Ruby Hardcoded Password In Connection
Description
Detects hardcoded passwords in Ruby database connection configurations using ActiveRecord's establish_connection method. This vulnerability could expose database credentials if source code is compromised, as passwords are stored in plaintext within the codebase rather than using secure configuration management.
Detection Strategy
• Identifies calls to 'establish_connection' method in Ruby code
• Verifies the method is called on an ActiveRecord::Base class or subclass
• Examines the method arguments to check if they contain hardcoded password values
• Reports a vulnerability when hardcoded credentials are found in connection configuration
Vulnerable code example
# Database connection with hardcoded credentials - SECURITY RISK
ActiveRecord::Base.establish_connection(
adapter: "postgresql",
host: "localhost",
username: "db_admin",
password: "ProdPassword123" # Vulnerable: Hardcoded database password in source code
)
Secure code example
# Use environment variables instead of hardcoding credentials
ActiveRecord::Base.establish_connection(
adapter: "postgresql",
host: ENV["DB_HOST"], # Load host from environment variable
username: ENV["DB_USERNAME"], # Load username from environment variable
password: ENV["DB_PASSWORD"] # Load password from environment variable - never hardcode
)
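The detection strategy above, implemented as an added example (not Fluid Attacks' own checker): it parses Ruby source with the standard-library Ripper and reports every establish_connection call whose password: keyword argument is a string literal, while leaving ENV lookups, method calls and interpolated strings alone. It assumes any establish_connection call belongs to ActiveRecord instead of resolving the receiver's class, and the sample source at the end is constructed for the demonstration.

```ruby
require "ripper"
# Added example, not Fluid Attacks' code: a Ripper-based detector for the rule above.
# Returns [[line, password], ...] for every establish_connection call whose
# `password:` keyword argument is a plain string literal.
def find_hardcoded_db_passwords(source)
  sexp = Ripper.sexp(source)
  return [] unless sexp # unparsable source: report nothing rather than crash
  findings = []
  walk(sexp) do |node|
    ident, args = call_parts(node)
    next unless ident.is_a?(Array) && ident[1] == "establish_connection"
    walk(args) do |n| # every `key: value` pair inside the argument list
      next unless n[0] == :assoc_new && n[1].is_a?(Array) && n[1][0] == :@label
      pw = literal_string(n[2])
      findings << [ident[2][0], pw] if n[1][1] == "password:" && pw
    end
  end
  findings
end

def walk(node, &blk) # depth-first visit of every array node in the S-expression
  return unless node.is_a?(Array)
  blk.call(node)
  node.each { |child| walk(child, &blk) }
end

# [method_ident, args] for recv.m(...), m(...), recv.m ... and m ... (receiver-less
# forms are calls inside a class body, i.e. the ActiveRecord subclass case); else nil.
def call_parts(node)
  case node[0]
  when :method_add_arg
    [node[1][0] == :call ? node[1][3] : node[1][1], node[2]] if [:call, :fcall].include?(node[1][0])
  when :command_call then [node[3], node[4]]
  when :command then [node[1], node[2]]
  end
end

# Text of a string literal without interpolation, else nil: ENV["..."], method calls
# and "#{...}" strings are not reported as hardcoded secrets.
def literal_string(node)
  return nil unless node.is_a?(Array) && node[0] == :string_literal
  parts = node[1].drop(1)
  parts.map { |p| p[1] }.join if parts.all? { |p| p.is_a?(Array) && p[0] == :@tstring_content }
end
# Constructed sample: the page's vulnerable and secure snippets plus a subclass.
SAMPLE_SOURCE = <<~RUBY
  ActiveRecord::Base.establish_connection(adapter: "postgresql", password: "ProdPassword123")
  ActiveRecord::Base.establish_connection(adapter: "postgresql", password: ENV["DB_PASSWORD"])
  class Reporting < ActiveRecord::Base
    establish_connection adapter: "postgresql", password: 'report-ro'
  end
RUBY
```

Running find_hardcoded_db_passwords(SAMPLE_SOURCE) reports lines 1 and 4 and skips the ENV-based connection on line 2.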