Ruby

Ruby

By DeepSource

Require Multi-Factor Authentication (MFA) in Gemspec RB-S1001

Anti-pattern
Autofix

Multi-Factor Authentication (MFA) is recommended for accounts to be able to perform privileged operations on a gem.

MFA helps restrict administrative actions on gems, these actions (as defined by RubyGems' documentation for the full list of privileged operations) are:

  • gem push
  • gem yank
  • gem owner --add/remove
  • adding or removing owners using gem ownership page.

This helps make your gem be more secure, as users can be more confident that gem updates were pushed by maintainers.

Bad practice

Gem::Specification.new do |spec|
  # no `rubygems_mfa_required` metadata specified
end

Gem::Specification.new do |spec|
  spec.metadata = {
    'rubygems_mfa_required' => 'false'
  }
end

Gem::Specification.new do |spec|
  spec.metadata['rubygems_mfa_required'] = 'false'
end

Recommended

Gem::Specification.new do |spec|
  spec.metadata = {
    'rubygems_mfa_required' => 'true'
  }
end

Gem::Specification.new do |spec|
  spec.metadata['rubygems_mfa_required'] = 'true'
end

Gem::Specification.new do |spec|
  spec.metadata = {
    'rubygems_mfa_required' => 'true'
  }
end

Gem::Specification.new do |spec|
  spec.metadata['rubygems_mfa_required'] = 'true'
end

References

  1. CWE-308: Use of Single-factor Authentication