RubyGems security

One recent problem with RubyGems security was a request hijacking vulnerability. As described by the vulnerability researchers, RubyGems has a “Gem Server Discovery” feature that relies on DNS SRV records to find a gem server. Because these records may point to any URL, the lookup was vulnerable to DNS hijacking attacks. Update RubyGems to the latest version: gem update --system

Other RubyGems security measures

  • Use only HTTPS gem sources. Run gem sources to list the configured sources, and use the --add and --remove flags to add or remove sources from that list.
  • Check the gem source at the beginning of your Gemfile; it should be HTTPS: source "https://rubygems.org"
  • Also, don't use the git:// protocol as a gem source, because it is unencrypted, just like plain HTTP; replace it with the HTTPS version.
  • Don't use the :github parameter until Bundler 2 comes out, because right now it also uses the git:// protocol.
    However, if you still want to use that handy shortcut to centralize the gem sources, you can override the :github shortcut with your own HTTPS git source at the beginning of your Gemfile (see the “custom git sources” section in the Bundler docs):
    git_source(:github) do |repos_name|
      # "rails" becomes "rails/rails"; "user/repo" is kept as-is
      repos_name = "#{repos_name}/#{repos_name}" unless repos_name.include?("/")
      # always expand to an HTTPS clone URL instead of git://
      "https://github.com/#{repos_name}.git"
    end
  • Also, if you use more than one source in your Gemfile, use source blocks instead of source attributes. So not gem "personal-gem", source: "https://privategems.com", but
     
    source "https://privategems.com" do
      gem "personal-gem"
    end
     
    Do this until Bundler solves this problem itself.
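As an added example that is not from the original article, here is a small Ruby lint that flags the Gemfile patterns listed above: plain-HTTP sources, gem-level source: attributes, git:// URLs, and a :github shortcut used without an HTTPS git_source override. The Gemfile text and the domains in it are constructed for the demo.

```ruby
# Added example: lint a Gemfile for the insecure patterns discussed above.
# SAMPLE_GEMFILE is constructed for the demo; privategems.com is a placeholder.
SAMPLE_GEMFILE = <<~GEMFILE
  source "http://rubygems.org"
  gem "rails"
  gem "personal-gem", source: "http://privategems.com"
  gem "foo", git: "git://github.com/example/foo.git"
  gem "bar", github: "example/bar"
  source "https://internal.example.com" do
    gem "baz"
  end
GEMFILE

# Returns an array of [line_number, message] pairs, one per risky line.
def lint_gemfile(text)
  findings = []
  # A git_source(:github) override anywhere in the file makes :github safe.
  github_overridden = text.include?("git_source(:github)")
  text.each_line.with_index(1) do |line, no|
    code = line.sub(/#.*/, "").strip # drop comments
    next if code.empty?
    # Top-level or block-level `source` must be HTTPS.
    if code =~ %r{\Asource\s+["'](http://[^"']+)["']}
      findings << [no, "plain HTTP gem source #{$1}; use https://"]
    end
    # A `source:` attribute on a gem line; use a source block instead.
    if code =~ /\Agem\s.*\bsource:\s*["']([^"']+)["']/
      findings << [no, "gem-level source: #{$1}; wrap the gem in a source block"]
    end
    # git:// is unencrypted; use an https:// git URL.
    if code =~ %r{\b(git|source):\s*["'](git://[^"']+)["']}
      findings << [no, "git:// URL #{$2}; use https://"]
    end
    # :github expands to git:// unless git_source(:github) is overridden.
    if code =~ /\bgithub:\s*["']([^"']+)["']/ && !github_overridden
      findings << [no, "github: shortcut for #{$1} without an HTTPS git_source override"]
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  lint_gemfile(SAMPLE_GEMFILE).each { |no, msg| puts "line #{no}: #{msg}" }
end
```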
