How We Fixed the Dependency Confusion Vulnerability in More Than 600 Ruby Applications
Shopify has grown significantly over the years, and our success makes us an attractive target for malicious actors. We take the safety of our merchants seriously, so we have a good reason to continuously improve the security at Shopify.
I’ll share how the Ruby Conventions team, which focuses on creating conventions to make Ruby services sustainable, used an iterative approach to solve complex problems at scale while responding to shifting circumstances. In particular, how we solved the dependency confusion vulnerability in over 600 Ruby applications, developed tooling that allows us to do large-scale migration with ease, and made the Ruby community a bit safer.
Understanding the Dependency Confusion Problem
Shopify runs a bug bounty program where we pay people to find vulnerabilities on our platform and learn what we have to improve on. One such report showed that we were vulnerable to a dependency confusion vulnerability that could give an attacker access to our local, continuous integration/continuous deployment (CI/CD), and production environments.
The vulnerability leverages the ambiguity of a package source to install malicious dependencies. If an external package is created with a higher version number under the same name as an internal Shopify package, the external dependency is resolved instead of the internal dependency.
In Ruby, developers use Bundler to manage their dependencies and make their environments reproducible. Bundler resolves dependencies so that you use the correct versions and sources for each gem. The Bundler team fixed the issue by introducing a new Gemfile.lock file forma...
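To make the ambiguity concrete, here is an added Ruby example (not Shopify's tooling and not Bundler's resolver) that models the two resolution strategies from the paragraphs above: a "global sources" resolver that takes the highest version found on any source, and a "pinned" resolver where every internal gem is tied to a single source, which is what Bundler's `source "..." do ... end` block syntax expresses in a Gemfile. It also includes a small audit that scans a Gemfile.lock-style text for internal gem names that were resolved from the public index. The gem names, the private server `https://gems.internal.example`, and the catalogue and lockfile contents are all constructed for the example.

```ruby
require "rubygems" # provides Gem::Version for proper semantic comparison

# Constructed catalogue: what each gem source offers (name => available versions).
INTERNAL_SOURCE = "https://gems.internal.example" # assumed private gem server
PUBLIC_SOURCE   = "https://rubygems.org"

CATALOG = {
  INTERNAL_SOURCE => { "shop-billing" => ["1.4.0", "1.5.2"], "shop-auth" => ["2.0.1"] },
  # A public gem that happens to carry the same name as an internal one, with a far higher version.
  PUBLIC_SOURCE   => { "shop-billing" => ["99.0.0"], "rails" => ["7.1.3"] },
}

# Vulnerable strategy: all sources are global, so the highest version found anywhere wins.
def resolve_ambiguous(gem_name, catalog = CATALOG)
  candidates = catalog.flat_map do |src, gems|
    (gems[gem_name] || []).map { |v| [Gem::Version.new(v), src] }
  end
  return nil if candidates.empty?
  best = candidates.max_by { |ver, _| ver }
  { name: gem_name, version: best[0].to_s, source: best[1] }
end

# Hardened strategy: each internal gem is pinned to exactly one source, so a
# public gem with the same name is never even considered as a candidate.
def resolve_pinned(gem_name, pins, catalog = CATALOG)
  src = pins.fetch(gem_name) { PUBLIC_SOURCE } # unpinned gems come from the public index
  versions = catalog.fetch(src, {})[gem_name] || []
  return nil if versions.empty?
  best = versions.map { |v| Gem::Version.new(v) }.max
  { name: gem_name, version: best.to_s, source: src }
end

PINS = { "shop-billing" => INTERNAL_SOURCE, "shop-auth" => INTERNAL_SOURCE }

# Constructed Gemfile.lock excerpt in which the internal gem was resolved from rubygems.org.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (7.1.3)
      shop-billing (99.0.0)

  GEM
    remote: https://gems.internal.example/
    specs:
      shop-auth (2.0.1)
LOCK

# Lockfile audit: report any gem from the list of known internal names whose
# top-level spec entry sits under the public remote.
def audit_lockfile(lock_text, internal_names)
  findings = []
  current_remote = nil
  lock_text.each_line do |line|
    if line =~ /^\s*remote:\s*(\S+)/
      current_remote = $1.chomp("/")
    elsif line =~ /^    ([A-Za-z0-9_.-]+) \(([^)]+)\)$/ # exactly 4 spaces = top-level spec
      name, ver = $1, $2
      if current_remote == PUBLIC_SOURCE && internal_names.include?(name)
        findings << "#{name} #{ver} resolved from #{current_remote}"
      end
    end
  end
  findings
end

if __FILE__ == $0
  puts "ambiguous: #{resolve_ambiguous('shop-billing').inspect}"
  puts "pinned:    #{resolve_pinned('shop-billing', PINS).inspect}"
  audit_lockfile(SAMPLE_LOCK, PINS.keys).each { |f| puts "AUDIT: #{f}" }
end
```

Running the script shows the ambiguous resolver picking `shop-billing 99.0.0` from rubygems.org while the pinned resolver returns `1.5.2` from the internal server, and the audit flags the public entry in the constructed lockfile. The audit is a useful CI check in its own right: once every internal gem has a declared source, any lockfile that still resolves one of them from the public index is a regression worth failing the build on.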