Rails Master Key
ID |
rails_master_key |
Severity |
high |
Vendor |
Ruby On Rails |
Family |
Password |
Description
Ruby on Rails is a server-side web application framework written in Ruby under the MIT License. Rails is a model–view–controller framework, providing default structures for a database, a web service, and web pages.
By default, Rails encrypt secrets before storing them in a credentials.yml.enc file. This file contains at least the secret_key_base of the application that is used to encrypt cookies as well as any other secret useful to your application such as API keys. To encrypt the credentials.yml.enc file, Rails uses a key stored in a master.key file.
Security
Any hardcoded Rails Master Key is a potential secret reported by this detector.
The Rails documentation for custom credentials is clear:
| Keep your master key safe. Do not commit your master key. |
Accidentally checking-in the key to source control repositories could compromise the credentials used by Ruby-on-Rails applications in your production environment.
Mitigation / Fix
-
Follow your policy for handling leaked secrets, which typically require revoking the secret in the target system(s) affected. In fact, all secrets found in the
credentials.yml.encfile for the leaked master key.You may edit the credentials with the command
rails credentials:edit, which generates a new master key. Remember not to commit the master key file to version control. -
Remove the
Keyfrom the source code or committed configuration file.You should consider any sensitive data in commits with secrets as compromised.
Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.