Another Round of Security Monitor Updates
A couple weeks ago, we rolled out a new version of Security Monitor. The latest version has more checks, removes some duplicate warnings, produces less false positives, and has more code coverage than the previous version. Here’s a more detailed breakdown:
Additional Checks
- In addition to unsafe YAML de-serialization, you will now also be warned about unsafe calls to `CSV.load` and `Marshal.load`.
Removed Duplicate Warnings
- In certain cases, warnings were being generated for every reference to the same unsafe code, and not just the original vulnerability. These duplicate warnings – for checks to dangerous `send`s, unsafe Ruby reflection (aka unsafe `constantize` calls) and symbol Denial of Service attacks – have been removed.
Fewer False Positives
- Security Monitor no longer warns on safe calls to `Model#id` or `Model#to_json`, such as when your Rails configuration specifies that JSON should be escaped.
More Code Coverage
- Now handles some nested classes (previously all of them were ignored)
- Handles stabby lambdas with no arguments, such as:

```ruby
-> { # ruby code }
```

- Handles block argument destructuring, such as:

```ruby
your_method_call do |arg_a, (arg_b, arg_c)|
  # do something
end
```
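To make the new checks concrete, here is a small scanner, added for this post and not part of Security Monitor's own code base, that does what the "Additional Checks" and "More Code Coverage" sections describe: it parses Ruby with the standard library's Ripper, flags every `YAML.load`, `CSV.load` and `Marshal.load` call site once (de-duplicated by location), and finds them inside nested classes, argument-less stabby lambdas and destructured block arguments. The sample source it scans is constructed for the example; `UNSAFE_LOADERS`, `find_unsafe_loads` and `Finding` are names chosen here.

```ruby
require 'ripper'

# Receivers whose +load+ method deserialises arbitrary objects from a string
# and should therefore never be fed untrusted input. These are the three
# loaders the post mentions; the list is easy to extend.
UNSAFE_LOADERS = %w[YAML CSV Marshal].freeze

# Sample source to scan (constructed for this example). It exercises the
# constructs the post says are now covered: a nested class, a stabby lambda
# without arguments, and destructured block arguments.
SAMPLE_SOURCE = <<~'RUBY'
  module Importer
    class Outer
      class Inner
        def restore(blob)
          Marshal.load(blob)          # unsafe: rebuilds an arbitrary object graph
        end
      end
    end

    PARSE = -> { YAML.load(File.read("cfg.yml")) }   # unsafe, inside a lambda

    def self.ingest(rows)
      rows.each do |name, (payload, format)|
        CSV.load(payload)             # unsafe, inside a destructured block
        JSON.parse(payload)           # safe: JSON only builds plain data
        YAML.safe_load(payload)       # safe: no arbitrary classes by default
      end
    end
  end
RUBY

Finding = Struct.new(:receiver, :method, :line, :column) do
  def to_s
    "#{line}:#{column} unsafe deserialisation: #{receiver}.#{method}"
  end
end

# Returns the constant name of a call receiver such as `Marshal` or
# `::Marshal`, or nil when the receiver is not a bare constant.
def const_name(receiver)
  return nil unless receiver.is_a?(Array)
  case receiver[0]
  when :var_ref, :top_const_ref
    receiver[1][0] == :@const ? receiver[1][1] : nil
  end
end

# True for a :call / :command_call node of the form <UnsafeConst>.load(...)
def unsafe_call?(node)
  ident = node[3]
  ident.is_a?(Array) && ident[0] == :@ident && ident[1] == "load" &&
    UNSAFE_LOADERS.include?(const_name(node[1]))
end

# Walk the Ripper S-expression depth-first and collect every unsafe load.
# Handles both `Marshal.load(x)` (:call) and `Marshal.load x` (:command_call).
def find_unsafe_loads(source)
  sexp = Ripper.sexp(source)
  raise ArgumentError, "source does not parse" if sexp.nil?

  findings = []
  walk = lambda do |node|
    next unless node.is_a?(Array)
    if (node[0] == :call || node[0] == :command_call) && unsafe_call?(node)
      name, (line, col) = node[3][1], node[3][2]
      findings << Finding.new(const_name(node[1]), name, line, col)
    end
    node.each { |child| walk.call(child) }
  end
  walk.call(sexp)
  # One warning per call site: de-duplicate on location, not on call text.
  findings.uniq { |f| [f.line, f.column] }
end

if __FILE__ == $PROGRAM_NAME
  find_unsafe_loads(SAMPLE_SOURCE).each { |f| puts f }
end
```

Running the file prints three findings (lines 5, 10 and 14 of the sample) and nothing for the `JSON.parse` and `YAML.safe_load` calls, which is the distinction between the unsafe loaders and their safe counterparts that the new checks are meant to draw.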
Overall, we’re seeing more stable and more accurate Security Monitor scans, but please do let us know if you find any issues or have any questions.