logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

Debugging enabled in production - Ruby

Need

Disabling debugging mode in production environment

Context

  1. Requirement of Ruby 2.0 or later for executing the code
  2. Usage of Rails framework for building web applications

Description

Insecure Code Example

# config/environments/production.rb
Rails.application.configure do
  # ...
  config.consider_all_requests_local = true
  config.action_controller.perform_caching = false
  config.action_mailer.raise_delivery_errors = false
  config.active_record.migration_error = :page_load
  config.active_support.deprecation = :log
  config.assets.debug = true
  # ...
end

In the above code, you can see that the debug mode is enabled in the production environment. This is a serious security vulnerability because it can expose sensitive data to potential attackers. Here's how each line contributes to the vulnerability: - `config.consider_all_requests_local = true`: This line means that the application will show full error reports for every IP address. In a production environment, this should be set to `false` to prevent error reports from being shown to end users. - `config.action_controller.perform_caching = false`: This line disables caching in the production environment. This can lead to performance issues and can also expose sensitive data if error messages are not properly handled. - `config.action_mailer.raise_delivery_errors = false`: This line means that the application will not raise exceptions for failed email deliveries. This can lead to information being leaked if error messages contain sensitive data. - `config.active_record.migration_error = :page_load`: This line means that the application will show a detailed error page if there is a database migration error. This can expose sensitive database information. - `config.active_support.deprecation = :log`: This line means that the application will log deprecation warnings. This can expose sensitive application information if the logs are not properly secured. - `config.assets.debug = true`: This line enables debugging mode for assets. This can expose sensitive asset information and can also lead to performance issues. In summary, enabling debug mode in a production environment can expose sensitive application, database, and asset information. It can also lead to performance issues.

Steps

  1. Disable debug mode in the production environment.
  2. Set 'config.consider_all_requests_local' to false.
  3. Set 'config.assets.debug' to false.
  4. Ensure that error messages are not displayed to users in production.
  5. Enable error logging instead of displaying error messages.

Secure Code Example

# config/environments/production.rb
Rails.application.configure do
  # ...
  config.consider_all_requests_local = false
  config.action_controller.perform_caching = true
  config.action_mailer.raise_delivery_errors = false
  config.active_record.migration_error = :page_load
  config.active_support.deprecation = :log
  config.assets.debug = false
  # ...
end

The above code is a fixed version of the previous vulnerable code. The changes made are as follows: - `config.consider_all_requests_local` is set to `false`. This means that if your application encounters an error, it will not display a debugging page to the user. Instead, it will render the standard 500 server error page. This is important because the debugging page can contain sensitive information that you do not want to expose to users. - `config.action_controller.perform_caching` is set to `true`. This means that the application will cache views, which can improve performance. - `config.assets.debug` is set to `false`. This means that the application will not generate source maps for your assets. This is important because source maps can reveal a lot of information about your codebase, which can be a security risk. - The other settings remain the same. `config.action_mailer.raise_delivery_errors` is set to `false` to prevent the application from raising exceptions when an email fails to be delivered. `config.active_record.migration_error` is set to `:page_load` to raise an exception when a migration error is encountered during page load. `config.active_support.deprecation` is set to `:log` to log deprecation warnings. By making these changes, you can ensure that your application does not expose sensitive information when an error occurs, which can help to keep your application secure.

References

  • 183 - Debugging enabled in production

    • Last updated

    2023/09/18