Ruby security issues you should avoid

In order to make sure your Ruby on Rails application is secure, we can look at some Ruby security patterns (that you can enforce with Codacy today).

Most of these patterns come from Brakeman, a vulnerability scanner for Ruby on Rails applications.

Many of them pertain to OWASP Top 10 vulnerabilities, but many don’t (just because there’s a top 10 doesn’t mean that there isn’t a long tail you should care about).

OWASP Top 10

The OWASP Top 10 list is by far the one list of vulnerabilities that most people are concerned with; you shouldn’t stop there, of course, but you do have to start somewhere:

Injection

Injection is mostly associated with SQL, but it is a bit broader than that. Here are some patterns that identify SQL and command injection vulnerabilities:

Broken Authentication and Session Management

Knowing whether authentication has been implemented properly in an application can be tricky; still, here’s a simple way to check for that:

Cross-Site Scripting (XSS)

Cross-Site Scripting allows for scripts to be executed in the victim’s browser; it makes session hijacking possible, along with defacing a website or redirecting the user to a malicious website.

It’s such a common vulnerability that there are several patterns to deal with it:

Insecure Direct Object References

Direct object references can allow an attacker to access restricted information. An example of this is an unscoped find:
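The following is an added example, not code from the original post: it contrasts an unscoped lookup with one scoped to the record's owner. `Order`, `User`, `Relation` and the `show_*` methods are hypothetical names, and the in-memory relation is a constructed stand-in for ActiveRecord so the block runs without Rails. In a Rails controller the same contrast is `Order.find(params[:id])` against `current_user.orders.find(params[:id])`.

```ruby
# Constructed in-memory stand-in for an ActiveRecord model (assumption: runs without Rails).
# Order, User, Relation and the show_* methods are hypothetical names.
class RecordNotFound < StandardError; end

Order = Struct.new(:id, :user_id, :total)

# Mimics the two relation methods that matter here: where and find.
class Relation
  def initialize(rows)
    @rows = rows
  end

  def where(user_id:)
    Relation.new(@rows.select { |r| r.user_id == user_id })
  end

  def find(id)
    @rows.find { |r| r.id == Integer(id) } || raise(RecordNotFound, "Order #{id}")
  end
end

ORDERS = Relation.new([
  Order.new(1, 10, 25.0),   # constructed sample: belongs to user 10
  Order.new(2, 20, 990.0),  # constructed sample: belongs to user 20
])

User = Struct.new(:id) do
  # Equivalent of `has_many :orders`: a relation already limited to this user.
  def orders
    ORDERS.where(user_id: id)
  end
end

# Unscoped find: the id from the request is the only selector, so any
# authenticated user can read any order by changing params[:id].
def show_unscoped(_current_user, params)
  ORDERS.find(params[:id])
end

# Scoped find: the lookup goes through the owner's association, so another
# user's id raises RecordNotFound (Rails would render a 404).
def show_scoped(current_user, params)
  current_user.orders.find(params[:id])
end
```
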

Sensitive Data Exposure

Cross-Site Request Forgery (CSRF)

Unvalidated Redirects and Forwards

Other types of vulnerabilities

Other than top 10 vulnerabilities, there are of course many others.

DoS

There are, for instance, several ways of creating a denial of service; these are some patterns that protect us from just that:

Others

Codacy has almost 40 more patterns that check for vulnerabilities of all kinds, from JSON to XML, regexes and many more subjects:

Caveat

All that being said, a quote from Edsger Dijkstra comes to mind:

Program testing can be a very effective way to show the presence of bugs, but is hopelessly inadequate for showing their absence.

Just the same, running security tools can also be an effective way of showing the presence of vulnerabilities, but never assume that they’re showing their absence.

Related Reading: Review of Ruby Static Analysis Tools

How to check for these vulnerabilities

All of these patterns are integrated with Codacy, which means you can start using them right now.

