PSA: supply chain attacks (aka forking popular gems, changing the name slightly, and adding malicious code) are starting to show up on https://rubygems.org more often. Be cautious when adding a new gem to your project. Check who the author is, check the GitHub repository, look at the commit history, etc.
https://socket.dev/blog/malicious-ruby-gems-exfiltrate-telegram-tokens-and-messages-following-vietnam-ban

#ruby #security #rubysec

RubyGems.org | your community gem host

The so-called "supply chain attacks" (really just typosquatting) are starting to show up on https://rubygems.org. Luckily for the Ruby community all of the good gem names have already been taken /s.
https://socket.dev/blog/malicious-ruby-gems-exfiltrate-telegram-tokens-and-messages-following-vietnam-ban

#ruby #security #infosec #rubysec

Ruby's Bundler dependency manager now has checksum verification built-in to prevent cache poisoning attacks.
https://mensfeld.pl/2025/01/the-silent-guardian-why-bundler-checksums-are-a-game-changer-for-your-applications/

#ruby #rubysec #bundler

Bundler 2.6: Enhanced Security with Built-in Checksum Verification

Protect your Ruby projects from supply chain attacks with Bundler 2.6's new checksum verification. Learn how to implement this crucial security feature today.

Closer to Code
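An added illustration of what that verification does (example code, not from the linked post or from Bundler itself): it parses the CHECKSUMS section Bundler 2.6 records in Gemfile.lock and checks a gem archive's SHA-256 against the recorded digest before the archive would be unpacked. The lockfile excerpt and gem bytes are constructed, and the assumed entry layout is `name (version) sha256=<hex>`.

```ruby
require "digest"

# Constructed stand-ins for downloaded .gem archives; their digests are
# computed below, so the sample lockfile is internally consistent.
GOOD_RACK = "constructed archive bytes standing in for rack-3.1.8.gem".b
GOOD_RAKE = "constructed archive bytes standing in for rake-13.2.1.gem".b

# Constructed Gemfile.lock excerpt. "puma" is listed without a digest, which
# is what the lockfile looks like when the source offered no checksum.
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (3.1.8)
      rake (13.2.1)

  CHECKSUMS
    rack (3.1.8) sha256=#{Digest::SHA256.hexdigest(GOOD_RACK)}
    rake (13.2.1) sha256=#{Digest::SHA256.hexdigest(GOOD_RAKE)}
    puma (6.4.3)

  BUNDLED WITH
     2.6.0
LOCK

# Returns {"rack (3.1.8)" => ["sha256", "<hex>"], ...}; an entry without a
# digest maps to nil, and a pre-2.6 lockfile with no CHECKSUMS yields {}.
def parse_checksums(lockfile)
  section = nil
  lockfile.each_line.with_object({}) do |line, out|
    if line =~ /\A\S/ # an unindented line names a new section
      section = line.strip
      next
    end
    next unless section == "CHECKSUMS" &&
                (m = line.match(/\A\s+(\S+ \([^)]+\))(?: (\w+)=([0-9a-f]+))?\s*\z/))
    out[m[1]] = m[2] ? [m[2], m[3]] : nil
  end
end

# :ok when the archive matches the lock, :mismatch when it was altered or a
# poisoned cache served different bytes, :missing when nothing was recorded.
def verify_gem(lockfile, name, version, gem_bytes)
  entry = parse_checksums(lockfile)["#{name} (#{version})"]
  return :missing if entry.nil?
  algo, expected = entry
  return :unsupported unless algo == "sha256"
  Digest::SHA256.hexdigest(gem_bytes) == expected ? :ok : :mismatch
end

if __FILE__ == $PROGRAM_NAME
  puts verify_gem(LOCKFILE, "rack", "3.1.8", GOOD_RACK)       # ok
  puts verify_gem(LOCKFILE, "rack", "3.1.8", GOOD_RACK + "x") # mismatch
  puts verify_gem(LOCKFILE, "puma", "6.4.3", "anything")      # missing
end
```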

Someone found a Gem::SafeMarshal escape in Ruby! (Also, this blog is 🔥 for Ruby security research.)
https://nastystereo.com/security/ruby-safe-marshal-escape.html

#ruby #rubysec #securityresearch #vulnerabilityresearch #deserializationvulnerability

Gem::SafeMarshal escape / nastystereo.com

Note: before all of the script kiddies get their hopes up and think they can pwnxorize every Rails app, deserialization vulnerabilities in Ruby are actually quite rare these days due to Marshal.load almost never being used in the wild and YAML.load having been aliased to YAML.safe_load for some time now.

#rubysec #deserialization

Ruby 3.4 Universal RCE Deserialization Gadget Chain
https://nastystereo.com/security/ruby-3.4-deserialization.html

#ruby #rubysec

Ruby 3.4 Universal RCE Deserialization Gadget Chain / nastystereo.com

Catching up on ActiveRecord's new (circa 2023) encrypted column support (aka Encryption at Rest).
https://www.youtube.com/watch?v=IR2demNrMwQ

#rubysec #rails #encryption #encryptedatrest #encryptedstorage

Kylie Stradley - Everything we learned while Implementing ActiveRecord::Encryption - Rails World

TIL using the <math> tag for XSS with HTML5 parsers.
https://www.youtube.com/watch?v=USPLEASZ0Dc

#rails #html5 #xss #rubysec

Mike Dalessio - Rails::HTML5: the strange and remarkable three-year journey - Rails World 2023

If you want to know about the state of security in Ruby on Rails, check out @gregmolnar's talk.
https://www.youtube.com/watch?v=Z3DgOix0rIg

#rails #rubysec

Greg Molnar - The state of security in Rails 8 - Rails World 2024

Liking the new "maintainer" role for rubygem maintainers.
https://blog.rubygems.org/2024/11/07/maintainer-role.html

#rubygems #rubysec

Maintainer Role - RubyGems Blog