I'm running a security scanner against an app I'm developing and it's rising red alert, maximum security thread for the gem rotr which uses in its Gemfile source with HTTP protocol revealing a possibility for man in the middle attack that potentially can allow an attacker to inject any code into an application
The link to Gemfile in question - https://github.com/mdp/rotp/blob/master/Gemfile
It states:
source 'http://rubygems.org'
Is it real issue if this gem listed as a dependency and in my Gemfile I'm using:
source 'https://rubygems.org'
I tried to find out how exactly it's working but wasn't able to.
I.e. which way bundler is working:
It pulls all gems I specify from https://rubygems.org, then it pull all dependencies separately for each gem, from the source specified in each Gemfile (for each gem) and in case of ropt gem it pulls from http://rubygems.org (NOT https) - thus opening theoretical possibility for man in the middle attack while installing ropt gem
Bundler pulls all gem from the source specified in MY Gemfile (https://rubygems.org) so even if a Gem specifies http://rubygems.org (NOT https) - it'll be pulled through the secure protocol from the location I specify so there is no theoretical possibility for man in the middle attack
In your example, the gem would be loaded via HTTPS, because the Gemfile
of a dependency will not be loaded at all. From dependencies, only the gemspec
file is evaluated by Bundler. The gem's Gemfile
is only used during the development of that gem. Interesting read in this context: How bundler priorities sources.
The following for the interested reader why it is important to use HTTPS
when downloading gems:
When you load a gem from a non-HTTPS source and there is a man-in-the-middle attacker then this attacker would be able to send you back anything instead of the gem you requested.
Of course, there are man ifs and whens. But let's imagine you are going to download a gem on a non-secure communication channel like pure HTTP. And let's imagine there is a man-in-the-middle attacker that is able to sniff your traffic. This might be possible when using the same WiFi in a café or hotel, or when there are different customers on virtual servers in a data center or they have physical access to your landline.
Because they can read your unencrypted request for a gem then know what gems you are using. Now imagine that they do not just sniff your traffic but instead manipulate the response from the servers to you too. When you, for example, request a new version of a popular gem to handle user authentication and authorization or payments they could send you back their version instead of the original version.
And their version could include some minor changes like:
ENV
variables and/or Rails.credentials
and upload them to a server that is controlled by the attacker. This would certainly git the attacker all your application's passwords.ENV
variables or Rails.credentials
then that means that it could change them too. For example, to connect to another payment provider would mean your customer's payment would be redirected into a different account.tl;dr When an attacker is able to do a man-in-the-middle attack then they can send you malicious versions of a gem. These malicious gems could do almost everything with your application you can imagine. Sure, attacks like this are not simple, but they are not super-hard neither.
The rule of thumb is: Always use HTTPS whenever possible (not just for downloading gem but for all network traffic).