Protection of sensitive technical information
# config/environments/production.rb
Rails.application.configure do
# ...
config.assets.debug = true
config.assets.raise_runtime_errors = true
# ...
end
In the above code, the
config.assets.debug = true
and
config.assets.raise_runtime_errors = true
settings in the production environment of a Ruby on Rails application are problematic. Both belong in config/environments/development.rb, where they aid debugging: asset debug mode makes Sprockets serve each asset separately, unminified, and (depending on the Sprockets version) with a source map, and raise_runtime_errors makes the asset helpers raise an exception for asset problems, such as an asset missing from the precompile list, instead of tolerating them.
However, in a production environment they expose information an attacker should not have. Specifically, setting
config.assets.debug = true
makes Rails serve the debug variant of each asset, which carries a sourceMappingURL comment pointing at the corresponding .map file. That comment is visible to anyone who reads the served JavaScript or CSS, and the source map itself reproduces the original, unminified front-end sources, including comments, identifiers and internal route paths that the compiled bundle would otherwise have stripped.
Similarly,
config.assets.raise_runtime_errors = true
turns asset problems into exceptions at request time. Whether such an exception reaches the user as a detailed error page with stack traces and file paths depends on config.consider_all_requests_local, which must remain false in production (its default); if that is also true, every asset error hands a malicious actor clues about the application's inner workings. Both cases are technical information leakage, a serious weakness, but the .map files are the more severe one because they are served on every page load rather than only on error, which is why the fix below targets the debug setting.
# config/environments/production.rb
Rails.application.configure do
# ...
# Serve only the compiled, fingerprinted bundle; no per-file debug assets, no .map files
config.assets.debug = false
config.assets.raise_runtime_errors = true
# ...
end
The above code is a fixed version of the previous vulnerable code. The vulnerability was that the application leaked technical information through the .map files, because asset debug mode was enabled in the production environment.
In the fixed code, asset debug mode is disabled in production by setting
config.assets.debug = false
in the
config/environments/production.rb
file. Since false is the default, deleting the line is equivalent; either way Rails stops serving debug assets and the sourceMappingURL comments that point at the .map files, which removes the material a malicious actor could analyse.
After making these changes, restart the application: configuration files are read at boot, so nothing takes effect until then. Also check the precompiled asset directory (public/assets): if .map files were written there by an earlier precompile, the web server will keep serving them from disk regardless of this setting, so delete them or re-run the precompile with the corrected configuration. Finally, confirm that config.consider_all_requests_local is not set to true in production, so that the remaining raise_runtime_errors setting cannot turn an asset error into a detailed error page.
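The following script is an added example, not code from the original page; it gives the practitioner a way to verify both points above. audit_production_config scans the text of config/environments/production.rb for settings that must not be true in production, and source_map_urls extracts the sourceMappingURL directives from a served asset so the advertised .map locations can be probed. The sample configuration, the sample JavaScript body and the example.test host are constructed for the demonstration; exposed_source_maps is the only part that touches the network and is not exercised by the offline run.

```ruby
require 'uri'
require 'net/http'

# Settings that must not be true in config/environments/production.rb.
# consider_all_requests_local is included because it decides whether a
# raise_runtime_errors exception becomes a detailed error page.
PRODUCTION_FORBIDDEN = {
  'config.assets.debug' => true,
  'config.consider_all_requests_local' => true
}.freeze

# Scan the text of production.rb and return every `config.* = true/false`
# assignment that matches a forbidden value. Commented-out lines are skipped;
# values computed at runtime are not recognised and are left for manual review.
def audit_production_config(source)
  findings = []
  source.each_line.with_index(1) do |line, no|
    next if line.strip.start_with?('#')
    m = line.match(/\A\s*(config\.[\w.]+)\s*=\s*(true|false)\b/)
    next unless m
    key = m[1]
    value = (m[2] == 'true')
    if PRODUCTION_FORBIDDEN.key?(key) && PRODUCTION_FORBIDDEN[key] == value
      findings << { line: no, key: key, value: value }
    end
  end
  findings
end

# Matches both the JavaScript form (//# sourceMappingURL=...) and the CSS form
# (/*# sourceMappingURL=... */); the older //@ spelling is accepted as well.
SOURCE_MAP_RE = %r{(?://|/\*)\s*[#@]\s*sourceMappingURL=(\S+?)\s*(?:\*/)?\s*$}

# Resolve every sourceMappingURL in a served asset body against the asset's URL.
# A non-empty result means the asset tells every client where its .map lives.
def source_map_urls(asset_url, body)
  base = URI(asset_url)
  body.scan(SOURCE_MAP_RE).flatten.map { |ref| URI.join(base, ref).to_s }.uniq
end

# Live check (needs network): fetch the asset, follow each advertised source map
# and keep those the server actually returns with a 2xx status.
def exposed_source_maps(asset_url)
  body = Net::HTTP.get(URI(asset_url))
  source_map_urls(asset_url, body).select do |map_url|
    Net::HTTP.get_response(URI(map_url)).is_a?(Net::HTTPSuccess)
  end
end

# Constructed sample inputs (not captured from a real application).
SAMPLE_PRODUCTION_RB = <<~RUBY
  Rails.application.configure do
    config.assets.debug = true
    config.assets.raise_runtime_errors = true
    config.consider_all_requests_local = false
    # config.assets.debug = true   (commented out, must be ignored)
  end
RUBY

SAMPLE_JS = <<~JS
  !function(){console.log("app")}();
  //# sourceMappingURL=application.js-0c1d2e.map
JS

if __FILE__ == $PROGRAM_NAME
  audit_production_config(SAMPLE_PRODUCTION_RB).each do |f|
    puts "production.rb:#{f[:line]} #{f[:key]} = #{f[:value]} (not allowed in production)"
  end
  source_map_urls('https://example.test/assets/application-0c1d2e.js', SAMPLE_JS).each do |u|
    puts "source map advertised at #{u}"
  end
end
```

Run it against the real file and a real asset URL by replacing the sample inputs; a clean production deployment yields no findings from audit_production_config and an empty list from source_map_urls for every asset referenced in the page.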