Directory listing - Ruby

Directory listing - Ruby

Need

Prevention of directory listing and unauthorized access to sensitive files

Context

  • Requirement of Ruby 2.0 or higher for running the application
  • Usage of Rails framework for building web applications

Description

Non compliant code

        # config/environments/production.rb
Rails.application.configure do
  # ...
  config.serve_static_files = true
  config.public_file_server.enabled = true
  # ...
end
        
        

In the above code, the application is configured to serve static files from the public directory. This is done by setting config.serve_static_files = true and config.public_file_server.enabled = true in the config/environments/production.rb file.

This configuration is generally used for debugging purposes and should not be enabled in a production environment. When enabled, it allows anyone to access and list the directories and files in the public directory.

An attacker could exploit this to view sensitive information that should not be publicly accessible, such as configuration files, source code, or data files. This could lead to further attacks, such as code execution, data theft, or denial of service.

Steps

  • Disable directory listing in the web server configuration.
  • Ensure that the web server does not serve static files directly from the application's directories.
  • Configure the web server to only serve specific files or directories as needed.
  • Implement proper access controls and authentication mechanisms to restrict unauthorized access to sensitive files.
  • Regularly update and patch the web server software to address any security vulnerabilities.

Compliant code

        # config/environments/production.rb
Rails.application.configure do
  # ...
  config.serve_static_files = false
  config.public_file_server.enabled = false
  # ...
end
        
        

The above code disables the serving of static files in the production environment of a Ruby on Rails application. This is done by setting the config.serve_static_files and config.public_file_server.enabled to false.

This change will prevent the web server from directly serving files from the application's directories, which in turn disables directory listing. This is a crucial step in preventing potential attackers from gaining knowledge about the content of the files stored on the server.

In addition to this, it is recommended to implement proper access controls and authentication mechanisms to further restrict unauthorized access to sensitive files. Regularly updating and patching the web server software is also important to address any potential security vulnerabilities.

References