Skip to content

Instantly share code, notes, and snippets.

@omgitsads

omgitsads/rails-check.sh

Last active December 10, 2015 22:38
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save omgitsads/4503139 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save omgitsads/4503139 to your computer and use it in GitHub Desktop.
Download ZIP
Look for affected versions of rails, and if they have been patched or not
Raw
rails-check.sh
for i in `find /data -maxdepth 1 -type d ! -name "monit.d" ! -name "nginx" ! -name "lost+found" ! -name "homedirs" ! -name "data"`;
do
appname=`echo ${i} | awk -F/ '{print $3}'`
version=''
if [ -f $i/current/Gemfile.lock ];
then
version=`egrep "^ *rails \([0-9\.]+\)" $i/current/Gemfile.lock | egrep -o "[0-9\.]+"`
else
version=`gem list | egrep -o "^rails \([^,\)]+" | egrep -o "[0-9\.]+"`
fi
if [[ $version != 3.2.11 && $version != 3.1.10 && $version != 3.0.19 && $version != 2.3.15 ]];
then
if [[ -d "$i/current/config/initializers" ]];
then
grep -q "ActiveSupport::XmlMini::PARSING.delete" $i/current/config/initializers/*
patched=$?
if [ $patched != 0 ];
then
echo -e "\033[31mApp: ${appname} - Rails Version: ${version} - Vulnerability Possible"
else
echo -e "\033[33mApp: ${appname} - Rails Version: ${version} - CVE-2013-0156 Looks to be patched"
fi
else
echo -e "\033[33mApp: ${appname} - Rails Version: ${version} - No Initializers dir, may not be a rails app"
fi
else
echo -e "\033[32mApp: ${appname} - Rails Version: ${version} - CVE-2013-0156 Patched"
fi
done
@emachnic
Copy link
Copy Markdown

emachnic commented Jan 10, 2013 

App: appboy - Rails Version: 3.2.11 - Vulnerability Possible
app_master i-4b1a9437 ~ #

Shouldn't 3.2.11 not throw a warning?

@jamez01
Copy link
Copy Markdown

jamez01 commented Jan 10, 2013 

 affected=0
if [[ $affected == 0 && $version < 2.3.15 ]]; then affected=1; fi
if [[ $affected == 0 && $version < 3.0.19 ]]; then affected=1; fi
if [[ $affected == 0 && $version < 3.1.10 ]]; then affected=1; fi
if [[ $affected == 0 && $version < 3.2.11 ]]; then affected=1; fi

It looks like this code will evaluate to affected if $version is < 3.2.11.

Maybe this should be changed to:

if [[ $version != 3.2.11 && $version != 3.1.10 && $version != 3.0.19 && $version != 2.3.15 ]]; then
  affected=1
else
  affected=0
fi

The above should mark affected == 1 if $version does not match any of the "non-effected" versions.

@omgitsads
Copy link
Copy Markdown
Author

omgitsads commented Jan 11, 2013

Patched and we dumped the affected variable

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment