
Technical information leak - Console functions - Ruby


Need

Secure logging and information handling


Context

  1. Usage of Ruby 2.5.0 as the programming language for development
  2. Usage of Rails framework for building web applications
  3. Usage of ActiveRecord for Object-Relational Mapping (ORM) in database operations

Description

Insecure Code Example

class UsersController < ApplicationController
  def show
    @user = User.find(params[:id])
    # Writes the user's name to standard output instead of the application log
    puts "User found: #{@user.name}"
  rescue ActiveRecord::RecordNotFound
    # User.find raises when no record matches; the error also goes to stdout
    puts "No user found with the provided ID."
  end
end

In the above Ruby on Rails code, the `show` action in the `UsersController` looks up a user by the `id` passed in the request parameters. If the user is found, the action prints the user's name to the console with `puts`. If no user is found, `User.find` raises `ActiveRecord::RecordNotFound`, which the `rescue` clause catches before printing an error message to the console. The vulnerability lies in the usage of `puts` for logging sensitive information: `puts` writes to standard output rather than to the application's configured log, so in a production environment that output can be read by unauthorized individuals, leading to an information leak. This can reveal sensitive user data and the internal workings of the application, making it susceptible to further attacks.

Steps

  1. Remove the usage of console functions (log, info, warning) in production code.
  2. Instead of using console functions, use appropriate logging mechanisms provided by the Ruby on Rails framework.
  3. Configure the logging mechanism to log the necessary information in a secure and controlled manner.
  4. Ensure that sensitive information is not logged or exposed in the logs.
  5. Regularly review and monitor the logs to identify any potential information leakages.

Secure Code Example

class UsersController < ApplicationController
  def show
    @user = User.find(params[:id])
    # Goes through the configured Rails logger, honouring level and destination
    Rails.logger.info "User found: #{@user.name}"
  rescue ActiveRecord::RecordNotFound
    Rails.logger.info "No user found with the provided ID."
  end
end

The updated code replaces the `puts` statements, which print to the console, with `Rails.logger.info` statements. This is a more secure way to log information in a Ruby on Rails application. The `Rails.logger` object is an instance of the `ActiveSupport::Logger` class, which provides a unified logging interface in Rails. This logger is configured automatically from the logging settings in your application's configuration (log destination, severity level and formatter).

The `info` method is one of the severity level methods provided by the logger; it writes info level messages to the log. Other severity level methods include `debug`, `error`, `fatal`, and `warn`. Messages below the configured level are discarded, so a `debug` call produces no output when the production level is `info`.

In the updated code, when a user is found, the message "User found: [user name]" is written to the log. If no user is found, the message "No user found with the provided ID." is written to the log. This change ensures that the application does not leak information through the console in a production environment; instead, the necessary information is logged in a secure and controlled manner. Remember to configure your logger appropriately to ensure that sensitive information is not logged. Also, regularly review and monitor your logs to identify any potential information leakages.
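The following is an added example, not code from the original page, showing steps 3 and 4 in a form that runs without Rails: the standard library `Logger` (the class `ActiveSupport::Logger` builds on) stands in for `Rails.logger`, the level is set per environment, a formatter redacts sensitive `key=value` pairs before they are written, and the lookup message identifies the record by id only. `build_logger`, `redact`, `log_user_lookup`, `captured_lines`, the `SENSITIVE_KEYS` list and the sample user record are all constructed for this example.

```ruby
require 'logger'
require 'stringio'

# Keys whose values must never reach the log verbatim (constructed list).
SENSITIVE_KEYS = %w[password token email ssn].freeze

# Masks the value of any sensitive "key=value" pair inside a log message.
def redact(message)
  message.gsub(/\b(#{SENSITIVE_KEYS.join('|')})=(\S+)/i) { "#{$1}=[FILTERED]" }
end

# Builds a logger the way config/environments/*.rb would configure
# Rails.logger: quieter in production, every line redacted before writing.
def build_logger(io, env: 'production')
  logger = Logger.new(io)
  logger.level = env == 'production' ? Logger::INFO : Logger::DEBUG
  logger.formatter = proc do |severity, time, _progname, msg|
    "#{time.utc.strftime('%FT%TZ')} #{severity} #{redact(msg.to_s)}\n"
  end
  logger
end

# Logs the outcome of a user lookup. The info line carries only the id;
# the email appears only at debug level and is redacted by the formatter.
def log_user_lookup(logger, user_id, user)
  if user
    logger.info("user lookup succeeded id=#{user_id}")
    logger.debug("user lookup detail id=#{user_id} email=#{user[:email]}")
  else
    logger.info("user lookup failed id=#{user_id}")
  end
  logger
end

# Runs both lookup outcomes against an in-memory sink and returns the lines.
def captured_lines(env: 'production')
  io = StringIO.new
  logger = build_logger(io, env: env)
  user = { id: 42, name: 'Ada', email: 'ada@example.com' } # constructed record
  log_user_lookup(logger, 42, user)
  log_user_lookup(logger, 99, nil)
  io.string.lines.map(&:chomp)
end

puts captured_lines(env: 'development') if $PROGRAM_NAME == __FILE__
```

In production the debug line never reaches the sink; in development it is written, but the email value is already masked by the formatter.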


References

  • 066 - Technical information leak - Console functions

  • Last updated: 2023/09/18