Skip to content

Instantly share code, notes, and snippets.

@markpundsack
Forked from elliottkember/heroku-CVE-2013-0156.rb
Last active November 27, 2023 15:44
Show Gist options
  • Star 36 You must be signed in to star a gist
  • Fork 15 You must be signed in to fork a gist
  • Save markpundsack/4506402 to your computer and use it in GitHub Desktop.
Save markpundsack/4506402 to your computer and use it in GitHub Desktop.
Forked from https://gist.github.com/4489689 by elliottkember. CVE-2013-0156 is a nasty vulnerability in many versions of Rails. This script checks all your Heroku apps for this vulnerability in one quick (slow) move. More info: https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion
## The quick-and-nasty CVE-2013-0156 Heroku inspector!
## Originally brought to you by @elliottkember with changes by @markpundsack @ Heroku
## Download and run using:
## ruby heroku-CVE-2013-0156.rb
`heroku list`.split("\n").each do |app|
app = app.strip
# Some "heroku apps" lines have === formatting for grouping. They're not apps.
next if app[0..2] == "==="
# Some are appended by owner emails
app = app.split(" ")[0].to_s.strip
# Blank lines can be ommitted.
next if app == ""
rails_path = `heroku run bundle show rails --app #{app}`.split("\n")[-1]
rails_version_number = rails_path.split("rails-")[1]
rails_version_number = rails_version_number.strip unless rails_version_number.nil?
unless ["3.2.11", "3.1.10", "3.0.19", "2.3.15"].include?(rails_version_number) or rails_version_number.nil?
puts "Uh oh! #{app} has #{rails_version_number}."
else
puts "..."
end
end
@markpundsack
Copy link
Author

Thanks @aghilmort!

Copy link

ghost commented Jan 11, 2013

Thank you!

@ismaelga
Copy link

+1 Thanks!

@hayksaakian
Copy link

It would be nice if it also told you what version to use instead

@hayksaakian
Copy link

otherwise +1

@andreortiz82
Copy link

+1 Dig it!

@Vladimirusinov
Copy link

Thank you!

@tahse
Copy link

tahse commented Jan 18, 2013

@smholloway
Copy link

Great stuff! I was hoping to find a similar script for the recent Psych YAML issue on Heroku, but I couldn't. So, I created a simple YAML vulnerability checker: https://gist.github.com/smholloway/11001788. If there's a better version, please let me know.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment