Updating software and dependencies to versions without known vulnerabilities
```ruby
# Gemfile
source 'https://rubygems.org'
git_source(:github) { |repo| "https://github.com/#{repo}.git" }
ruby '2.6.3'
# Bundle edge Rails instead: gem 'rails', github: 'rails/rails'
gem 'rails', '~> 5.2.3'
# Use sqlite3 as the database for Active Record
gem 'sqlite3'
# Use Puma as the app server
gem 'puma', '~> 3.11'
# Use SCSS for stylesheets
gem 'sass-rails', '~> 5.0'
# Use Uglifier as compressor for JavaScript assets
gem 'uglifier', '>= 1.3.0'
# See https://github.com/rails/execjs#readme for more supported runtimes
# gem 'mini_racer', platforms: :ruby
# Use CoffeeScript for .coffee assets and views
gem 'coffee-rails', '~> 4.2'
# Turbolinks makes navigating your web application faster. Read more: https://github.com/turbolinks/turbolinks
gem 'turbolinks', '~> 5'
# Build JSON APIs with ease. Read more: https://github.com/rails/jbuilder
gem 'jbuilder', '~> 2.5'
# Use Redis adapter to run Action Cable in production
# gem 'redis', '~> 4.0'
# Use ActiveModel has_secure_password
# gem 'bcrypt', '~> 3.1.7'
# Use ActiveStorage variant
# gem 'mini_magick', '~> 4.8'
# Use Capistrano for deployment
# gem 'capistrano-rails', group: :development

group :development, :test do
  # Call 'byebug' anywhere in the code to stop execution and get a debugger console
  gem 'byebug', platforms: [:mri, :mingw, :x64_mingw]
end

group :development do
  # Access an interactive console on exception pages or by calling 'console' anywhere in the code.
  gem 'web-console', '>= 3.3.0'
  gem 'listen', '>= 3.0.5', '< 3.2'
  # Spring speeds up development by keeping your application running in the background. Read more: https://github.com/rails/spring
  gem 'spring'
  gem 'spring-watcher-listen', '~> 2.0.0'
end
```
This Ruby on Rails application's Gemfile pins the dependency versions the application requires. Several of the gems pinned here have known vulnerabilities. For instance, Rails 5.2.3 has several published vulnerabilities that can expose the application to various types of attacks, and gems such as puma, sass-rails, and uglifier may also have known vulnerabilities depending on the version Bundler resolves for them. Note that a constraint such as `'~> 5.2.3'` only sets a floor and a ceiling; the version actually installed is the one recorded in Gemfile.lock, which is what a vulnerability check should inspect.
The application might be exposed to risks such as:
- Remote code execution
- SQL injection
- Cross-site scripting
- Denial of service
It is crucial to keep the dependencies updated and to use versions that do not have known vulnerabilities. Regularly checking for updates and advisories helps maintain the security of the application. Tools such as bundler-audit (which compares Gemfile.lock against the ruby-advisory-db) or services such as Snyk can be used to check the dependencies for known vulnerabilities.
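To make that check concrete, the following is an added example (not code from this page or from the bundler-audit project) that performs the same kind of comparison bundler-audit does: it parses the resolved versions out of a Gemfile.lock and flags any gem whose version falls outside an advisory's patched range. The lock-file contents and the advisory table are constructed for this example, and the advisory identifiers are placeholders rather than real advisory IDs.

```ruby
require 'rubygems' # Gem::Version and Gem::Requirement ship with RubyGems

# Constructed Gemfile.lock fragment (sample data for this example, not a real lock file).
# Top-level specs sit at 4 spaces; their sub-dependencies at 6 spaces.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      jbuilder (2.5.0)
      nokogiri (1.10.4-x86_64-linux)
      puma (3.11.0)
      rails (5.2.3)
        actioncable (= 5.2.3)
      sass-rails (5.0.7)
      uglifier (1.3.0)

  PLATFORMS
    ruby
LOCK

# The same bundle after the Gemfile update (constructed, not resolved by Bundler).
UPDATED_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      jbuilder (2.11.2)
      puma (5.5.2)
      rails (6.1.4)
      sass-rails (6.0.0)
      uglifier (4.2.0)
LOCK

# Constructed advisory table in the shape of a ruby-advisory-db entry: patched_versions
# lists the requirements a version must satisfy to be unaffected. The ids are placeholders.
ADVISORIES = [
  { gem: 'rails',    id: 'EXAMPLE-ADVISORY-1', patched_versions: ['>= 6.1.4'] },
  { gem: 'puma',     id: 'EXAMPLE-ADVISORY-2', patched_versions: ['>= 5.5.2'] },
  { gem: 'jbuilder', id: 'EXAMPLE-ADVISORY-3', patched_versions: ['>= 2.11.2'] }
].freeze

# Parse the "name (version)" lines directly under "specs:" into name => Gem::Version.
# Sub-dependency lines (indented deeper) are skipped, and a platform suffix such as
# "-x86_64-linux" is dropped so Gem::Version can parse the number.
def parse_lock_specs(lock_text)
  specs = {}
  in_specs = false
  lock_text.each_line do |line|
    if line.strip == 'specs:'
      in_specs = true
      next
    end
    next unless in_specs
    if (m = line.match(/\A {4}([\w.\-]+) \(([^)\s]+)\)/))
      specs[m[1]] = Gem::Version.new(m[2].sub(/-.*\z/, ''))
    elsif line.strip.empty? || !line.start_with?(' ')
      in_specs = false # a blank line or a new top-level section ends the specs block
    end
  end
  specs
end

# Return [gem, version, advisory id] for every resolved gem whose version satisfies
# none of the advisory's patched_versions requirements.
def audit(specs, advisories)
  advisories.each_with_object([]) do |adv, findings|
    version = specs[adv[:gem]]
    next unless version # gem is not part of this bundle
    patched = adv[:patched_versions].any? do |req|
      Gem::Requirement.new(req).satisfied_by?(version)
    end
    findings << [adv[:gem], version.to_s, adv[:id]] unless patched
  end
end

# Print the findings for a lock file and return them so a caller can fail a build on them.
def report(lock_text, advisories = ADVISORIES)
  findings = audit(parse_lock_specs(lock_text), advisories)
  findings.each { |gem, ver, id| puts "#{gem} #{ver} is affected by #{id}" }
  puts 'No known vulnerabilities found' if findings.empty?
  findings
end

report(SAMPLE_LOCK)  # flags rails, puma and jbuilder
report(UPDATED_LOCK) # clean
```

The script returns the findings rather than only printing them so a CI step can turn a non-empty result into a failed build. In a real project the equivalent is `bundler-audit check --update`, which refreshes the local copy of ruby-advisory-db and scans Gemfile.lock, so the resolved versions are checked rather than the constraints in the Gemfile.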
```ruby
# Gemfile
source 'https://rubygems.org'
git_source(:github) { |repo| "https://github.com/#{repo}.git" }
ruby '2.6.3'
# Bundle edge Rails instead: gem 'rails', github: 'rails/rails'
gem 'rails', '~> 6.1.4' # Updated version
# Use sqlite3 as the database for Active Record
gem 'sqlite3'
# Use Puma as the app server
gem 'puma', '~> 5.5.2' # Updated version
# Use SCSS for stylesheets
gem 'sass-rails', '~> 6.0.0' # Updated version
# Use Uglifier as compressor for JavaScript assets
gem 'uglifier', '>= 4.2.0' # Updated version
# See https://github.com/rails/execjs#readme for more supported runtimes
# gem 'mini_racer', platforms: :ruby
# Use CoffeeScript for .coffee assets and views
gem 'coffee-rails', '~> 5.0.0' # Updated version
# Turbolinks makes navigating your web application faster. Read more: https://github.com/turbolinks/turbolinks
gem 'turbolinks', '~> 5'
# Build JSON APIs with ease. Read more: https://github.com/rails/jbuilder
gem 'jbuilder', '~> 2.11.2' # Updated version
# Use Redis adapter to run Action Cable in production
# gem 'redis', '~> 4.0'
# Use ActiveModel has_secure_password
# gem 'bcrypt', '~> 3.1.7'
# Use ActiveStorage variant
# gem 'mini_magick', '~> 4.8'
# Use Capistrano for deployment
# gem 'capistrano-rails', group: :development

group :development, :test do
  # Call 'byebug' anywhere in the code to stop execution and get a debugger console
  gem 'byebug', platforms: [:mri, :mingw, :x64_mingw]
end

group :development do
  # Access an interactive console on exception pages or by calling 'console' anywhere in the code.
  gem 'web-console', '>= 4.1.0' # Updated version
  gem 'listen', '>= 3.3.1', '< 3.5' # Updated version
  # Spring speeds up development by keeping your application running in the background. Read more: https://github.com/rails/spring
  gem 'spring'
  gem 'spring-watcher-listen', '~> 2.0.1' # Updated version
end
```
The original Gemfile used outdated versions of several gems that had known vulnerabilities. The updated Gemfile uses newer versions of these gems without those known vulnerabilities.
The gems that were updated include:
- rails: updated from version 5.2.3 to 6.1.4
- puma: updated from version 3.11 to 5.5.2
- sass-rails: updated from version 5.0 to 6.0.0
- uglifier: updated from version 1.3.0 to 4.2.0
- coffee-rails: updated from version 4.2 to 5.0.0
- jbuilder: updated from version 2.5 to 2.11.2
- web-console: updated from version 3.3.0 to 4.1.0
- listen: updated from version 3.0.5 to 3.3.1
- spring-watcher-listen: updated from version 2.0.0 to 2.0.1
After updating the Gemfile, run `bundle install` to install the updated gems; this also rewrites Gemfile.lock with the newly resolved versions, which should be committed alongside the Gemfile. Then test the application to ensure that it functions correctly with the updated gems. Since moving from Rails 5.2 to 6.1 is a major upgrade, expect configuration and API changes that require following the Rails upgrade guide rather than only swapping the version number.