Just released bundler-audit 0.9.3, which officially adds support for Ruby 3.4, 3.5, 4.0, and Bundler 4.x.

https://github.com/rubysec/bundler-audit/releases/tag/v0.9.3
https://github.com/rubysec/bundler-audit#readme

#ruby #bundler #rubysec #bundler_audit #bundleraudit

Release 0.9.3 · rubysec/bundler-audit

Officially support Ruby 3.4, 3.5, and 4.0. Added support for Bundler 4.x. Fixed typos in API documentation. CLI: Ensure that the bundler-audit check command honors the BUNDLER_AUDIT_DB environment...


💣 Is your #Ruby app vulnerable to known CVEs? Is it safe in production? Is it ready for a #SOC2 audit?

If you don’t know, you need a security audit. Find out how many vulnerabilities are present in your code and dependencies. Let's talk!

https://go.fastruby.io/wbw

#RubySec #InfoSec #DevSecOps

PSA: supply chain attacks (aka forking popular gems, changing the name slightly, and adding malicious code) are starting to show up on https://rubygems.org more often. Be cautious when adding a new gem to your project. Check who the author is, check the GitHub repository, look at the commit history, etc.
https://socket.dev/blog/malicious-ruby-gems-exfiltrate-telegram-tokens-and-messages-following-vietnam-ban

#ruby #security #rubysec

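The PSA above says to be cautious with new gem names. One mechanical check worth running before anything manual: flag lockfile entries that are one edit (or a `-`/`_` swap) away from a gem you already trust. The following is an added example, not code from the post or from rubygems.org; the Gemfile.lock fragment, the gem names `nokogirl`, `rack_cors` and `pry`, and the `KNOWN_GEMS` allowlist are all constructed for illustration.

```ruby
# Constructed Gemfile.lock fragment in the layout Bundler writes: top-level gems sit under
# "specs:" at four-space indent, their own dependencies one level deeper.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.16.5)
        mini_portile2 (~> 2.8.2)
      nokogirl (1.16.5)
      rack_cors (2.0.2)
      rails-html-sanitizer (1.6.0)
      faraday (2.9.0)
      pry (0.14.2)

  PLATFORMS
    ruby
LOCK

# Names you already trust (assumed allowlist: seed it from a previous lockfile or a curated
# list, since "popular" is exactly what a typosquat imitates).
KNOWN_GEMS = %w[nokogiri mini_portile2 rack-cors rails-html-sanitizer faraday].freeze

# Top-level [name, version] pairs from the GEM specs section.
def lockfile_gems(lockfile)
  in_specs = false
  lockfile.each_line.with_object([]) do |line, gems|
    in_specs = line.strip == "specs:" || (in_specs && line.start_with?("    "))
    next unless in_specs && (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
    gems << [m[1], m[2]]
  end
end

# Classic Levenshtein distance: number of single-character edits between two names.
def edit_distance(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca == cb ? 0 : 1)].min
    end
    prev = cur
  end
  prev.last
end

# "-" and "_" are interchangeable in squatted names, so fold them before comparing.
def normalize(name)
  name.downcase.tr("_", "-")
end

# Returns { suspicious_name => known_name_it_resembles } for lockfile entries that are not in
# the allowlist but sit within max_distance edits of something that is.
def suspicious_gems(lockfile, known, max_distance: 1)
  lockfile_gems(lockfile).each_with_object({}) do |(name, _version), flagged|
    next if known.include?(name)
    closest = known.min_by { |k| edit_distance(normalize(name), normalize(k)) }
    flagged[name] = closest if edit_distance(normalize(name), normalize(closest)) <= max_distance
  end
end

if __FILE__ == $PROGRAM_NAME
  suspicious_gems(SAMPLE_LOCKFILE, KNOWN_GEMS).each do |name, known|
    puts "#{name}: resembles #{known}; check the author, repository and commit history before trusting it"
  end
end
```

On the sample above `nokogirl` (one edit from `nokogiri`) and `rack_cors` (separator swap of `rack-cors`) are flagged, while `pry` is unknown but not close to anything and is left alone. A hit is a prompt for the manual review the post describes, not a verdict.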

The so-called "supply chain attacks" (really just typosquatting) are starting to show up on https://rubygems.org. Luckily for the Ruby community all of the good gem names have already been taken🥁 /s.
https://socket.dev/blog/malicious-ruby-gems-exfiltrate-telegram-tokens-and-messages-following-vietnam-ban

#ruby #security #infosec #rubysec


Ruby's Bundler dependency manager now has checksum verification built-in to prevent cache poisoning attacks.
https://mensfeld.pl/2025/01/the-silent-guardian-why-bundler-checksums-are-a-game-changer-for-your-applications/

#ruby #rubysec #bundler

Bundler 2.6: Enhanced Security with Built-in Checksum Verification

Protect your Ruby projects from supply chain attacks with Bundler 2.6's new checksum verification. Learn how to implement this crucial security feature today.

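What the checksum feature boils down to is: the lockfile pins a SHA-256 of each .gem archive, and install time re-hashes what was downloaded and refuses a mismatch. The following is an added example of that check, written independently of Bundler's own implementation; the lockfile text and the `RACK_GEM_BYTES` stand-in for a downloaded archive are constructed, and the entry without a `sha256=` digest is an assumption about how a gem with no recorded checksum appears.

```ruby
require "digest"

# Constructed stand-in for the bytes of a downloaded .gem archive.
RACK_GEM_BYTES = "constructed bytes standing in for rack-3.1.3.gem".b

# Constructed Gemfile.lock with a CHECKSUMS section in the shape Bundler 2.6 writes:
# one "name (version) sha256=<hex>" line per gem. The digest-less entry is an assumed
# shape for a gem whose checksum was never recorded.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (3.1.3)

  PLATFORMS
    ruby

  CHECKSUMS
    rack (3.1.3) sha256=#{Digest::SHA256.hexdigest(RACK_GEM_BYTES)}
    unrecorded-gem (1.0.0)

  BUNDLED WITH
     2.6.2
LOCK

# Parse CHECKSUMS into { [name, version] => hex_digest_or_nil }.
def lockfile_checksums(lockfile)
  section = lockfile[/^CHECKSUMS\n(.*?)(?:\n\n|\z)/m, 1] || ""
  section.each_line.with_object({}) do |line, out|
    m = line.match(/\A\s*(\S+) \((\S+)\)(?: sha256=([0-9a-f]{64}))?\s*\z/)
    out[[m[1], m[2]]] = m[3] if m
  end
end

# Re-hash the archive about to be installed and compare with what the lockfile pinned.
# A missing digest is reported as a gap rather than silently passing.
def verify_gem(lockfile, name, version, gem_bytes)
  checksums = lockfile_checksums(lockfile)
  return :not_in_lockfile unless checksums.key?([name, version])
  recorded = checksums[[name, version]]
  return :no_checksum_recorded if recorded.nil?
  Digest::SHA256.hexdigest(gem_bytes) == recorded ? :ok : :mismatch
end

if __FILE__ == $PROGRAM_NAME
  puts verify_gem(SAMPLE_LOCKFILE, "rack", "3.1.3", RACK_GEM_BYTES)
  puts verify_gem(SAMPLE_LOCKFILE, "rack", "3.1.3", RACK_GEM_BYTES + "tampered")
end
```

Two practical notes: an existing project gets the section via `bundle lock --add-checksums` (Bundler 2.6), and the protection only holds if the lockfile itself is reviewed in code review and installs run with the lockfile frozen, otherwise a malicious change can simply ship a new digest alongside the new archive.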

Someone found a Gem::SafeMarshal escape in Ruby! (Also, this blog is 🔥 for Ruby security research.)
https://nastystereo.com/security/ruby-safe-marshal-escape.html

#ruby #rubysec #securityresearch #vulnerabilityresearch #deserializationvulnerability

Gem::SafeMarshal escape / nastystereo.com

Note: before all of the script kiddies get their hopes up and think they can pwnxorize every Rails app, deserialization vulnerabilities in Ruby are actually quite rare these days, because Marshal.load is almost never used in the wild and YAML.load has been aliased to YAML.safe_load for some time now.
#rubysec #deserialization
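For anyone unsure why Marshal.load on untrusted bytes is the thing to avoid: Marshal resolves whatever class names the stream carries and invokes their load hooks before the caller ever sees the object. The following is an added illustration, not code from the post or from any referenced research, and it demonstrates no real gadget: `CachedReport` is a constructed application class whose `marshal_load` records a side effect, and the payloads are built from it.

```ruby
require "json"

# Hypothetical application class (constructed). Ruby calls marshal_load on a fresh instance
# whenever Marshal.load meets this class in the stream, so its body runs on untrusted input.
class CachedReport
  attr_reader :title, :events

  def initialize(title)
    @title  = title
    @events = []
  end

  def marshal_dump
    [@title]
  end

  def marshal_load(fields)
    @title  = fields.first
    @events = ["marshal_load ran for #{@title.inspect}"] # stands in for a real side effect
  end
end

# Attacker-controlled bytes. Anything Marshal.dump can emit can be hand-crafted; dumping an
# instance is simply the quickest way to get a valid stream naming a class the app loads.
def attacker_marshal_payload(title)
  Marshal.dump(CachedReport.new(title))
end

# Same stream, but naming a class that does not exist in this process (same length so the
# length-prefixed symbol stays valid).
def payload_naming_unknown_class(payload)
  payload.sub("CachedReport", "DoesNotExist")
end

# Insecure: Marshal.load instantiates the named class and runs its hook; returns what ran.
def restore_with_marshal(bytes)
  obj = Marshal.load(bytes)
  obj.respond_to?(:events) ? obj.events : []
end

# Marshal only resolves classes already defined in the process; an unknown name fails with
# ArgumentError instead of loading anything. That limits an attacker to gadgets already loaded.
def restore_unknown_class(bytes)
  Marshal.load(bytes)
  :loaded
rescue ArgumentError => e
  e.message
end

# Safer: JSON.parse yields only Hash/Array/String/Numeric/true/false/nil, never app objects,
# so the application decides explicitly which fields to accept.
def restore_with_json(text)
  data = JSON.parse(text)
  data.is_a?(Hash) && data["title"].is_a?(String) ? { title: data["title"] } : nil
end

if __FILE__ == $PROGRAM_NAME
  p restore_with_marshal(attacker_marshal_payload("q3"))
  p restore_unknown_class(payload_naming_unknown_class(attacker_marshal_payload("q3")))
  p restore_with_json('{"title":"q3"}')
end
```

The middle case is the reason the post's "rare these days" holds up in practice: a Marshal payload can only reach classes the target process has already loaded, which is exactly what a gadget chain like the one linked below has to be built from.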

Ruby 3.4 Universal RCE Deserialization Gadget Chain
https://nastystereo.com/security/ruby-3.4-deserialization.html

#ruby #rubysec

Ruby 3.4 Universal RCE Deserialization Gadget Chain / nastystereo.com

Catching up on ActiveRecord's new (circa 2023) encrypted column support (aka Encryption at Rest).
https://www.youtube.com/watch?v=IR2demNrMwQ

#rubysec #rails #encryption #encryptedatrest #encryptedstorage

Kylie Stradley - Everything we learned while Implementing ActiveRecord::Encryption - Rails World


TIL using the <math> tag for XSS with HTML5 parsers.
https://www.youtube.com/watch?v=USPLEASZ0Dc

#rails #html5 #xss #rubysec

Mike Dalessio - Rails::HTML5: the strange and remarkable three-year journey - Rails World 2023
