A common approach to modern Ruby on Rails development includes continuous integration checks, such as:
- Static code analysis (flog, rails_best_practices)
- Code style checkers, linters and formatters (Rubocop, Standard)
- Light security audits (Brakeman)
- Automated code review with Danger
- Pull Requests that are automatically deployed to separate test instances for manual verification (Heroku Review Apps)
But companies often put no constraints or policies on their dependencies. For a small team that is manageable, but as an engineering team grows, so does the chance that an unreviewed dependency change introduces a remote code execution (RCE) vulnerability. The bigger the engineering team, the bigger the problem.
We have seen multiple demonstrations of vulnerabilities introduced through a malicious or hijacked dependency. Because the injected code runs inside your build and your application with their privileges, these are classed as Remote Code Execution (RCE) vulnerabilities.
Here are just some examples of where this has occurred:
One of the main RubyGems committers has also openly admitted that RubyGems is far from safe, and showed at a RubyKaigi conference how a Ruby gem can be taken over.
In light of this, we looked for tools that help manage dependencies and guard against hard-to-notice RCE attacks that could leak private keys and other secrets.
In general, do not update dependencies blindly: at the very least, read the CHANGELOG to understand the possible impact of an update.
We have adopted Dependabot in all our projects. It is free to use and takes little effort to set up. It:
- automatically opens a Pull Request for any dependency with a known security issue as soon as a fixed version is available. A security fix is then one click away: review the diff and changelog it includes, then hit the ‘merge’ button.
- routinely updates your other dependencies on the schedule you configure. Each update Pull Request comes with a useful summary in its description, including the changelog and the code diff.
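As an added example (not from the original post), this is the kind of `.github/dependabot.yml` we mean by "configuration settings": weekly Bundler version updates, capped at five open Pull Requests, with major Rails bumps excluded so they get a deliberate upgrade instead of a routine one. The interval, limit and the Rails rule are assumptions chosen for the illustration. Dependabot security updates are switched on in the repository's security settings; this file configures the routine version updates.

```yaml
# .github/dependabot.yml (added example, not the original project's file)
version: 2
updates:
  - package-ecosystem: "bundler"   # Gemfile / Gemfile.lock
    directory: "/"                 # location of the Gemfile
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
    ignore:
      # Major Rails upgrades need a planned migration, not an automatic PR.
      - dependency-name: "rails"
        update-types: ["version-update:semver-major"]
```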
This little utility deserves to be part of Bundler itself, but unfortunately it is not there yet. Gemfilelint checks the sources listed in your Gemfile against the trusted sources commonly used with RubyGems, so that your codebase does not end up with an RCE vulnerability because of typos in your
StrongVersion is a gem that enforces a strict version policy for your Gemfile. It helps with the maintainability of a project, saving you from dependency hell in the future, and it also prevents accidental gem updates.
It can be integrated into your CI pipeline and used in automated code review, which enforces dependency policies across a whole team.
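To make the two checks concrete, here is an added example (our own illustration, not the implementation or rule set of gemfilelint or StrongVersion) that covers both passages above: it evaluates a Gemfile with a small stand-in for Bundler's DSL, reports any `source` outside a trusted allow-list (catching the one-character typo gemfilelint is meant for), and reports any gem whose version requirement has no `~>` or `=` clause (the kind of strict policy StrongVersion enforces). The trusted-source list, the strictness rule, the skipping of git/path dependencies and the sample Gemfile are all assumptions made for the example.

```ruby
# Added example: a Gemfile policy check in the spirit of gemfilelint and
# StrongVersion. Hand-written illustration, not either gem's own code.
require "rubygems"

# Sources we accept (assumption for this example). Anything else, including a
# one-character typo of the real host, is a finding.
TRUSTED_SOURCES = ["https://rubygems.org"].freeze

# Minimal stand-in for Bundler's Gemfile DSL. It records source/gem calls,
# descends into group/platforms blocks and ignores every other directive.
# It runs the Gemfile with instance_eval, so only use it on Gemfiles you
# would already run `bundle install` against.
class GemfileCollector
  Dep = Struct.new(:name, :requirement, :options)

  attr_reader :sources, :deps

  def initialize
    @sources = []
    @deps = []
  end

  def source(url = nil)
    @sources << url.to_s if url
    yield if block_given?
  end

  def gem(name, *args)
    options = args.last.is_a?(Hash) ? args.pop : {}
    # Gem::Requirement parses "~> 7.0", ">= 2.2", ...; no version means ">= 0".
    @deps << Dep.new(name, Gem::Requirement.new(args), options)
  end

  def group(*_names)
    yield
  end
  alias platforms group

  # Other directives (ruby, gemspec, git_source, ...) do not affect this check.
  def method_missing(*); end

  def respond_to_missing?(*)
    true
  end
end

# A requirement counts as strict when some clause caps it with "~>" or "=",
# so "~> 7.0, >= 7.0.4" passes. Unversioned gems (">= 0") and open-ended
# ranges (">= 2.2") do not.
def strict?(requirement)
  requirement.requirements.any? { |op, _version| %w[~> =].include?(op) }
end

# Returns human-readable findings; an empty list means the policy passes.
def lint_gemfile(text)
  collector = GemfileCollector.new
  collector.instance_eval(text)

  findings = []
  collector.sources.each do |src|
    findings << "untrusted source: #{src}" unless TRUSTED_SOURCES.include?(src)
  end
  collector.deps.each do |dep|
    # git/path dependencies are pinned by ref or checkout, not by version
    # (assumption of this example).
    next if dep.options[:git] || dep.options[:github] || dep.options[:path]
    next if strict?(dep.requirement)

    findings << "loose version for #{dep.name}: #{dep.requirement}"
  end
  findings
end

# Exit status for a CI step: 0 when clean, 1 when there are findings.
def lint_status(text)
  lint_gemfile(text).empty? ? 0 : 1
end

# Constructed sample Gemfile for the demo (not a real project's Gemfile).
SAMPLE_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  source "https://rubygems.ogr"   # typo: one character off the real host

  ruby "3.2.2"

  gem "rails", "~> 7.0.4"
  gem "pg", "~> 1.4", require: false
  gem "puma"                      # no version at all
  gem "rack", ">= 2.2"            # open-ended range
  gem "internal_tool", git: "https://github.com/example/internal_tool.git", tag: "v1.0.0"

  group :test do
    gem "rspec-rails", "~> 6.0"
  end
GEMFILE

if __FILE__ == $PROGRAM_NAME
  lint_gemfile(SAMPLE_GEMFILE).each { |finding| puts finding }
  puts "exit status: #{lint_status(SAMPLE_GEMFILE)}"
end
```

Run against the sample it reports the typo'd source and the two loosely pinned gems (`puma`, `rack`) and nothing else; wired into CI as a step that exits with `lint_status`, it fails the build before an unpinned or mistyped dependency reaches a review app.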
So, if you are a small team, it is worth keeping an eye on your dependencies manually. In a bigger team there is a greater chance that something slips through unchecked, and a tool that manages dependencies automatically gives the entire team peace of mind.