RubyGems security

One recent problem with RubyGems security was a request hijacking vulnerability. As the vulnerability researchers describe it, RubyGems has a “Gem Server Discovery” feature that relies on DNS SRV records to find a gem server. Because these records may point to any URL, the feature was vulnerable to DNS hijacking attacks. Update RubyGems to the latest version: gem update --system

Other RubyGems security measures

  • Use only HTTPS gem sources. Run gem sources to list the configured sources, and use the --add and --remove options to add and remove entries from the list.
  • Check the gem source at the beginning of your Gemfile; it should be HTTPS: source "https://rubygems.org"
  • Also, you shouldn’t use the git:// protocol as a gem source because it’s using HTTP; replace it with the HTTPS version.
  • You shouldn’t use the :github parameter until Bundler 2 comes out, because right now it also uses the git:// protocol.
    However, if you still want to use that handy shortcut to centralize the gem sources, you can override the :github shortcut with your own HTTPS git source at the beginning of your Gemfile (see the “custom git sources” section in the Bundler docs):
    git_source(:github) do |repos_name|
      repos_name = "#{repos_name}/#{repos_name}" unless repos_name.include?("/")
      "https://github.com/#{repos_name}.git"
    end
  • Also, if you use more than one source in your Gemfile, use source blocks instead of the per-gem source: attribute. So not gem "personal-gem", source: "https://privategems.com", but

    source "https://privategems.com" do
      gem "personal-gem"
    end

    Do this until Bundler solves this problem.
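As an added example (not from the original post), a small Ruby checker that scans Gemfile text for the patterns listed above: non-HTTPS or git:// sources, the :github shortcut used without a git_source(:github) override, and a per-gem source: attribute instead of a source block. The sample Gemfile is constructed, and privategems.example is a placeholder host.

```ruby
# Added example, not from the original post: scan Gemfile text for the
# insecure patterns described above. The sample Gemfile below is constructed.

INSECURE_SCHEMES = %w[http:// git://].freeze

# Returns an array of finding strings; an empty array means nothing was flagged.
def audit_gemfile(text)
  has_override = text.include?("git_source(:github)")
  findings = []
  text.each_line.with_index(1) do |line, no|
    code = line.sub(/#.*/, "").strip # drop trailing comments
    next if code.empty?

    # 1. Any non-HTTPS gem server or git source: source "...", git: "...", source: "..."
    INSECURE_SCHEMES.each do |scheme|
      findings << "line #{no}: non-HTTPS source (#{scheme}) -> use https://" if code.include?(scheme)
    end

    # 2. The :github shortcut, which Bundler 1 expands to git://, unless overridden
    if code.match?(/\bgithub:\s*["']/) && !has_override
      findings << "line #{no}: :github shortcut without a git_source(:github) override"
    end

    # 3. A per-gem source: attribute instead of a source block
    if code.match?(/\bgem\s+["'][^"']+["'].*\bsource:\s*["']/)
      findings << "line #{no}: gem-level source: attribute -> wrap the gem in a source block"
    end
  end
  findings
end

# Constructed sample that triggers each check once (privategems.example is a placeholder)
SAMPLE_GEMFILE = <<~GEMFILE
  source "http://rubygems.org"
  gem "rails"
  gem "rack", github: "rack/rack"
  gem "foo", git: "git://github.com/example/foo.git"
  gem "personal-gem", source: "https://privategems.example/"
GEMFILE

puts audit_gemfile(SAMPLE_GEMFILE) if __FILE__ == $PROGRAM_NAME
```

Run it against a real Gemfile with audit_gemfile(File.read("Gemfile")); a clean file returns an empty array.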