Making Open Source Safer for Everyone with Shopify’s Bug Bounty Program

Zack Deveau, Senior Application Security Engineer at Shopify, shares the details behind a recent contribution to the Rails library, inspired by a bug bounty report we received. He'll go over the report and its root cause, how we fixed it in our system, and how we took it a step further to make Rails more secure by updating the default serializer for a few classes to use safe defaults.

Zack Deveau
5 min read, beginner

Overview

Shopify's Bug Bounty Program aims to enhance open source security by addressing vulnerabilities discovered through bug reports. This article details a specific contribution to the Rails library, stemming from a deserialization vulnerability, and outlines the steps taken to improve security defaults in Rails applications.

What You'll Learn

1. How to identify and fix deserialization vulnerabilities in Ruby applications
2. Why switching from Marshal to JSON improves security in Rails applications
3. How to implement a patch to deprecate Marshal in production environments

Prerequisites & Requirements

  • Understanding of Ruby on Rails and serialization concepts
  • Familiarity with Git and GitHub for contributing to open source projects (optional)

Key Questions Answered

What vulnerability was discovered in the Rails library?
A bug bounty report revealed a deserialization vulnerability in the Rails MessageEncryptor class: because decrypted payloads were deserialized with the Marshal library, a leaked application secret could be escalated into Remote Code Execution (RCE) in development environments. The root cause was the use of Marshal as the default serializer.
How did Shopify address the deserialization vulnerability in Rails?
Shopify patched the vulnerability by changing the default serializer for the MessageEncryptor class from Marshal to JSON. This change enhances security by ensuring that only safe, text-based serialization is used, reducing the risk of RCE vulnerabilities.
What steps did Shopify take to deprecate Marshal in production environments?
Shopify implemented a patch that hooks into the Marshal load and dump methods to track their usage. This patch raises exceptions for unexpected calls, encouraging developers to use safer serialization alternatives and helping to phase out Marshal in their applications.
Why is it important to contribute to open source projects based on bug bounty findings?
Contributing to open source projects based on bug bounty findings not only enhances the security of widely used libraries but also helps developers sharpen their skills and give back to the community. It creates a safer environment for all users of open source software.
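The Marshal tracking patch described above, reconstructed as an added example (this is illustrative code, not Shopify's actual patch): a module prepended onto Marshal's singleton class records every load/dump call with its call site in audit mode, and in strict mode raises on any call from a site that is not on an allowlist. The MarshalGuard name, the allowlist mechanism and the two helper functions are assumptions made for this example.

```ruby
# Audit shim for Marshal, added to illustrate the approach described above; it
# is not Shopify's actual patch. Audit mode records each Marshal.load/dump call
# with its call site; strict mode raises unless the site is on the allowlist.
module MarshalGuard
  @calls = []        # [name, "path:line"] pairs
  @strict = false
  @allowlist = []    # regexes for call sites still permitted to use Marshal
  class << self
    attr_reader :calls, :allowlist
    attr_accessor :strict

    def record(name)
      loc = caller_locations(2, 1)&.first   # the code that invoked Marshal.*
      site = loc ? "#{loc.path}:#{loc.lineno}" : "unknown"
      calls << [name, site]
      return unless strict
      return if allowlist.any? { |pattern| site.match?(pattern) }
      raise "unexpected Marshal.#{name} from #{site}; prefer JSON serialization"
    end
  end

  module Hooks   # prepended onto Marshal's singleton class; super reaches the originals
    def load(*args, **kwargs, &blk)
      MarshalGuard.record(:load)
      super
    end

    def dump(*args, **kwargs, &blk)
      MarshalGuard.record(:dump)
      super
    end
  end
end
Marshal.singleton_class.prepend(MarshalGuard::Hooks)

# Audit mode: the round trip still works and both calls are recorded in order.
def audit_marshal_roundtrip(obj)
  MarshalGuard.calls.clear
  MarshalGuard.strict = false
  restored = Marshal.load(Marshal.dump(obj))
  [restored, MarshalGuard.calls.map(&:first)]
end
# Strict mode: Marshal.dump from a site that is not allowlisted raises instead of running.
def strict_marshal_blocked?(obj)
  MarshalGuard.strict = true
  Marshal.dump(obj)
  false
rescue RuntimeError
  true
ensure
  MarshalGuard.strict = false
end
```

Running the audit first in a staging environment gives the list of call sites to migrate to JSON; the few that must keep Marshal can be allowlisted before strict mode is switched on in production.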

Technologies & Tools


Rails (framework): used for building web applications; the security improvement described here was contributed to it through the Bug Bounty Program.
JSON (data format): adopted as the new default serializer to enhance security in Rails applications.
Marshal (data format): previously the default serializer in Rails, now being deprecated because deserializing untrusted data with it can lead to remote code execution.

Key Actionable Insights

1. Consider implementing JSON as the default serializer in your Rails applications to enhance security.
   By switching to JSON, you mitigate risks associated with deserialization vulnerabilities that can lead to Remote Code Execution, especially in development environments.
2. Utilize the patch provided by Shopify to track and deprecate the use of Marshal in your Ruby applications.
   This proactive approach helps maintain application security and encourages the adoption of safer serialization practices across the Ruby community.
3. Engage with your bug bounty program to identify opportunities for open source contributions.
   This not only increases the impact of your program but also fosters collaboration and improvement within the open source ecosystem.

Common Pitfalls

1. Relying on unsafe serialization methods like Marshal can lead to serious security vulnerabilities.
   Many developers may not recognize the risks associated with deserialization vulnerabilities, which can result in Remote Code Execution if untrusted data is processed. It's crucial to adopt safer alternatives like JSON.

Related Concepts

Open Source Security Practices
Bug Bounty Programs
Serialization Techniques In Ruby