Forked from https://gist.github.com/4489689 by elliottkember. CVE-2013-0156 is a nasty vulnerability in many versions of Rails. This script checks all your Heroku apps for this vulnerability in one quick (slow) move. More info: https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion
## The quick-and-nasty CVE-2013-0156 Heroku inspector!
## Originally brought to you by @elliottkember with changes by @markpundsack @ Heroku
## Download and run using:
## ruby heroku-CVE-2013-0156.rb
## Needs a logged-in heroku CLI; one `heroku run` dyno is started per app, hence "slow".
`heroku list`.split("\n").each do |app|
  app = app.strip
  # Some "heroku apps" lines have === formatting for grouping. They're not apps.
  next if app[0..2] == "==="
  # Some are appended by owner emails
  app = app.split(" ")[0].to_s.strip
  # Blank lines can be omitted.
  next if app == ""
  # `bundle show rails` prints the gem's install path (.../gems/rails-X.Y.Z). The last
  # line is taken because `heroku run` prints its own status lines first.
  rails_path = `heroku run bundle show rails --app #{app}`.split("\n")[-1].to_s
  rails_version_number = rails_path.split("rails-")[1]
  rails_version_number = rails_version_number.strip unless rails_version_number.nil?
  # A nil version means no rails gem was found (or the dyno did not start); say so
  # instead of silently treating the app as safe.
  if rails_version_number.nil?
    puts "??? #{app}: could not determine Rails version"
  # Exact match against the first fixed release of each series, so anything newer
  # than these four is also reported as "Uh oh" and must be checked by hand.
  elsif ["3.2.11", "3.1.10", "3.0.19", "2.3.15"].include?(rails_version_number)
    puts "..."
  else
    puts "Uh oh! #{app} has #{rails_version_number}."
  end
end
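Because the gist shells out to the heroku CLI for every step, its version logic cannot be exercised without an account and a dyno per app. The following is an added example, not code from the gist or from Heroku: it factors the `heroku list` parsing and the version comparison into plain functions and runs them over constructed CLI output (the app names, e-mail addresses and bundle paths are made up; `CVE_2013_0156_FIXED`, `heroku_app_names`, `rails_version_from_bundle_show`, `cve_2013_0156_status` and `report` are names chosen here). It generalizes the gist's exact-match check with `Gem::Version`, so patch releases newer than the four in the advisory count as fixed and prereleases of a fixed version count as vulnerable.

```ruby
# Added example (not part of the gist): CVE-2013-0156 version logic, testable offline.
require "rubygems" # Gem::Version ships with Ruby

# First patched release of each affected Rails series, as listed in the upstream advisory.
CVE_2013_0156_FIXED = {
  "3.2" => "3.2.11",
  "3.1" => "3.1.10",
  "3.0" => "3.0.19",
  "2.3" => "2.3.15",
}.freeze

# Turn raw `heroku list` output into app names: drop "=== group" headers and blank
# lines, and keep only the first column (the rest is the owner e-mail).
def heroku_app_names(listing)
  listing.each_line.map(&:strip)
         .reject { |l| l.empty? || l.start_with?("===") }
         .map { |l| l.split(" ").first }
end

# Extract "X.Y.Z" from `heroku run bundle show rails` output. The last non-empty line
# is the gem's install path (.../gems/rails-X.Y.Z); returns nil when no such path is present.
def rails_version_from_bundle_show(output)
  last = output.lines.map(&:strip).reject(&:empty?).last.to_s
  m = last.match(%r{/rails-([0-9][^/\s]*)\z})
  m && m[1]
end

# :vulnerable, :patched, :unknown_series (no advisory data for this major.minor) or
# :unknown (version could not be read). Gem::Version orders 3.2.11.rc1 before 3.2.11
# and 3.2.12 after it, which a list of exact strings cannot do.
def cve_2013_0156_status(version)
  return :unknown if version.nil?
  series = version.split(".")[0, 2].join(".")
  fixed = CVE_2013_0156_FIXED[series]
  return :unknown_series if fixed.nil?
  Gem::Version.new(version) < Gem::Version.new(fixed) ? :vulnerable : :patched
end

# One [app, version, status] triple per app. The block stands in for `heroku run`
# so a real CLI call can be dropped in: report(`heroku list`) { |a| `heroku run bundle show rails --app #{a}` }
def report(listing)
  heroku_app_names(listing).map do |app|
    version = rails_version_from_bundle_show(yield(app))
    [app, version, cve_2013_0156_status(version)]
  end
end

# Constructed sample output; these apps, owners and paths are made up.
SAMPLE_LISTING = <<~EOS
  === My Apps
  shop-prod      owner@example.com
  shop-staging

  === Collaborated Apps
  legacy-api     someone@example.com
EOS

SAMPLE_BUNDLE_SHOW = {
  "shop-prod"    => "Running `bundle show rails` attached to terminal... up, run.1\n/app/vendor/bundle/ruby/1.9.1/gems/rails-3.2.11\n",
  "shop-staging" => "Running `bundle show rails` attached to terminal... up, run.2\n/app/vendor/bundle/ruby/1.9.1/gems/rails-3.2.8\n",
  "legacy-api"   => "Running `bundle show rails` attached to terminal... up, run.3\nCould not find gem 'rails'.\n",
}.freeze

if __FILE__ == $0
  report(SAMPLE_LISTING) { |app| SAMPLE_BUNDLE_SHOW[app] }.each do |app, version, status|
    puts format("%-14s %-10s %s", app, version || "-", status)
  end
end
```

Run as-is it prints the three sample rows (patched, vulnerable, unknown); to scan real apps, replace the block passed to `report` with the `heroku run` call shown in the comment. An app that reports `:unknown` still needs a manual look, since a dyno that fails to start produces the same result as an app with no Rails.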
@schneems
schneems commented Jan 11, 2013

❤️

@34code
34code commented Jan 11, 2013

ty for making it easier

@malachaifrazier
malachaifrazier commented Jan 11, 2013

Lovely!

@rodrigoalvesvieira
rodrigoalvesvieira commented Jan 11, 2013

Thanks 🆒

@mike-park
mike-park commented Jan 11, 2013

+1 thanks

@wwvuillemot
wwvuillemot commented Jan 11, 2013

If you are lazy, ahem, then try from your command-line to run

 curl https://gist.github.com/raw/4506402/aa4af289faf37f3403933f3ff24b203c0eb04838/heroku-CVE-2013-0156.rb | ruby

@markpundsack
Author

markpundsack commented Jan 11, 2013

Nice tip @wwvuillemot!

@markpundsack
Author

markpundsack commented Jan 11, 2013

I also turned this into a proper Heroku repo: https://github.com/heroku/heroku-CVE-2013-0156

@jdan
jdan commented Jan 11, 2013

👍 god's work, etc

@ethagnawl
ethagnawl commented Jan 11, 2013

@simlegate
simlegate commented Jan 11, 2013

Thanks!

@s2k
s2k commented Jan 11, 2013

Well done, thanks.

@temiyemi
temiyemi commented Jan 11, 2013

thanks!

@dinks
dinks commented Jan 11, 2013

👍

@macler
macler commented Jan 11, 2013

@eatbas
eatbas commented Jan 11, 2013

+1 thanks

@silasjmatson
silasjmatson commented Jan 11, 2013

+1 for the 'laziness', @wwvuillemot

@DotDotJames
DotDotJames commented Jan 11, 2013

Windows version forked to https://gist.github.com/4512454

P.S. includes curl equivalent inspired by @wwvuillemot

@markpundsack
Author

markpundsack commented Jan 11, 2013

Thanks @aghilmort!

ghost commented Jan 11, 2013

Thank you!

@ismaelga
ismaelga commented Jan 12, 2013

+1 Thanks!

@hayksaakian
hayksaakian commented Jan 15, 2013

It would be nice if it also told you what version to use instead

@hayksaakian
hayksaakian commented Jan 15, 2013

otherwise +1

@andreortiz82
andreortiz82 commented Jan 15, 2013

+1 Dig it!

@Vladimirusinov
Vladimirusinov commented Jan 15, 2013

Thank you!

@tahse
tahse commented Jan 18, 2013

@smholloway
smholloway commented Apr 17, 2014

Great stuff! I was hoping to find a similar script for the recent Psych YAML issue on Heroku, but I couldn't. So, I created a simple YAML vulnerability checker: https://gist.github.com/smholloway/11001788. If there's a better version, please let me know.
