We’re happy to announce new updates to the Ruby analyzer. It now covers all the OWASP Top 10 issues and detects and autofixes more issues than ever before.
Issues derived from OWASP Top 10:
- Broken Authentication
- XML External Entities (XXE)
- Broken Access Control
- Cross-Site Scripting (XSS)
- Insecure Deserialization
- Using Components with Known Vulnerabilities
New rules:
DeepSourceRails/BasicAuthTimingAttack (RB-A1006):
[CVE-2015-7576] → Detects rails gem versions susceptible to timing attack in basic auth.
```ruby
# Gemfile
# bad
gem 'rails', '4.1.1'
# good
gem 'rails', '4.1.14.1'
```
DeepSourceRails/CheckXMLDos (RB-A1002):
[CVE-2015-3227] → Detects rails gem versions susceptible to an XML denial of service vulnerability.
```ruby
# Gemfile
# bad
gem 'rails', '3.0.1'
# good
gem 'rails', '3.2.22'
```
DeepSourceRails/CheckSymbolDos (RB-A1004):
[CVE-2013-1854] → Detects rails gem versions vulnerable to ActiveRecord symbol denial of service attacks.
```ruby
# Gemfile
# bad
gem 'rails', '3.2.1'
# good
gem 'rails', '3.2.13'
```
… and 8 more rules which are:
- DeepSourceRails/CheckCSRFTokenForgery (RB-A1001) → [CVE-2020-8166]
- DeepSourceRails/CheckFileDisclosure (RB-A1003) → [CVE-2014-7829]
- DeepSourceRails/SafeBufferManipulation (RB-A1005)
- DeepSourceRails/CheckI18nXss (RB-A1007) → [CVE-2013-4491]
- DeepSourceRails/MimeTypeDos (RB-A1008) → [CVE-2016-0751]
- DeepSourceRails/CheckSprocketsPathTraversal (RB-A1009) → [CVE-2018-3760]
- DeepSourceRails/CheckJSONEncoding (RB-A1010) → [CVE-2015-3226]
- DeepSourceRails/CheckRenderDOS (RB-A1011) → [CVE-2014-0082]
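The three Gemfile rules above all reduce to the same check: find the pinned `rails` version and compare it against the release that carries the fix. The following is an added illustration of that comparison, not the analyzer's own code; the thresholds are the "good" versions quoted on this page and the Gemfile text is constructed.

```ruby
require 'rubygems'

# Illustrative rule table built from the good versions quoted above.
# Assumption: a single threshold per CVE. The real rules track the fix on
# every maintained release branch (a 4.2.x release can still be vulnerable
# while being "newer" than the 4.1.x patch), so this is a simplification.
RAILS_VERSION_RULES = [
  { id: 'RB-A1006', cve: 'CVE-2015-7576', fixed_in: Gem::Version.new('4.1.14.1') },
  { id: 'RB-A1002', cve: 'CVE-2015-3227', fixed_in: Gem::Version.new('3.2.22') },
  { id: 'RB-A1004', cve: 'CVE-2013-1854', fixed_in: Gem::Version.new('3.2.13') }
].freeze

# Matches `gem 'rails', '4.1.1'` with single or double quotes.
# Lines without an exact pin (no version, or '~> 5.0') yield no version.
GEM_LINE = /\A\s*gem\s+(?<q1>['"])(?<name>[^'"]+)\k<q1>\s*,\s*(?<q2>['"])(?<version>[^'"]+)\k<q2>/

def pinned_rails_version(gemfile_text)
  gemfile_text.each_line do |line|
    m = GEM_LINE.match(line)
    next unless m && m[:name] == 'rails'
    # Gem::Version.correct? rejects operator-prefixed requirements such as '~> 5.0'.
    return Gem::Version.new(m[:version]) if Gem::Version.correct?(m[:version])
  end
  nil
end

# Returns "RULE-ID CVE" strings for every rule whose fix the pinned
# version predates, in rule-table order; [] when rails is not pinned.
def rails_findings(gemfile_text)
  version = pinned_rails_version(gemfile_text)
  return [] if version.nil?

  RAILS_VERSION_RULES.select { |r| version < r[:fixed_in] }
                     .map { |r| "#{r[:id]} #{r[:cve]}" }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample Gemfile using the "bad" pin from the first rule above.
  sample = "source 'https://rubygems.org'\ngem 'rails', '4.1.1'\ngem 'pg'\n"
  puts rails_findings(sample)
end
```

Gem::Version handles the four-component patch releases (4.1.14.1 sorts above 4.1.14) that a naive string comparison would get wrong.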
New autofixes:
Rails/Delegate (RB-RL1015):
Use the `delegate` keyword for Rails delegations.
Lint/UnderscorePrefixedVariableName (RB-LI1070):
Removes prefixed underscore for variables being used.
Lint/DuplicateRequire (RB-LI1096):
Removes any duplicate `require` or `require_relative` statements.
Performance/CompareWithBlock (RB-PR1005):
Replaces `sort`, `max` and `min` with the respective `_by` methods.
… and 34 more autofixes for Rails & Performance cops.