Ruby Hardcoded Encryption Key
Description
Detects hardcoded encryption keys and secrets in Ruby code that are used with OpenSSL cipher or HMAC operations. A cryptographic key embedded in source code is exposed to everyone who can read that code: developers, CI systems, anyone with access to the repository or its history, and anyone who obtains a deployed copy of the application. Once the key has been committed to version control it cannot be retracted, and rotating it requires a code change and a redeploy rather than a configuration update.
Detection Strategy
• Checks whether the code loads the OpenSSL library (require 'openssl')
• Identifies assignments in which an encryption key or secret (a variable, constant or attribute such as cipher.key) is set to a string literal
• Detects OpenSSL::HMAC calls whose secret argument is a string literal
• Reports a vulnerability when cryptographic material is embedded directly in the code rather than loaded at runtime from the environment, a secrets manager or other secure configuration
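The four checks above, implemented as a small scanner. This is an added example written for this page, not Fluid Attacks' own rule engine: it parses Ruby source with the standard library's Ripper and walks the syntax tree, so it is not fooled by spacing or comments, and it deliberately ignores interpolated strings, variables and method calls because those are not hardcoded values. The names KEY_NAME, HMAC_KEY_ARG, Finding and scan_ruby, the identifier-name heuristic, and the sample sources it scans are this example's own assumptions.

```ruby
require 'ripper'

# Identifier names that suggest key material (a heuristic; tune it per code base).
KEY_NAME = /(^|_)(key|secret)($|_)/i
# Argument position of the secret in the OpenSSL::HMAC class methods.
HMAC_KEY_ARG = { 'new' => 0, 'digest' => 1, 'hexdigest' => 1, 'base64digest' => 1 }.freeze
# Gate: the rule only applies to files that load OpenSSL.
REQUIRES_OPENSSL = /^\s*require\s*\(?\s*['"]openssl['"]/

Finding = Struct.new(:line, :kind, :name, :value) do
  # Never echo the whole secret in a report; a prefix is enough to locate it.
  def to_s; "line #{line}: hardcoded #{kind} #{name} = \"#{value[0, 4]}...\""; end
end

# Depth-first visit of every Ripper node (an Array whose head is a Symbol).
def each_node(node, &blk)
  return unless node.is_a?(Array)
  blk.call(node) if node[0].is_a?(Symbol)
  node.each { |child| each_node(child, &blk) }
end

# Text of a plain string literal; nil for interpolated strings, variables or calls.
def literal_text(node)
  return nil unless node.is_a?(Array) && node[0] == :string_literal && node[1].is_a?(Array)
  parts = node[1].drop(1)
  return nil unless parts.all? { |p| p.is_a?(Array) && p[0] == :@tstring_content }
  parts.map { |p| p[1] }.join
end

# Token [type, name, [line, col]] of an assignment target: key =, @key =, KEY =, cipher.key =
def target_leaf(target)
  return nil unless target.is_a?(Array) && %i[var_field field].include?(target[0])
  leaf = target.last
  leaf.is_a?(Array) && leaf[1].is_a?(String) && leaf[2].is_a?(Array) ? leaf : nil
end

# Flattens a constant path such as OpenSSL::HMAC into the string "OpenSSL::HMAC".
def const_name(node)
  return nil unless node.is_a?(Array)
  return node[1][1] if node[0] == :var_ref && node[1][0] == :@const
  [const_name(node[1]), node[2][1]].compact.join('::') if node[0] == :const_path_ref
end

# Positional argument nodes of a call, with or without parentheses.
def arg_list(args)
  args = args[1] if args.is_a?(Array) && args[0] == :arg_paren
  args = args[1] if args.is_a?(Array) && args[0] == :args_add_block
  args.is_a?(Array) ? args : []
end

# [receiver, method name, line, args] for Recv.meth(args) and Recv.meth args; nil otherwise.
def call_info(node)
  callee, args = case node[0]
                 when :method_add_arg then [node[1], node[2]]
                 when :command_call then [[:call, node[1], node[2], node[3]], node[4]]
                 end
  return nil unless callee.is_a?(Array) && callee[0] == :call
  meth = callee.last
  return nil unless meth.is_a?(Array) && meth[1].is_a?(String)
  [callee[1], meth[1], meth[2][0], arg_list(args)]
end

# Applies the four checks to one Ruby source file and returns its Findings.
def scan_ruby(source)
  return [] unless source.match?(REQUIRES_OPENSSL)
  tree = Ripper.sexp(source)
  return [] if tree.nil? # syntax error: nothing to inspect
  findings = []
  each_node(tree) do |node|
    case node[0]
    when :assign # key-like variable, ivar, constant or attribute set to a literal
      leaf = target_leaf(node[1])
      value = literal_text(node[2])
      next unless leaf && value && !value.empty? && leaf[1].match?(KEY_NAME)
      findings << Finding.new(leaf[2][0], :assignment, leaf[1], value)
    when :method_add_arg, :command_call # OpenSSL::HMAC.* with a literal secret argument
      recv, meth, line, args = call_info(node)
      next unless recv && const_name(recv) == 'OpenSSL::HMAC' && HMAC_KEY_ARG.key?(meth)
      value = literal_text(args[HMAC_KEY_ARG[meth]])
      findings << Finding.new(line, :hmac_secret, "OpenSSL::HMAC.#{meth}", value) if value && !value.empty?
    end
  end
  findings.sort_by(&:line)
end

# Constructed sample inputs for this example (not taken from any real project).
VULNERABLE_SRC = <<~'RUBY'
  require 'openssl'
  cipher = OpenSSL::Cipher.new('AES-256-CBC')
  cipher.key = "1234567890abcdef1234567890abcdef"
  SECRET_KEY = 'hunter2'
  mac = OpenSSL::HMAC.hexdigest('SHA256', 'hmac-secret', 'message')
  OpenSSL::HMAC.new 'hmac-secret', 'SHA256'
RUBY
SECURE_SRC = <<~'RUBY'
  require 'openssl'
  cipher = OpenSSL::Cipher.new('AES-256-CBC')
  cipher.key = ENV['ENCRYPTION_KEY'] || raise('Missing encryption key in environment')
  OpenSSL::HMAC.hexdigest('SHA256', ENV.fetch('HMAC_SECRET'), 'message')
RUBY
NO_OPENSSL_SRC = "secret = 'not-this-rule'\n" # out of scope: the file never loads OpenSSL

scan_ruby(VULNERABLE_SRC).each { |f| puts f }
```

Running it prints one line per finding for the vulnerable sample (the cipher key, the SECRET_KEY constant and both HMAC secrets) and nothing for the secure one. Reports show only the first four characters of each secret so that the scanner's own output does not become a second place the key leaks. The identifier-name heuristic is the weak point of any rule of this kind: a key assigned to a variable named data is missed, and because the rule only fires in files that load OpenSSL, a literal secret defined in one file and passed into another is outside its scope.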
Vulnerable code example
require 'openssl'

def encrypt_data(data)
  cipher = OpenSSL::Cipher.new('AES-256-CBC')
  cipher.encrypt
  # VULNERABLE: hardcoded encryption key directly in source code;
  # anyone who can read this file or the repository history can decrypt the data
  cipher.key = "1234567890abcdef1234567890abcdef"
  cipher.update(data) + cipher.final
end

Secure code example
require 'openssl'

def encrypt_data(data)
  cipher = OpenSSL::Cipher.new('AES-256-CBC')
  cipher.encrypt
  # Secure: load the key from the environment (populated from a secrets manager at deploy time)
  # instead of hardcoding it. AES-256 requires exactly 32 bytes; OpenSSL raises on any other length.
  key = ENV['ENCRYPTION_KEY'] || raise('Missing encryption key in environment')
  cipher.key = key
  # A fresh random IV per message; it is not secret, so prepend it to the ciphertext for the receiver
  iv = cipher.random_iv
  iv + cipher.update(data) + cipher.final
end