Technical information leak - Credentials - Ruby

Need

Protection of sensitive credentials from being exposed

Context

  • Requirement of Ruby 2.0 or later for running the application
  • Usage of Rails framework for building web applications

Description

Non-compliant code

        # Non-compliant: the Direct Line secret key is hardcoded in the controller
        # and handed to the view through an instance variable.
        class LoginController < ApplicationController
          def index
            @bot_secret_key = "YOUR_DIRECT_LINE_SECRET_KEY"
          end
        end

In the code above, the BotChat Direct Line Secret Key is stored in the instance variable @bot_secret_key in the index method of the LoginController. Because controller instance variables are available to the view, the secret key is passed to the frontend and used directly in a script tag within the HTML.

The problem here is that the secret key is exposed in the source code of the HTML page. Anyone who views the page source will be able to see the secret key in plain text. This is a serious security issue as it allows potential attackers to gain unauthorized access to the BotChat Direct Line.

Moreover, the secret key is hardcoded into the controller. This is a bad practice as it makes the key difficult to change and it could be accidentally committed to a version control system, which would further increase the risk of it being exposed.

Steps

  • Remove the Direct Line secret key from the code.
  • Store the Direct Line secret key in a secure configuration file or environment variable.
  • Access the secret key from the configuration file or environment variable in the controller.
  • Ensure that the configuration file or environment variable is not accessible to unauthorized users.
  • Consider using encryption or other security measures to protect the secret key.
  • Regularly review and update the secret key to minimize the risk of exposure.

Compliant code

        # Compliant: the secret key is read from the environment at request time
        # instead of being written into the source. Keep the value server-side;
        # a nil result here means the variable was not set.
        class LoginController < ApplicationController
          def index
            @bot_secret_key = ENV['BOT_SECRET_KEY']
          end
        end

The original code had a vulnerability where the BotChat Direct Line Secret Key was hardcoded into the code and could be read in plain text. This is a serious security risk as it exposes sensitive information that could be exploited by malicious actors.

The revised code fixes this vulnerability by storing the secret key in an environment variable instead of hardcoding it into the code. This is a more secure practice as it means the secret key is not exposed in the code and can only be accessed by authorized users who have access to the environment variables.

In addition to this change, it is recommended to use encryption or other security measures to further protect the secret key. Regularly reviewing and updating the secret key can also help to minimize the risk of exposure.

Please ensure that the environment variable 'BOT_SECRET_KEY' is set in your application's environment, and it is not accessible to unauthorized users.
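The steps above and the compliant controller can be supported by two small pieces of tooling. The following Ruby is an added example, not code from the original page: a static check that flags string literals assigned to credential-looking names (the non-compliant pattern), and a fail-fast environment lookup for the compliant controller. The regexes, the function names and the sample snippets are assumptions constructed for this example.

```ruby
# Added example, not part of the original page: a small static check that flags
# string literals assigned to credential-looking names (the non-compliant pattern
# above), and a fail-fast environment lookup for the compliant controller.

SECRET_NAME = /(secret|api[_-]?key|password|token|credential)/i
# Matches "name = 'literal'" or 'name = "literal"', optionally followed by a comment.
LITERAL_ASSIGNMENT = /\A\s*(@{0,2}[A-Za-z_]\w*)\s*=\s*(["'])(.*?)\2\s*(#.*)?\z/

# Returns one hash {line:, name:, value:} per credential-looking literal assignment.
def find_hardcoded_secrets(source)
  findings = []
  source.each_line.with_index(1) do |text, lineno|
    m = LITERAL_ASSIGNMENT.match(text.chomp)
    next unless m && SECRET_NAME.match?(m[1])
    findings << { line: lineno, name: m[1], value: m[3] }
  end
  findings
end

# A missing or blank variable should stop the request (or boot), not silently
# yield nil that is then rendered into the page. Keep the value server-side.
def fetch_secret(name, env = ENV)
  value = env[name]
  raise KeyError, "#{name} is not set in the environment" if value.nil? || value.strip.empty?
  value
end

# Constructed samples mirroring the two controllers on this page.
NONCOMPLIANT = <<~RUBY
  class LoginController < ApplicationController
    def index
      @bot_secret_key = "YOUR_DIRECT_LINE_SECRET_KEY"
    end
  end
RUBY

COMPLIANT = <<~RUBY
  class LoginController < ApplicationController
    def index
      @bot_secret_key = ENV['BOT_SECRET_KEY']
    end
  end
RUBY

if $PROGRAM_NAME == __FILE__
  find_hardcoded_secrets(NONCOMPLIANT).each do |f|
    puts "line #{f[:line]}: #{f[:name]} assigned literal #{f[:value].inspect}"
  end
  puts "compliant findings: #{find_hardcoded_secrets(COMPLIANT).size}"
end
```

Running the check over a controller directory before commit catches the hardcoded form; the fetch helper makes a missing BOT_SECRET_KEY fail loudly instead of rendering nil.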

References