@omgitsads
Last active December 10, 2015 22:38
Look for affected versions of rails, and if they have been patched or not
#!/bin/bash
# Walk every app directory under /data (skipping the non-app directories) and
# report whether its Rails version is one of the CVE-2013-0156 fixed releases.
for i in `find /data -maxdepth 1 -type d ! -name "monit.d" ! -name "nginx" ! -name "lost+found" ! -name "homedirs" ! -name "data"`;
do
  # /data/<appname> -> third field when split on "/"
  appname=`echo ${i} | awk -F/ '{print $3}'`
  version=''
  if [ -f "$i/current/Gemfile.lock" ];
  then
    # Bundler-managed app: read the pinned rails version from the lockfile
    version=`egrep "^ *rails \([0-9\.]+\)" "$i/current/Gemfile.lock" | egrep -o "[0-9\.]+"`
  else
    # otherwise fall back to the system-installed rails gem
    version=`gem list | egrep -o "^rails \([^,\)]+" | egrep -o "[0-9\.]+"`
  fi
  if [[ $version != 3.2.11 && $version != 3.1.10 && $version != 3.0.19 && $version != 2.3.15 ]];
  then
    if [[ -d "$i/current/config/initializers" ]];
    then
      # An unpatched version may still carry the XmlMini workaround initializer;
      # -s keeps grep quiet when the directory is empty.
      grep -qs "ActiveSupport::XmlMini::PARSING.delete" "$i"/current/config/initializers/*
      patched=$?
      if [ $patched != 0 ];
      then
        echo -e "\033[31mApp: ${appname} - Rails Version: ${version} - Vulnerability Possible\033[0m"
      else
        echo -e "\033[33mApp: ${appname} - Rails Version: ${version} - CVE-2013-0156 Looks to be patched\033[0m"
      fi
    else
      echo -e "\033[33mApp: ${appname} - Rails Version: ${version} - No Initializers dir, may not be a rails app\033[0m"
    fi
  else
    echo -e "\033[32mApp: ${appname} - Rails Version: ${version} - CVE-2013-0156 Patched\033[0m"
  fi
done
@emachnic

App: appboy - Rails Version: 3.2.11 - Vulnerability Possible
app_master i-4b1a9437 ~ #

Shouldn't 3.2.11 not throw a warning?

@jamez01

jamez01 commented Jan 10, 2013

affected=0
if [[ $affected == 0 && $version < 2.3.15 ]]; then affected=1; fi
if [[ $affected == 0 && $version < 3.0.19 ]]; then affected=1; fi
if [[ $affected == 0 && $version < 3.1.10 ]]; then affected=1; fi
if [[ $affected == 0 && $version < 3.2.11 ]]; then affected=1; fi

It looks like this code will evaluate to affected if $version is < 3.2.11.

Maybe this should be changed to:

if [[ $version != 3.2.11 && $version != 3.1.10 && $version != 3.0.19 && $version != 2.3.15 ]]; then
  affected=1
else
  affected=0
fi

The above should mark affected == 1 if $version does not match any of the "non-affected" versions.
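Added example, not code from omgitsads' gist or from either commenter: it performs the same two checks as the gist (the pinned Rails version in Gemfile.lock, and the presence of the ActiveSupport::XmlMini::PARSING.delete initializer), but compares the version numerically against the fixed release of its own branch rather than by the exact-match list from the gist or the `[[ $version < 3.2.11 ]]` form quoted above. The exact-match list reports any later patch release on a fixed branch (3.2.12, say) as vulnerable, and `<` inside `[[ ]]` is a string comparison, so "3.10.0" sorts before "3.2.11". The function names, the constructed Gemfile.lock fragment, the integer version key and the `unknown-branch` result for branches the gist lists no fix for are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not the gist's code. version_key, cve_2013_0156_status,
# has_xmlmini_workaround and SAMPLE_LOCK are names chosen for this example.

# Fixed releases for CVE-2013-0156 as listed in the gist, one per branch.
# Assumption: anything on the same branch at or above the fixed release is fixed.
FIXED_VERSIONS="2.3.15 3.0.19 3.1.10 3.2.11"

# Read a Gemfile.lock on stdin and print the rails version from its GEM spec line
# ("    rails (3.2.11)"); the DEPENDENCIES line "rails (= 3.2.11)" does not match.
rails_version_from_lock() {
  sed -n 's/^ *rails (\([0-9][0-9.]*\)).*$/\1/p' | head -n 1
}

# Map "3.2.11" to the integer 3002011 so versions compare numerically, not lexically.
# Assumption: at most three components, each below 1000 (true of every Rails release).
version_key() {
  printf '%s\n' "$1" | awk -F. '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}

# Print patched / vulnerable / unknown-branch / unknown for one Rails version string.
cve_2013_0156_status() {
  v="$1"
  if [ -z "$v" ]; then
    echo unknown
    return
  fi
  branch=$(printf '%s\n' "$v" | cut -d. -f1,2)
  for fixed in $FIXED_VERSIONS; do
    if [ "$(printf '%s\n' "$fixed" | cut -d. -f1,2)" = "$branch" ]; then
      if [ "$(version_key "$v")" -ge "$(version_key "$fixed")" ]; then
        echo patched
      else
        echo vulnerable
      fi
      return
    fi
  done
  # The gist names no fixed release for this branch, so leave it for manual review.
  echo unknown-branch
}

# The gist's second test: does any initializer in the directory carry the
# XmlMini workaround? -s keeps grep quiet when the glob matches nothing.
has_xmlmini_workaround() {
  grep -qs "ActiveSupport::XmlMini::PARSING.delete" "$1"/*
}

# Constructed Gemfile.lock fragment for the demo (not from any real application).
SAMPLE_LOCK='GEM
  remote: https://rubygems.org/
  specs:
    actionmailer (3.2.11)
    rails (3.2.11)
      actionmailer (= 3.2.11)

DEPENDENCIES
  rails (= 3.2.11)
'

# Demo: the locked version plus a few constructed ones on each side of the fixes.
locked=$(printf '%s\n' "$SAMPLE_LOCK" | rails_version_from_lock)
for v in "$locked" 3.2.10 3.2.12 3.1.10 2.3.14 2.2.3; do
  echo "rails $v: $(cve_2013_0156_status "$v")"
done
```

In a real sweep, feed each app's `current/Gemfile.lock` to `rails_version_from_lock`, pass the result to `cve_2013_0156_status`, and only consult `has_xmlmini_workaround` on the `current/config/initializers` directory when the status is `vulnerable`; treat `unknown` and `unknown-branch` as items to inspect by hand rather than as clean.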

@omgitsads (Author)

Patched and we dumped the affected variable
