
Secure Your Ruby / Rails App with bundler-audit #8

JuanitoFatas opened this issue Oct 24, 2015 · 0 comments
bundler-audit

bundler-audit is a gem which provides patch-level verification for Bundler.

When you use Bundler, a lockfile Gemfile.lock will be generated in your project,
and bundler-audit scans your Gemfile.lock to see if you are:

  • Using a vulnerable version of a gem
  • Installing gems from an insecure source such as http:// or git@

Let's see how we can use bundler-audit.

First, install bundler-audit:

$ gem install bundler-audit

Let's take a look at an example. The following is the output when run against jollygoodcode/dasherize's Gemfile@1eaf973:

$ bundle-audit
Insecure Source URI found: git://github.com/rails/turbolinks.git
Vulnerabilities found!

Note that the command is bundle-audit instead of bundler-audit.

bundler-audit is warning us that an "Insecure Source URI" has been found, and that's because a gem is installed from an insecure source, git://github.com, which could be subject to man-in-the-middle (MITM) attacks.

The solution is to either install the gem from https:// or use a released gem.

How does bundler-audit know about all the vulnerabilities?

Under the hood, bundler-audit uses data from ruby-advisory-db to check your Gemfile.lock. And while bundler-audit comes with vendored data, you should update the ruby-advisory-db data every time before you run bundle-audit:

$ bundle-audit update
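
As an added example (not code from this post or from bundler-audit itself), the following Ruby script performs the same two checks the tool runs on a constructed Gemfile.lock: flagging insecure remote URIs and comparing locked gem versions against an advisory's patched range. SAMPLE_LOCK and ADVISORIES are made-up inputs, not real ruby-advisory-db entries.

```ruby
# Constructed sample lockfile mirroring the turbolinks case from the post.
SAMPLE_LOCK = <<~LOCK
  GIT
    remote: git://github.com/rails/turbolinks.git
    revision: 0000000000000000000000000000000000000000
    specs:
      turbolinks (3.0.0)

  GEM
    remote: https://rubygems.org/
    specs:
      rack (1.6.0)
      rake (10.4.2)
LOCK

# Constructed advisory for illustration; not an entry from ruby-advisory-db.
ADVISORIES = [{ gem: "rack", id: "EXAMPLE-0001", patched: [">= 1.6.2"] }]

# Transports the post calls insecure: cleartext http://, unauthenticated git://, scp-style git@.
INSECURE = %r{\A(git|http)://|\Agit@}

# Returns [{section:, remote:}] for each remote whose transport is insecure.
def insecure_sources(lock)
  section = nil
  lock.each_line.with_object([]) do |line, found|
    section = line.strip if line =~ /\A[A-Z]+\s*\z/   # GIT, GEM, PATH ...
    if (m = line.match(/\A\s+remote:\s*(\S+)/)) && m[1] =~ INSECURE
      found << { section: section, remote: m[1] }
    end
  end
end

# Returns {name => version} for every gem pinned under a specs: block.
def locked_gems(lock)
  lock.scan(/^    ([\w-]+) \(([^)]+)\)/).to_h
end

# Returns advisory ids whose gem is locked at a version outside the patched range.
def vulnerable_gems(lock, advisories = ADVISORIES)
  gems = locked_gems(lock)
  advisories.select do |adv|
    (v = gems[adv[:gem]]) && !Gem::Requirement.new(*adv[:patched]).satisfied_by?(Gem::Version.new(v))
  end.map { |adv| adv[:id] }
end
```

Switching the turbolinks remote to https:// makes insecure_sources return an empty list, which is the fix the post recommends.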

Hook bundler-audit to your CI Workflow

It's easy to integrate bundler-audit as part of your CI workflow,
and the following steps work for any Ruby project (it doesn't have to be Rails).

First, add a rake Task:

$ touch lib/bundler/audit/task.rb

With the following content:

require "rake/tasklib"

module Bundler
  module Audit
    # Defines a bundle:audit rake task that refreshes ruby-advisory-db and then scans Gemfile.lock.
    class Task < Rake::TaskLib
      def initialize
        define
      end

      protected

      def define
        namespace :bundle do
          desc "Updates the ruby-advisory-db then runs bundle-audit"
          task :audit do
            require "bundler/audit/cli"
            # Same as running `bundle-audit update` followed by `bundle-audit check`.
            %w(update check).each do |command|
              Bundler::Audit::CLI.start [command]
            end
          end
        end
      end
    end
  end
end

If you run your specs or tests with rake, add this to Rakefile:

require_relative "lib/bundler/audit/task"
Bundler::Audit::Task.new

task default: "bundle:audit"

Or to any other rake file name that rake recognises: rakefile, Rakefile, rakefile.rb, Rakefile.rb.

Now when you run rake with this new rake task, rake will first run your tests,
and then update ruby-advisory-db before executing bundle-audit.

Secure your app with bundler-audit today!

The bundler-audit is brought to you by rubysec, kudos to @rubysec & @postmodern.

Thanks for reading!

@JuanitoFatas ✏️ Jolly Good Code

About Jolly Good Code

Jolly Good Code

We specialise in Agile practices and Ruby, and we love contributing to open source.
Speak to us about your next big idea, or check out our projects.
