Use of an insecure channel - FTP - Ruby

Use of an insecure channel - FTP - Ruby

Need

Secure transmission of customer information

Context

  • Usage of Ruby for building dynamic and object-oriented applications
  • Usage of net/ftp for FTP (File Transfer Protocol) operations

Description

Non compliant code

        require 'net/ftp'

ftp = Net::FTP.new('example.com')
ftp.login(user = 'username', passwd = 'password')
ftp.chdir('pub/lang/ruby/contrib')
files = ftp.list('n*')
ftp.getbinaryfile('nif.rb-0.91.gz', 'nif.gz', 1024)
ftp.close
        
        

This code is using the Net::FTP library in Ruby to connect to an FTP server, authenticate, change directories, list files, download a file, and finally close the connection.

The vulnerability here is that FTP does not use encryption, so all the transmitted data including the username and password, are sent in plain text across the network. This can be intercepted and read by anyone who is able to capture the network traffic. This is a serious security risk, especially when dealing with sensitive data like customer information.

The ftp.login(user = 'username', passwd = 'password') line is where the user credentials are sent in plain text. The ftp.getbinaryfile('nif.rb-0.91.gz', 'nif.gz', 1024) line is where a file is downloaded from the server, and this data is also transmitted in plain text.

Using an unencrypted protocol like FTP for transferring sensitive data exposes the data to potential eavesdropping attacks. An attacker with access to the network can capture the FTP traffic and gain access to the transmitted data. This could lead to unauthorized access to the system or disclosure of sensitive information.

Steps

  • Replace the use of FTP with a secure protocol such as SFTP or FTPS.
  • Ensure that the server supports the chosen secure protocol.
  • Use encryption to protect the transmission of sensitive information.
  • Avoid transmitting credentials and confidential information in plain text.
  • Implement secure authentication mechanisms such as SSL/TLS certificates.
  • Regularly update and patch the server and client software to address any security vulnerabilities.
  • Perform security testing and vulnerability assessments to identify and mitigate any potential risks.

Compliant code

        require 'net/sftp'

Net::SFTP.start('example.com', 'username', :password => 'password') do |sftp|
  sftp.dir.chdir('pub/lang/ruby/contrib')
  files = sftp.dir.entries('n*')
  sftp.download!('nif.rb-0.91.gz', 'nif.gz')
end
        
        

The original code was using the FTP protocol to connect to a server, change directory, list files, download a file, and then close the connection. FTP is an insecure protocol because it does not encrypt the data being transmitted. This means that sensitive information such as usernames, passwords, and file contents can be intercepted and read in plain text.

The revised code uses the SFTP protocol instead of FTP. SFTP, or Secure File Transfer Protocol, is a protocol that uses SSH to transfer files. Unlike FTP, SFTP encrypts the data being transferred, protecting it from being read if it is intercepted.

In the revised code, we start an SFTP session using the Net::SFTP.start method. This method takes three arguments: the name of the server, the username, and a hash of options. In this case, the only option we are providing is the password.

Inside the SFTP session, we change directory, list files, and download a file just like in the original code. However, because we are inside an SFTP session, all of these operations are performed securely.

Finally, because the SFTP session is started inside a block, it is automatically closed when the block finishes executing. This means we don't need to manually close the session like in the original code.

By using SFTP instead of FTP, the revised code ensures that customer information is transmitted over a secure channel.

References