.1 and above
+=============================================================
+Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_options_helper.rb in the select helper in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving certain generation of OPTION elements within SELECT elements.
+
+Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving a SafeBuffer object that is manipulated through certain methods.
+
+Cross-site scripting (XSS) vulnerability in the i18n translations helper method in Ruby on Rails 3.0.x before 3.0.11 and 3.1.x before 3.1.2, and the rails_xss plugin in Ruby on Rails 2.3.x, allows remote attackers to inject arbitrary web script or HTML via vectors related to a translations string whose name ends with an "html" substring.
+
+Rails upgrade from 3.1.1 to 3.2.3
+=================================
+rails upgraded to rails 3.2.3 following instructions from
+http://guides.rubyonrails.org/3_2_release_notes.html
+
+Ruby 1.9.x vulnerability
+The SecureRandom.random_bytes function in lib/securerandom.rb in Ruby before 1.8.7-p352 and 1.9.x before 1.9.2-p290 relies on PID values for initialization, which makes it easier for context-dependent attackers to predict the result string by leveraging knowledge of random strings obtained in an earlier process with the same PID.
+
+The FileUtils.remove_entry_secure method in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, 1.8.8dev, 1.9.1 through 1.9.1-430, 1.9.2 through 1.9.2-136, and 1.9.3dev allows local users to delete arbitrary files via a symlink attack.
+
+The VpMemAlloc function in bigdecimal.c in the BigDecimal class in Ruby 1.9.2-p136 and earlier, as used on Apple Mac OS X before 10.6.7 and other platforms, does not properly allocate memory, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving creation of a large BigDecimal value within a 64-bit process, related to an "integer truncation issue."
+
+The FileUtils.remove_entry_secure method in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, 1.8.8dev, 1.9.1 through 1.9.1-430, 1.9.2 through 1.9.2-136, and 1.9.3dev allows local users to delete arbitrary files via a symlink attack.
+
+
+Sources:
+http://www.cvedetails.com/vulnerability-list/vendor_id-4954/product_id-8446/version_id-116921/Ruby-On-Rails-Ruby-On-Rails-3.1.1.html
+
+http://www.cvedetails.com/vulnerability-list/vendor_id-7252/product_id-12215/version_id-105451/Ruby-lang-Ruby-1.9.2.html
+
+http://www.cvedetails.com/vulnerability-list/vendor_id-7252/product_id-12215/version_id-105452/Ruby-lang-Ruby-1.9.3.html
diff --git a/config/environment.rb b/config/environment.rb
@@ -1,5 +1,14 @@
 # Load the rails application
 require File.expand_path('../application', __FILE__)
 
+#both ruby 1.9.1, 1.9.2 and 1.9.3 have vulnerabilities, assuming 1.9.3 is better
+accepted_version = "1.9.3"
+your_version = "#{RUBY_VERSION}"
+if your_version < accepted_version
+   abort <<-end_message
+     Error has occured!. I refuse to run on Ruby version: #{your_version}. Get Ruby version: #{accepted_version} or later.
+   end_message
+end
+
 # Initialize the rails application
 Library::Application.initialize!
diff --git a/config/environments/development.rb b/config/environments/development.rb
@@ -27,4 +27,12 @@
 
   # Expands the lines which load the assets
   config.assets.debug = true
+
+  # Raise exception on mass assignment protection for Active Record models
+  config.active_record.mass_assignment_sanitizer = :strict
+
+  # Log the query plan for queries taking more than this (works
+  # with SQLite, MySQL, and PostgreSQL)
+  config.active_record.auto_explain_threshold_in_seconds = 0.5
+
 end
diff --git a/config/environments/test.rb b/config/environments/test.rb
@@ -36,4 +36,7 @@
 
   # Print deprecation notices to the stderr
   config.active_support.deprecation = :stderr
+
+  # Raise exception on mass assignment protection for Active Record models
+  config.active_record.mass_assignment_sanitizer = :strict
 end