Forked from elliottkember/heroku-CVE-2013-0156.rb
Last active
November 27, 2023 15:44
-
-
Save markpundsack/4506402 to your computer and use it in GitHub Desktop.
Forked from https://gist.github.com/4489689 by elliottkember. CVE-2013-0156 is a nasty vulnerability in many versions of Rails. This script checks all your Heroku apps for this vulnerability in one quick (slow) move. More info: https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
## The quick-and-nasty CVE-2013-0156 Heroku inspector! | |
## Originally brought to you by @elliottkember with changes by @markpundsack @ Heroku | |
## Download and run using: | |
## ruby heroku-CVE-2013-0156.rb | |
`heroku list`.split("\n").each do |app| | |
app = app.strip | |
# Some "heroku apps" lines have === formatting for grouping. They're not apps. | |
next if app[0..2] == "===" | |
# Some are appended by owner emails | |
app = app.split(" ")[0].to_s.strip | |
# Blank lines can be ommitted. | |
next if app == "" | |
rails_path = `heroku run bundle show rails --app #{app}`.split("\n")[-1] | |
rails_version_number = rails_path.split("rails-")[1] | |
rails_version_number = rails_version_number.strip unless rails_version_number.nil? | |
unless ["3.2.11", "3.1.10", "3.0.19", "2.3.15"].include?(rails_version_number) or rails_version_number.nil? | |
puts "Uh oh! #{app} has #{rails_version_number}." | |
else | |
puts "..." | |
end | |
end |
Thanks @aghilmort!
Thank you!
+1 Thanks!
It would be nice if it also told you what version to use instead
otherwise +1
+1 Dig it!
Thank you!
+1, @wwvuillemot!
Great stuff! I was hoping to find a similar script for the recent Psych YAML issue on Heroku, but I couldn't. So, I created a simple YAML vulnerability checker: https://gist.github.com/smholloway/11001788. If there's a better version, please let me know.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Windows version forked to https://gist.github.com/4512454
P.S. includes curl equivalent inspired by @wwvuillemot