Rails Secret Key Base
ID |
rails_secret_key_base |
Severity |
high |
Vendor |
Ruby On Rails |
Family |
Password |
Description
Ruby on Rails is a server-side web application framework written in Ruby under the MIT License. Rails is a model–view–controller framework, providing default structures for a database, a web service, and web pages.
The config/secrets.yml file contains a secret_key_base property that is used for cookies encryption and integrity protection, and for deriving keys used in message verification. Any leakage of the secret_key_base might compromise the security of the Ruby on Rails application.
By default, Rails encrypt secrets before storing them in a credentials.yml.enc file. This file contains at least the secret_key_base of the application that is used to encrypt cookies as well as any other secret useful to your application such as API keys. To encrypt the credentials.yml.enc file, Rails uses a key stored in a master.key file.
Security
Any hardcoded Rails Secret Key Base in unencrypted files is a potential secret reported by this detector.
Accidentally checking-in the key to source control repositories could compromise your credentials in your production environment.
Examples
[secrets.yml] production: secret_key_base: 457ebe461d2219d7dd32cfe65b1c6ac7916f96205778c8ab23ffdb58b6cfbb79a78d11da3137478d7d311125c3d52a25bd98d223dca0e88fcc9f730f692f0511
Mitigation / Fix
-
Remove the
Keyfrom the source code or committed configuration file. -
Follow your policy for handling leaked secrets, which typically require revoking the secret in the target system(s).
-
If under a git repository, you may remove unwanted files from the repository history using tools like
git filter-repoorBFG Repo-Cleaner. You may follow the procedure listed here for GitHub.
|
You should consider any sensitive data in commits with secrets as compromised. Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories. |