
Enabled default configuration - Ruby


Need

Disable default configurations to prevent unauthorized access and information leakage.


Context

  1. Usage of Ruby for building dynamic and object-oriented applications
  2. Usage of Rails framework for building web applications

Description

Insecure Code Example

# config/environments/production.rb

Rails.application.configure do
  # ...
  config.serve_static_files = true
  config.public_file_server.enabled = true
  # ...
end

In the code above, `config.public_file_server.enabled` is set to `true` in the production environment, so Rails itself serves every file under the `public` directory. That directory is accessible by default in Rails and is normally used for static assets, so anyone who knows the exact path of a file in it can fetch it directly from the browser. `config.serve_static_files` is also set to `true`; it is the older name for `config.public_file_server.enabled` and has the same effect.

With these settings enabled, the application may expose sensitive information. If a file containing sensitive data is placed in the `public` directory, an attacker can retrieve it and extract that data. The server's default page may also reveal details about the server itself, such as the version of the software it runs, which an attacker could use to look up known vulnerabilities for that version. In a production environment it is recommended to disable these settings, or at the very least to make sure that no sensitive information is stored in the `public` directory.

Steps

  1. Disable serving static files in the production environment.
  2. Disable the public file server in the production environment.

Secure Code Example

# config/environments/production.rb

Rails.application.configure do
  # ...
  config.serve_static_files = false
  config.public_file_server.enabled = false
  # ...
end

The code above disables the serving of static files and the public file server in the production environment of a Ruby on Rails application by setting `config.serve_static_files` and `config.public_file_server.enabled` to `false`. The previous configuration was a vulnerability because it allowed an attacker to reach the server's default page and obtain technical information about the server. Disabling these features prevents unauthorized access to that information and so strengthens the security of the application.
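As an added example that is not part of the original page, the following dependency-free Ruby check scans the text of a `config/environments/production.rb` and reports how each of the two settings discussed above is set (`true`, `false`, or left to an environment variable at boot). The function names and the sample configuration it scans are constructed for this example.

```ruby
# Settings this check cares about. `serve_static_files` is the pre-Rails 5
# name of `public_file_server.enabled`; both are matched.
STATIC_FILE_SETTINGS = %w[
  config.serve_static_files
  config.public_file_server.enabled
].freeze

Finding = Struct.new(:line, :setting, :value, :status)

# Classify the right-hand side of an assignment to one of the settings.
def classify_value(value)
  case value.strip
  when 'true' then :enabled           # static files served in production
  when 'false' then :disabled         # the secure setting
  else :environment_dependent         # e.g. ENV["RAILS_SERVE_STATIC_FILES"].present?
  end
end

# Scan the contents of config/environments/production.rb and return one
# Finding per assignment to a static-file setting; comment lines are ignored.
def audit_static_file_config(source)
  findings = []
  source.each_line.with_index(1) do |raw, lineno|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    STATIC_FILE_SETTINGS.each do |setting|
      m = line.match(/\A#{Regexp.escape(setting)}\s*=\s*(.+?)\s*(#.*)?\z/)
      findings << Finding.new(lineno, setting, m[1], classify_value(m[1])) if m
    end
  end
  findings
end

# True only when the file sets at least one of the options and all are false.
def static_files_disabled?(source)
  findings = audit_static_file_config(source)
  !findings.empty? && findings.all? { |f| f.status == :disabled }
end

# Constructed sample mirroring the insecure example above (not a real config).
INSECURE_CONFIG = <<~RUBY
  Rails.application.configure do
    # config.public_file_server.enabled = false
    config.serve_static_files = true
    config.public_file_server.enabled = true
  end
RUBY
```

Calling `audit_static_file_config(File.read("config/environments/production.rb"))` lists each assignment with its line number and status, and `static_files_disabled?` gives a single pass/fail answer suitable for a CI check.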


References

  • 308 - Enabled default configuration

  • Last updated: 2023/09/18