Hacker News new | ask | show | jobs
by dwheeler 2322 days ago
If you're using Ruby on Rails, you should be using a static code analyzer to look for vulnerabilities. Please take a look at Railroader, an OSS tool I maintain that does this (and contributors are wanted!): https://railroader.org/

I recommend that you also use a web application scanner like OWASP ZAP and something to scan your dependencies for known vulnerabilities (e.g., bundle audit or GitHub's scanner).

That is in addition to normal software development tools like a style checker (like Rubocop) and a test suite with good coverage (e.g., minitest).

If you develop software, it's going to get attacked. There are some pretty straightforward ways to help resist attacks, but you have to use them.
2 comments
Polylactic_acid 2322 days ago
Static code analyzers don't seem to find too much interesting in my experience. They could basically only find string interpol in queries and uses of constantize. Ruby is just too dynamic to find any really interesting issues.
link
tprynn 2322 days ago
Really? I find that brakeman is a pretty amazing tool which finds a number of surprising issues. Of course, these days the vast majority of Rails apps already have brakeman set up, so it's used more as part of the commit process and less of a "wow, here's a few dozen potentially high-impact web vulns". I wouldn't hesitate to say that it's the most high-signal SCA tool I've used across any language/framework.

(source: a few years of webapp pentesting and Rails app dev)

link
Polylactic_acid 2322 days ago
I ran brakeman on our app and it found a bunch of things that were almost vulnerabilities because it was unable to work out the source of some data going in to a potentially unsafe function but after I inspected all of them, none of them were actual vulnerabilities. Meanwhile a bunch of real issues go undetected that could have been spotted in a language like rust.
link
thrownaway954 2322 days ago
https://github.com/presidentbeef/brakeman

link to mentioned app for those interested.

link
slimed 2322 days ago
The bar is low for such tools regardless of programming language. In a language as dynamic as Ruby it's several miles into the Earth's crust. The tool won't be able to tell you much of anything you shouldn't already know. "Potentially high-impact web vulns" is a next to useless metric when provided by such a tool. The rate of false positives is high. A distraction such as this when your application surely has more serious vulnerabilities is not helpful.
link
dwheeler 2320 days ago
Railroader and Brakeman compensate for this by not being generic analysis tools for Ruby, but instead focusing specifically only on Ruby on Rails. Because Ruby on Rails has a lot of additional conventions, it's much easier to build a specialized tool to look for violations of those conventions.
link
SmileyJames 2322 days ago
I installed and ran railroader.

It encountered an error: /var/lib/gems/2.5.0/gems/sexp_processor-4.13.0/lib/sexp.rb:222:in `line': setting s(:args).line nil (ArgumentError)

ruby 2.5.1p57

link