In order to make sure your Ruby on Rails application is secure, we can look at some Ruby security patterns (that you can enforce with Codacy today).
Most of these patterns come from Brakeman, a vulnerability scanner for Ruby on Rails applications.
Many of them pertain OWASP top 10 vulnerabilities, but many don’t (just because there’s a top 10 doesn’t mean that there isn’t a long tail you shouldn’t care about).
OWASP Top 10
The OWASP Top 10 list is by far the one list of vulnerabilities that most people are concerned with; you shouldn’t stop there, of course, but you do have to start somewhere:
Injection
Injection is mostly associated with SQL, but it is a bit broader than that. Here are some patterns that identify SQL and command injection vulnerabilities:
- Prohibits instances of command injection
- Prohibits SQL injection vulnerabilities
- Prohibits quote_table_name vulnerability
- Prohibits several SQL CVEs
Broken Authentication and Session Management
For an application to know whether authentication has been implemented properly can be tricky; still, here’s a simple way to check for that:
- Prohibits storing password in controller
Cross-Site Scripting (XSS)
Cross-Site Scripting allows for scripts to be executed in the victim’s browser; it makes session hijacking possible, along with defacing a website or redirecting the user to a malicious website.
It’s such a common vulnerability that there are several patterns to deal with it:
- Prohibits Cross Site Scripting in i18n
- Prohibits mail_to XSS vulnerability
- Prohibits simple_format XSS vulnerability
- Prohibits XSS in link_to
- Prohibits XSS vulnerability in translate
- Prohibits cross-site scripting in render calls
Insecure Direct Object References
Direct object references can allow an attacker to access restricted information. An example of this is an unscoped find:
- Prohibits unscoped ActiveRecord queries
Sensitive Data Exposure
- Prohibits unauthorized file access
- Prohibits unauthorized file access with user input
Cross-Site Request Forgery (CSRF)
- Prohibits skipping CSRF or authentication checks
Unvalidated Redirects and Forwards
- Prohibits redirect_to with user input arguments
Other types of vulnerabilities
Other than top 10 vulnerabilities, there are of course many others.
DoS
There are, for instance, several ways of creating a denial of service; these are some patterns that protect us from just that:
- Prohibits Active Record symbol DoS
- Prohibits header DoS
- Prohibits symbol DoS vulnerabilities
- Prohibits XML denial of service
- Prohibits digest authentication DoS
- Prohibits denial of service with render
Others
Codacy has almost 40 more patterns that check for vulnerabilities of all kinds, from JSON to XML, passing regexes and many more subjects:
- Enforces hrefs sanitized with :url_safe_method
- Enforces protect_from_forgery enabled
- Eval Usage — Rubocop
- Prohibits dangerous attributes in attr_accessible whitelist
- Prohibits default routes
- Prohibits disclosure vulnerability
- Prohibits evaluation of user input
- Prohibits filter skipping vulnerabilities
- Prohibits information disclosure via exceptions
- Prohibits JRuby XML parsing backend
- Prohibits JSON parsing vulnerabilities
- Prohibits mass assignments to models
- Prohibits missing JSON encoding
- Prohibits models vulnerabilities
- Prohibits nested attributes vulnerability
- Prohibits OpenSSL::SSL::VERIFY_NONE
- Prohibits response splitting
- Prohibits strip_tags vulnerabilities
- Prohibits strong params bypass
- Prohibits unescaped output in views
- Prohibits unescaped values in content_tag
- Prohibits unsafe deserialization of objects
- Prohibits unsafe Object#send
- Prohibits unsafe reflection
- Prohibits unsafe regexes
- Prohibits unsafe select()
- Prohibits unsafe select_tag()
- Prohibits unsafe session key and http_only
- Prohibits unsafe validates_format_of
- Prohibits use of serialize in vulnerable versions
- Prohibits using without_protection
- Prohibits versions not escaping single quotes
- Prohibits versions with SafeBuffer bug
- Prohibits vulnerable escape method
- Prohibits vulnerable sanitize and sanitize_css
- Prohibits YAML parsing vulnerabilities
Caveat
All that being said, a quote from Edsger Dijkstra comes to mind:
Program testing can be a very effective way to show the presence of bugs, but is hopelessly inadequate for showing their absence.
Just the same, running security tools can also be an effective way of showing the presence of vulnerabilities, but never assume that they’re showing their absence.
Related Reading: Review of Ruby Static Analysis Tools
How to check for these vulnerabilities
All of these patterns are integrated with Codacy, which means you can start using them right now.
Edit: We just published an ebook: “The Ultimate Guide to Code Review” based on a survey of 680+ developers. Enjoy!
About Codacy
Codacy is used by thousands of developers to analyze billions of lines of code every day!
Getting started is easy – and free! Just use your GitHub, Bitbucket or Google account to sign up.
