Security Monitor Improvements -- February 2014
Last week we rolled out a number of improvements to Security Monitor, which will make scans more accurate, more comprehensive, and much quicker than previously. In addition to the speed improvements, here’s a list of some of the specific improvements that were rolled out:
New Checks
- If you’re in danger of showing stack traces to end users, you will get a warning in a new category, “Information Disclosure”. For example, `consider_all_requests_local` should be set to false in production.
- XSS vulnerability in the i18n gem. When the gem is unable to provide a translation for a given string, it creates a fallback HTML string which can contain user input in some configurations.
- Denial of service vulnerability in some versions of Rails in which specially-crafted headers are cached indefinitely.
- Certain calls to the `number_to_currency` helper make applications vulnerable to an XSS attack. Specifically, the method’s “unit” parameter was not being escaped properly.
- Calls to `simple_format` which supply HTML attributes can be vulnerable to an XSS attack in some versions of Rails:

  ```ruby
  simple_format(some_text, class: params[:class])
  ```

- Looks for unsafe uses of the strong parameters `permit!` method that could expose a mass assignment vulnerability when models aren’t properly protected:

  ```ruby
  attributes = params.permit!
  @user = User.new(attributes) # mass assignment vulnerability
  ```

- SSL verification bypass for when the verify_mode on HTTPS connections is set to `OpenSSL::SSL::VERIFY_NONE`. Bypassing SSL verification leaves these connections vulnerable to man-in-the-middle attacks.
- Many more SQL injection checks, including when using raw connection objects and when unsafe values are used in `delete_all` and `destroy_all` calls.
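To make the `permit!` and `number_to_currency` items concrete, here is a small plain-Ruby example (added for this post, not Security Monitor's own code and not Rails code). The `Params` and `User` classes are constructed stand-ins for `ActionController::Parameters` and an ActiveRecord model, so the script runs without Rails; `REQUEST_PARAMS` is a constructed request body. The two `build_user_*` functions mirror `User.new(params.permit!)` against `User.new(params.permit(:name, :email))`, and the two `currency_*` functions show why an unescaped "unit" lands markup in the page.

```ruby
require "erb"

# Constructed stand-in for ActionController::Parameters so the example runs
# without Rails. permit! hands back every key the client sent; permit(*keys)
# keeps only the allow-listed ones.
class Params
  def initialize(hash)
    @hash = hash
  end

  def permit!
    @hash.dup
  end

  def permit(*keys)
    @hash.select { |key, _| keys.include?(key) }
  end
end

# Constructed model: any attribute in ATTRS can be set from the incoming hash,
# which is exactly what makes an unfiltered hash dangerous.
class User
  ATTRS = %i[name email admin].freeze
  attr_reader :name, :email, :admin

  def initialize(attributes = {})
    attributes.each do |key, value|
      instance_variable_set("@#{key}", value) if ATTRS.include?(key)
    end
    @admin ||= false
  end
end

# Constructed request body: a client trying to grant itself admin.
REQUEST_PARAMS = { name: "mallory", email: "mallory@example.com", admin: true }.freeze

# The flagged pattern: User.new(params.permit!) accepts the admin flag.
def build_user_unsafe(params)
  User.new(Params.new(params).permit!)
end

# The protected form: only name and email survive the allow-list.
def build_user_safe(params)
  User.new(Params.new(params).permit(:name, :email))
end

# Tiny currency formatter modelled on the "unit" problem described above.
# The first version drops the unit into the output verbatim; the second runs it
# through ERB::Util.html_escape so any markup in the unit is rendered as text.
def currency_unescaped(amount, unit: "$")
  "#{unit}#{format('%.2f', amount)}"
end

def currency_escaped(amount, unit: "$")
  "#{ERB::Util.html_escape(unit)}#{format('%.2f', amount)}"
end

if $PROGRAM_NAME == __FILE__
  puts "permit! -> admin=#{build_user_unsafe(REQUEST_PARAMS).admin}"
  puts "permit  -> admin=#{build_user_safe(REQUEST_PARAMS).admin}"
  puts currency_unescaped(5, unit: "<b>")
  puts currency_escaped(5, unit: "<b>")
end
```

The allow-list in `permit` is what `permit(:name, :email)` gives you in Rails; the point of the new check is that `permit!` silently turns that allow-list off for every attribute the model accepts.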
False Positives
- Redirects using FriendlyId models as parameters will no longer create redirect warnings.
- Fewer false positives for command injection when interpolating string literals in commands.
- Do not warn on redirects to models created with `create`/`create!` methods.
- Avoids flagging non-ActiveRecord models as having SQL injection vulnerabilities even if method names match AR methods (`find_by_sql`, e.g.).
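The last item describes a class-aware check: a `find_by_sql` call with an interpolated string is only a SQL sink when the enclosing class is actually an ActiveRecord model. The following script is an added illustration of that idea using Ruby's standard-library `Ripper` parser; it is not Security Monitor's implementation. `SQL_SINKS`, `AR_BASES` and the `SAMPLE` source are constructed for the example, and the walker records every interpolated call to a sink method but marks it `flagged` only inside a class whose superclass is in `AR_BASES`.

```ruby
require "ripper"

# Methods this scanner treats as SQL sinks when handed an interpolated string.
SQL_SINKS = %w[find_by_sql delete_all destroy_all].freeze
# Superclasses that mark a class as an ActiveRecord model (constructed list).
AR_BASES = ["ActiveRecord::Base", "ApplicationRecord"].freeze

# Collect constant names under a node: ActiveRecord::Base -> ["ActiveRecord", "Base"].
def const_parts(node)
  return [] unless node.is_a?(Array)
  return [node[1]] if node[0] == :@const
  node.flat_map { |child| const_parts(child) }
end

# True if a node of the given type appears anywhere beneath node.
def contains?(node, type)
  return false unless node.is_a?(Array)
  return true if node[0] == type
  node.any? { |child| contains?(child, type) }
end

# First identifier token beneath node whose name is a SQL sink, or nil.
def sink_ident(node)
  return nil unless node.is_a?(Array)
  return node if node[0] == :@ident && SQL_SINKS.include?(node[1])
  node.each do |child|
    found = sink_ident(child)
    return found if found
  end
  nil
end

# Depth-first walk that remembers the enclosing class and its superclass.
def walk(node, klass, findings)
  return unless node.is_a?(Array)
  case node[0]
  when :class
    info = { name: const_parts(node[1]).join("::"), base: const_parts(node[2]).join("::") }
    walk(node[3], info, findings)
    return
  when :command, :command_call, :method_add_arg
    ident = sink_ident(node)
    if ident && contains?(node, :string_embexpr)
      in_ar = !klass.nil? && AR_BASES.include?(klass[:base])
      findings << { line: ident[2][0], method: ident[1], class: klass && klass[:name], flagged: in_ar }
    end
  end
  node.each { |child| walk(child, klass, findings) }
end

# Scan Ruby source text; each record says whether the call was flagged.
def scan(source)
  tree = Ripper.sexp(source)
  raise ArgumentError, "could not parse source" if tree.nil?
  findings = []
  walk(tree, nil, findings)
  findings.uniq
end

def flagged_lines(source)
  scan(source).select { |f| f[:flagged] }.map { |f| f[:line] }
end

# Constructed sample: User is an AR model, Report merely defines a method
# named find_by_sql. Single-quoted heredoc keeps the #{...} literal.
SAMPLE = <<~'RUBY'
  class User < ActiveRecord::Base
    def self.lookup(name)
      find_by_sql("SELECT * FROM users WHERE name = '#{name}'")
    end

    def self.purge(ids)
      where(id: ids).delete_all
    end
  end

  class Report
    def self.find_by_sql(query)
      query.upcase
    end

    def self.run(term)
      find_by_sql("report #{term}")
    end
  end
RUBY

if $PROGRAM_NAME == __FILE__
  scan(SAMPLE).each do |f|
    state = f[:flagged] ? "FLAGGED" : "skipped (not an ActiveRecord model)"
    puts "line #{f[:line]}: #{f[:class]}.#{f[:method]} #{state}"
  end
end
```

Running it reports line 3 (`User.find_by_sql` with interpolation) as flagged and line 17 (`Report.find_by_sql`, same method name, no ActiveRecord superclass) as skipped; the `where(id: ids).delete_all` call carries no interpolated string and is never recorded.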
Accuracy
- Rails versions are detected more accurately than previously.
- Blocks, especially blocks inside of controllers, are more accurately scanned now.
- More Ruby code can be parsed than previously because the underlying ruby_parser was updated.