Zack Deveau, Senior Application Security Engineer at Shopify, shares the details behind a recent contribution to the Rails library, inspired by a bug bounty report we received. He'll go over the report and its root cause, how we fixed it in our system, and how we took it a step further to make Rails more secure by updating the default serializer for a few classes to use safe defaults.
Overview
Shopify's Bug Bounty Program aims to enhance open source security by fixing, upstream, the vulnerabilities that reports uncover. This article details one such contribution to the Rails library: a deserialization bug reported through the program, the fix Shopify applied internally, and the follow-up change that moved the default serializer of several Rails classes from Marshal to JSON so that applications get safe defaults out of the box.
What You'll Learn
- How to identify and fix deserialization vulnerabilities in Ruby applications
- Why switching the default serializer from Marshal to JSON removes a class of remote code execution risk in Rails applications
- How to implement a patch that tracks and deprecates Marshal usage in production environments
Prerequisites & Requirements
- Understanding of Ruby on Rails and serialization concepts
- Familiarity with Git and GitHub for contributing to open source projects (optional)
Key Questions Answered
- What vulnerability was discovered in the Rails library?
- How did Shopify address the deserialization vulnerability in Rails?
- What steps did Shopify take to deprecate Marshal in production environments?
- Why is it important to contribute to open source projects based on bug bounty findings?
Key Actionable Insights
1. Consider making JSON the default serializer in your Rails applications. Marshal.load reconstructs arbitrary Ruby objects from the bytes it is given, so any place an attacker can influence serialized data becomes a potential Remote Code Execution vector, especially in development environments; JSON yields only plain data (hashes, arrays, strings, numbers, booleans and nil), which removes that class of risk.
2. Utilize the patch provided by Shopify to track and deprecate the use of Marshal in your Ruby applications. Finding every Marshal.load call site first, then turning the tracker strict, lets you migrate safely and encourages the adoption of safer serialization practices across the Ruby community.
3. Engage with your bug bounty program to identify opportunities for open source contributions. This not only increases the impact of your program but also fosters collaboration and improvement within the open source ecosystem.
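The following is an added example illustrating insights 1 and 2 above; it is not code from the Shopify post, from Shopify's patch, or from Rails. It shows, on constructed input, why Marshal.load hands the receiver whatever class the bytes name while JSON.parse only ever returns plain data, how a receiver that wants a typed object should rebuild it explicitly from JSON, and a small hypothetical tracker (MarshalLoadTracker, prepended onto Marshal) that records Marshal.load call sites and can be switched to strict mode to deprecate them. The class names, the tracker, and the cache-entry shape are assumptions made for the example.

```ruby
require "json"

# Added example (not Shopify's or Rails' code). Class and method names are
# illustrative assumptions.

# The type the cache code expects to get back.
class CacheEntry
  attr_reader :value, :expires_at

  def initialize(value, expires_at)
    @value = value
    @expires_at = expires_at
  end
end

# A type the cache code never intended to instantiate from a payload.
# (Deliberately gadget-free: the point is who controls the type, not a full exploit.)
class PrivilegedToken
  attr_reader :admin

  def initialize(admin)
    @admin = admin
  end
end

# Constructed attacker payload: Marshal encodes the class by name, so whoever
# can write to the cache backend chooses which class gets instantiated.
TAMPERED_PAYLOAD = Marshal.dump(PrivilegedToken.new(true))

# Marshal returns whatever object the bytes describe.
def load_with_marshal(bytes)
  Marshal.load(bytes)
end

# JSON.parse (not JSON.load, which can honour json_class additions) returns only
# Hash, Array, String, Numeric, true, false and nil. A class name in the data
# is just a string value the receiver can ignore.
def load_with_json(str)
  JSON.parse(str)
end

# The hardened shape: serialize plain data, and let the receiver decide the type
# by constructing it explicitly from whitelisted keys.
def dump_cache_entry(entry)
  JSON.generate("value" => entry.value, "expires_at" => entry.expires_at)
end

def load_cache_entry(str)
  data = JSON.parse(str)
  raise ArgumentError, "unexpected keys" unless data.keys.sort == %w[expires_at value]
  CacheEntry.new(data["value"], Integer(data["expires_at"]))
end

# Hypothetical tracker in the spirit of a "find every Marshal.load, then
# deprecate it" patch: record each call site; in strict mode raise instead.
module MarshalLoadTracker
  class DeprecatedUse < StandardError; end

  class << self
    attr_accessor :strict

    def calls
      @calls ||= []
    end

    def reset!
      @calls = []
    end
  end

  def load(*args, **kwargs, &blk)
    site = caller_locations(1, 1).first
    MarshalLoadTracker.calls << "#{site.path}:#{site.lineno}"
    if MarshalLoadTracker.strict
      raise DeprecatedUse, "Marshal.load called from #{site.path}:#{site.lineno}"
    end
    super
  end
end

Marshal.singleton_class.prepend(MarshalLoadTracker)

# Runs a block and returns how many Marshal.load calls it made.
def count_marshal_loads
  MarshalLoadTracker.reset!
  yield
  MarshalLoadTracker.calls.size
end

if $PROGRAM_NAME == __FILE__
  p load_with_marshal(TAMPERED_PAYLOAD).class                              # PrivilegedToken
  p load_with_json('{"json_class":"PrivilegedToken","admin":true}').class  # Hash
  p count_marshal_loads { load_with_marshal(TAMPERED_PAYLOAD) }            # 1
end
```

Run the tracker in logging mode first to collect call sites (the recorded `path:lineno` strings are the migration worklist), move each site to a JSON-based serializer with an explicit constructor like `load_cache_entry`, and only then set `MarshalLoadTracker.strict = true` in production so any remaining Marshal.load fails loudly instead of silently instantiating attacker-chosen classes.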