
Another Round of Security Monitor Updates

A couple of weeks ago, we rolled out a new version of Security Monitor. The latest version has more checks, removes some duplicate warnings, produces fewer false positives, and has more code coverage than the previous version. Here’s a more detailed breakdown:

Additional Checks

  • In addition to unsafe YAML de-serialization, you will now also be warned about unsafe calls to CSV.load and Marshal.load.
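To make the new check concrete, here is a small static check written for this post (it is not Security Monitor’s own code and does not claim to reproduce how its checks are implemented). It parses Ruby source with the standard-library Ripper parser and reports every call site of Marshal.load, CSV.load or YAML.load, while leaving YAML.safe_load and JSON.parse alone. The sample source it scans is constructed for the example; a real scanner would additionally reason about where the argument comes from, which this simplified version does not attempt.

```ruby
# Added example, not Security Monitor's code: a minimal Ripper-based check for
# calls to deserializers that can instantiate arbitrary objects from their input.
require 'ripper'

# Constants whose `load` method deserializes untrusted data into live objects.
UNSAFE_LOADERS = %w[Marshal CSV YAML].freeze
UNSAFE_METHOD  = "load"

Finding = Struct.new(:receiver, :method_name, :line, :column) do
  def to_s
    "#{line}:#{column}: unsafe deserialization via #{receiver}.#{method_name}"
  end
end

# Returns one Finding per call site of Marshal.load / CSV.load / YAML.load.
def find_unsafe_loads(source)
  tree = Ripper.sexp(source)
  return [] if tree.nil?            # Ripper.sexp returns nil on a syntax error
  findings = []
  collect_calls(tree, findings)
  findings
end

# Depth-first walk over Ripper's S-expression. A call with an explicit receiver
# is [:call, receiver, operator, method]; a constant receiver is
# [:var_ref, [:@const, "Name", [line, col]]] (or [:top_const_ref, ...] for
# ::Name) and the method is [:@ident, "name", [line, col]].
def collect_calls(node, findings)
  return unless node.is_a?(Array)
  if node[0] == :call
    const = constant_name(node[1])
    meth  = node[3]
    if const && UNSAFE_LOADERS.include?(const) &&
       meth.is_a?(Array) && meth[0] == :@ident && meth[1] == UNSAFE_METHOD
      line, col = meth[2]
      findings << Finding.new(const, UNSAFE_METHOD, line, col)
    end
  end
  node.each { |child| collect_calls(child, findings) }
end

def constant_name(node)
  return nil unless node.is_a?(Array)
  if (node[0] == :var_ref || node[0] == :top_const_ref) &&
     node[1].is_a?(Array) && node[1][0] == :@const
    return node[1][1]
  end
  nil
end

# Constructed sample input: two unsafe calls and two safe alternatives.
SAMPLE_SOURCE = <<~RUBY
  class SessionStore
    def restore(blob)
      Marshal.load(blob)                          # flagged
    end

    def import(path)
      rows = CSV.load(path)                       # flagged
      settings = YAML.safe_load(File.read(path))  # not flagged: safe_load
      JSON.parse(File.read(path))                 # not flagged
    end
  end
RUBY

if $PROGRAM_NAME == __FILE__
  find_unsafe_loads(SAMPLE_SOURCE).each { |f| puts f }
end
```

Running the file prints one line per flagged call (the Marshal.load on line 3 and the CSV.load on line 7 of the sample); calls on YAML.safe_load and JSON.parse are not reported because the check matches on the method name, not just the receiver.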

Removed Duplicate Warnings

  • In certain cases, warnings were being generated for every reference to the same unsafe code, not just for the original vulnerability. These duplicate warnings – for the checks on dangerous sends, unsafe Ruby reflection (i.e. unsafe constantize calls) and Symbol denial-of-service attacks – have been removed.

Fewer False Positives

  • Security Monitor no longer warns on safe calls to Model#id or Model#to_json, such as when your Rails configuration specifies to escape JSON.

More Code Coverage

  • Now handles some nested classes (previously all nested classes were ignored)
  • Handles stabby lambdas with no arguments, such as:

    -> {
      # ruby code
    }
  • Handles block argument destructuring, such as:

    your_method_call do | arg_a, ( arg_b, arg_c ) |
       # do something
    end

Overall, we’re seeing more stable and more accurate Security Monitor scans, but please do let us know if you find any issues or have any questions.