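# frozen_string_literal: true

## The quick-and-nasty CVE-2013-0156 Heroku inspector!
## Originally brought to you by @elliottkember with changes by @markpundsack @ Heroku
## Download and run using:
## ruby heroku-CVE-2013-0156.rb
##
## For every app returned by `heroku list`, runs `bundle show rails` in the app
## via `heroku run`, reads the bundled Rails version off the gem path and sorts
## the app into "up to date", "VULNERABLE" or "unknown".

# Lowest release of each Rails series that ships the CVE-2013-0156 fix.
# Later releases in the same series, and anything newer than all of these,
# carry the fix too, so versions are compared rather than string-matched.
PATCHED_VERSIONS = %w[3.2.11 3.1.10 3.0.19 2.3.15].map { |v| Gem::Version.new(v) }.freeze

# Whether +version+ (a Gem::Version) is at or above the patched release of its
# own major.minor series, or newer than every patched release listed above.
def patched?(version)
  series = version.segments.first(2)
  floor = PATCHED_VERSIONS.find { |patched| patched.segments.first(2) == series }
  return version >= floor if floor

  # Unknown series (e.g. 4.x) is fixed only if it postdates every patched release;
  # anything older (e.g. 2.2.x) predates the fix.
  version > PATCHED_VERSIONS.max
end

# Asks the app which Rails gem is bundled and returns its version string, or
# nil when the output is empty or does not look like a rails-<version> path.
# The app name is passed as its own argv entry so it never reaches a shell.
def rails_version_for(app)
  command = ["heroku", "run", "bundle", "show", "rails", "--app", app]
  output = IO.popen(command, err: File::NULL, &:read)
  # The gem path is the last line of output; earlier lines are CLI chatter.
  last_line = output.to_s.lines.to_a.last.to_s.strip
  version = last_line[%r{rails-([^/\s]+)\z}, 1]
  version if version && Gem::Version.correct?(version)
end

app_listing = `heroku list 2> /dev/null`
unless $?.success?
  warn "Could not run `heroku list` -- is the Heroku CLI installed and are you logged in?"
  exit 1
end

apps = app_listing.split("\n").map do |line|
  line = line.strip
  # "=== ..." lines group the listing and blank lines separate groups; neither is an app.
  next if line.empty? || line.start_with?("===")

  # Some lines are followed by the owner's email; the app name is the first word.
  line.split(" ").first
end.compact

# An empty listing would otherwise be reported as "no vulnerable apps", which is
# false reassurance rather than a result.
abort "No apps were returned by `heroku list`; nothing to inspect." if apps.empty?

puts "Analyzing #{apps.size} apps "
vulnerable = []
unknown = []
up_to_date = []
apps.each do |app|
  version = rails_version_for(app)
  if version.nil?
    unknown << " #{app}"
  elsif patched?(Gem::Version.new(version))
    up_to_date << " #{app} has #{version}"
  else
    vulnerable << " #{app} has #{version}"
  end
  print "."
  STDOUT.flush
end
puts

if vulnerable.empty? && unknown.empty?
  puts "\nCongratulations! No vulnerable apps detected. The following are all good:"
  puts up_to_date.join("\n")
else
  unless up_to_date.empty?
    puts "\n#{up_to_date.size} good apps:\n "
    puts up_to_date.join("\n")
  end
  unless vulnerable.empty?
    puts "\n#{vulnerable.size} VULNERABLE apps:\n "
    puts vulnerable.join("\n")
    puts "\nPlease read: http://blog.heroku.com/archives/2013/1/11/rails_security_vulnerability/"
  end
  unless unknown.empty?
    puts "\n#{unknown.size} apps in an unknown state:\n "
    puts unknown.join("\n")
    puts "\nPerhaps they aren't running Rails? You should investigate them more closely"
  end
end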
A slightly longer version of the script that has much nicer output.