Ruby Error Information Disclosure
Description
This detector identifies Ruby code that explicitly enables error information disclosure by setting error-related configuration values to true. In Rails, consider_all_requests_local = true makes the framework render its full debugging error pages (exception message, backtrace, request parameters) to every client instead of only to local requests. Exposing detailed error information in production environments can leak sensitive data such as file paths, database schemas, and internal application structure to attackers.
Detection Strategy
• Scans Ruby source code files (excluding test files) for variable assignments
• Identifies assignments where the value of consider_all_requests_local is explicitly set to the boolean 'true'
• Reports a vulnerability for each such assignment, since enabling these error-related settings can expose sensitive information in production environments
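The following is an added example of the detection strategy above written as a small Ruby scanner; it is not Fluid Attacks' detector code. It parses each file with Ripper (Ruby's built-in parser) rather than matching text, so it finds the assignment whatever the receiver chain is (config.…, Rails.application.config.…) and wherever it sits (inside a configure block, behind an if modifier), while ignoring assignments whose value is not the literal true. The module name, the test-file heuristic and the sample files are assumptions constructed for this example.

```ruby
require "ripper"

# Hypothetical scanner illustrating the detector's strategy (added example).
module DisclosureScanner
  SETTING = "consider_all_requests_local"

  # Mirror the detector's exclusion of test files: anything under spec/ or test/,
  # or named *_spec.rb / *_test.rb, is skipped (heuristic chosen for this example).
  def self.test_file?(path)
    path.match?(%r{(^|/)(spec|test)/}) || path.match?(/_(spec|test)\.rb\z/)
  end

  # Returns the line numbers at which SETTING is assigned the literal `true`.
  def self.scan_source(source)
    ast = Ripper.sexp(source)
    return [] if ast.nil? # unparsable source: nothing to report
    findings = []
    walk(ast, findings)
    findings
  end

  # Recursive walk over the s-expression; every [:assign, target, value] node
  # is checked, whatever it is nested inside.
  def self.walk(node, findings)
    return unless node.is_a?(Array)
    if node[0] == :assign && true_literal?(node[2])
      line = setting_line(node[1])
      findings << line if line
    end
    node.each { |child| walk(child, findings) }
  end

  # An attribute assignment parses as [:field, receiver, period, [:@ident, name, [line, col]]].
  # Only the final identifier matters, so any receiver chain is accepted.
  def self.setting_line(target)
    return nil unless target.is_a?(Array) && target[0] == :field
    ident = target.last
    return nil unless ident.is_a?(Array) && ident[0] == :@ident && ident[1] == SETTING
    ident[2][0]
  end

  # The keyword literal `true` parses as [:var_ref, [:@kw, "true", [line, col]]].
  # Expressions such as ENV["DEBUG"] == "1" are deliberately not flagged.
  def self.true_literal?(value)
    value.is_a?(Array) && value[0] == :var_ref &&
      value[1].is_a?(Array) && value[1][0] == :@kw && value[1][1] == "true"
  end

  # Scans a Hash of path => source and returns [path, line] pairs for each finding.
  def self.scan(files)
    files.reject { |path, _| test_file?(path) }.flat_map do |path, source|
      scan_source(source).map { |line| [path, line] }
    end
  end
end

# Constructed sample files (not from any real project).
SAMPLE_FILES = {
  "config/environments/production.rb" => <<~RUBY,
    Rails.application.configure do
      config.consider_all_requests_local = true # should be reported
      config.cache_classes = true
    end
  RUBY
  "config/environments/development.rb" => <<~RUBY,
    Rails.application.configure do
      config.consider_all_requests_local = false
    end
  RUBY
  "config/application.rb" => <<~RUBY,
    Rails.application.config.consider_all_requests_local = ENV["DEBUG"] == "1"
  RUBY
  "spec/support/errors_spec.rb" => <<~RUBY,
    Rails.application.config.consider_all_requests_local = true # excluded: test file
  RUBY
}

if __FILE__ == $PROGRAM_NAME
  DisclosureScanner.scan(SAMPLE_FILES).each do |path, line|
    puts "#{path}:#{line}: consider_all_requests_local explicitly set to true"
  end
end
```

Running the script reports only config/environments/production.rb at line 2: the false assignment, the computed value and the test file produce no findings. Because the match is structural, reformatting the assignment or wrapping it in `if Rails.env.production?` does not hide it from the scanner.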
Vulnerable code example
# VULNERABLE: Enables detailed error pages in production
Rails.application.configure do
  config.consider_all_requests_local = true # Exposes sensitive debug info
end
✅ Secure code example
# SAFE: Disabled detailed error pages for production security
Rails.application.configure do
  config.consider_all_requests_local = false # Prevents debug info leakage
end