@ledsun blog

Hのキーがhellで、Sのキーがslaveだ、と彼は思った。そしてYのキーがyouだ。

RailsをセキュリティチェックするGem

www.youtube.com

で、紹介されているなかで

を、試してみました。

どちらも使うのはめちゃ簡単です。

Gemfileに次のような記述を追加します。

group :development do
  gem 'brakeman'
  gem 'bundler-audit'
end

あとは

bundle 
bundle exec brakeman
bundle exec bundle audit

とすれば実行できます。

実行結果

つぎのようにズラズラっと情報が出てきます。 試したRailsアプリケーションのRailsのバージョンが古いために出てきている情報が多いです。 まずはRailsのバージョンを上げてから、再度チェックしてみるのがよさそうです。

brakeman

~ bundle exec brakeman
Loading scanner...
Processing application in /Users/shigerunakajima/lodqa-db
Processing gems...
[Notice] Detected Rails 5 application
Processing configuration...
[Notice] Escaping HTML by default
Parsing files...
Detecting file types...
Processing initializers...
Processing libs...ed
Processing routes...
Processing templates...
Processing data flow in templates...
Processing models...
Processing controllers...
Processing data flow in controllers...
Indexing call sites...
Running checks in parallel...
 - CheckBasicAuth
 - CheckBasicAuthTimingAttack
 - CheckCrossSiteScripting
 - CheckContentTag
 - CheckCookieSerialization
 - CheckCreateWith
 - CheckCSRFTokenForgeryCVE
 - CheckDefaultRoutes
 - CheckDeserialize
 - CheckDetailedExceptions
 - CheckDigestDoS
 - CheckDynamicFinders
 - CheckEscapeFunction
 - CheckEvaluation
 - CheckExecute
 - CheckFileAccess
 - CheckFileDisclosure
 - CheckFilterSkipping
 - CheckForgerySetting
 - CheckHeaderDoS
 - CheckI18nXSS
 - CheckJRubyXML
 - CheckJSONEncoding
 - CheckJSONEntityEscape
 - CheckJSONParsing
 - CheckLinkTo
 - CheckLinkToHref
 - CheckMailTo
 - CheckMassAssignment
 - CheckMimeTypeDoS
 - CheckModelAttrAccessible
 - CheckModelAttributes
 - CheckModelSerialize
 - CheckNestedAttributes
 - CheckNestedAttributesBypass
 - CheckNumberToCurrency
 - CheckPageCachingCVE
 - CheckPermitAttributes
 - CheckQuoteTableName
 - CheckRedirect
 - CheckRegexDoS
 - CheckRender
 - CheckRenderDoS
 - CheckRenderInline
 - CheckResponseSplitting
 - CheckRouteDoS
 - CheckSafeBufferManipulation
 - CheckSanitizeMethods
 - CheckSelectTag
 - CheckSelectVulnerability
 - CheckSend
 - CheckSendFile
 - CheckSessionManipulation
 - CheckSessionSettings
 - CheckSimpleFormat
 - CheckSingleQuotes
 - CheckSkipBeforeFilter
 - CheckSprocketsPathTraversal
 - CheckSQL
 - CheckSQLCVEs
 - CheckSSLVerify
 - CheckStripTags
 - CheckSymbolDoSCVE
 - CheckTemplateInjection
 - CheckTranslateBug
 - CheckUnsafeReflection
 - CheckUnsafeReflectionMethods
 - CheckValidationRegex
 - CheckVerbConfusion
 - CheckWithoutProtection
 - CheckXMLDoS
 - CheckYAMLParsing
Checks finished, collecting results...
Generating report...

== Brakeman Report ==

Application Path: /Users/shigerunakajima/lodqa-db
Rails Version: 5.0.7.2
Brakeman Version: 5.1.1
Scan Date: 2021-10-21 04:40:52 +0900
Duration: 1.512554 seconds
Checks Run: BasicAuth, BasicAuthTimingAttack, CSRFTokenForgeryCVE, ContentTag, CookieSerialization, CreateWith, CrossSiteScripting, DefaultRoutes, Deserialize, DetailedExceptions, DigestDoS, DynamicFinders, EscapeFunction, Evaluation, Execute, FileAccess, FileDisclosure, FilterSkipping, ForgerySetting, HeaderDoS, I18nXSS, JRubyXML, JSONEncoding, JSONEntityEscape, JSONParsing, LinkTo, LinkToHref, MailTo, MassAssignment, MimeTypeDoS, ModelAttrAccessible, ModelAttributes, ModelSerialize, NestedAttributes, NestedAttributesBypass, NumberToCurrency, PageCachingCVE, PermitAttributes, QuoteTableName, Redirect, RegexDoS, Render, RenderDoS, RenderInline, ResponseSplitting, RouteDoS, SQL, SQLCVEs, SSLVerify, SafeBufferManipulation, SanitizeMethods, SelectTag, SelectVulnerability, Send, SendFile, SessionManipulation, SessionSettings, SimpleFormat, SingleQuotes, SkipBeforeFilter, SprocketsPathTraversal, StripTags, SymbolDoSCVE, TemplateInjection, TranslateBug, UnsafeReflection, UnsafeReflectionMethods, ValidationRegex, VerbConfusion, WithoutProtection, XMLDoS, YAMLParsing

