One Easy Way to Improve Your Ruby Security

Molly Struve (she/her) - Jan 6 '19 - Dev Community

Many people in the Ruby community have heard of Rubocop, and likely have some sort of love/hate relationship with it. If you haven't heard of this often polarizing gem, here is the gist of what it does straight from the Rubocop docs.

RuboCop is a Ruby static code analyzer (a.k.a. linter) and code formatter. Out of the box it will enforce many of the guidelines outlined in the community Ruby Style Guide.

However, Rubocop is not just for enforcing style guidelines. Did you know you can use Rubocop to enforce security best practices?!

YEP! That's right! Rubocop has a built in set of Security Cops that can help you write more secure Ruby and Rails code. The cops are:

  • Security/Eval- The use of eval represents a serious security risk.
  • Security/JSONLoad - Prefer usage of JSON.parse over JSON.load due to potential security issues. See ruby docs for more information.
  • Security/MarshalLoad - Avoid using of Marshal.load or Marshal.restore due to potential security issues. See ruby docs for more information.
  • Security/Open - The use of Kernel#open represents a serious security risk.
  • Security/YAMLLoad - Prefer usage of YAML.safe_load over YAML.load due to potential security issues. See ruby docs for more information.
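To make the risk behind four of these cops concrete, here is an added example that is not from the original post and not RuboCop's own code. It uses a small made-up Session class, constructed attacker payloads (a YAML document, a JSON object and a hand-written Marshal byte string) and a "|echo pwned" file name, and places the unsafe call beside the form the cop prefers in each case.

```ruby
require "json"
require "json/add/range" # teaches Range to answer json_create; here only to show the mechanism
require "yaml"

# A class an application might keep in a session store. Anyone who controls a
# serialized blob that is fed to an unsafe loader can build one with whatever
# instance variables they like, including @admin = true.
class Session
  attr_reader :admin, :theme

  def initialize(admin: false, theme: "light")
    @admin = admin
    @theme = theme
  end
end

# --- Security/YAMLLoad -------------------------------------------------------
# Constructed attacker payload: a YAML document that names a Ruby class.
FORGED_YAML = "--- !ruby/object:Session\nadmin: true\n"

# Psych 4 (Ruby 3.1+) made YAML.load safe by default and kept the old behaviour
# as YAML.unsafe_load; on older Psych, YAML.load itself is the unsafe loader.
def yaml_unsafe(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# safe_load only builds plain data (Hash, Array, String, numbers, ...) and
# raises Psych::DisallowedClass for anything else.
def yaml_safe(doc)
  YAML.safe_load(doc)
rescue Psych::DisallowedClass => e
  "rejected: #{e.message}"
end

# --- Security/JSONLoad -------------------------------------------------------
# Constructed payload: the "json_class" key asks the loader to hand the object
# to Range.json_create instead of returning a Hash.
FORGED_JSON = '{"json_class":"Range","a":[1,10,false]}'

# JSON.load turns create_additions on by default (recent json releases warn
# about it); it is passed explicitly here so the result is the same on any version.
def json_load(doc)
  JSON.load(doc, nil, create_additions: true)
end

# JSON.parse never honours json_class, so the input stays plain data.
def json_parse(doc)
  JSON.parse(doc)
end

# --- Security/MarshalLoad ----------------------------------------------------
# Constructed bytes in the layout Marshal.dump emits: version 4.8, 'o' (object),
# the class name as a symbol, the ivar count, then (name, value) pairs. An
# attacker can write these by hand without ever running the application.
FORGED_MARSHAL = "\x04\bo:\fSession\x06:\v@adminT".b

def marshal_load(bytes)
  Marshal.load(bytes)
end

# The replacement for loading untrusted YAML/Marshal objects: accept plain data,
# then build the object yourself so the input can never choose the class or set
# fields it has no business setting (admin comes from your auth layer, not the blob).
def session_from_untrusted(doc, admin_from_auth: false)
  data = JSON.parse(doc)
  Session.new(admin: admin_from_auth, theme: data.fetch("theme", "light"))
end

# --- Security/Open -----------------------------------------------------------
# Kernel#open runs a shell command when the name starts with "|"; File.open
# only ever opens a file. (Ruby 3.3 deprecated the pipe form of Kernel#open.)
def read_with_kernel_open(name)
  open(name, &:read)
end

def read_with_file_open(name)
  File.open(name, &:read)
rescue Errno::ENOENT => e
  "rejected: #{e.message}"
end

if __FILE__ == $PROGRAM_NAME
  puts "YAML (unsafe)   -> #{yaml_unsafe(FORGED_YAML).inspect}"
  puts "YAML.safe_load  -> #{yaml_safe(FORGED_YAML)}"
  puts "JSON.load       -> #{json_load(FORGED_JSON).inspect}"
  puts "JSON.parse      -> #{json_parse(FORGED_JSON).inspect}"
  puts "Marshal.load    -> #{marshal_load(FORGED_MARSHAL).inspect}"
  puts "rebuilt safely  -> #{session_from_untrusted('{"admin":true,"theme":"dark"}').inspect}"
  puts "File.open       -> #{read_with_file_open('|echo pwned')}"
  begin
    puts "Kernel#open     -> #{read_with_kernel_open('|echo pwned').inspect}"
  rescue StandardError => e
    puts "Kernel#open     -> #{e.class} (pipe form not available on this Ruby)"
  end
end
```

The common thread is that YAML.load, JSON.load with additions and Marshal.load let the input pick which Ruby class gets instantiated, while the preferred calls return plain data and leave the choice of class to your code. The Marshal case has no safe variant at all; the only fix is to stop deserializing untrusted bytes with it.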

In addition to the security cops, there are also a couple of other cops that can improve your code security.

  • Rails/OutputSafety - The use of html_safe or raw may be a security risk. Often using these can lead to a cross site scripting vulnerability.
  • Style/MutableConstant - Do not assign mutable objects to constants. The security implications are less obvious: a constant holding a Hash or Array is a single object shared by the whole process, so if one request accidentally writes user data into it and a later request for a different user reads it back, you have a data leak. Freezing constants turns that accidental write into a FrozenError instead of a silent leak.
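An added example of that leak, not code from the original post: a made-up per-request "profile" is built from a default Hash held in a constant, first mutable (the form the cop flags), then frozen. It also shows the caveat the cop cannot catch for you, that freeze is shallow.

```ruby
# Style/MutableConstant in practice: a Hash literal assigned to a constant is
# one shared object for the whole process, not a per-caller template. The
# helpers below imitate building a "profile" for each request from a default.

# Flagged by the cop: the literal is mutable.
DEFAULT_PROFILE = { name: "guest", email: nil }

# The form the cop wants: the same literal, frozen.
DEFAULT_PROFILE_FROZEN = { name: "guest", email: nil }.freeze

# The bug the cop guards against: the code means "start from the default" but
# never copies it, so every request writes into the same Hash and the next
# caller sees the previous user's data.
def profile_unsafe(user)
  profile = DEFAULT_PROFILE
  profile[:name]  = user[:name]  if user[:name]
  profile[:email] = user[:email] if user[:email]
  profile
end

# Same mistake against the frozen default: it fails loudly instead of leaking.
def profile_with_frozen_default(user)
  profile = DEFAULT_PROFILE_FROZEN
  profile[:name] = user[:name] if user[:name]
  profile
rescue FrozenError
  :frozen_error
end

# Correct form: derive a fresh Hash from the frozen default on every call.
def profile_safe(user)
  DEFAULT_PROFILE_FROZEN.merge(user.slice(:name, :email))
end

# Caveat: freeze is shallow. The cop only checks the outer literal, so nested
# mutable values stay writable and a "temporary" change to them persists for
# every later caller. Freeze nested values as well.
DEFAULT_ROLES      = { roles: ["guest"] }.freeze
DEFAULT_ROLES_DEEP = { roles: ["guest"].freeze }.freeze

def grant_admin_shallow
  DEFAULT_ROLES[:roles] << "admin"   # allowed: the Array itself is not frozen
  DEFAULT_ROLES[:roles]
end

def grant_admin_deep
  DEFAULT_ROLES_DEEP[:roles] << "admin"
rescue FrozenError
  :frozen_error
end

if __FILE__ == $PROGRAM_NAME
  puts "alice's request -> #{profile_unsafe({ name: "alice", email: "alice@example.com" })}"
  puts "next anonymous  -> #{profile_unsafe({})}"            # alice's email leaks
  puts "frozen default  -> #{profile_with_frozen_default({ name: "alice" })}"
  puts "merge copy      -> #{profile_safe({})}"
  puts "shallow freeze  -> #{grant_admin_shallow}"
  puts "deep freeze     -> #{grant_admin_deep}"
end
```

Run it and the second profile_unsafe call, made with no user data at all, still returns alice's email; the frozen version raises at the point of the bug, and the merge form gives every caller its own copy.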

How to Enable ONLY the Security Cops

If you want to use Rubocop just for the security cops, and not those pesky style cops 😉, here is how you would set it up. First, you need to install the gem.

gem install rubocop

Or if you are using a Gemfile...

gem 'rubocop', require: false

Once the gem is installed, configure it with a .rubocop.yml file in the root of your project (RuboCop reads the one in the current directory or its ancestors, and falls back to ~/.rubocop.yml in your home directory). To enable only the security-focused cops, the file should look like this 👇

AllCops:
  DisabledByDefault: true

Rails/OutputSafety:
  Enabled: true

Security:
  Enabled: true

Style/MutableConstant:
  Enabled: true

Then all you have to do is run it! Two things worth knowing: the same selection works without a config file as rubocop --only Security,Rails/OutputSafety,Style/MutableConstant, and on RuboCop 0.72 and later the Rails cops ship in the separate rubocop-rails gem, so add that gem and a "require: rubocop-rails" line at the top of the config or Rails/OutputSafety will not be found.

$ rubocop

For more tips on basic usage checkout the rubocop docs.

Happy Coding! 😃
