Technical information leak - Ruby

Technical information leak - Ruby

Need

Protection of sensitive technical information

Context

  • Requirement of Ruby 2.0 or higher for running the application
  • Usage of Rails framework for building web applications

Description

Non compliant code

        # config/environments/production.rb

Rails.application.configure do
  #...

  # Expose version information in HTTP headers
  config.x.send_version_header = true

  # Expose detailed exception information in HTTP responses
  config.consider_all_requests_local = true

  #...
end
        
        

In the above code, we are configuring a Rails application in the config/environments/production.rb file.

The config.x.send_version_header = true line is a custom configuration that tells the application to include version information in the HTTP headers of its responses. This could expose the version of Rails or other components being used, which could potentially help an attacker identify known vulnerabilities to exploit.

The config.consider_all_requests_local = true line tells Rails to provide detailed exception information in HTTP responses when an error occurs. While this can be helpful for debugging, it can also expose sensitive information about the application's internal workings, such as file paths, database queries, and configuration details. In a production environment, this information should not be exposed to end users or potential attackers.

Steps

  • Disable sending version information in HTTP headers
  • Disable exposing detailed exception information in HTTP responses

Compliant code

        # config/environments/production.rb

Rails.application.configure do
  #...

  # Disable sending version information in HTTP headers
  config.x.send_version_header = false

  # Disable exposing detailed exception information in HTTP responses
  config.consider_all_requests_local = false

  #...
end
        
        

The above code is a fixed version of the previous vulnerable code. The vulnerability was that the application was leaking technical information such as system component versions and specific information about the configuration of server components. This was happening because the application was configured to send version information in HTTP headers and expose detailed exception information in HTTP responses.

In the fixed code, we have disabled sending version information in HTTP headers by setting config.x.send_version_header to false. This means that the application will no longer include version information in the HTTP headers of its responses.

We have also disabled exposing detailed exception information in HTTP responses by setting config.consider_all_requests_local to false. This means that the application will no longer include detailed exception information in the HTTP responses when an error occurs.

These changes will help to prevent potential attackers from obtaining valuable technical information about the application and its environment.

References