From 6097ed327eedc088db940046db88b010c7f114f4 Mon Sep 17 00:00:00 2001
From: Al Snow <43523+jasnow@users.noreply.github.com>
Date: Mon, 1 Jun 2026 11:26:07 -0400
Subject: [PATCH] Add "double reported" advisory check
---
 gems/yard/CVE-2026-41493.yml | 3 ++-
 gems/yard/GHSA-3jfp-46x4-xgfj.yml | 37 -------------------------------
 spec/advisories_spec.rb | 9 ++++++++
 spec/advisory_dir_example.rb | 27 ++++++++++++++++++++++
 4 files changed, 38 insertions(+), 38 deletions(-)
 delete mode 100644 gems/yard/GHSA-3jfp-46x4-xgfj.yml
 create mode 100644 spec/advisory_dir_example.rb
diff --git a/gems/yard/CVE-2026-41493.yml b/gems/yard/CVE-2026-41493.yml
index e22a42d015..442800611f 100644
--- a/gems/yard/CVE-2026-41493.yml
+++ b/gems/yard/CVE-2026-41493.yml
@@ -2,7 +2,7 @@
 gem: yard
 cve: 2026-41493
 ghsa: 3jfp-46x4-xgfj
-url: https://github.com/lsegal/yard/security/advisories/GHSA-3jfp-46x4-xgfj
+url: https://nvd.nist.gov/vuln/detail/CVE-2026-41493
 title: Possible arbitrary path traversal and file access via yard server
 date: 2026-04-17
 description: |
@@ -37,6 +37,7 @@ related:
 url:
 - https://nvd.nist.gov/vuln/detail/CVE-2026-41493
 - https://github.com/lsegal/yard/releases/tag/v0.9.42
+ - https://my.diffend.io/gems/yard/0.9.41/0.9.42
 - https://github.com/lsegal/yard/security/advisories/GHSA-3jfp-46x4-xgfj
 - https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr
 - https://github.com/advisories/GHSA-3jfp-46x4-xgfj
diff --git a/gems/yard/GHSA-3jfp-46x4-xgfj.yml b/gems/yard/GHSA-3jfp-46x4-xgfj.yml
deleted file mode 100644
index 698faf9483..0000000000
--- a/gems/yard/GHSA-3jfp-46x4-xgfj.yml
+++ /dev/null
@@ -1,37 +0,0 @@
----
-gem: yard
-ghsa: 3jfp-46x4-xgfj
-url: https://github.com/lsegal/yard/security/advisories/GHSA-3jfp-46x4-xgfj
-title: yard - Possible arbitrary path traversal and file access via yard server
-date: 2026-04-17
-description: |
- ### Impact
-
- A path traversal vulnerability was discovered in YARD <= 0.9.41 when
- using yard server to serve documentation. This bug would allow
- unsanitized HTTP requests to access arbitrary files on the machine
- of a yard server host under certain conditions.
-
- The original patch in [GHSA-xfhh-rx56-rxcr](https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr)
- was incorrectly applied.
-
- ### Patches
-
- Please upgrade to YARD v0.9.42 immediately if you are relying on yard
- server to host documentation in any untrusted environments without
- WEBrick and rely on `--docroot`.
-
- ### Workarounds
-
- For users who cannot upgrade, it is possible to perform path sanitization
- of HTTP requests at your webserver level. WEBrick, for example, can
- perform such sanitization by default (which you can use via yard
- server -s webrick), as can certain rules in your webserver configuration.
-patched_versions:
- - ">= 0.9.42"
-related:
- url:
- - https://my.diffend.io/gems/yard/0.9.41/0.9.42
- - https://github.com/lsegal/yard/security/advisories/GHSA-3jfp-46x4-xgfj
- - https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr
- - https://github.com/advisories/GHSA-3jfp-46x4-xgfj
diff --git a/spec/advisories_spec.rb b/spec/advisories_spec.rb
index f8d8229734..27550788a9 100644
--- a/spec/advisories_spec.rb
+++ b/spec/advisories_spec.rb
@@ -1,12 +1,17 @@
 require 'spec_helper'
 require 'gem_advisory_example'
 require 'ruby_advisory_example'
+require 'advisory_dir_example'
 describe "gems" do
 Dir.glob(File.join(ROOT,'gems/*/*')) do |path|
 include_examples 'Gem Advisory', path
 end
+ Dir.glob(File.join(File.dirname(__FILE__), '../gems/*')) do |dir|
+ include_examples 'Advisory Directory', dir
+ end
+
 let(:dir) { File.join(ROOT,'gems') }
 let(:advisory_dirs) { Dir.glob('*', base: dir) }
@@ -31,4 +36,8 @@
 Dir.glob(File.join(ROOT, 'rubies/*/*')) do |path|
 include_examples 'Rubies Advisory', path
 end
+
+ Dir.glob(File.join(File.dirname(__FILE__), '../rubies/*')) do |dir|
+ include_examples 'Advisory Directory', dir
+ end
 end
diff --git a/spec/advisory_dir_example.rb b/spec/advisory_dir_example.rb
new file mode 100644
index 0000000000..8ab8fee9e5
--- /dev/null
+++ b/spec/advisory_dir_example.rb
@@ -0,0 +1,27 @@
+require 'rspec'
+require 'date'
+
+shared_examples_for "Advisory Directory" do |dir|
+ describe dir do
+ let(:advisory_paths) { Dir.glob(File.join(dir,'*.yml')) }
+ let(:advisories) do
+ advisory_paths.map do |path|
+ YAML.safe_load_file(path, permitted_classes: [Date])
+ end
+ end
+
+ it "must not contain duplicate CVE IDs" do
+ cve_ids = advisories.map { |advisory| advisory['cve'] }
+ cve_ids.compact!
+
+ expect(cve_ids).to eq(cve_ids.uniq)
+ end
+
+ it "must not contain duplicate GHSA IDs" do
+ ghsa_ids = advisories.map { |advisory| advisory['ghsa'] }.compact
+ ghsa_ids.compact!
+
+ expect(ghsa_ids).to eq(ghsa_ids.uniq)
+ end
+ end
+end
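Review bot: The new directory globs are built from `File.dirname(__FILE__), '../gems/*'` while the existing globs two lines above and the `let(:dir)` just below derive the same location from `ROOT`; both resolve identically only as long as spec/ sits directly under the repository root, so the added lines should read `Dir.glob(File.join(ROOT, 'gems/*')) do |dir|` here and `File.join(ROOT, 'rubies/*')` in the second hunk of this file. The block parameter `dir` also shadows the `let(:dir)` helper defined in the same `describe "gems"` block, which is legal but confusing to read; a name such as `advisory_dir` avoids the collision. Neither glob excludes non-directory entries, which is harmless today but a `next unless File.directory?(dir)` guard would make the intent explicit. The `describe "gems"` block opened in the first hunk continues past it and encloses the second hunk, whose start is outside this view.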
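Review bot: The new shared example calls `YAML.safe_load_file` but the file only requires `rspec` and `date`, so it resolves the `YAML` constant only if `spec_helper` (outside this diff) has already loaded Psych; add `require 'yaml'` next to `require 'date'` so the example is self-contained, and keeping `safe_load_file` with `permitted_classes: [Date]` is the right choice for files contributed through pull requests. In the GHSA example `.compact` is already applied on the `map` line, so the following `ghsa_ids.compact!` is redundant and the two examples now use different forms for the same step; pick one. The `eq(ids.uniq)` assertion only reports that two arrays differ, so a failure does not name the doubly reported ID; `duplicates = ids.tally.select { |_, count| count > 1 }.keys` followed by `expect(duplicates).to be_empty` prints exactly the offending identifiers. Note that the check is scoped to one directory, so the same CVE filed under two different gem directories is not detected by it, which is presumably intended.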