Security Audit of Ruby on Rails
X41 performed a source code audit of Ruby on Rails (“Rails”), a full-stack web development framework, sponsored and organized once again by the Open Source Technology Improvement Fund. GitLab also directly supported the assessment by sponsoring participation of the GitLab Security Research Lab Team in the audit. The report, including the Threat Model and Test Plan, is released now that the development team addressed the issues identified.
Full report of the security audit: https://www.x41-dsec.de/static/reports/X41-Rails-Audit-Final-Report-PUBLIC.pdf
OSTIF Blogpost: https://ostif.org/ruby-on-rails-audit-complete/
Rails
The Rails web framework includes many tools needed for both front-end and back-end development, including the rendering of HTML templates, updating of databases, sending and receiving of emails, and security protections against common attacks. Vulnerabilities in the framework could allow attacks on websites using it or on their users.
Audit Results and Notable Findings
Our security source code audit identified one high and six low severity security issues. Additionally, six issues without a direct security impact (“informational findings”) were identified. The source code of Ruby on Rails was inspected for vulnerabilities by the security experts Eric Sesterhenn, Joern Schneeweisz, J.M., Markus Vervier, and Robert Femmer using manual code review and code analysis tools.
The most severe issue identified in this audit could potentially allow an attacker to achieve code execution by abusing an incomplete fix for a vulnerability in the image_processing Gem that is part of ActiveStorage. Other issues include the lack of comprehensive deauthentication mechanisms in ActionCable, potential parsing vulnerabilities for different formats like JSON and HTTP, and logical bugs in ActiveStorage that could lead to dangerous file accesses.
Conclusion
The review highlights third-party dependency handling as an area requiring further investigation due to its critical role in security. X41 recommends performing follow-up tests such as code audits of these third-party dependencies and assessing popular Gems within the Ruby on Rails ecosystem. Aside from that, the code review showed that over recent years the maturity of the Rails code base has grown significantly with regard to security.
If you are interested in working with us on such projects in the future, remote or in-office, ping us!