Technical information leak - Console functions - Ruby

Need

Secure logging and information handling

Context

  • Usage of Ruby 2.5.0 as the programming language for development
  • Usage of Rails framework for building web applications
  • Usage of ActiveRecord for Object-Relational Mapping (ORM) in database operations

Description

Non-compliant code

    class UsersController < ApplicationController
      def show
        @user = User.find(params[:id])
        # puts writes straight to STDOUT, bypassing the configured logger
        puts "User found: #{@user.name}"
      rescue ActiveRecord::RecordNotFound
        puts "No user found with the provided ID."
      end
    end


In the above Ruby on Rails code, the show action in the UsersController tries to find a user based on the id passed in the parameters. If the user is found, it prints the user's name to the console using puts. If no user is found, User.find raises an ActiveRecord::RecordNotFound exception, which the rescue clause catches before printing an error message to the console.

The vulnerability lies in the usage of puts for logging sensitive information. In a production environment, this console output can be read by unauthorized individuals, which leads to an information leak. It can reveal sensitive user data and the internal workings of the application, making it susceptible to further attacks.

Steps

  • Remove the usage of console functions (log, info, warning) in production code.
  • Instead of using console functions, use appropriate logging mechanisms provided by the Ruby on Rails framework.
  • Configure the logging mechanism to log the necessary information in a secure and controlled manner.
  • Ensure that sensitive information is not logged or exposed in the logs.
  • Regularly review and monitor the logs to identify any potential information leakages.

Compliant code

    class UsersController < ApplicationController
      def show
        @user = User.find(params[:id])
        # Rails.logger honours the application's configured level and destination
        Rails.logger.info "User found: #{@user.name}"
      rescue ActiveRecord::RecordNotFound
        Rails.logger.info "No user found with the provided ID."
      end
    end


The updated code replaces the puts statements, which print to the console, with Rails.logger.info statements. This is a more secure way to log information in a Ruby on Rails application.

The Rails.logger object is an instance of the ActiveSupport::Logger class, which provides a unified logging interface in Rails. This logger is automatically configured based on the logging settings in your application's configuration.

The info method is one of the severity level methods provided by the logger. It's used to write info level messages to the log. Other severity level methods include debug, error, fatal, and warn.

In the updated code, when a user is found, the message "User found: [user name]" is written to the log. If no user is found, the message "No user found with the provided ID." is written to the log.

This change ensures that the application does not leak information through the console in a production environment. Instead, the necessary information is logged in a secure and controlled manner.

Remember to configure your logger appropriately to ensure that sensitive information is not logged. Also, regularly review and monitor your logs to identify any potential information leakages.
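The steps above, worked through as an added example that is not part of the original page: the same show action written against Ruby's standard Logger (the class Rails.logger builds on), with the destination and severity threshold set centrally and a formatter that scrubs e-mail addresses before anything reaches the log. The names build_app_logger, show_user, find_user and the in-memory USERS table are assumptions standing in for the Rails pieces.

```ruby
require "logger"
require "stringio"

# Constructed stand-in for an ActiveRecord model: id => record (assumption).
USERS = { 1 => { name: "Alice", email: "alice@example.com" } }.freeze
class RecordNotFound < StandardError; end

def find_user(id)
  USERS.fetch(id) { raise RecordNotFound, "id=#{id}" }
end

# Logger with a configured sink and level (the counterpart of config.logger /
# config.log_level in Rails) and a formatter that redacts e-mail addresses.
EMAIL = /[\w.+-]+@[\w-]+\.[\w.-]+/
def build_app_logger(io, level: Logger::INFO)
  logger = Logger.new(io, level: level)
  logger.formatter = proc do |severity, time, _prog, msg|
    stamp = time.utc.strftime("%FT%TZ")
    "#{stamp} #{severity} #{msg.to_s.gsub(EMAIL, '[FILTERED]')}\n"
  end
  logger
end

# Equivalent of the compliant show action: log only through the logger.
# The record is returned to the caller; the log does not carry the full row.
def show_user(id, logger)
  user = find_user(id)
  logger.info("User found: #{user[:name]}")   # minimal, at INFO
  logger.debug("User record: #{user}")         # full row only below INFO
  user
rescue RecordNotFound
  logger.warn("No user found with the provided ID.")
  nil
end

# Run the action against an in-memory sink and return what was actually logged,
# so the effect of the configured level and the redaction can be checked.
def captured_log(id, level: Logger::INFO)
  sink = StringIO.new
  show_user(id, build_app_logger(sink, level: level))
  sink.string
end

if __FILE__ == $PROGRAM_NAME
  $stdout.print captured_log(1)                       # INFO line, no debug row
  $stdout.print captured_log(1, level: Logger::DEBUG) # row present, e-mail filtered
  $stdout.print captured_log(2)                       # WARN line
end
```

At the default INFO level the full record never reaches the sink; when DEBUG is enabled for troubleshooting, the formatter still keeps the e-mail address out of the log.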

References