We are proud to announce that Checkmarx SCA now allows for vulnerability analysis in Ruby code dependencies. For us, supporting another programming language allows the coverage of a wider range of vulnerabilities. This also provides our customers the required security knowledge of their code and its dependencies since you can now detect vulnerabilities in code dependencies that were undetected before. With this announcement, we would like to give a small introduction to the Ruby language and explain some of the most dangerous vulnerabilities we have observed when using this language.
Ruby is…
A dynamic, open-source programming language with a focus on simplicity and productivity. It was developed by Yukihiro Matsumoto and released in 1995. Its syntax allows for a natural understanding of the code and it’s easy to write. Ruby is ranked 15 in PYPL PopularitY of Programming Language, which is an analysis for how often language tutorials are searched on Google. This is an indicator that Ruby is in the top 20 of programming languages that people want to learn.
Ruby is based on other programming languages like Perl, Eiffel, and Ada. It is a pure object-oriented language, and in Ruby, everything appears as an object. It is used in typical scripting language applications and to connect different software components—being also considered a glue language.
The main uses of Ruby are web development, higher-level server management projects, and data science.
Ruby Gems
Like many other programming languages, Ruby allows for third-party libraries or packages to be invoked by a program. In Ruby, these packages are called Gems and they can be obtained through Ruby’s default package manager, RubyGems.
A Gem is a collection of code, libraries, dependencies, and metadata which is compressed into a “.gem” file to be used as a dependency in your code. Ruby gems are the primary target of Checkmarx SCA in finding code dependencies vulnerabilities, so we’ve had to find a generalized way to search the source code of each Gem. We looked at the structure of Ruby gems and quickly found that a gem package file is simply a tarball file which consists of three “.gz” files.
— shiny.gem
|
— checksum.yaml.gz
|
— metadata.gz
|
— data.tar.gz
The “checksum.yaml.gz” file contains the gem hashes that ensure the integrity of the package.
The “metadata.gz” file is the result of the “gemspec” file. A “gemspec” is where all the metadata information for the gem is defined. You can find the name of the package, version, dependencies, and a list of all the source code files there. It basically tells you what’s in the gem, who made it, and the version of the gem. It’s also the interface to the RubyGems package manager.
The “data.tar.gz” file contains the actual gem code. This is the file we’re looking for in order to search what versions are vulnerable to a specific CVE.
Each Gem used in our customers code will be scanned by our SCA to provide you with the most accurate security knowledge of your code.
Ruby on Rails
We can’t talk about Ruby without mentioning its most famous web framework, Ruby on Rails.
Rails is a web development framework, written in Ruby. It helps developers build websites and applications, because it abstracts and simplifies common repetitive tasks. Since Ruby is one of the simplest languages to understand, while also being powerful enough for experienced programmers, it makes sense that Ruby on Rails would be one of the most popular web development frameworks.
Ruby on Rails works seamlessly alongside HTML, JavaScript, and CSS. It follows the MVC architecture and has design philosophy of “Don’t Repeat Yourself” (DRY), which emphasizes not writing repetitive code. It also follows the “Convention Over Configuration” (CoC) philosophy, meaning you should focus on whatever makes the programmer’s life easier. Being this popular doesn’t come without a cost. There are a lot of vulnerabilities associated with Ruby on Rails. Here are a few examples of the CVEs with the highest CVSS score for Ruby on Rails covered by Checkmarx SCA.
CVE-2008-4094
This CVE is a multiple SQL injection vulnerability in Ruby on Rails in versions prior to 2.1.1. Attackers are able to execute arbitrary SQL commands via “:limit” and “:offset” parameters. The affected Ruby on Rails components are ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer. This CVE has a CVSS version 2.0 score of 7.5.
CVE-2013-0277
This CVE is a DoS vulnerability in the Active Record component of Ruby on Rails. Active Record is the M in MVC – the model – which is the layer of the system responsible for representing business data and logic. It affects versions prior to 2.3.17 and 3.x prior to 3.1.0 and allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized attributes that cause the “+serialize+” helper to deserialize arbitrary YAML. This CVE has a CVSS version 2.0 score of 10.
CVE-2019-5420
In development mode Rails versions 5.2.0 prior to 5.2.2.1, there is a RCE vulnerability that allows an attacker to guess the automatically generated development mode secret token. This secret token can be used in combination with other Rails internals to escalate up to a remote code execution exploit. This CVE has a CVSS score of 9.8.
What we’ve seen so far with Ruby
Since we’ve supported Ruby code dependencies scans with SCA, we’ve seen a few CVEs that have been detected the most by our customers. Here are a few examples of the most dangerous Ruby vulnerabilities detected when using Checkmarx SCA.
CVE-2020-36599
The OmniAuth Ruby gem is a library that standardizes multi-provider authentication for web applications. It contains a vulnerability in versions prior to 1.9.2 and 2.0.0.pre.rc1, where the environment variable “message_key” is not properly escaped, which could lead to malicious content being replaced by the intended content. This CVE has a CVSS score of 9.8.
CVE-2022-25765
This CVE affects the PDFKit Ruby gem. The package is used to create PDF files using HTML and CSS. It uses the well-known “wkhtmltopdf” library on the back end which renders HTML using Webkit. The vulnerability has a CVSS score of 9.8 and is a command injection vulnerability in versions through 0.8.6, where a URL parameter is not properly sanitized. If the URL contains any user input, it could lead to commands being executed by the user.
CVE-2022-39281
This CVE affects the Fat Free CRM package. This package is a well-known open-source Ruby on Rails-based customer relationship management platform. In versions prior to 0.20.1, an authenticated user can perform a remote Denial of Service attack against Fat Free CRM via bucket access. This CVE has a CVSS score of 6.5.
Final remarks
As we’ve seen in the blog, with Checkmarx SCA supporting the Ruby language, we can assure you that your Ruby code will not be left behind when it comes to security. There are a lot of known Ruby vulnerabilities and our SCA team will keep highlighting them to provide you the best vulnerability coverage of your Ruby code. You can learn more about Checkmarx SCA here.
