├── .gitignore
├── .rspec
├── .travis.yml
├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── CONTRIBUTORS.md
├── Gemfile
├── Gemfile.lock
├── LICENSE.txt
├── README.md
├── Rakefile
├── gems
│   ├── celluloid
│   │   └── 670.yml
│   ├── ethon
│   │   └── 194.yml
│   ├── grape
│   │   ├── 2084.yml
│   │   └── 301.yml
│   ├── net-http-persistent
│   │   └── 300.yml
│   ├── oj
│   │   └── 229.yml
│   ├── redcarpet
│   │   └── 516.yml
│   ├── redis
│   │   └── 612.yml
│   ├── rgeo
│   │   └── 253.yml
│   ├── sidekiq-pro
│   │   └── 4652.yml
│   ├── sidekiq-statistic
│   │   └── 73.yml
│   ├── sidekiq
│   │   └── 2598.yml
│   ├── therubyracer
│   │   └── 336.yml
│   └── zipruby
│       └── PRE-SA-2012-02.yml
├── scripts
│   └── post-advisories.sh
└── spec
    ├── advisories_spec.rb
    ├── advisory_example.rb
    ├── gem_example.rb
    ├── library_example.rb
    ├── ruby_example.rb
    └── spec_helper.rb

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
_site

--------------------------------------------------------------------------------
/.rspec:
--------------------------------------------------------------------------------
--colour

--------------------------------------------------------------------------------
/.travis.yml:
--------------------------------------------------------------------------------
language: ruby

sudo: false

cache: bundler

notifications:
  irc: chat.freenode.net#rubysec

env:
  global:
    - secure: ZXwsZdbCej15IcIazEIjy12o5v5EI8/Hle/VP1EabfbHsA5Mw+lrliMAV80C8Iy+p4mI66WIO/3Ovm64L1nGDBGs3dKUjtDvNPCKHlK2xK7AhvkcJnzbjWTAzWZY17STJO45DUdr/vuVbvQZ8llLosSOBs+grGsszCSEIOibqjU=

rvm:
  - 2.4.6
  - 2.5.5
  - 2.6.3

--------------------------------------------------------------------------------
/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
# Contributor Covenant Code of Conduct

## Our Pledge

In the interest of fostering an open and welcoming environment, we as
contributors and maintainers pledge to making participation in our project and
our community a harassment-free experience for everyone, regardless of age, body
size, disability, ethnicity, sex characteristics, gender identity and expression,
level of experience, education, socio-economic status, nationality, personal
appearance, race, religion, or sexual identity and orientation.

## Our Standards

Examples of behavior that contributes to creating a positive environment
include:

* Using welcoming and inclusive language
* Being respectful of differing viewpoints and experiences
* Gracefully accepting constructive criticism
* Focusing on what is best for the community
* Showing empathy towards other community members

Examples of unacceptable behavior by participants include:

* The use of sexualized language or imagery and unwelcome sexual attention or
  advances
* Trolling, insulting/derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or electronic
  address, without explicit permission
* Other conduct which could reasonably be considered inappropriate in a
  professional setting

## Our Responsibilities

Project maintainers are responsible for clarifying the standards of acceptable
behavior and are expected to take appropriate and fair corrective action in
response to any instances of unacceptable behavior.

Project maintainers have the right and responsibility to remove, edit, or
reject comments, commits, code, wiki edits, issues, and other contributions
that are not aligned to this Code of Conduct, or to ban temporarily or
permanently any contributor for other behaviors that they deem inappropriate,
threatening, offensive, or harmful.

## Scope

This Code of Conduct applies both within project spaces and in public spaces
when an individual is representing the project or its community. Examples of
representing a project or community include using an official project e-mail
address, posting via an official social media account, or acting as an appointed
representative at an online or offline event. Representation of a project may be
further defined and clarified by project maintainers.

## Enforcement

Instances of abusive, harassing, or otherwise unacceptable behavior may be
reported by contacting the project team at hello@ombulabs.com. All
complaints will be reviewed and investigated and will result in a response that
is deemed necessary and appropriate to the circumstances. The project team is
obligated to maintain confidentiality with regard to the reporter of an incident.
Further details of specific enforcement policies may be posted separately.

Project maintainers who do not follow or enforce the Code of Conduct in good
faith may face temporary or permanent repercussions as determined by other
members of the project's leadership.

## Attribution

This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html

[homepage]: https://www.contributor-covenant.org

For answers to common questions about this code of conduct, see
https://www.contributor-covenant.org/faq

--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
# Contributing Guidelines

* All text must be within 80 columns.
* YAML must be indented by 2 spaces.
* Have any questions? Feel free to open an issue.
* Prior to submitting a pull request, run the tests:

```
bundle install
bundle exec rspec
```

* Follow the schema. Here is an example advisory (`gems/celluloid/670.yml`):

```yaml
---
gem: celluloid
url: https://github.com/celluloid/celluloid/issues/670
title: Memory Leak using Celluloid::Future
date: 2015-08-31
description: |
  The Celluloid::Group::Spawner appears to never clean up the completed Threads
  that it creates.
leaky_versions:
  - "> 0.16.0, < 0.17.2"
patched_versions:
  - ">= 0.17.3"
```

### Schema

* `gem` \[String\]: Name of the affected gem. Must match the name of the
  directory the file lives in (case-insensitive).
* `framework` \[String\] (optional): Name of the framework the gem belongs to.
* `platform` \[String\] (optional): If this leak is platform-specific, the name
  of the platform it affects (e.g. jruby).
* `url` \[String\]: The URL to the full report (issue, pull request or
  advisory).
* `title` \[String\]: The title of the advisory.
* `date` \[Date\]: Disclosure date of the advisory, written unquoted as
  `YYYY-MM-DD` so that YAML parses it as a Date.
* `description` \[String\]: Multi-paragraph description of the leak.
* `leaky_versions` \[Array\<String\>\] (optional): The version requirements
  for the versions of the gem with a known memory leak.
* `unaffected_versions` \[Array\<String\>\] (optional): The version
  requirements for the unaffected versions of the gem.
* `patched_versions` \[Array\<String\>\] (optional only when no fixed release
  exists): The version requirements for the patched versions of the gem.
* `related` \[Hash\<String, Array\<String\>\>\] (optional): Further URLs
  about the leak. The test suite accepts only the key `url`.

Each version requirement is a RubyGems requirement string (`>= 0.17.3`,
`~> 0.12.3`, `= 3.2.2`). Several constraints can be combined in one entry,
separated by `, `, as in `"> 0.16.0, < 0.17.2"`. The tests also expect the
highest requirement among `unaffected_versions` and `patched_versions` to be
open-ended (`>=`, `>` or `~>`) so that future releases count as fixed.

--------------------------------------------------------------------------------
/CONTRIBUTORS.md:
--------------------------------------------------------------------------------
### Acknowledgements

This database would not be possible without volunteers willing to submit pull requests. In no particular order, we'd like to thank:

# Contributors
- [Sergey Alekseev](https://github.com/sergey-alekseev)
- [Graham Conzett @conzett](https://github.com/conzett)
- [Jacob Oakes @oakesja](https://github.com/oakesja)
- [Juan Ignacio Sánchez Lara @juanignaciosl](https://github.com/juanignaciosl)
- [Ilya Vassilevsky @vassilevsky](https://github.com/vassilevsky)
- [Sebastiaan Pouyet @srpouyet](https://github.com/srpouyet)
- [Michal Kulesza @mic-kul](https://github.com/mic-kul)
- [Benoit Tigeot @benoittgt](https://github.com/benoittgt)
- [Jolyon Pawlyn @jpawlyn](https://github.com/jpawlyn)
- [Shai Coleman @shaicoleman](https://github.com/shaicoleman)
- [Ryan Rosenblum @rrosenblum](https://github.com/rrosenblum)
- [Lumir Olivares @lumir](https://github.com/lumir)
- [Stefan Wienert @zealot128](https://github.com/zealot128)


The rubymem.com domain is sponsored by [FastRuby.io](https://www.fastruby.io/).

--------------------------------------------------------------------------------
/Gemfile:
--------------------------------------------------------------------------------
source 'https://rubygems.org'

gem 'rspec'
gem 'rake'

group :development do
  gem 'pry'
  gem 'nokogiri'
end

--------------------------------------------------------------------------------
/Gemfile.lock:
--------------------------------------------------------------------------------
GEM
  remote: https://rubygems.org/
  specs:
    coderay (1.1.2)
    diff-lcs (1.3)
    method_source (0.9.0)
    mini_portile2 (2.8.0)
    nokogiri (1.13.10)
      mini_portile2 (~> 2.8.0)
      racc (~> 1.4)
    pry (0.11.3)
      coderay (~> 1.1.0)
      method_source (~> 0.9.0)
    racc (1.6.1)
    rake (12.3.3)
    rspec (3.7.0)
      rspec-core (~> 3.7.0)
      rspec-expectations (~> 3.7.0)
      rspec-mocks (~> 3.7.0)
    rspec-core (3.7.1)
      rspec-support (~> 3.7.0)
    rspec-expectations (3.7.0)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.7.0)
    rspec-mocks (3.7.0)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.7.0)
    rspec-support (3.7.1)

PLATFORMS
  ruby

DEPENDENCIES
  nokogiri
  pry
  rake
  rspec

BUNDLED WITH
   2.2.11

--------------------------------------------------------------------------------
/LICENSE.txt:
--------------------------------------------------------------------------------
If you submit code or data to the ruby-advisory-db that is copyrighted by yourself, upon submission you hereby agree to release it into the public domain.

However, not all of the ruby-advisory-db can be considered public domain. The ruby-advisory-db may contain some information copyrighted by the Open Source Vulnerability Database (http://osvdb.org). If you use ruby-advisory-db data to build a product or a service, it is your responsibility to familiarize yourself with the terms of their license: http://www.osvdb.org/osvdb_license

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Ruby Leaky Gems Database

The [RubyMem](https://www.rubymem.com) Database is a community effort to compile all known memory leaks that are relevant to Ruby gems.

You can check your own Gemfile.locks against this database by using [bundler-leak](https://github.com/rubymem/bundler-leak).

## Support Our RubyMem Initiative!

This project has been a community effort since the beginning. The more reports we track, the more value we can provide to your future projects!

### How You Can Help

Do you know about a known memory leak that isn't [listed in this database](https://www.rubymem.com/advisories)? Open an issue, submit a PR, or [use this form](https://rubymem.com/advisories/new) which will email the maintainers.

## Directory Structure

The database is a list of directories that match the names of Ruby libraries on
[rubygems.org]. Within each directory are one or more files, one per reported
leak, for the Ruby library. These files can be named however you want as long as
they end in `.yml`; in this example the file is named after the upstream issue
number on GitHub.

    gems/:
      celluloid/:
        670.yml


## Format

Each file contains the information in [YAML] format:

```yaml
---
gem: celluloid
url: https://github.com/celluloid/celluloid/issues/670
title: Memory Leak using Celluloid::Future
date: 2015-08-31
description: |
  The Celluloid::Group::Spawner appears to never clean up the completed Threads
  that it creates.
leaky_versions:
  - "> 0.16.0, < 0.17.2"
patched_versions:
  - ">= 0.17.3"
```

### Schema

* `gem` \[String\]: Name of the affected gem. Must match the directory name
  (case-insensitive).
* `framework` \[String\] (optional): Name of the framework which the affected
  gem belongs to.
* `platform` \[String\] (optional): If this leak is platform-specific, the name
  of the platform it affects (e.g. jruby).
* `url` \[String\]: The URL to the full report (issue, pull request or
  advisory).
* `title` \[String\]: The title of the advisory or individual leak.
* `date` \[Date\]: The public disclosure date of the advisory, written
  unquoted as `YYYY-MM-DD` so that YAML parses it as a Date.
* `description` \[String\]: One or more paragraphs describing the leak.
* `leaky_versions` \[Array\<String\>\] (optional): The version requirements
  for the versions of the gem with a known memory leak.
* `unaffected_versions` \[Array\<String\>\] (optional): The version
  requirements for the unaffected versions of the Ruby library.
* `patched_versions` \[Array\<String\>\] (optional only when no fixed release
  exists): The version requirements for the patched versions of the Ruby
  library.

Every entry in the three version lists is a RubyGems requirement string.
Several constraints can be combined in one entry, separated by `, `, as in
`"> 0.16.0, < 0.17.2"`. The test suite expects the highest requirement among
`unaffected_versions` and `patched_versions` to be open-ended (`>=`, `>` or
`~>`) so that future releases are treated as fixed.

## Tests

Prior to submitting a pull request, run the tests:

```
bundle install
bundle exec rspec
```

## Credits

Please see [CONTRIBUTORS.md].
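The format above exists so that a lockfile can be checked against it, which is what bundler-leak does. The following is an added example of that check, not code from the rubymem project or from bundler-leak: it parses a Gemfile.lock, loads advisories in this database's format, and evaluates the version requirements with `Gem::Requirement`. The two advisory texts are abbreviated from `gems/celluloid/670.yml` and `gems/grape/2084.yml`; the Gemfile.lock is constructed. The matching rule (`leaky?`) is this example's own and is stated in its comment; compare it with bundler-leak's before relying on it.

```ruby
require 'yaml'
require 'date'

# Entries in this database's format, abbreviated from gems/celluloid/670.yml and
# gems/grape/2084.yml; the Gemfile.lock below is constructed for the example.
ADVISORY_FILES = {
  'gems/celluloid/670.yml' => <<~YAML,
    gem: celluloid
    url: https://github.com/celluloid/celluloid/issues/670
    title: Memory Leak using Celluloid::Future
    date: 2015-08-31
    description: Completed threads are never cleaned up.
    leaky_versions:
      - "> 0.16.0, < 0.17.2"
    patched_versions:
      - ">= 0.17.3"
  YAML
  'gems/grape/2084.yml' => <<~YAML,
    gem: grape
    url: https://github.com/ruby-grape/grape/pull/2084
    title: Memory leak in grape
    date: 2020-07-10
    description: A copy of each unique path seen was retained.
    unaffected_versions:
      - "< 1.3.0"
    patched_versions:
      - ">= 1.4.0"
  YAML
}

LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      celluloid (0.17.0)
        timers (>= 4.1.1)
      grape (1.3.2)
      nokogiri (1.13.10-x86_64-linux)

  PLATFORMS
    x86_64-linux
LOCK

# safe_load refuses arbitrary object tags; Date is the only class `date:` needs.
def load_advisory(text)
  YAML.safe_load(text, permitted_classes: [Date])
end

# Locked versions keyed by gem name. Under `specs:` only 4-space-indented lines
# are gems; their 6-space-indented dependency lines are skipped.
def parse_lockfile(text)
  locked = {}
  in_specs = false
  text.each_line do |line|
    in_specs = true if line.start_with?('  specs:')
    in_specs = false if line.match?(/\A\S/) # next top-level section
    next unless in_specs && (m = line.match(/\A {4}(\S+) \(([^)]+)\)/))
    version = m[2]
    # 1.13.10-x86_64-linux is a platform entry: keep the version part. A real
    # pre-release such as 1.0.0-beta passes correct? and is kept whole.
    version = version.split('-', 2).first unless Gem::Version.correct?(version)
    locked[m[1]] = Gem::Version.new(version)
  end
  locked
end

# "> 0.16.0, < 0.17.2" is one entry holding two constraints; the spec suite
# splits it on the same ", ".
def matches_any?(req_strings, version)
  Array(req_strings).any? do |r|
    Gem::Requirement.new(*r.split(', ')).satisfied_by?(version)
  end
end

# This example's rule (compare with bundler-leak before relying on it):
# unaffected or patched versions are safe; otherwise the version leaks if it
# matches leaky_versions, or unconditionally when the entry lists none.
def leaky?(advisory, version)
  return false if matches_any?(advisory['unaffected_versions'], version)
  return false if matches_any?(advisory['patched_versions'], version)
  return true unless advisory['leaky_versions']
  matches_any?(advisory['leaky_versions'], version)
end

def scan(advisories, locked)
  advisories.each_with_object([]) do |(path, adv), findings|
    version = locked[adv['gem']]
    next unless version && leaky?(adv, version)
    findings << { gem: adv['gem'], version: version.to_s,
                  title: adv['title'], url: adv['url'], advisory: path }
  end
end

ADVISORIES = ADVISORY_FILES.transform_values { |text| load_advisory(text) }
FINDINGS = scan(ADVISORIES, parse_lockfile(LOCKFILE))
FINDINGS.each { |f| puts "#{f[:gem]} #{f[:version]}: #{f[:title]} (#{f[:url]})" }
```

Two details matter for a real run. `YAML.safe_load` is used because advisory files arrive through pull requests; `YAML.load` on Psych older than 4 instantiates arbitrary Ruby objects from tags in the document. And the rule in `leaky?` treats an entry without `leaky_versions` as leaking every version that is neither patched nor unaffected, which is the conservative reading; an entry that lists `leaky_versions` is taken literally, so a version in a gap between the listed leaky range and `patched_versions` (celluloid 0.17.2 here) is not flagged.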

[rubygems.org]: https://rubygems.org/
[YAML]: http://www.yaml.org/
[CONTRIBUTORS.md]: https://github.com/rubymem/ruby-mem-advisory-db/blob/master/CONTRIBUTORS.md

--------------------------------------------------------------------------------
/Rakefile:
--------------------------------------------------------------------------------
require 'yaml'

namespace :lint do
  begin
    require 'rspec/core/rake_task'

    RSpec::Core::RakeTask.new(:yaml)
  rescue LoadError
    # Define the task name that `lint` depends on, so the user sees the
    # install hint rather than an unknown-task error.
    task :yaml do
      abort "Please run `gem install rspec` to install RSpec."
    end
  end

  # Inherited from ruby-advisory-db: entries in this database carry no `cve`
  # key, so this task reports every file. It only prints; it never fails.
  task :cve do
    Dir.glob('{gems,libraries,rubies}/*/*.yml') do |path|
      advisory = YAML.load_file(path)

      unless advisory['cve']
        puts "Missing CVE: #{path}"
      end
    end
  end
end

task :lint => ['lint:yaml', 'lint:cve']
task :default => :lint

--------------------------------------------------------------------------------
/gems/celluloid/670.yml:
--------------------------------------------------------------------------------
---
gem: celluloid
url: https://github.com/celluloid/celluloid/issues/670
title: Memory Leak using Celluloid::Future
date: 2015-08-31
description: |
  The Celluloid::Group::Spawner appears to never clean up the completed Threads
  that it creates.
leaky_versions:
  - "> 0.16.0, < 0.17.2"
patched_versions:
  - ">= 0.17.3"

--------------------------------------------------------------------------------
/gems/ethon/194.yml:
--------------------------------------------------------------------------------
---
gem: ethon
date: 2021-05-28
url: https://github.com/typhoeus/ethon/issues/194
title: Stale socket leak in Ethon
description: Some cleanup code in Ethon is not called when the object is garbage collected,
  leaking stale sockets in CLOSE_WAIT state indefinitely. The impact is a memory leak
  + file descriptor starvation.
unaffected_versions:
  - "<= 0.12.0"
patched_versions:
  - ">= 0.15.0"
related_links:
  - 'Commit introducing the issue: https://github.com/typhoeus/ethon/commit/b4899b952f85d089358f599c71b0cf7b03db6c39'
  - 'First report about stale socket: https://github.com/typhoeus/ethon/issues/194'
  - 'Reverted in https://github.com/typhoeus/ethon/pull/195/files'
  - 'Second report about memory leak: https://github.com/typhoeus/ethon/issues/198'

--------------------------------------------------------------------------------
/gems/grape/2084.yml:
--------------------------------------------------------------------------------
---
gem: grape
date: 2020-07-10
url: https://github.com/ruby-grape/grape/pull/2084
title: Memory leak in grape
description: A flaw in how grape caches paths means that a copy of each unique path
  seen was retained. If paths contain a variable (e.g. the id of a resource) this would
  lead to unbounded memory usage.
unaffected_versions:
  - "< 1.3.0"
patched_versions:
  - ">= 1.4.0"

--------------------------------------------------------------------------------
/gems/grape/301.yml:
--------------------------------------------------------------------------------
---
gem: grape
url: https://github.com/ruby-grape/grape/issues/301
title: Memory leak in formatter middleware
date: 2012-12-27
description: |
  The call to .to_sym interns a new symbol for each distinct value; on the Ruby
  versions of the time (before 2.2) symbols are never garbage collected, so
  malicious users can exhaust memory by sending unique values.
leaky_versions:
  - "< 0.2.5"
patched_versions:
  - ">= 0.10"

--------------------------------------------------------------------------------
/gems/net-http-persistent/300.yml:
--------------------------------------------------------------------------------
---
gem: net-http-persistent
url: "https://github.com/drbrain/net-http-persistent/pull/98"
title: Memory leak in thread connection pool of net-http-persistent
date: 2015-04-08
description: |
  3.0.0 introduced a memory leak when it switched to connection pooling. We're
  setting a thread local but then never clearing the local. If the pool is used
  in the main thread, it will never die and the locals will stick around for
  the life of the process.
leaky_versions:
  - "= 3.0.0"
patched_versions:
  - "> 3.0.0"

--------------------------------------------------------------------------------
/gems/oj/229.yml:
--------------------------------------------------------------------------------
---
gem: oj
url: https://github.com/ohler55/oj/issues/229
title: Memory Leak using Oj::Doc.open
date: 2015-04-18
description: |
  Oj::Doc.open steadily increases memory usage.
leaky_versions:
  - "< 2.12.4"
patched_versions:
  - ">= 2.12.4"

--------------------------------------------------------------------------------
/gems/redcarpet/516.yml:
--------------------------------------------------------------------------------
---
gem: redcarpet
url: https://github.com/vmg/redcarpet/pull/516
title: Memory Leak in Redcarpet::Render::Base
date: 2015-09-11
description: |
  rb_redcarpet_rbase_alloc used to allocate a struct rb_redcarpet_rndr instance
  which was never freed.

  This caused 312 leaked bytes (on a 64-bit machine) on every render call.
leaky_versions:
  - "< 3.3.3"
patched_versions:
  - ">= 3.3.3"

--------------------------------------------------------------------------------
/gems/redis/612.yml:
--------------------------------------------------------------------------------
---
gem: redis
url: https://github.com/redis/redis-rb/issues/612
title: Memory leak due to Timeout creating threads on each invocation.
date: 2016-04-25
description: |
  write_timeout results in lots of short-lived threads being created, since each
  timeout block creates a separate thread. Every write to Redis therefore
  requires the creation of a new Thread.
leaky_versions:
  - "= 3.2.2"
  - "= 3.3.0"
patched_versions:
  - ">= 3.3.1"

--------------------------------------------------------------------------------
/gems/rgeo/253.yml:
--------------------------------------------------------------------------------
---
gem: rgeo
url: https://github.com/rgeo/rgeo/pull/253
title: Memory Leak using `#invalid_reason`
date: 2021-04-15
description: |
  The invalid_reason string is not freed by the C extension, which steadily
  increases memory usage.
leaky_versions:
  - "< 2.3.0"
patched_versions:
  - ">= 2.3.0"

--------------------------------------------------------------------------------
/gems/sidekiq-pro/4652.yml:
--------------------------------------------------------------------------------
---
gem: sidekiq-pro
date: 2020-06-24
url: https://github.com/mperham/sidekiq/issues/4652
title: Leak in sidekiq when workers have unhandled exceptions
description: |
  When using Sidekiq Pro, a reference leak occurs whenever a job raises an
  exception that Sidekiq itself handles.
patched_versions:
  - ">= 5.2.0"

--------------------------------------------------------------------------------
/gems/sidekiq-statistic/73.yml:
--------------------------------------------------------------------------------
---
gem: sidekiq-statistic
url: https://github.com/davydovanton/sidekiq-statistic/issues/73
title: Memory Leak since timeslist does not expire
date: 2015-09-15
description: |
  The timeslist should be expired after some amount of time and the times
  aggregated into a much more compact form.
leaky_versions:
  - "<= 1.2"

--------------------------------------------------------------------------------
/gems/sidekiq/2598.yml:
--------------------------------------------------------------------------------
---
gem: sidekiq
url: https://github.com/mperham/sidekiq/pull/2598
title: Memory Leak in Sidekiq::Manager#real_thread
date: 2015-10-09
description: |
  Before starting to execute the task, Processor does an async call to Manager
  (the real_thread method) to add the processor's thread to the @threads hash
  in Manager.
leaky_versions:
  - "< 3.5.1"
patched_versions:
  - ">= 3.5.1"

--------------------------------------------------------------------------------
/gems/therubyracer/336.yml:
--------------------------------------------------------------------------------
---
gem: therubyracer
url: https://github.com/cowboyd/therubyracer/pull/336
title: Memory leak in WeakValueMap
date: 2015-03-31
description: |
  Entries were not being cleaned up correctly from the backing store.
leaky_versions:
  - "< 0.12.2"
unaffected_versions:
  - "~> 0.12.3"
patched_versions:
  - "~> 0.12.3"

--------------------------------------------------------------------------------
/gems/zipruby/PRE-SA-2012-02.yml:
--------------------------------------------------------------------------------
---
gem: zipruby
url: https://packetstormsecurity.com/files/111242/libzip-0.10-Heap-Overflow-Information-Leak.html
title: Heap overflow, information leak
date: 2012-03-21
description: |
  libzip has two vulnerabilities that may lead to a heap overflow or an
  information leak via corrupted zip files.
leaky_versions:
  - "<= 0.3.6"

--------------------------------------------------------------------------------
/scripts/post-advisories.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Inherited from the rubysec build: clones the rubysec.github.io site repository
# from CI, regenerates the advisory pages and pushes the result. GH_TOKEN must
# be set in the environment.
set -o errexit -o nounset

# The token is embedded in the remote URL, so it ends up in _site/.git/config
# and in any error output git prints. _site is listed in .gitignore; treat CI
# logs for this job as sensitive.
REPO="https://${GH_TOKEN}@github.com/rubysec/rubysec.github.io.git"
DIR="_site"

git clone "$REPO" "$DIR"

cd "$DIR"

git config user.name "RubySec CI"
git config user.email "ci@rubysec.com"

bundle install --jobs=3 --retry=3
bundle exec rake advisories

# -q keeps the remote URL (and the token in it) out of the push output.
git push -q

--------------------------------------------------------------------------------
/spec/advisories_spec.rb:
--------------------------------------------------------------------------------
load File.join(File.dirname(__FILE__), 'spec_helper.rb')
require 'gem_example'
require 'library_example'
require 'ruby_example'

describe "gems" do
  Dir.glob(File.join(File.dirname(__FILE__), '../gems/*/*')) do |path|
    include_examples 'Gem Advisory', path
  end
end

describe "libraries" do
  Dir.glob(File.join(File.dirname(__FILE__), '../libraries/*/*')) do |path|
    include_examples 'Libraries Advisory', path
  end
end

describe "rubies" do
  Dir.glob(File.join(File.dirname(__FILE__), '../rubies/*/*')) do |path|
    include_examples 'Rubies Advisory', path
  end
end

--------------------------------------------------------------------------------
/spec/advisory_example.rb:
--------------------------------------------------------------------------------
load File.join(File.dirname(__FILE__), 'spec_helper.rb')
require 'yaml'

shared_examples_for 'Advisory' do |path|
  # Advisory files arrive through pull requests. On Psych older than 4,
  # YAML.load_file instantiates arbitrary Ruby objects from tagged nodes, so
  # read a submitted file before running this suite on it locally.
  advisory = YAML.load_file(path)

  describe path do
    let(:filename) { File.basename(path) }

    it "should be correctly named" do
      expect(filename).
        to match(/^.+\.yml$/)
    end

    describe "framework" do
      subject { advisory['framework'] }

      it "may be nil or a String" do
        expect(subject).to be_kind_of(String).or(be_nil)
      end
    end

    describe "platform" do
      subject { advisory['platform'] }

      it "may be nil or a String" do
        expect(subject).to be_kind_of(String).or(be_nil)
      end
    end


    describe "url" do
      subject { advisory['url'] }

      it { is_expected.to be_kind_of(String) }
      it { is_expected.not_to be_empty }
    end

    describe "title" do
      subject { advisory['title'] }

      it { is_expected.to be_kind_of(String) }
      it { is_expected.not_to be_empty }
    end

    describe "date" do
      subject { advisory['date'] }

      it { is_expected.to be_kind_of(Date) }
    end

    describe "description" do
      subject { advisory['description'] }

      it { is_expected.to be_kind_of(String) }
      it { is_expected.not_to be_empty }
    end

    # leaky_versions is not validated here; only the two lists below are.
    describe "patched_versions" do
      subject { advisory['patched_versions'] }

      it "may be nil or an Array" do
        expect(subject).to be_kind_of(Array).or(be_nil)
      end

      describe "each patched version" do
        if advisory['patched_versions']
          advisory['patched_versions'].each do |version|
            describe version do
              # "> 0.16.0, < 0.17.2" is one entry holding two requirements.
              subject { version.split(', ') }

              it "should contain valid RubyGem version requirements" do
                expect {
                  Gem::Requirement.new(*subject)
                }.not_to raise_error
              end
            end
          end
        end
      end
    end

    describe "unaffected_versions" do
      subject { advisory['unaffected_versions'] }

      it "may be nil or an Array" do
        expect(subject).to be_kind_of(Array).or(be_nil)
      end

      case advisory['unaffected_versions']
      when Array
        advisory['unaffected_versions'].each do |version|
          describe version do
            subject { version.split(', ') }

            it "should contain valid RubyGem version requirements" do
              expect {
                Gem::Requirement.new(*subject)
              }.not_to raise_error
            end
          end
        end
      end
    end

    describe "related" do
      subject { advisory['related'] }

      it "may be nil or a Hash" do
        expect(subject).to be_kind_of(Hash).or(be_nil)
      end

      case advisory["related"]
      when Hash
        advisory["related"].each_pair do |name, values|
          describe name do
            it "should be a url" do
              expect(["url"]).to include(name)
            end

            it "should always contain an array" do
              expect(values).to be_kind_of(Array)
            end
          end
        end
      end
    end


  end
end

--------------------------------------------------------------------------------
/spec/gem_example.rb:
--------------------------------------------------------------------------------
load File.join(File.dirname(__FILE__), 'spec_helper.rb')
require 'advisory_example'

shared_examples_for "Gem Advisory" do |path|
  include_examples 'Advisory', path

  advisory = YAML.load_file(path)

  describe path do
    let(:gem) { File.basename(File.dirname(path)) }

    describe "gem" do
      subject { advisory['gem'] }

      it { is_expected.to be_kind_of(String) }
      it "should be equal to the directory name (case-insensitive)" do
        expect(subject.downcase).to eq(gem.downcase)
      end
    end

    describe "versions" do
      it "assumes that future versions will be patched" do
        unaffected_versions = advisory['unaffected_versions'] || []
        patched_versions = advisory['patched_versions'] || []

        # Order the requirements by their numeric part (">= 0.17.3" -> 0.17.3).
        versions = (unaffected_versions + patched_versions).sort_by do |v|
          Gem::Version.new(v.match(/[0-9.]+\.\d+/)[0])
        end

        # The highest requirement must be open-ended (>=, > or ~>); otherwise
        # the next release of the gem would be reported as leaky.
        # If a gem is unpatched this test makes no sense
        unless patched_versions.none?
          expect(versions.last.match(/^>=|^>|^~>/)).to be_truthy
        end
      end
    end
  end
end

--------------------------------------------------------------------------------
/spec/library_example.rb:
--------------------------------------------------------------------------------
load File.join(File.dirname(__FILE__), 'spec_helper.rb')
require 'advisory_example'

shared_examples_for "Libraries Advisory" do |path|
  include_examples 'Advisory', path

  advisory = YAML.load_file(path)

  describe path do
    let(:library) { File.basename(File.dirname(path)) }

    describe "library" do
      subject { advisory['library'] }

      it { is_expected.to be_kind_of(String) }
      it "should be equal to the directory name (case-insensitive)" do
        expect(subject.downcase).to eq(library.downcase)
      end
    end
  end
end

--------------------------------------------------------------------------------
/spec/ruby_example.rb:
--------------------------------------------------------------------------------
load File.join(File.dirname(__FILE__), 'spec_helper.rb')
require 'advisory_example'

shared_examples_for "Rubies Advisory" do |path|
  include_examples 'Advisory', path

  advisory = YAML.load_file(path)

  describe path do
    let(:engine) { File.basename(File.dirname(path)) }

    describe "engine" do
      subject { advisory['engine'] }

      it { is_expected.to be_kind_of(String) }
      it "should be equal to the directory name (case-insensitive)" do
        expect(subject.downcase).to eq(engine.downcase)
      end
    end
  end
end

--------------------------------------------------------------------------------
/spec/spec_helper.rb:
--------------------------------------------------------------------------------
require 'rspec'
--------------------------------------------------------------------------------
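The spec suite above only validates the shape of an entry; it cannot tell whether the leak a report describes is real. The following is an added example of the measurement a report should be based on, not code from the rubymem project or from any of the gems listed: a small harness that compares live heap objects before and after a workload. `LeakyPathCache` is a constructed stand-in for the unbounded per-path cache described in `gems/grape/2084.yml`; `BoundedPathCache` is the same API with a cap. Class and method names are this example's own.

```ruby
# Constructed stand-in for the pattern in gems/grape/2084.yml: every distinct
# path ever seen is memoised, so paths that embed a resource id
# (/users/1, /users/2, ...) grow the table without bound.
class LeakyPathCache
  def initialize
    @seen = {}
  end

  def normalize(path)
    @seen[path] ||= path.squeeze('/').chomp('/')
  end

  def size
    @seen.size
  end
end

# Same API with a hard cap. Ruby hashes keep insertion order, so re-inserting
# on a hit and shifting the first entry when full gives a simple LRU.
class BoundedPathCache
  def initialize(max = 256)
    @seen = {}
    @max = max
  end

  def normalize(path)
    if (hit = @seen.delete(path))
      return @seen[path] = hit
    end
    @seen.shift if @seen.size >= @max
    @seen[path] = path.squeeze('/').chomp('/')
  end

  def size
    @seen.size
  end
end

# Live heap objects after a full, immediate GC, so that only objects something
# still references are counted.
def live_objects
  GC.start(full_mark: true, immediate_sweep: true)
  counts = ObjectSpace.count_objects
  counts[:TOTAL] - counts[:FREE]
end

# Runs the block `rounds` times and returns the growth in live objects.
def measure_growth(rounds)
  before = live_objects
  rounds.times { |i| yield i }
  live_objects - before
end

# Growth per additional round, taken from two run lengths so that a one-off
# warm-up cost (a cache filling to its cap) is not mistaken for a leak. This
# is the figure a report should quote, together with how it was measured.
def growth_per_round(cache, rounds)
  short = measure_growth(rounds) { |i| cache.normalize("/users/#{i}/") }
  long  = measure_growth(2 * rounds) { |i| cache.normalize("/users/#{rounds + i}/") }
  (long - short).to_f / rounds
end

if __FILE__ == $PROGRAM_NAME
  printf("leaky:   %.2f objects/round\n", growth_per_round(LeakyPathCache.new, 5_000))
  printf("bounded: %.2f objects/round\n", growth_per_round(BoundedPathCache.new, 5_000))
end
```

The leaky cache retains two strings per distinct path (the frozen key copy and the normalised value), so its per-round growth stays near 2 however long the run; the bounded cache's growth goes to zero once it holds 256 entries. Measuring after `GC.start` is what separates a leak from ordinary garbage that has simply not been collected yet.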