Ruby analyzer updates - OWASP top 10 coverage, new issues and autofixes

We’re happy to announce new updates to the Ruby analyzer. It now covers all the OWASP Top 10 issues and detects and autofixes more issues than ever before.

Issues derived from OWASP Top 10:

  1. Broken Authentication
  2. XML External Entities (XXE)
  3. Broken Access Control
  4. Cross-Site Scripting (XSS)
  5. Insecure Deserialization
  6. Using Components with Known Vulnerabilities

New rules:

DeepSourceRails/BasicAuthTimingAttack (RB-A1006):

[CVE-2015-7576] → Detects rails gem versions susceptible to a timing attack in basic auth.

# Gemfile
# bad
gem 'rails', '4.1.1'

# good
gem 'rails', '4.1.14.1'

DeepSourceRails/CheckXMLDos (RB-A1002):

[CVE-2015-3227] → Detects rails gem versions susceptible to an XML denial of service vulnerability.

# Gemfile
# bad
gem 'rails', '3.0.1'

# good
gem 'rails', '3.2.22'

DeepSourceRails/CheckSymbolDos (RB-A1004):

[CVE-2013-1854] → Detects rails gem versions vulnerable to ActiveRecord symbol denial of service attacks.

# Gemfile
# bad
gem 'rails', '3.2.1'

# good
gem 'rails', '3.2.13'
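
A simplified version check for the three rules above, as an added example (not DeepSource's implementation). It uses only the "good" pins shown on this page and assumes each is the first fixed release in its major.minor line; the helper names and the :unknown status are hypothetical.

```ruby
require 'rubygems'

# Constructed table: rule IDs, CVEs and "good" pins copied from this page.
# Assumption: each "good" pin is the first fixed release in its own release line.
PAGE_RULES = [
  { id: 'RB-A1006', cve: 'CVE-2015-7576', fixed: '4.1.14.1' },
  { id: 'RB-A1002', cve: 'CVE-2015-3227', fixed: '3.2.22' },
  { id: 'RB-A1004', cve: 'CVE-2013-1854', fixed: '3.2.13' }
].freeze

# Exact pin only ('4.1.1' or '= 4.1.1'). Returns nil when rails is absent,
# commented out, or constrained with an operator (~>, >=): those resolve in
# Gemfile.lock, which this sketch does not read.
def pinned_rails_version(gemfile_text)
  gemfile_text.each_line do |line|
    code = line.sub(/#.*/, '').strip
    m = code.match(/\Agem\s+['"]rails['"]\s*,\s*['"]\s*(?:=\s*)?(\d[\w.]*)['"]/)
    return Gem::Version.new(m[1]) if m
  end
  nil
end

# Compare only inside the release line (major.minor) of the known fix.
# A plain ">=" would wrongly clear e.g. 4.2.0 against a fix known for 4.1.x,
# and string comparison would rank '4.1.2' above '4.1.14.1'.
def check_rule(version, rule)
  fixed = Gem::Version.new(rule[:fixed])
  return :unknown unless version.segments.first(2) == fixed.segments.first(2)
  version < fixed ? :vulnerable : :ok
end

# Maps each rule ID to :vulnerable, :ok or :unknown; empty hash if no exact pin.
def audit(gemfile_text)
  version = pinned_rails_version(gemfile_text)
  return {} if version.nil?
  PAGE_RULES.to_h { |rule| [rule[:id], check_rule(version, rule)] }
end

# Constructed sample input.
SAMPLE_GEMFILE = <<~GEMFILE
  source 'https://rubygems.org'
  # gem 'rails', '3.0.1'
  gem 'rails', '3.2.13'
GEMFILE

audit(SAMPLE_GEMFILE).each { |id, status| puts "#{id}: #{status}" }
```

A pin outside those release lines, such as the 3.0.1 shown under RB-A1002, comes back as :unknown because this page lists no fixed release for that line.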

… and 8 more rules which are:

  • DeepSourceRails/CheckCSRFTokenForgery (RB-A1001) [CVE-2020-8166]
  • DeepSourceRails/CheckFileDisclosure (RB-A1003) [CVE-2014-7829]
  • DeepSourceRails/SafeBufferManipulation (RB-A1005)
  • DeepSourceRails/CheckI18nXss (RB-A1007) [CVE-2013-4491]
  • DeepSourceRails/MimeTypeDos (RB-A1008) [CVE-2016-0751]
  • DeepSourceRails/CheckSprocketsPathTraversal (RB-A1009) [CVE-2018-3760]
  • DeepSourceRails/CheckJSONEncoding (RB-A1010) [CVE-2015-3226]
  • DeepSourceRails/CheckRenderDOS (RB-A1011) [CVE-2014-0082]

New autofixes:

Rails/Delegate (RB-RL1015):

Use the delegate keyword for Rails delegations.

Lint/UnderscorePrefixedVariableName (RB-LI1070):

Removes the underscore prefix from variables that are used.

Lint/DuplicateRequire (RB-LI1096):

Removes any duplicate require or require_relative statements.

Performance/CompareWithBlock (RB-PR1005):

Replaces sort, max and min with the respective _by methods.

… and 34 more autofixes for Rails & Performance cops.