stackoom
  简体   繁体   中英

Ruby on Rails 3.2.13 - Brakeman - Session secret should not be included in version control

 原文  2013-05-25 13:11:37       ruby-on-rails/ security/ brakeman

Question

I have installed the latest version of the Brakeman gem to help me with Rails application security.

I have several Rails applications that I have on two servers, one for development and the other for production. When I ran the Brakeman reports on my applications, most of them flagged config/initializers/secret_token.rb with the following high security vulnerability. 

Session secret should not be included in version control near line 7

This is the first time I have seen this error since I ran an older version of Brakeman months ago.

From what I have researched so far Rails automatically generated the secret token when rails new appname is executed. I was not aware of it until now. Apparently Rails does not protect this file where if I decided to move any of my applications to Github the information would be available to anyone at Github accessing the application. At this time I am not uploading to GitHub but I want information on how to move the secure_token from config/initializers/secret_token.rb in order to close the security hole in my applications.

One blog post I read suggested that I inject the secret token into an ENV variable. Will moving the statement from config/initializers/secret_token.rb to config/environment.rb solve the problem? If so I will add this task to my list of tasks in Rails development.

Any help would be appreciated.

2 answers

solution1
 12 ACCPTED  2013-05-26 00:02:51

That particular message in Brakeman was silenced for me when I put secret information into ENV variables, as you mentioned. Personally, I like to use the Figaro gem for this, but I think dotenv is popular as well.

Some other resources that may be of interest to you regarding this are:

solution2
 1  2013-05-25 16:52:46

I'm not sure how moving the session secret to a different file would make a difference. Essentially, the secret token should be treated just like a password.

This blog post from Phusion explores a few different options for providing the session key at deploy time.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Ruby On Rails - Brakeman: Session cookies should be set to HTTP only Trouble upgrading Ruby on Rails from version 3.2.13 to 4.0.0 Should vendor assets be included in version control with bower + rails? ruby on rails brakeman gem and owasp top 10 Regex, devise & brakeman. Ruby on rails 5.2.2 Ruby On Rails - What do these Brakeman warnings mean? Ruby on Rails - Undefined Method - Rails 3.2.13 bcrypt error: Devise ruby 2.0 and rails 3.2.13 Install RVM with the latest Ruby (2.0.0) and Rails (3.2.13) Which Ruby on Rails version should I upgrade to?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM