Ruby

Ruby

By DeepSource

Using insecure network protocol source RB-S1000

Security
Autofix

Passing symbol arguments to source (e.g. source :rubygems) is deprecated because they default to using HTTP requests. Instead, specify 'https://rubygems.org' if possible, or 'http://rubygems.org' if not.

Symbol arguments will be replaced with 'https://rubygems.org' when performing Autofix.

Existing sources that use http:// will not be replaced. This may be necessary where HTTPS is not available. For example, where using an internal gem server via an intranet, or where HTTPS is prohibited. However, you should strongly prefer https:// where possible, as it is more secure.

If you do not wish to switch from http:// in any case, consider setting AllowHttpProtocol to false in your .rubocop.yml. This option is true by default for safe autocorrection.

Bad practice

source :gemcutter
source :rubygems
source :rubyforge

Recommended

source 'https://rubygems.org'

References

  1. OWASP A02:2021: Cryptographic Failures
  2. CWE-319: Cleartext Transmission of Sensitive Information