The method of string comparison is used that does not protect against timing attacks.

Common methods of string comparison terminate the operation after handling the first non-equal pair of characters. Thus, the operating time of the method depends on the length of the matching prefixes. An attacker can use this information to compromise valuable data. When working with the valuable data, such as encryption keys, secure methods of comparison must be used.

In Ruby on Rails for secure string comparison use secure_compare or implement your own method. Typical idea of secure comparison: compute XOR for each pair of elements of the two arrays and return true if the resulting vector consists of zeros. This comparison takes the same amount of time regardless of the values of the arguments.

Also exists gem with a fast C implementation.

Ruby : Undocumented feature: hidden functionality

DerScanner Severity Score

Do you want to fix Ruby : Undocumented feature: hidden functionality in your application?

See also