Title: Paratrooper-newrelic 1.0.1 Ruby Gem exposes API key

Author: Larry W. Cashdollar, @_larry0

CVE: 2014-1234

Download: http://rubygems.org/gems/paratrooper-newrelic

Description: "Send deploy notifications to Newrelic service when deploying with Paratrooper."

Vulnerable Code:

From paratrooper-newrelic-1.0.1/lib/paratrooper-newrelic.rb:

lines 25 and 29 expose the API key to the command line where a malicious user can monitor the process tree and steal the login credentials.

 24       def setup(options = {})
 25         %x[curl https://heroku.newrelic.com/accounts/#{account_id}/applications/#{application_id}/ping_targets/disable -X POST -H "X-Api-Key: {api_key}    "]  
 26       end
 27   
 28       def teardown(options = {})
 29         %x[curl https://heroku.newrelic.com/accounts/#{account_id}/applications/#{application_id}/ping_targets/enable -X POST -H "X-Api-Key: #{api_key}"    ]
 30       end