Enabled default credentials - Ruby

Need

Implementation of strong and unique credentials for all system resources

Context

  • Usage of Ruby programming language for web development
  • Usage of PostgreSQL for database management and data storage

Description

Non compliant code

# config/database.yml
development:
  adapter: postgresql
  encoding: unicode
  database: myapp_development
  pool: 5
  username: postgres
  password: postgres

In the above code snippet, the database.yml file in a Ruby on Rails application is configured to connect to a PostgreSQL database with the username postgres and password postgres. These are default credentials that are commonly used in PostgreSQL installations.

The vulnerability here is that these default credentials are low-strength and can be easily guessed or brute-forced by an attacker. If an attacker is able to guess these credentials, they would have full access to the database including all data stored within it. They could read sensitive information, modify data, or even drop tables and databases.

This is a critical security issue as it directly affects the confidentiality, integrity, and availability of the data in the database. It is also a violation of the principle of least privilege, which states that a user should have the minimum levels of access necessary to perform their tasks. In this case, the postgres user has full administrative access to the database.

To fix this vulnerability, you should use strong, unique credentials for your database and avoid using default credentials. You should also limit the privileges of your database user to the minimum necessary for your application to function.

Steps

  • Change the default username and password in the database configuration file.
  • Use strong and unique credentials for the database user.
  • Avoid using common or easily guessable usernames and passwords.
  • Consider using environment variables or a secure credentials management system to store sensitive information.
  • Regularly review and update the credentials to ensure they remain secure.

Compliant code

# config/database.yml
development:
  adapter: postgresql
  encoding: unicode
  database: myapp_development
  pool: 5
  username: <%= ENV['DATABASE_USERNAME'] %>
  password: <%= ENV['DATABASE_PASSWORD'] %>

The previous code was vulnerable due to the use of default credentials for the database. This could allow unauthorized users to gain access to the system resources.

The updated code reads the database username and password from environment variables instead of literal values. This is more secure because the credentials never appear in the source code or in version control.

ENV['DATABASE_USERNAME'] and ENV['DATABASE_PASSWORD'] are placeholders for the environment variables you must set in your application environment; Rails evaluates the ERB tags in database.yml before parsing it, so those variables must hold the actual username and password for your database at boot time.

Remember to use strong and unique credentials for your database user. Avoid using common or easily guessable usernames and passwords. Regularly review and update the credentials to ensure they remain secure.

Also, never commit sensitive data such as credentials to your version control system. Always use environment variables or a secure credentials management system to store sensitive information.
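As an added illustration (not part of the original page or of any Rails project code), the following Ruby audit renders a database.yml the same way Rails does (ERB first, then YAML), flags a hard-coded password in the raw file, and checks the resolved credentials for default pairs, weak passwords and use of the postgres superuser. The two YAML samples, the default-pair list and the minimum length are constructed for this example.

```ruby
require "erb"
require "yaml"

# Constructed samples reproducing the two database.yml variants from this page.
NONCOMPLIANT_YML = <<~YAML
  development:
    adapter: postgresql
    database: myapp_development
    username: postgres
    password: postgres
YAML

COMPLIANT_YML = <<~YAML
  development:
    adapter: postgresql
    database: myapp_development
    username: <%= ENV['DATABASE_USERNAME'] %>
    password: <%= ENV['DATABASE_PASSWORD'] %>
YAML

# Well-known PostgreSQL default pairs to flag (constructed short list, not exhaustive).
DEFAULT_PAIRS = [["postgres", "postgres"], ["postgres", "password"], ["postgres", ""]].freeze
MIN_PASSWORD_LENGTH = 16 # assumed policy value for this example

# Flag a literal password in the raw file: any value that is not an ERB tag.
def hardcoded_password?(yml_text)
  yml_text.lines.any? { |line| line.match?(/^\s*password:\s*(?!<%)\S/) }
end

# Evaluate the ERB first, as Rails does, so ENV references resolve; then parse the YAML.
def render_database_yml(yml_text)
  YAML.safe_load(ERB.new(yml_text).result(binding))
end

# Audit the resolved credentials of one environment. Returns findings; empty means pass.
# An unset ENV variable renders as an empty value and is reported rather than accepted.
def audit_credentials(config, env_name = "development")
  section = config.fetch(env_name)
  user = section["username"].to_s
  pass = section["password"].to_s
  findings = []
  findings << "username is empty" if user.empty?
  findings << "password is empty" if pass.empty?
  findings << "default credential pair #{user}/#{pass}" if DEFAULT_PAIRS.include?([user, pass])
  findings << "password equals username" if !pass.empty? && pass == user
  findings << "password shorter than #{MIN_PASSWORD_LENGTH} chars" if !pass.empty? && pass.length < MIN_PASSWORD_LENGTH
  findings << "application connects as the 'postgres' superuser" if user == "postgres"
  findings
end
```

Running the audit in CI against every environment in config/database.yml catches both a committed literal password and a deployment where the variables were never set.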

References