This repository has been archived by the owner on Dec 16, 2019. It is now read-only.

[NO LONGER MAINTAINED] Check your gems whether affected by "RubyGems.org gem replacement vulnerability and mitigation"

sue445/rubygems_check_replacement_vulnerability
RubygemsCheckReplacementVulnerability

Check whether your gems are affected by the "RubyGems.org gem replacement vulnerability and mitigation" issue


Requirements

  • Ruby 2.1+
  • git

Installation

$ gem install rubygems_check_replacement_vulnerability

Usage

1. Search for your vulnerable gems

Run the rubygems_check_replacement_vulnerability vulnerable_gems command

$ rubygems_check_replacement_vulnerability vulnerable_gems --username=<USERNAME>

Example

$ rubygems_check_replacement_vulnerability vulnerable_gems --username=sue445
sue445's vulnerable gems
- faker-precure : 0.0.2, 0.0.3
- fluent-plugin-out_chatwork : 0.0.1, 0.0.2, 0.0.3
- pebbles-tokyu_ruby_kaigi : 0.0.2
- rspec-every_item : 0.0.1
- rspec-parameterized : 0.1.2
- rspec-temp_dir : 0.0.1, 0.0.2, 0.0.3

Algorithm

  • Search for gem versions owned by the given user that satisfy both of the following conditions
    • the gem name contains a dash (e.g. blank-blank)
    • the version was pushed between June 11th, 2014 and April 2nd, 2016

2. Verify gem

Run the rubygems_check_replacement_vulnerability verify_gem command

$ rubygems_check_replacement_vulnerability verify_gem --name=<GEM_NAME> --repo-url=<REPO_URL>

Example

$ rubygems_check_replacement_vulnerability verify_gem --name=rspec-temp_dir --repo-url=git@github.com:sue445/rspec-temp_dir.git
Unpacked gem: '/var/folders/mx/mmp8n_lx48v8_fr294_zjggw0000gn/T/gem-20160414-51500-dtg1p7/rspec-temp_dir-0.0.1'
[Info] rspec-temp_dir 0.0.1 is safe!
Unpacked gem: '/var/folders/mx/mmp8n_lx48v8_fr294_zjggw0000gn/T/gem-20160414-51500-1hpgj5i/rspec-temp_dir-0.0.2'
[Info] rspec-temp_dir 0.0.2 is safe!
Unpacked gem: '/var/folders/mx/mmp8n_lx48v8_fr294_zjggw0000gn/T/gem-20160414-51500-7aquji/rspec-temp_dir-0.0.3'
[Info] rspec-temp_dir 0.0.3 is safe!

Algorithm

  1. Download the specified gem file (e.g. rspec-temp_dir-0.0.3.gem) from rubygems.org
  2. Unpack the gem into a temporary directory
    • e.g. gem unpack rspec-temp_dir-0.0.3.gem
  3. Clone the remote repository into a temporary directory
    • e.g. git clone git@github.com:sue445/rspec-temp_dir.git
  4. Check out the version tag
    • e.g. git checkout v0.0.3
    • If the version tag is not found, print a warning message
      • e.g. [Warn] Not found tag v0.0.3 in repository
  5. Compare all files between the unpacked gem and the repository checkout; any file that differs means the published gem no longer matches the tagged source
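The two algorithms above, as an added example that is not the gem's own code: candidate_version? is the name-and-date filter used by vulnerable_gems, and compare_trees is the file comparison that verify_gem runs after the download, unpack, clone and checkout steps. The network steps are assumed to have already happened, so the example builds a constructed "unpacked gem" and "repository checkout" in a temporary directory (one file tampered with, one file that exists only in the gem) instead of talking to rubygems.org or git. The comparison rule, which is my choice and not documented on this page, is that every file shipped in the gem must exist in the repository (under the optional prefix) with byte-identical content; files that exist only in the repository (specs, dotfiles) are expected and are not reported.

```ruby
require "date"
require "digest"
require "fileutils"
require "find"
require "pathname"
require "tmpdir"

# Affected window stated on this page; both ends are treated as inclusive here (assumption).
AFFECTED_FROM = Date.new(2014, 6, 11)
AFFECTED_TO   = Date.new(2016, 4, 2)

# vulnerable_gems filter: name contains a dash and the version was pushed inside the window.
def candidate_version?(name, pushed_at)
  name.include?("-") && pushed_at.between?(AFFECTED_FROM, AFFECTED_TO)
end

# Map "relative/path" => SHA-256 for every regular file under dir, skipping any .git directory.
def tree_digests(dir)
  root = Pathname.new(dir)
  digests = {}
  Find.find(dir) do |path|
    if File.directory?(path)
      Find.prune if File.basename(path) == ".git"
      next
    end
    rel = Pathname.new(path).relative_path_from(root).to_s
    digests[rel] = Digest::SHA256.file(path).hexdigest
  end
  digests
end

# verify_gem comparison: each file in the unpacked gem must be present and identical
# in the repository checkout. prefix handles monorepos (e.g. "activerecord/").
def compare_trees(gem_dir, repo_dir, prefix: "")
  gem_files  = tree_digests(gem_dir)
  repo_files = tree_digests(File.join(repo_dir, prefix))
  missing  = gem_files.keys.reject { |f| repo_files.key?(f) }
  modified = gem_files.keys.select { |f| repo_files.key?(f) && repo_files[f] != gem_files[f] }
  { missing: missing.sort, modified: modified.sort, safe: missing.empty? && modified.empty? }
end

def write_file(root, rel, content)
  path = File.join(root, rel)
  FileUtils.mkdir_p(File.dirname(path))
  File.write(path, content)
end

# Constructed sample (not real gem contents): a repository checkout at the tag, and an
# "unpacked gem" where lib/rspec/temp_dir.rb has an injected line and extra.rb is not in git.
def build_sample(base)
  gem_dir  = File.join(base, "rspec-temp_dir-0.0.3")
  repo_dir = File.join(base, "repo")
  write_file(repo_dir, "lib/rspec/temp_dir.rb", "module RSpec; module TempDir; end; end\n")
  write_file(repo_dir, "README.md", "# rspec-temp_dir\n")
  write_file(repo_dir, "spec/temp_dir_spec.rb", "# present only in the repository\n")
  write_file(repo_dir, ".git/HEAD", "ref: refs/heads/master\n")
  write_file(gem_dir, "lib/rspec/temp_dir.rb", "module RSpec; module TempDir; end; end\nputs 'injected'\n")
  write_file(gem_dir, "README.md", "# rspec-temp_dir\n")
  write_file(gem_dir, "lib/rspec/extra.rb", "# present only in the published gem\n")
  [gem_dir, repo_dir]
end

# Runs the comparison on the constructed sample and returns the result hash.
def run_sample
  Dir.mktmpdir("gem-check") do |base|
    gem_dir, repo_dir = build_sample(base)
    compare_trees(gem_dir, repo_dir)
  end
end

if $PROGRAM_NAME == __FILE__
  p candidate_version?("rspec-temp_dir", Date.new(2015, 1, 1))
  p run_sample
end
```

Note that a clean comparison only shows that the published gem matches the tagged source; it says nothing about whether the repository or tag itself is trustworthy, and when the tool warns that the tag is missing there is no reference to compare against, so that version needs a manual review.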

Reference

Run help

help

$ rubygems_check_replacement_vulnerability help
Commands:
  rubygems_check_replacement_vulnerability help [COMMAND]                                    # Describe available commands or one specifi...
  rubygems_check_replacement_vulnerability verify_gem n, --name=NAME u, --repo-url=REPO_URL  # Verify whether replacemented gem
  rubygems_check_replacement_vulnerability version                                           # Show version
  rubygems_check_replacement_vulnerability vulnerable_gems u, --username=USERNAME            # Show vulnerable gems

vulnerable_gems

$ rubygems_check_replacement_vulnerability help vulnerable_gems
Usage:
  rubygems_check_replacement_vulnerability vulnerable_gems u, --username=USERNAME

Options:
  u, --username=USERNAME  # Username of rubygems.org
  f, [--format=FORMAT]    # Print format (plain, yaml, json)
                          # Default: plain

Show vulnerable gems

verify_gem

$ rubygems_check_replacement_vulnerability help verify_gem
Usage:
  rubygems_check_replacement_vulnerability verify_gem n, --name=NAME u, --repo-url=REPO_URL

Options:
  n, --name=NAME          # Gem name
  v, [--version=VERSION]  # Version to check (default: all vulnerable versions)
  u, --repo-url=REPO_URL  # Git repository url (e.g. git@github.com:rails/rails.git)
  p, [--prefix=PREFIX]    # gemspec path prefix in repo (e.g. activerecord/)

Verify whether replacemented gem

Development

After checking out the repo, run bin/setup to install dependencies. Then, run rake spec to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment. Run bundle exec rubygems_check_replacement_vulnerability to use the gem in this directory, ignoring other installed copies of this gem.

To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the .gem file to rubygems.org.

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/sue445/rubygems_check_replacement_vulnerability.

License

The gem is available as open source under the terms of the MIT License.
