Security Fix, thanks to Yasin Soliman

PierreRambaud committed Nov 14, 2017
1 parent 3c8a245 commit 8acfb9ce9774128d535e2795d583242bb86d6ea8
Showing with 27 additions and 14 deletions.
  1. +6 −4 Gemfile.lock
  2. +1 −0 gemirro.gemspec
  3. +10 −0 lib/gemirro/server.rb
  4. +6 −6 views/gem.erb
  5. +4 −4 views/index.erb
@@ -1,9 +1,10 @@
PATH
remote: .
specs:
gemirro (0.13.5)
gemirro (0.14.0)
builder (~> 3.2)
confstruct (~> 1.0)
erubis (~> 2.7)
httpclient (~> 2.8)
parallel (~> 1.12)
sinatra (~> 2.0)
@@ -20,15 +21,16 @@ GEM
daemons (1.2.5)
diff-lcs (1.3)
docile (1.1.5)
erubis (2.7.0)
eventmachine (1.2.5)
fakefs (0.11.3)
hashie (3.5.6)
httpclient (2.8.3)
json (2.1.0)
mustermann (1.0.1)
parallel (1.12.0)
parser (2.4.0.0)
ast (~> 2.2)
parser (2.4.0.2)
ast (~> 2.3)
powerpack (0.1.1)
rack (2.0.3)
rack-protection (2.0.0)
@@ -37,7 +39,7 @@ GEM
rack (>= 1.0, < 3)
rainbow (2.2.2)
rake
rake (12.1.0)
rake (12.2.1)
rspec (3.7.0)
rspec-core (~> 3.7.0)
rspec-expectations (~> 3.7.0)
@@ -19,6 +19,7 @@ Gem::Specification.new do |s|
s.add_dependency 'builder', '~>3.2'
s.add_dependency 'confstruct', '~>1.0'
s.add_dependency 'erubis', '~>2.7'
s.add_dependency 'httpclient', '~>2.8'
s.add_dependency 'parallel', '~>1.12'
s.add_dependency 'sinatra', '~>2.0'
@@ -261,6 +261,16 @@ def spec_for(gemname, version, platform = 'ruby')
Marshal.load(::Gem.inflate(uz_file.read))
end
end
##
# Escape string
#
# @param [String] string
# @return [String]
#
def escape(string)
Rack::Utils.escape_html(string)
end
end
end
end
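Review bot: The header comment on the new `escape` helper says only "Escape string", which undersells and overstates what it does: the views call it for text nodes and for quoted attribute values, including `href`, and `Rack::Utils.escape_html` only neutralises HTML metacharacters, not URL schemes. I would replace the comment with `# HTML-escape a value for a text node or double-quoted attribute. Does NOT make URL values safe (a javascript: or data: href survives untouched); validate those separately.` and change `@param [String] string` to `@param [#to_s] string`, because callers pass values such as `versions.newest.number` and `spec.description` whose types are not visible here and escape_html in the pinned Rack (2.0.3) presumably calls `to_s` first — worth confirming, since a nil description would otherwise raise. The enclosing class starts outside this hunk.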
@@ -10,19 +10,19 @@
<div class="panel panel-info">
<div class="panel-heading">
<a href="<%= url("gem/#{name}") %>">
<h2 class="panel-title"><%= name %> <span class="badge pull-right"><%= versions.newest.number %></span></h2>
<h2 class="panel-title"><%= escape(name) %> <span class="badge pull-right"><%= escape(versions.newest.number) %></span></h2>
</a>
</div>
<div class="panel-body">
<% newest_gem = versions.newest %>
<% if spec = spec_for(name, newest_gem.number, newest_gem.platform) %>
<p><%= spec.description %></p>
<p><%= escape(spec.description) %></p>
<h3>Dependencies</h3>
<ul class="list-group">
<% spec.dependencies.each do |dependency| %>
<li class="list-group-item">
<a href="<%= url("gem/#{dependency.name}") %>"><%= [dependency.name, dependency.requirement].join(' ') %></a>
<a href="<%= url("gem/#{dependency.name}") %>"><%= escape([dependency.name, dependency.requirement].join(' ')) %></a>
</li>
<% end %>
</ul>
@@ -31,7 +31,7 @@
<ul class="list-group">
<% spec.authors.each do |author| %>
<li class="list-group-item">
<a href="<%= spec.homepage %>"><%= author %></a>
<a href="<%= escape(spec.homepage) %>"><%= escape(author) %></a>
</li>
<% end %>
</ul>
@@ -42,9 +42,9 @@
<% versions.each.reverse_each do |version| %>
<li class="list-group-item clearfix">
<p class="pull-left">
<code>gem install <%= version.name %> -v "<%= version.number %>"</code>
<code>gem install <%= escape(version.name) %> -v "<%= escape(version.number) %>"</code>
<% unless version.platform =~ /^ruby/i %>
<small class="platform"><%= version.platform %></small>
<small class="platform"><%= escape(version.platform) %></small>
<% end %>
</p>
<div class="pull-right">
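Review bot: In the authors hunk, `<a href="<%= escape(spec.homepage) %>">` stops a gemspec homepage from breaking out of the attribute, but HTML escaping does not stop a `javascript:` or `data:` homepage from becoming a working link, and the homepage string is entirely under the gem author's control. I would only emit a real href when the value looks like an http(s) URL: `<% homepage = spec.homepage.to_s %>` followed by `<a href="<%= escape(homepage =~ %r{\Ahttps?://}i ? homepage : '#') %>"><%= escape(author) %></a>`. The same scheme check is worth applying anywhere else a gemspec URL is rendered as a link, if such places exist outside this view.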
@@ -12,21 +12,21 @@
<div class="panel panel-info">
<div class="panel-heading">
<a href="<%= url("gem/#{name}") %>">
<h2 class="panel-title"><%= name %> <span class="badge pull-right"><%= versions.newest.number %></span></h2>
<h2 class="panel-title"><%= escape(name) %> <span class="badge pull-right"><%= escape(versions.newest.number) %></span></h2>
</a>
</div>
<div class="panel-body">
<% spec = spec_for(name, versions.newest.number) %>
<% if spec.is_a?(::Gem::Specification) %>
<%= spec.description %>
<%= escape(spec.description) %>
<% end %>
<% versions.reverse_each.first(5).each do |version| %>
<p>
<code>gem install <%= version.name %> <%= "--prerelease" if version.number.to_s.match(/[a-z]/i) %> -v "<%= version.number %>"</code>
<code>gem install <%= escape(version.name) %> <%= "--prerelease" if version.number.to_s.match(/[a-z]/i) %> -v "<%= escape(version.number) %>"</code>
<% unless version.platform =~ /^ruby/i %>
<small class="platform"><%= version.platform %></small>
<small class="platform"><%= escape(version.platform) %></small>
<% end %>
</p>
<% end %>
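Review bot: The heading link `<a href="<%= url("gem/#{name}") %>">` still interpolates `name` raw into the attribute, while the `<h2>` directly under it now escapes the same value; as far as I can tell Sinatra's `url` helper does not escape its argument, so a name containing `"` or `<` can still break out of the href. Quoting the result for the attribute, `<a href="<%= escape(url("gem/#{name}")) %>">`, is the minimal fix; escaping the path segment itself (e.g. with Rack::Utils.escape_path) before building the URL would be tighter. The identical pattern appears on the heading and dependency links in views/gem.erb.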
