In this chapter we will learn about discovering vulnerable gem versions in a
Rails application and how to fix them. The following content is only for
example purposes and need not be added to granite.
From time to time, security vulnerabilities are discovered in published
software. For Ruby, RubySec maintains ruby-advisory-db, a database of known
vulnerabilities in published gems. Each advisory is a plain-text YAML file that
names the gem and the version ranges that are patched or unaffected.
If we want to know whether our Ruby application is using a vulnerable version
of any gem, we should scan the exact versions locked in our Gemfile.lock against
this database. This is exactly what bundler-audit does.
bundler-audit is a utility program which reads an application's Gemfile.lock,
looks up each locked gem version in ruby-advisory-db, and reports every
advisory whose patched or unaffected version ranges the locked version does not
satisfy. It also warns if the lockfile pulls gems from an insecure source (a
plain http or git URI).
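To make the scan concrete, here is an added example in plain Ruby. It is not bundler-audit's own code and not part of the original chapter: it pulls the locked versions out of a constructed Gemfile.lock, loads three constructed advisories written with ruby-advisory-db's keys, and applies bundler-audit's rule that a locked version is vulnerable unless it falls inside one of the advisory's unaffected_versions or patched_versions ranges. The lockfile, the advisories and the helper names are all assumptions made for the example, and the advisories describe no real vulnerability.

```ruby
require "yaml"

# Added example, not bundler-audit's own code: a minimal scan of a Gemfile.lock
# against advisories in the ruby-advisory-db format, to show what bundler-audit
# does under the hood. Both inputs below are constructed for the example.

# Constructed Gemfile.lock in the layout Bundler writes. Only the four-space
# lines under "specs:" are locked versions; the six-space lines are the
# constraints those gems declare on their own dependencies.
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (5.2.1)
        rack (~> 2.0)
      nokogiri (1.10.4-x86_64-linux)
      rack (2.0.5)

  PLATFORMS
    ruby

  DEPENDENCIES
    actionpack
    nokogiri
LOCK

# Constructed advisories using ruby-advisory-db's keys (gem, title,
# unaffected_versions, patched_versions). In the real database each advisory
# is its own YAML file under gems/<name>/ and carries a CVE or GHSA id; these
# placeholders describe no real vulnerability.
ADVISORIES = <<~YAML
  ---
  gem: actionpack
  title: constructed example advisory (not a real vulnerability)
  patched_versions:
    - "~> 5.1.6.1"
    - ">= 5.2.1.1"
  ---
  gem: rack
  title: constructed example advisory (not a real vulnerability)
  unaffected_versions:
    - "< 2.0.0"
  patched_versions:
    - ">= 2.0.6"
  ---
  gem: nokogiri
  title: constructed example advisory (not a real vulnerability)
  patched_versions:
    - ">= 1.10.4"
YAML

# Parse the locked (name, version) pairs. The version is the part before any
# "-platform" suffix, as in Bundler's own lockfile regex. (bundler-audit uses
# Bundler::LockfileParser for this step.)
def locked_specs(lockfile_text)
  lockfile_text.each_line.map do |line|
    m = line.match(/\A {4}(\S+) \(([^-)]+)(?:-[^)]+)?\)\s*\z/)
    m && [m[1], m[2]]
  end.compact
end

# One YAML document per advisory, so load the whole stream.
def load_advisories(yaml_text)
  YAML.load_stream(yaml_text)
end

# bundler-audit's rule: a locked version is vulnerable unless it satisfies one
# of the advisory's unaffected_versions or patched_versions requirements.
def vulnerable?(advisory, version)
  version = Gem::Version.new(version.to_s)
  safe = Array(advisory["unaffected_versions"]) + Array(advisory["patched_versions"])
  safe.none? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
end

# Scan the exact versions pinned in Gemfile.lock (not the ranges in Gemfile)
# and return one finding per (gem, advisory) pair that applies.
def scan_lockfile(lockfile_text, advisories)
  by_gem = advisories.group_by { |adv| adv["gem"] }
  locked_specs(lockfile_text).flat_map do |name, version|
    applicable = by_gem.fetch(name, []).select { |adv| vulnerable?(adv, version) }
    applicable.map do |adv|
      { name: name, version: version, title: adv["title"],
        solution: "upgrade to #{Array(adv["patched_versions"]).join(", ")}" }
    end
  end
end

# bundle-audit exits 1 when anything is found, which is what makes a CI step fail.
def audit_status(findings)
  findings.empty? ? 0 : 1
end

if __FILE__ == $PROGRAM_NAME
  findings = scan_lockfile(LOCKFILE, load_advisories(ADVISORIES))
  findings.each do |f|
    puts "Name: #{f[:name]}", "Version: #{f[:version]}",
         "Title: #{f[:title]}", "Solution: #{f[:solution]}", ""
  end
  puts(findings.empty? ? "No vulnerabilities found" : "Vulnerabilities found!")
end
```

Run with ruby and it prints one Name/Version/Title/Solution block per finding, in the shape of bundle-audit's report: actionpack and rack are reported, nokogiri is not, because 1.10.4 satisfies the patched range >= 1.10.4 (the boundary is inclusive, so a gem at exactly the patched version is clean). The comparison uses the exact version from Gemfile.lock with the platform suffix stripped. Two things bundler-audit does that this example skips are the insecure-source check and reading the advisories from the local clone of ruby-advisory-db rather than from an inline string.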
Installing the bundler-audit gem
For granite we do not need to install this gem. But if we were to install it,
we would add the following lines to our Gemfile:
The bundle-audit command shown below is mentioned only to illustrate how
auditing works, so there is no need to run it while following this book.
bundler-audit itself only reports; it never modifies Gemfile.lock. The risk is
in acting on its findings: upgrading the gems it flags would change gem
versions that later chapters depend on, and could introduce version-specific
issues throughout the flow of the book.
Once the gem is installed, Bundler picks up its bundle-audit executable as the
subcommand bundle audit, so we can run the check with:
This scan was run on a project, and we can see that one vulnerability is found.
bundler-audit ships with a copy of the Ruby Advisory DB that was current when
that version of the gem was released, and it can clone a fresh copy to the
local machine. A scan only knows about the advisories in the copy it reads, so
we should always run it against the latest copy of the Ruby Advisory DB.
To update our local copy of the Ruby Advisory DB, we should execute the
following command:
Note that bundle audit update does not perform any audit. It only clones (or
pulls) ruby-advisory-db to the local machine, so that the next audit is
performed against this updated copy.
Every time we want to do a scan we need to do two things.
- Update the local Ruby Advisory DB
- Run the audit
Both of these operations can be combined into a single command:
Running audit as part of CI
Who is going to run this audit on a regular basis? The best way is to run it
as part of CI, so that it happens on every build rather than only when someone
remembers to. That is why bundle-audit --update is in the CI config file for
Wheel.
Let's say that at 10 AM all our tests were passing. Then at 10:05 AM a newly
reported vulnerability in one of our locked gems was added to the Ruby Advisory
DB. Any CI run after 10:05 AM will fail the audit check, even though our code
did not change. That is the intended behaviour: the build is telling us that a
dependency now needs attention. If an advisory genuinely does not apply to how
we use the gem, bundle-audit's --ignore option lets us skip that specific
advisory by its identifier instead of switching the check off, which keeps the
exception visible in the CI config.
Here is what we see in the console for a recent run:
In this case two gems, actionpack and rack, are found to be vulnerable. For
each finding the report also prints the solution, namely the patched versions
to upgrade to. Upgrading those gems and re-running the audit to confirm the
lockfile is clean fixes the failure.
There is nothing to commit in this chapter, since all we did was understand
how bundler-audit is used.