Sensitive information in source code - Dependencies - Ruby

Sensitive information in source code - Dependencies - Ruby

Need

Secure storage of sensitive information in a protected environment

Context

  • Usage of Ruby for building dynamic and object-oriented applications
  • Usage of Rails framework for building web applications

Description

Non compliant code

        # config/initializers/jwt.rb
module MyApp
  class Application < Rails::Application
    config.jwt = {
      private_key: 'YOUR_PRIVATE_KEY'
    }
  end
end
        
        

The above code is a Ruby on Rails application configuration file where a private key is hardcoded directly into the source code. This is a security vulnerability since anyone who has access to the source code can see the private key. This key is used for JWT (JSON Web Token) authentication, and if it's compromised, an attacker could impersonate any user in the system.

The private key is stored in the jwt configuration of the application, which is initialized during the application startup. The key is stored as a string directly in the source code, which is a bad practice from a security standpoint.

Anyone with access to the application's source code or who can reverse engineer the application's dependencies can potentially retrieve this private key. This could lead to unauthorized access to sensitive data or services that rely on this key for authentication.

The private key should be stored in a secure and protected environment, such as environment variables or a secure key management system, not directly in the source code.

Steps

  • Remove the sensitive information from the source code.
  • Store the private key in a protected environment, such as a configuration file or environment variable.
  • Update the code to retrieve the private key from the protected environment instead of hardcoding it.
  • Ensure that the protected environment is properly secured and access to the private key is restricted.
  • Regularly review and update the access controls for the protected environment to prevent unauthorized access to the private key.

Compliant code

        # config/initializers/jwt.rb
module MyApp
  class Application < Rails::Application
    config.jwt = {
      private_key: ENV['JWT_PRIVATE_KEY']
    }
  end
end
        
        

The above code has been modified to remove the hardcoded private key. Instead, it now retrieves the private key from an environment variable named JWT_PRIVATE_KEY. This change ensures that the private key is not exposed in the source code, reducing the risk of it being compromised.

To implement this change, you will need to set the JWT_PRIVATE_KEY environment variable in your production environment. This can typically be done in the settings or configuration for your hosting provider or server. Make sure to keep this environment variable secure and do not expose it in any logs or error messages.

By storing sensitive information such as private keys in environment variables, you can keep them out of your codebase and reduce the risk of them being exposed. This also makes it easier to change the keys if needed, as you can simply update the environment variable without needing to modify and redeploy your application code.

Remember to regularly review and update the access controls for your production environment to ensure that only authorized individuals can access sensitive information like your private key.

References