Ruby: Add rb/insecure-dependency query #8598
This query looks for places in a Gemfile where URLs with insecure protocols (HTTP or FTP) are specified.
QHelp previews: ruby/ql/src/queries/security/cwe-300/InsecureDependencyResolution.qhelp

Dependency download using unencrypted communication channel

Using an insecure protocol like HTTP or FTP to download dependencies makes the build process vulnerable to a man-in-the-middle (MITM) attack. This can allow attackers to inject malicious code into the downloaded dependencies, and thereby infect the build artifacts and execute arbitrary code on the machine building the artifacts.

Recommendation

Always use a secure protocol, such as HTTPS or SFTP, when downloading artifacts from an URL.

Example

The below example shows a

    source "http://rubygems.org"
    gem "my-gem-a", "1.2.3"

The fix is to change the protocol to HTTPS.

    source "https://rubygems.org"
    gem "my-gem-a", "1.2.3"

References
nickrolfe
left a comment
Very nice. I have just a few small comments.
ruby/ql/src/queries/security/cwe-300/InsecureDependencyResolution.qhelp
This tests that we recognise kwargs in hashrocket style:

    gem "foo", "1.2.3", :git => "..."

as well as the modern style:

    gem "foo", "1.2.3", git: "..."
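To make the qhelp's point and the review comment above concrete, here is a small standalone Ruby scanner that reports Gemfile string literals whose URL starts with an unencrypted scheme. It is an added example, not code from this PR or from the CodeQL query: the query itself is written in QL, and the names here (`Finding`, `scan_gemfile`, `insecure_prefix?`, the sample Gemfile) are this example's own. It handles the `source "..."` and `git "..." do` positional forms plus the `git:`/`:git =>` keyword arguments in both hashrocket and modern styles, and, like the "first component" fix in this PR, only inspects the leading literal part of an interpolated string.

```ruby
# Added example, not part of the CodeQL PR: a standalone scanner for insecure
# (http:// or ftp://) URLs in a Gemfile. All names below are this example's own.

Finding = Struct.new(:line, :call, :url) do
  def to_s
    "line #{line}: #{call} uses insecure URL #{url}"
  end
end

INSECURE_SCHEMES = %w[http ftp].freeze

# `source "..."` and `git "..." do` take the URL as the first positional argument.
POSITIONAL_URL = /\A\s*(source|git)\s*\(?\s*(["'])(.*?)\2/
# Hashrocket-style keyword argument: `:git => "..."`.
HASHROCKET_URL = /:(git|source)\s*=>\s*(["'])(.*?)\2/
# Modern keyword style: `git: "..."`. A preceding comma, space or paren is
# required so the pattern does not fire on a `git:` substring inside a token.
KEYWORD_URL = /(?:^|[\s,(])(git|source):\s*(["'])(.*?)\2/

# Only the leading literal component of the string is examined, so
# "http://#{host}/" is flagged (its literal prefix is http://), while
# "#{scheme}://host/" is not, because its scheme is unknown statically.
def insecure_prefix?(literal)
  prefix = literal.split('#{', 2).first.to_s.downcase
  INSECURE_SCHEMES.any? { |scheme| prefix.start_with?("#{scheme}://") }
end

# Scan Gemfile text line by line and return a Finding for every insecure URL.
def scan_gemfile(text)
  findings = []
  text.each_line.with_index(1) do |raw, lineno|
    # Drop trailing `# comment` text but keep `#{...}` interpolations intact.
    line = raw.sub(/(?:^|\s)#(?!\{).*$/, '')
    [POSITIONAL_URL, HASHROCKET_URL, KEYWORD_URL].each do |pattern|
      line.scan(pattern) do |call, _quote, url|
        findings << Finding.new(lineno, call, url) if insecure_prefix?(url)
      end
    end
  end
  findings
end

# Constructed sample Gemfile (single-quoted heredoc, so #{...} stays literal).
SAMPLE_GEMFILE = <<~'GEMFILE'
  source "http://rubygems.org"                              # flagged: plain HTTP source
  gem "my-gem-a", "1.2.3"
  gem "foo", "1.2.3", :git => "ftp://example.com/foo.git"   # flagged: hashrocket kwarg
  gem "bar", "2.0.0", git: "http://example.com/bar.git"     # flagged: modern kwarg
  gem "baz", git: "https://example.com/baz.git"             # fine: HTTPS
  gem "qux", git: "http://#{host}/qux.git"                  # flagged: literal prefix is http://
  gem "quux", git: "#{scheme}://example.com/quux.git"       # not flagged: scheme not static
  git "http://example.com/shared.git" do
    gem "shared"
  end
GEMFILE

if __FILE__ == $PROGRAM_NAME
  scan_gemfile(SAMPLE_GEMFILE).each { |finding| puts finding }
end
```

Running the file prints the five insecure lines (1, 3, 4, 6 and 8) and stays silent on the HTTPS and scheme-interpolated entries. It is a line-oriented approximation of what the QL query does on the AST: a `gem` call whose keyword hash is split across lines, or a URL built by concatenation, is outside what these regexes see.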
Only look at the first component of strings for the prefix.

Co-authored-by: Nick Rolfe <nickrolfe@github.com>
QHelp previews: ruby/ql/src/queries/security/cwe-300/InsecureDependencyResolution.qhelp

Dependency download using unencrypted communication channel

Using an insecure protocol like HTTP or FTP to download dependencies makes the build process vulnerable to a man-in-the-middle (MITM) attack. This can allow attackers to inject malicious code into the downloaded dependencies, and thereby infect the build artifacts and execute arbitrary code on the machine building the artifacts.

Recommendation

Always use a secure protocol, such as HTTPS or SFTP, when downloading artifacts from a URL.

Example

The below example shows a

    source "http://rubygems.org"
    gem "my-gem-a", "1.2.3"

The fix is to change the protocol to HTTPS.

    source "https://rubygems.org"
    gem "my-gem-a", "1.2.3"

References
This is a port of the JS query of the same name. It looks for places in a Gemfile where an http or ftp URL is specified. The tests are written using inline expectations.