Last active
December 10, 2015 20:38
CVE-2013-0156 is a nasty vulnerability in many versions of Rails. This script checks all your Heroku apps for this vulnerability in one quick (slow) move. More info: https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion
```ruby
## The quick-and-nasty CVE-2013-0156 Heroku inspector!
## Originally brought to you by @elliottkember with changes by @markpundsack @ Heroku
## Download and run using:
## ruby heroku-CVE-2013-0156.rb
`heroku list`.split("\n").each do |app|
  app = app.strip
  # Some "heroku apps" lines have === formatting for grouping. They're not apps.
  next if app[0..2] == "==="
  # Some are appended by owner emails
  app = app.split(" ")[0].to_s.strip
  # Blank lines can be omitted.
  next if app == ""
  # The last line of output is the gem path, e.g. .../gems/rails-3.2.11
  rails_path = `heroku run bundle show rails --app #{app}`.split("\n")[-1]
  # .to_s guards against empty output (no lines at all), which would otherwise raise on nil
  rails_version_number = rails_path.to_s.split("rails-")[1]
  rails_version_number = rails_version_number.strip unless rails_version_number.nil?
  # Patched releases per the advisory; nil means no rails gem was found (non-Rails app), so skip it
  unless ["3.2.11", "3.1.10", "3.0.19", "2.3.15"].include?(rails_version_number) or rails_version_number.nil?
    puts "Uh oh! #{app} has #{rails_version_number}."
  else
    puts "..."
  end
end
```
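The script above flags any version that is not exactly one of the four patched releases, so a later release on a patched branch (say 3.2.12) is reported as "Uh oh" too. As an added example, not part of the gist, here is the version-parsing and classification logic rewritten with a real version comparison per branch; the `bundle show rails` output lines are constructed, and the function and constant names are my own:

```ruby
require "rubygems" # Gem::Version, used for proper version comparison

# First patched release on each affected branch, from the advisory the gist cites.
FIXED_VERSIONS = {
  "3.2" => "3.2.11",
  "3.1" => "3.1.10",
  "3.0" => "3.0.19",
  "2.3" => "2.3.15",
}.freeze

# Extract the Rails version from the last line of `heroku run bundle show rails`
# output, e.g. "/app/vendor/bundle/ruby/1.9.1/gems/rails-3.2.11". Returns nil
# when that line carries no rails gem path (non-Rails app, failed command).
def rails_version_from(bundle_show_output)
  line = bundle_show_output.to_s.split("\n").last.to_s.strip
  match = line.match(%r{/rails-([0-9][0-9A-Za-z.]*)\z})
  match && match[1]
end

# Classify a version as :vulnerable, :patched, or :unknown (nil, unparsable, or
# a branch not in the table). Gem::Version orders "3.2.9" < "3.2.11" correctly
# and treats "3.2.11.rc1" as older than "3.2.11".
def cve_2013_0156_status(version)
  return :unknown if version.nil?
  parsed = (Gem::Version.new(version) rescue nil)
  return :unknown if parsed.nil?
  branch = parsed.segments[0, 2].join(".")
  fixed = FIXED_VERSIONS[branch]
  return :unknown if fixed.nil?
  parsed < Gem::Version.new(fixed) ? :vulnerable : :patched
end

# Given app name => captured `bundle show rails` output, report a status per app.
# Non-Rails apps come back :unknown instead of a false positive.
def classify_apps(outputs)
  outputs.each_with_object({}) do |(app, out), report|
    report[app] = cve_2013_0156_status(rails_version_from(out))
  end
end
```

In the gist's loop, the captured output of each `heroku run bundle show rails --app` call would be the value passed to `classify_apps`.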
Great idea, will - updated!
If you've got non-rails apps, you get a lot of false positives with this. How about checking for rails_version_number.nil? instead of ""?
Thanks Mark - much better idea. Updated with your changes!
I'd suggest using `heroku run bundle show rails` instead