Security Monitor Improvements -- February 2014
Last week we rolled out a number of improvements to Security Monitor, which will make scans more accurate, more comprehensive, and much quicker than previously. In addition to the speed improvements, here's a list of some of the specific improvements that were rolled out:
- If you're in danger of showing stack traces to end users, you will get a warning in a new category "Information Disclosure". For example,
consider_all_requests_localshould be set to false in production.
- XSS vulnerability in the i18n gem. When the gem is unable to provide a translation for a given string, it creates a fallback HTML string which can contain user input in some configurations.
- Denial of service vulnerability in some versions of Rails in which specially-craft headers are cached indefinitely.
- Certain calls to the
number_to_currencyhelper make applications vulnerable to an XSS attack. Specifically, the method's "unit" parameter was not being escaped properly.
simple_formatwhich supply HTML attributes can be vulnerable to an XSS attack in some versions of Rails:
simple_format(some_text, class: params[:class])
Looks for unsafe uses of the strong parameters
permit!method that could expose a mass assignment vulnerability when models aren't properly protected:
attributes = params.permit! @user = User.new(attributes) # mass assignment vulnerability
SSL verification bypass for when the verify_mode on HTTPS connections is set to
OpenSSL::SSL::VERIFY_NONE. Bypassing SSL verification leaves these connections vulnerable to man in the middle attacks.
Many more SQL injection checks, including when using raw connection objects, when unsafe values are used in
- Redirects using FriendlyId models as parameters will no longer create redirect warnings.
- Fewer false positives for command injection when interpolating string literals in commands.
- Do not warn on redirects models created with
- Avoids flagging non-ActiveRecord models as having SQL injection vulnerabilities even if methods names match AR methods (
- Rails versions are detected more accurately than previously.
- Blocks, especially blocks inside of controllers, are more accurately scanned now.
- More Ruby code can be parsed than previously because the underlying ruby_parser was updated.