Keeping Your Gems in Check

A common approach to modern Ruby on Rails development includes continuous integration checks, such as:

But companies don't often put constraints and policies on their dependencies. For smaller companies this is fine, but for a larger engineering team it becomes more problematic because the chance of introducing an RCE vulnerability grows. The bigger the engineering team, the bigger the problem.

We have witnessed multiple demonstrations of such vulnerabilities being introduced through injected dependencies; these are Remote Code Execution (RCE) vulnerabilities.

Here are just a few examples of where this has occurred:

One of the main committers to RubyGems has also openly admitted that RubyGems is far from safe, and showed how to take over a Ruby gem at a RubyKaigi conference.

In light of this, we looked for tools that help manage dependencies and safeguard against hard-to-notice RCE attacks that could leak private keys and other secrets.

Dependabot

It is generally important not to update your dependencies blindly; at a minimum, read the CHANGELOG to understand the possible impact of an update.

We've adopted Dependabot in all our projects. It's completely free to use and requires little setup. It:

Gemfilelint

This little utility deserves to be in Gemfile's core functionality, but unfortunately it isn't there yet. Gemfilelint checks the sources you've listed against the trusted sources commonly used with RubyGems, ensuring that your codebase does not end up with an RCE vulnerability because of a typo in your Gemfile.

StrongVersions

StrongVersions is a gem that enforces a strict versioning policy for your Gemfile. It helps with the maintainability of a project, saving you from dependency hell in the future, and it also helps prevent accidental gem updates.

This gem can be integrated into your CI pipeline and used in automated code review, efficiently enforcing dependency policies across a whole team.
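As an added example (not code from the original post, nor from the Gemfilelint or StrongVersions projects), the following Ruby script performs the two checks described in the Gemfilelint and StrongVersions sections on a Gemfile: it compares each `source` against a trusted allowlist and flags gems without a pessimistic version constraint. The allowlist, the example policy and the sample Gemfile text are assumptions constructed for this illustration.

```ruby
require "set"

# Allowlist of gem sources; an assumption for this example.
TRUSTED_SOURCES = Set["https://rubygems.org"].freeze

# Constructed Gemfile text: one mistyped source and two loosely pinned gems.
SAMPLE_GEMFILE = <<~GEMFILE
  source "https://rubygems.orgg"
  gem "rails", "~> 6.1.4"
  gem "pg"
  gem "nokogiri", ">= 1.12"
GEMFILE

# Parses `source` and `gem` lines, returning
# { sources: ["..."], gems: { "name" => ["version constraints"] } }.
def parse_gemfile(text)
  sources = []
  gems = {}
  text.each_line do |line|
    case line.strip
    when /\Asource\s+["']([^"']+)["']/
      sources << Regexp.last_match(1)
    when /\Agem\s+["']([^"']+)["'](.*)\z/
      name = Regexp.last_match(1)
      # Only quoted strings that look like version requirements count.
      constraints = Regexp.last_match(2).scan(/["']([~><=!]*\s*\d[^"']*)["']/).flatten
      gems[name] = constraints
    end
  end
  { sources: sources, gems: gems }
end

# Returns the policy violations found in a Gemfile text: sources outside
# the allowlist (possible typos) and gems without a pessimistic ("~>")
# constraint, which is the policy this example chooses to enforce.
def check_gemfile(text)
  parsed = parse_gemfile(text)
  violations = parsed[:sources].reject { |s| TRUSTED_SOURCES.include?(s) }
                               .map { |s| "untrusted source: #{s}" }
  parsed[:gems].each do |name, constraints|
    next if constraints.any? { |c| c.start_with?("~>") }
    violations << "gem #{name} lacks a pessimistic version constraint"
  end
  violations
end

if __FILE__ == $PROGRAM_NAME
  puts check_gemfile(SAMPLE_GEMFILE)
end
```

Run against a real Gemfile with `check_gemfile(File.read("Gemfile"))` and fail the CI job when the returned list is non-empty.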

So, if you're a small team, it's always worth keeping an eye on your dependencies manually. But in bigger teams there's a greater chance that something slips through unchecked. Having a tool that manages your dependencies automatically gives the entire team peace of mind.