== Overview ==

Controllers: 8
Models: 10
Templates: 25
Errors: 0
Security Warnings: 4

== Warning Types ==

Cross-Site Request Forgery: 2
Redirect: 1
Remote Code Execution: 1

== Warnings ==

Confidence: Medium
Category: Cross-Site Request Forgery
Check: CSRFTokenForgeryCVE
Message: Rails 5.0.7.2 has a vulnerability that may allow CSRF token forgery. Upgrade to Rails 5.2.4.3 or patch
File: Gemfile.lock
Line: 123

Confidence: Medium
Category: Cross-Site Request Forgery
Check: ForgerySetting
Message: `protect_from_forgery` should be configured with `with: :exception`
File: app/controllers/application_controller.rb

Confidence: Medium
Category: Remote Code Execution
Check: CookieSerialization
Message: Use of unsafe cookie serialization strategy `:marshal` might lead to remote code execution
Code: Rails.application.config.action_dispatch.cookies_serializer = :marshal
File: config/initializers/cookies_serializer.rb
Line: 5

Confidence: Weak
Category: Redirect
Check: Redirect
Message: Possible unprotected redirect
Code: redirect_to((targets_path + "?grid[f][users.email]=#{User.find_by!(:username => params[:username]).email}"))
File: app/controllers/users_controller.rb
Line: 7

bundler audit

~ bundle exec bundler audit
Download ruby-advisory-db ...
Cloning into '/Users/shigerunakajima/.local/share/ruby-advisory-db'...
remote: Enumerating objects: 7123, done.
remote: Counting objects: 100% (2007/2007), done.
remote: Compressing objects: 100% (1079/1079), done.
remote: Total 7123 (delta 731), reused 1348 (delta 565), pack-reused 5116
Receiving objects: 100% (7123/7123), 1.36 MiB | 11.61 MiB/s, done.
Resolving deltas: 100% (3215/3215), done.
ruby-advisory-db:
  advisories:   522 advisories
  last updated: 2021-10-12 11:21:05 -0700
  commit:   3d02c5e6a0f4ad9416db2e1474a14f6047d1e432
Insecure Source URI found: git://github.com/KishiKyousuke/facebox-rails.git
Name: actionpack
Version: 5.0.7.2
CVE: CVE-2021-22885
GHSA: GHSA-hjg4-8q5f-x6fm
Criticality: High
URL: https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI
Title: Possible Information Disclosure / Unintended Method Execution in Action Pack
Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, >= 6.0.3.7, ~> 6.0.3, >= 6.1.3.2

Name: actionpack
Version: 5.0.7.2
CVE: CVE-2020-8166
GHSA: GHSA-jp5v-5gx4-jmj9
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw
Title: Ability to forge per-form CSRF tokens given a global CSRF token
Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

Name: actionpack
Version: 5.0.7.2
CVE: CVE-2020-8164
GHSA: GHSA-8727-m6gj-mc37
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
Title: Possible Strong Parameters Bypass in ActionPack
Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

Name: actionpack
Version: 5.0.7.2
CVE: CVE-2021-22904
GHSA: GHSA-7wjx-3g7j-8584
Criticality: High
URL: https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ
Title: Possible DoS Vulnerability in Action Controller Token Authentication
Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, >= 6.0.3.7, ~> 6.0.3, >= 6.1.3.2

Name: actionview
Version: 5.0.7.2
CVE: CVE-2020-15169
GHSA: GHSA-cfjv-5498-mph5
Criticality: Medium
URL: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc
Title: Potential XSS vulnerability in Action View
Solution: upgrade to >= 5.2.4.4, ~> 5.2.4, >= 6.0.3.3

Name: actionview
Version: 5.0.7.2
CVE: CVE-2020-5267
GHSA: GHSA-65cv-r6x7-79hv
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8
Title: Possible XSS vulnerability in ActionView
Solution: upgrade to >= 5.2.4.2, ~> 5.2.4, >= 6.0.2.2

Name: actionview
Version: 5.0.7.2
CVE: CVE-2020-8167
GHSA: GHSA-xq5j-gw7f-jgj8
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0
Title: CSRF Vulnerability in rails-ujs
Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

Name: activerecord
Version: 5.0.7.2
CVE: CVE-2021-22880
GHSA: GHSA-8hc4-xxm3-5ppp
Criticality: Medium
URL: https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI
Title: Possible DoS Vulnerability in Active Record PostgreSQL adapter
Solution: upgrade to >= 5.2.4.5, ~> 5.2.4, >= 6.0.3.5, ~> 6.0.3, >= 6.1.2.1

Name: activesupport
Version: 5.0.7.2
CVE: CVE-2020-8165
GHSA: GHSA-2p68-f74v-9wc6
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c
Title: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

Name: kaminari
Version: 1.1.1
CVE: CVE-2020-11082
GHSA: GHSA-r5jw-62xg-j433
Criticality: Medium
URL: https://github.com/kaminari/kaminari/security/advisories/GHSA-r5jw-62xg-j433
Title: Cross-Site Scripting in Kaminari via `original_script_name` parameter
Solution: upgrade to >= 1.2.1

Vulnerabilities found!