Sensitive information sent insecurely - Ruby

Sensitive information sent insecurely - Ruby

Need

Secure transmission of sensitive information

Context

  • Usage of Ruby 2.7 for developing Ruby applications
  • Usage of net-http for handling HTTP requests and responses in Node.js
  • Usage of URI for parsing and manipulating Uniform Resource Identifiers (URIs)
  • Usage of ActiveRecord for Object-Relational Mapping (ORM) in Ruby on Rails

Description

Non compliant code

        def send_data
  user = User.find(params[:id])
  sensitive_data = user.sensitive_data
  uri = URI('http://example.com/api')
  Net::HTTP.post_form(uri, 'data' => sensitive_data)
end
        
        

The above Ruby on Rails code snippet is a representation of the vulnerability "Sensitive information sent insecurely". In this code, we are fetching a user's sensitive data from the database and sending it to an external API.

The vulnerability here is that the sensitive data is being sent over an insecure HTTP connection. HTTP is not secure because it does not encrypt the data being transferred. This means that anyone who can intercept the connection (for example, on a public Wi-Fi network) could potentially read and misuse this sensitive data.

The Net::HTTP.post_form method is used to send a POST request to the specified URI. The second parameter to this method is a Hash that contains the data to be sent. In this case, the Hash contains the sensitive data of the user.

The URI('http://example.com/api') is the insecure endpoint where the data is being sent. As you can see, it uses the http protocol, which is not secure. If this were a real application, this endpoint should be using the https protocol instead, which encrypts the data being sent and ensures its confidentiality and integrity.

The user.sensitive_data is just a placeholder for the actual sensitive data of the user. This could be anything from the user's password, credit card information, personal identifiable information (PII), etc.

Steps

  • Use HTTPS instead of HTTP to ensure secure communication.
  • Implement encryption to protect the sensitive data during transmission.
  • Consider using a secure API endpoint with proper authentication and authorization mechanisms.
  • Implement input validation and sanitization to prevent any potential injection attacks.
  • Avoid sending sensitive data in the request parameters or query strings.
  • Store sensitive data securely in the backend and retrieve it when needed, instead of sending it directly in the request.
  • Follow secure coding practices and guidelines provided by the Ruby on Rails framework.
  • Regularly update and patch the Ruby on Rails framework to address any security vulnerabilities.
  • Perform security testing and code reviews to identify and fix any other potential vulnerabilities.

Compliant code

        require 'net/https'
require 'uri'

def send_data
  user = User.find(params[:id])
  sensitive_data = user.sensitive_data

  uri = URI.parse('https://example.com/api')

  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER

  request = Net::HTTP::Post.new(uri.request_uri)
  request.set_form_data('data' => sensitive_data)

  response = http.request(request)
end
        
        

The updated code now sends the sensitive data over HTTPS, which is a secure protocol that encrypts the data during transmission, ensuring its confidentiality and integrity.

The Net::HTTP library in Ruby is used to send HTTP requests. The use_ssl property is set to true to enable HTTPS. The verify_mode is set to OpenSSL::SSL::VERIFY_PEER to verify the server's SSL certificate.

The Net::HTTP::Post class is used to create a POST request. The sensitive data is included in the form data of the request. The set_form_data method is used to set the form data in the request.

The http.request(request) method is used to send the POST request to the server and the response from the server is stored in the response variable.

This code should be used in a secure environment where the server's SSL certificate can be verified. If the server's SSL certificate cannot be verified, the connection should not be trusted, and the sensitive data should not be sent.

This code does not include any error handling. In a production environment, you should add appropriate error handling code to handle any potential errors or exceptions that may occur when sending the HTTP request.

This code assumes that the sensitive data is a string. If the sensitive data is not a string, you will need to convert it to a string before including it in the form data.

This code does not include any authentication or authorization mechanisms. If the API endpoint requires authentication or authorization, you will need to include the appropriate headers or parameters in the request.

References