Repository is archived; no commit activity and no release in over 3 years.
Check whether your gems are affected by the "RubyGems.org gem replacement vulnerability and mitigation" advisory: http://blog.rubygems.org/2016/04/06/gem-replacement-vulnerability-and-mitigation.html

RubygemsCheckReplacementVulnerability

Check whether your gems are affected by the RubyGems.org gem replacement vulnerability (http://blog.rubygems.org/2016/04/06/gem-replacement-vulnerability-and-mitigation.html).


Requirements

  • Ruby 2.1+
  • git

Installation

$ gem install rubygems_check_replacement_vulnerability

Usage

1. Search for your vulnerable gems

Run the rubygems_check_replacement_vulnerability vulnerable_gems command:

$ rubygems_check_replacement_vulnerability vulnerable_gems --username=<USERNAME>

Example

$ rubygems_check_replacement_vulnerability vulnerable_gems --username=sue445
sue445's vulnerable gems
- faker-precure : 0.0.2, 0.0.3
- fluent-plugin-out_chatwork : 0.0.1, 0.0.2, 0.0.3
- pebbles-tokyu_ruby_kaigi : 0.0.2
- rspec-every_item : 0.0.1
- rspec-parameterized : 0.1.2
- rspec-temp_dir : 0.0.1, 0.0.2, 0.0.3

Algorithm

  • List the versions of the user's gems that satisfy both of the following conditions:
    • the gem name contains a dash (e.g. blank-blank)
    • the version was pushed between June 11th, 2014 and April 2nd, 2016 (inclusive)
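The selection rule above, as an added Ruby example (not the project's own code). It applies the two conditions to a constructed list of versions shaped like the per-version data rubygems.org's API returns (gem name, version number, created_at); fetching that list for a real user is left out so the block runs offline. The window bounds, the sample entries and the report format are assumptions made here for illustration.

```ruby
require "json"
require "time"

# Added example: selects gem versions that match the vulnerable_gems rule.
# Not the project's implementation; the input below is constructed data.

WINDOW_START = Time.utc(2014, 6, 11)              # first day of the affected window
WINDOW_END   = Time.utc(2016, 4, 2, 23, 59, 59)   # last second of the affected window

# Constructed sample (not real rubygems.org pushes): one entry per version.
SAMPLE_VERSIONS = <<~JSON
  [
    {"name": "faker-precure",  "number": "0.0.2", "created_at": "2015-01-10T12:00:00Z"},
    {"name": "faker-precure",  "number": "0.0.4", "created_at": "2016-05-01T12:00:00Z"},
    {"name": "rspec-temp_dir", "number": "0.0.1", "created_at": "2014-06-11T00:00:00Z"},
    {"name": "rspec_temp_dir", "number": "1.0.0", "created_at": "2015-03-03T09:30:00Z"},
    {"name": "plainname",      "number": "2.0.0", "created_at": "2015-03-03T09:30:00Z"},
    {"name": "pebbles-tokyu",  "number": "0.0.2", "created_at": "2014-06-10T23:59:59Z"}
  ]
JSON

# A version is in scope when the gem name contains a dash AND the push time
# (created_at) falls inside the affected window, inclusive at both ends.
def vulnerable_version?(name, created_at)
  return false unless name.include?("-")
  pushed = created_at.is_a?(Time) ? created_at : Time.iso8601(created_at)
  pushed >= WINDOW_START && pushed <= WINDOW_END
end

# Returns { gem_name => [version_number, ...] } for the versions in scope.
def vulnerable_versions(versions_json)
  JSON.parse(versions_json).each_with_object(Hash.new { |h, k| h[k] = [] }) do |v, acc|
    acc[v["name"]] << v["number"] if vulnerable_version?(v["name"], v["created_at"])
  end
end

# Plain-text report in the same shape as the README's example output.
def format_report(username, found)
  lines = ["#{username}'s vulnerable gems"]
  found.sort.each { |name, numbers| lines << "- #{name} : #{numbers.join(', ')}" }
  lines.join("\n")
end

if __FILE__ == $0
  puts format_report("example-user", vulnerable_versions(SAMPLE_VERSIONS))
end
```

Only faker-precure 0.0.2 and rspec-temp_dir 0.0.1 survive: the underscore-only and dash-free names fail the first condition, and the pushes on 2014-06-10 and in May 2016 fall outside the window. Being listed here means a version could have been replaced, not that it was; step 2 below is the actual check.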

2. Verify gem

Run the rubygems_check_replacement_vulnerability verify_gem command:

$ rubygems_check_replacement_vulnerability verify_gem --name=<GEM_NAME> --repo-url=<REPO_URL>

Example

$ rubygems_check_replacement_vulnerability verify_gem --name=rspec-temp_dir --repo-url=git@github.com:sue445/rspec-temp_dir.git
Unpacked gem: '/var/folders/mx/mmp8n_lx48v8_fr294_zjggw0000gn/T/gem-20160414-51500-dtg1p7/rspec-temp_dir-0.0.1'
[Info] rspec-temp_dir 0.0.1 is safe!
Unpacked gem: '/var/folders/mx/mmp8n_lx48v8_fr294_zjggw0000gn/T/gem-20160414-51500-1hpgj5i/rspec-temp_dir-0.0.2'
[Info] rspec-temp_dir 0.0.2 is safe!
Unpacked gem: '/var/folders/mx/mmp8n_lx48v8_fr294_zjggw0000gn/T/gem-20160414-51500-7aquji/rspec-temp_dir-0.0.3'
[Info] rspec-temp_dir 0.0.3 is safe!

Algorithm

  1. Download the specified gem file (e.g. rspec-temp_dir-0.0.3.gem) from rubygems.org
  2. Unpack the gem into a temporary directory
    • e.g. gem unpack rspec-temp_dir-0.0.3.gem
  3. Clone the remote repository into a temporary directory
    • e.g. git clone git@github.com:sue445/rspec-temp_dir.git
  4. Check out the version tag
    • e.g. git checkout v0.0.3
    • If the version tag is not found, print a warning message
      • e.g. [Warn] Not found tag v0.0.3 in repository
  5. Compare all files between the unpacked gem and the repository checkout
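Step 5 above, as an added Ruby example (not the project's own code). It hashes every regular file in the unpacked gem and in the checkout, ignores the checkout's .git metadata, and sorts the differences into three classes. Downloading, unpacking and cloning (steps 1 to 4) are not reproduced; instead both trees are built from constructed files in a temporary directory so the block runs offline. The directory layout, file contents and the safe/unsafe rule are assumptions made here for illustration.

```ruby
require "digest"
require "fileutils"
require "find"
require "tmpdir"

# Added example: compares an unpacked gem against a tagged source checkout.
# Not the project's implementation; the trees below are constructed data.

# Returns { relative_path => sha256 } for every regular file under root.
# The .git directory is pruned so repository metadata never counts as a difference.
def tree_digests(root)
  digests = {}
  Find.find(root) do |path|
    next if path == root
    Find.prune if File.directory?(path) && File.basename(path) == ".git"
    next unless File.file?(path)
    digests[path[(root.length + 1)..-1]] = Digest::SHA256.file(path).hexdigest
  end
  digests
end

# Classifies the differences between the gem tree and the repository tree.
# Files present only in the repository are common (specs, CI config and so
# on are usually excluded from the package), so they are reported separately
# rather than treated as evidence of tampering.
def compare_trees(gem_dir, repo_dir)
  gem_files  = tree_digests(gem_dir)
  repo_files = tree_digests(repo_dir)
  {
    only_in_gem:  (gem_files.keys - repo_files.keys).sort,
    only_in_repo: (repo_files.keys - gem_files.keys).sort,
    modified:     (gem_files.keys & repo_files.keys).select { |f| gem_files[f] != repo_files[f] }.sort
  }
end

# Assumed rule: a gem is safe only if nothing was added to it or changed in it
# relative to the tagged source. Anything else needs manual review.
def gem_safe?(diff)
  diff[:only_in_gem].empty? && diff[:modified].empty?
end

# Helper: writes { relative_path => contents } under root (constructed data).
def write_tree(root, files)
  files.each do |rel, body|
    path = File.join(root, rel)
    FileUtils.mkdir_p(File.dirname(path))
    File.write(path, body)
  end
end

# Constructed demo: the "gem" carries an altered lib file and one file that
# never existed in the tagged source, so it must not be reported as safe.
def demo
  Dir.mktmpdir("verify-demo") do |tmp|
    gem_dir  = File.join(tmp, "example-gem-1.0.0")
    repo_dir = File.join(tmp, "example-gem")
    write_tree(repo_dir, {
      "lib/example.rb"       => "module Example; VERSION = '1.0.0'; end\n",
      "example.gemspec"      => "Gem::Specification.new { |s| s.name = 'example-gem' }\n",
      "spec/example_spec.rb" => "# specs are not shipped in the gem\n",
      ".git/HEAD"            => "ref: refs/heads/main\n"
    })
    write_tree(gem_dir, {
      "lib/example.rb"  => "module Example; VERSION = '1.0.0'; end\n# line not present in the tagged source\n",
      "example.gemspec" => "Gem::Specification.new { |s| s.name = 'example-gem' }\n",
      "lib/extra.rb"    => "# file that never existed in the repository\n"
    })
    compare_trees(gem_dir, repo_dir)
  end
end

if __FILE__ == $0
  diff = demo
  diff.each { |kind, files| puts "#{kind}: #{files.join(', ')}" }
  puts(gem_safe?(diff) ? "[Info] example-gem 1.0.0 is safe!" : "[Warn] example-gem 1.0.0 differs from the tagged source")
end
```

The comparison only establishes that the published gem matches the tagged source; it assumes the git remote is the trusted reference and that the tag really corresponds to the released version. When the tag is missing (the warning case in step 4) there is nothing sound to compare against, and a "safe" result should not be inferred.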

Reference

Run help

help

$ rubygems_check_replacement_vulnerability help
Commands:
  rubygems_check_replacement_vulnerability help [COMMAND]                                    # Describe available commands or one specifi...
  rubygems_check_replacement_vulnerability verify_gem n, --name=NAME u, --repo-url=REPO_URL  # Verify whether replacemented gem
  rubygems_check_replacement_vulnerability version                                           # Show version
  rubygems_check_replacement_vulnerability vulnerable_gems u, --username=USERNAME            # Show vulnerable gems

vulnerable_gems

$ rubygems_check_replacement_vulnerability help vulnerable_gems
Usage:
  rubygems_check_replacement_vulnerability vulnerable_gems u, --username=USERNAME

Options:
  u, --username=USERNAME  # Username of rubygems.org
  f, [--format=FORMAT]    # Print format (plain, yaml, json)
                          # Default: plain

Show vulnerable gems

verify_gem

$ rubygems_check_replacement_vulnerability help verify_gem
Usage:
  rubygems_check_replacement_vulnerability verify_gem n, --name=NAME u, --repo-url=REPO_URL

Options:
  n, --name=NAME          # Gem name
  v, [--version=VERSION]  # Version to check (default: all vulnerable versions)
  u, --repo-url=REPO_URL  # Git repository url (e.g. git@github.com:rails/rails.git)
  p, [--prefix=PREFIX]    # gemspec path prefix in repo (e.g. activerecord/)

Verify whether replacemented gem

Development

After checking out the repo, run bin/setup to install dependencies. Then, run rake spec to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment. Run bundle exec rubygems_check_replacement_vulnerability to use the gem in this directory, ignoring other installed copies of this gem.

To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the .gem file to rubygems.org.

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/sue445/rubygems_check_replacement_vulnerability.

License

The gem is available as open source under the terms of the MIT License.