Rails quick tips #4: Keep your bundle secure with bundler-audit

- ruby rails bundler security

bundler-audit is a small utility which can check your Gemfile’s contents against the Ruby Advisory Database.

Simply run bundle audit and it reports insecure gem sources (such as the unencrypted git:// URLs below) as well as gem versions with known vulnerabilities:

$ bundle audit
Insecure Source URI found: git://github.com/compass/compass-rails.git
Insecure Source URI found: git://github.com/sinatra/sinatra.git
Name: nokogiri
Version: 1.8.2
Advisory: CVE-2018-8048
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/pull/1746
Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS
Solution: upgrade to >= 1.8.3

Name: paperclip
Version: 4.3.7
Advisory: CVE-2017-0889
Criticality: High
URL: https://github.com/thoughtbot/paperclip/pull/2435
Title: Paperclip ruby gem suffers from a Server-Side Request Forgery (SSRF) vulnerability
in the Paperclip::UriAdapter and Paperclip::HttpUrlProxyAdapter class.
Solution: upgrade to >= 5.2.0

Vulnerabilities found!

To update your local copy of the Ruby Advisory DB you can use the following command:

$ bundle audit update
Updating ruby-advisory-db ...
From https://github.com/rubysec/ruby-advisory-db
 * branch            master     -> FETCH_HEAD
Already up to date.
Current branch master is up to date.
Updated ruby-advisory-db
ruby-advisory-db: 317 advisories

You can also combine both of these operations via the bundle audit check --update command, which we execute as part of our CI pipeline.

Bonus tip: when updating a vulnerable gem you may want to keep changes to a minimum; bundle update has a useful --conservative option, which updates only the named gem and leaves shared dependencies untouched.
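To show how the report above can drive a CI gate and the conservative update tip, here is an added example (not part of bundler-audit) that parses the plain-text report format into records, decides whether the pipeline should fail, and lists one conservative update command per vulnerable gem. The sample report is constructed from the output shown above; the criticality threshold and the treatment of "Unknown" are assumptions.

```ruby
# Added example, not bundler-audit's own code: parse the text report that
# `bundle audit` prints. SAMPLE_REPORT is constructed from the output above.
SAMPLE_REPORT = <<~REPORT
  Insecure Source URI found: git://github.com/compass/compass-rails.git
  Name: nokogiri
  Version: 1.8.2
  Advisory: CVE-2018-8048
  Criticality: Unknown
  Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS
  Solution: upgrade to >= 1.8.3

  Name: paperclip
  Version: 4.3.7
  Advisory: CVE-2017-0889
  Criticality: High
  Title: Paperclip ruby gem suffers from a Server-Side Request Forgery (SSRF) vulnerability
  in the Paperclip::UriAdapter and Paperclip::HttpUrlProxyAdapter class.
  Solution: upgrade to >= 5.2.0

  Vulnerabilities found!
REPORT

# Returns { insecure_sources: [uri, ...], advisories: [{name:, version:, ...}, ...] }.
def parse_audit_report(text)
  report = { insecure_sources: [], advisories: [] }
  current = key = nil
  text.each_line do |raw|
    line = raw.chomp
    if (m = line.match(/\AInsecure Source URI found: (.+)\z/))
      report[:insecure_sources] << m[1]
    elsif (m = line.match(/\A(Name|Version|Advisory|Criticality|URL|Title|Solution): (.+)\z/))
      key = m[1].downcase.to_sym
      report[:advisories] << (current = {}) if key == :name # "Name:" opens a block
      current[key] = m[2] if current
    elsif line.strip.empty?
      current = key = nil # a blank line closes the advisory block
    elsif current && key
      current[key] = "#{current[key]} #{line.strip}" # wrapped continuation (long Title)
    end
  end
  report
end

# CI policy (assumed): fail on any insecure source, or on any advisory rated at or
# above `minimum`; an "Unknown" rating is treated as failing, not as safe.
LEVELS = { "Low" => 1, "Medium" => 2, "High" => 3, "Critical" => 4 }.freeze
def ci_should_fail?(report, minimum: "Medium")
  return true unless report[:insecure_sources].empty?
  report[:advisories].any? { |a| LEVELS.fetch(a[:criticality], 4) >= LEVELS.fetch(minimum) }
end
# One conservative update per vulnerable gem, as the bonus tip recommends.
def conservative_update_commands(report)
  report[:advisories].map { |a| "bundle update --conservative #{a[:name]}" }
end
```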