#rubysec

2025-06-05

PSA: supply chain attacks (aka forking popular gems, changing the name slightly, and adding malicious code) are starting to show up on rubygems.org more often. Be cautious when adding a new gem to your project. Check who the author is, check the GitHub repository, look at the commit history, etc.
socket.dev/blog/malicious-ruby

#ruby #security #rubysec

2025-06-05

The so-called "supply chain attacks" (really just typosquatting) are starting to show up on rubygems.org. Luckily for the Ruby community all of the good gem names have already been taken🥁 /s.
socket.dev/blog/malicious-ruby

#ruby #security #infosec #rubysec
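
Added example, not from either post above and not rubygems.org's own tooling: one cheap check for the "fork it and change the name slightly" pattern is edit distance between a candidate gem name and the gems you already trust. The popular-gem list and the function names below are constructed for illustration.

```ruby
# Constructed sample of well-known gems; a real check would use your own
# Gemfile.lock or a pinned list of names you trust.
POPULAR_GEMS = %w[rails rack nokogiri puma sidekiq devise rspec rubocop].freeze

# Standard Levenshtein edit distance (insert, delete, substitute).
def edit_distance(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cost = ca == cb ? 0 : 1
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost].min
    end
    prev = cur
  end
  prev[b.length]
end

# Returns the trusted gems that `name` could be impersonating. An exact match
# is the real gem, so it is excluded. Separators are dropped before comparing
# because rubygems.org treats foo-bar and foo_bar as distinct names, which is
# exactly what a typosquatter relies on.
def typosquat_candidates(name, popular = POPULAR_GEMS, max_distance: 2)
  norm = ->(s) { s.downcase.tr("-_", "") }
  popular.select do |p|
    name != p && edit_distance(norm.call(name), norm.call(p)) <= max_distance
  end
end

puts typosquat_candidates("rai1s").inspect    # ["rails"]
puts typosquat_candidates("rack-cors").inspect # [] (legitimate, too far from "rack")
```

A hit is a reason to look at the author, repository and commit history before installing, not proof of malice; legitimate plugin gems sit close to their parent's name, which is why the distance threshold is kept small.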

2025-01-06

Ruby's Bundler dependency manager now has checksum verification built-in to prevent cache poisoning attacks.
mensfeld.pl/2025/01/the-silent

#ruby #rubysec #bundler
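
Added example of what the check buys you, not Bundler's own code: Bundler pins each gem's SHA-256 in a CHECKSUMS section of Gemfile.lock (written by `bundle lock --add-checksums` on Bundler 2.6+) and refuses to install a .gem whose bytes do not match. The lockfile excerpt, gem contents and function names below are constructed; only the `name (version) sha256=hex` line format follows Bundler's lockfile.

```ruby
require "digest"

# Constructed stand-ins for the .gem archives Bundler would fetch. The
# CHECKSUMS entries below are the digests of these bytes, mirroring a lockfile
# that was generated from the genuine gems and committed to the repository.
FAKE_GEMS = {
  "rack-3.1.7.gem"  => "constructed gem bytes for rack",
  "rake-13.2.1.gem" => "constructed gem bytes for rake",
}.freeze

LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (3.1.7)
      rake (13.2.1)

  CHECKSUMS
    rack (3.1.7) sha256=#{Digest::SHA256.hexdigest(FAKE_GEMS["rack-3.1.7.gem"])}
    rake (13.2.1) sha256=#{Digest::SHA256.hexdigest(FAKE_GEMS["rake-13.2.1.gem"])}

  BUNDLED WITH
     2.6.0
LOCK

# Parse the CHECKSUMS section into { "name-version" => hex }.
def parse_checksums(lockfile)
  section = lockfile.split(/^CHECKSUMS\n/, 2)[1] or return {}
  section.each_line.with_object({}) do |line, sums|
    next unless line =~ /\A\s+(\S+) \(([^)]+)\) sha256=([0-9a-f]{64})\s*\z/
    sums["#{$1}-#{$2}"] = $3
  end
end

# The decision Bundler makes before unpacking a fetched .gem: the digest of the
# bytes must equal the pinned value. :unpinned means the lockfile has no entry,
# so there is nothing to compare against (an older lockfile without CHECKSUMS
# gives you no protection at all).
def verify_gem(filename, bytes, checksums)
  expected = checksums[filename.delete_suffix(".gem")]
  return :unpinned unless expected
  Digest::SHA256.hexdigest(bytes) == expected ? :ok : :mismatch
end

sums = parse_checksums(LOCKFILE)
genuine  = FAKE_GEMS["rake-13.2.1.gem"]
poisoned = genuine + "\n# attacker-added payload"   # a swapped cache entry
puts verify_gem("rake-13.2.1.gem", genuine, sums)   # ok
puts verify_gem("rake-13.2.1.gem", poisoned, sums)  # mismatch
```

The mismatch case is the cache-poisoning scenario: the resolver picks the same name and version, but the archive handed to the installer is not the one the lockfile was generated from.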

2024-12-28

Someone found a Gem::SafeMarshal escape in Ruby! (Also, this blog is 🔥 for Ruby security research.)
nastystereo.com/security/ruby-

#ruby #rubysec #securityresearch #vulnerabilityresearch #deserializationvulnerability

2024-11-25

Note: before all of the script kiddies get their hopes up and think they can pwnxorize every Rails app, deserialization vulnerabilities in Ruby are actually quite rare these days, due to Marshal.load almost never being used in the wild and YAML.load having been aliased to YAML.safe_load for some time now.
#rubysec #deserialization
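
Added example, not from the post above, showing the difference the loader makes. Since Psych 4 (shipped with Ruby 3.1) YAML.load applies the same class restrictions as YAML.safe_load and raises Psych::DisallowedClass on an object tag; YAML.unsafe_load keeps the old behaviour, and Marshal.load has no restriction at all. The AuditRecord class, the payloads and the function names are constructed for illustration; the class is harmless, and stands in for whatever a gadget chain would actually target.

```ruby
require "yaml"

# Constructed class standing in for one with a dangerous init_with or
# finaliser. Here it does nothing; the question is only whether each loader
# is willing to instantiate it from attacker-controlled input.
class AuditRecord
  attr_accessor :note
end

# Constructed YAML payload asking Psych to instantiate AuditRecord.
OBJECT_PAYLOAD = "--- !ruby/object:AuditRecord\nnote: hello\n".freeze

# Runs a loader and classifies the outcome: :rejected means Psych refused the
# tagged class, :instantiated means arbitrary object construction happened.
def attempt
  result = yield
  result.is_a?(AuditRecord) ? :instantiated : :plain_data
rescue Psych::DisallowedClass
  :rejected
end

def loader_verdicts(yaml)
  {
    safe_load:   attempt { YAML.safe_load(yaml) },
    load:        attempt { YAML.load(yaml) },          # :rejected on Psych 4+
    unsafe_load: attempt { YAML.unsafe_load(yaml) },   # the old YAML.load
    # Explicit allow-listing is the supported way to revive your own classes.
    allowlisted: attempt { YAML.safe_load(yaml, permitted_classes: [AuditRecord]) },
  }
end

# Marshal has no safe mode: any class loaded in the process can be rebuilt
# from the byte stream, which is what the Ruby gadget chains abuse.
MARSHAL_PAYLOAD = Marshal.dump(AuditRecord.new.tap { |r| r.note = "hello" }).freeze

def marshal_verdict(bytes)
  Marshal.load(bytes).is_a?(AuditRecord) ? :instantiated : :plain_data
end

puts "Psych #{Psych::VERSION}: #{loader_verdicts(OBJECT_PAYLOAD).inspect}"
puts "Marshal.load: #{marshal_verdict(MARSHAL_PAYLOAD)}"
```

The practical takeaways match the post: grep for Marshal.load and YAML.unsafe_load on request-derived data, and treat any permitted_classes allow-list as part of the attack surface.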

2024-11-25

Ruby 3.4 Universal RCE Deserialization Gadget Chain
nastystereo.com/security/ruby-

#ruby #rubysec

2024-11-11

Catching up on ActiveRecord's new (circa 2023) encrypted column support (aka Encryption at Rest).
youtube.com/watch?v=IR2demNrMw

#rubysec #rails #encryption #encryptedatrest #encryptedstorage

2024-11-10

TIL using the <math> tag for XSS with HTML5 parsers.
youtube.com/watch?v=USPLEASZ0D

#rails #html5 #xss #rubysec

2024-11-09

If you want to know about the state of security in Ruby on Rails, check out @gregmolnar's talk.
youtube.com/watch?v=Z3DgOix0rI

#rails #rubysec

2024-11-08

Liking the new "maintainer" role for rubygem maintainers.
blog.rubygems.org/2024/11/07/m

#rubygems #rubysec

2024-11-05

💣 Is your #Ruby app vulnerable? Is it a ticking time bomb or is it safe in production?

If you don’t know, you need a security audit. Find out how many vulnerabilities are present in your code and dependencies. Let's talk!

go.fastruby.io/wbw

#RubySec #InfoSec #DevSecOps

2024-11-02

Heads Up Everyone. An unpatched CVE for Sinatra was just added to ruby-advisory-db. Currently all versions are affected. Impact is a possible Open Redirect.
github.com/advisories/GHSA-hxx
#ruby #sinatra #rubysec

2024-09-24

Heads Up Everyone: there's a not-yet-patched-and-released security vulnerability in WEBrick. This is going to be added to ruby-advisory-db shortly, so don't be surprised if webrick starts getting flagged; although I'm guessing it's probably only in your Gemfile.lock due to some other gem pulling it in.

Update: webrick 1.8.2 has now been released.

github.com/advisories/GHSA-6f6

#ruby #rubysec #webrick

2024-04-24

Thank you to @havenwood for updating the ruby-versions repo for CVE-2024-27282! ruby-install users, please upgrade your ruby versions!

ruby-install --update
ruby-install ruby-3.0.7
ruby-install ruby-3.1.5
ruby-install ruby-3.2.4
ruby-install ruby-3.3.1

ruby-lang.org/en/news/2024/04/
#ruby #rubysec #cve #cve_2024_27282 #cve202427282

2024-03-29

PyPI temporarily halted new user signups in response to a surge in malicious typosquatting packages. I suspect attackers will turn their sights to NPM and rubygems.org next.
arstechnica.com/security/2024/
#rubygems #rubysec

2024-03-14

💣 Is your #Ruby app vulnerable? Is it a ticking time bomb or is it safe in production?

go.fastruby.io/wbw

#RubySec #InfoSec #DevSecOps

2024-03-12

💣 Is your #Ruby app vulnerable? Is it a ticking time bomb or is it safe in production?

If you don’t know, you need a security audit. Find out how many vulnerabilities are present in your code and dependencies. Let's talk!

go.fastruby.io/wbw

#RubySec #InfoSec #DevSecOps

2024-03-04

Crisis [hopefully] averted: the maintainer added some guard logic for the vulnerability and released 1.16.6. Updated the entry in ruby-advisory-db.

#rubysec

2024-03-03

Plot Twist: the maintainer of json-jwt contests whether it's even possible to create a web app that's vulnerable to CVE-2023-51774, due to the differences between the decoded JWT and JWE objects. I pointed the maintainer to the instructions on how to dispute a CVE.
github.com/nov/json-jwt/issues

I reached out to the original reporter asking them to produce a PoC vulnerable app that can be exploited.
github.com/P3ngu1nW/CVE_Reques

Debating whether to remove the CVE from ruby-advisory-db before GHSA/NVD removes it.
#rubysec