
Security Monitor Improvements -- February 2014

Last week we rolled out a number of improvements to Security Monitor, which will make scans more accurate, more comprehensive, and much quicker than previously. In addition to the speed improvements, here’s a list of some of the specific improvements that were rolled out:

New Checks

  • If you’re in danger of showing stack traces to end users, you will get a warning in a new category, “Information Disclosure”. For example, config.consider_all_requests_local should be set to false in production; when it is true, Rails renders full error pages (stack trace, request parameters, and session data) to every client rather than only to local requests.
  • XSS vulnerability in the i18n gem. When the gem is unable to provide a translation for a given string, it creates a fallback HTML string which can contain user input in some configurations.
  • Denial of service vulnerability in some versions of Rails in which specially crafted request headers are cached indefinitely, so an attacker can grow the cache without bound.
  • Certain calls to the number_to_currency helper make applications vulnerable to an XSS attack. Specifically, the method’s “unit” parameter was not being escaped properly.
  • Calls to simple_format which supply HTML attributes can be vulnerable to an XSS attack in some versions of Rails:

    simple_format(some_text, class: params[:class])
    
  • Looks for unsafe uses of the strong parameters permit! method that could expose a mass assignment vulnerability when models aren’t properly protected:

    attributes = params.permit!
    @user = User.new(attributes) # mass assignment vulnerability
    
  • SSL verification bypass for when the verify_mode on HTTPS connections is set to OpenSSL::SSL::VERIFY_NONE. Bypassing SSL verification leaves these connections vulnerable to man in the middle attacks.

  • Many more SQL injection checks, including queries issued through raw connection objects and unsafe values interpolated into delete_all and destroy_all calls.

False Positives

  • Redirects using FriendlyId models as parameters will no longer create redirect warnings.
  • Fewer false positives for command injection when interpolating string literals in commands.
  • Do not warn on redirects to models created with the create/create! methods.
  • Avoids flagging non-ActiveRecord models as having SQL injection vulnerabilities even if their method names match ActiveRecord methods (find_by_sql, e.g.).

Accuracy

  • Rails versions are detected more accurately than previously.
  • Blocks, especially blocks inside of controllers, are more accurately scanned now.
  • More Ruby code can be parsed than previously because the underlying ruby_parser was updated.