Sensitive information in source code - Credentials - Ruby

Sensitive information in source code - Credentials - Ruby

Need

Protection of sensitive information in source code

Context

  • Usage of Ruby for building dynamic and object-oriented applications
  • Usage of Ruby for building dynamic and object-oriented applications

Description

Non compliant code

        class ApplicationController < ActionController::Base
  # Hardcoded credentials
  USER = 'admin'
  PASSWORD = 'password123'
  EMAIL = 'admin@example.com'
  API_KEY = '1234567890abcdef'
end
        
        

The above code is a Ruby on Rails controller that has sensitive information hard-coded in it. This is a security vulnerability because anyone who has access to this source code can see these credentials.

- USER is the username for an administrative user.
- PASSWORD is the password for that user.
- EMAIL is the email address associated with that user.
- API_KEY is a key that would allow access to an API.

Having these hard-coded into the source code means that if the source code is ever exposed, these credentials are immediately compromised. Additionally, it makes it difficult to change these credentials, as you would have to change the source code and redeploy the application.

This is a particularly serious issue if the code is stored in a public repository, as it could be accessed by anyone. But even in a private repository, it could be accessed by anyone who has been given access to the repository, including former employees or contractors.

It's also worth noting that hard-coding credentials in this way means that all instances of the application use the same credentials. This is a problem because it means that a compromise of one instance potentially compromises all instances.

Steps

  • Remove the sensitive information from the source code.
  • Store the sensitive information in a secure location, such as environment variables.
  • Update the code to retrieve the sensitive information from the secure location at runtime.
  • Ensure that the secure location is properly protected and access to it is restricted.
  • Regularly review and update the sensitive information to minimize the risk of exposure.

Compliant code

        class ApplicationController < ActionController::Base
  # Removed hardcoded credentials
  USER = ENV['USER']
  PASSWORD = ENV['PASSWORD']
  EMAIL = ENV['EMAIL']
  API_KEY = ENV['API_KEY']
end
        
        

The previous code had a serious vulnerability as it contained hardcoded sensitive information such as user credentials and API keys. This is a bad practice because anyone who has access to the source code can see this information, which can lead to serious security breaches.

The updated code removes the hardcoded credentials and instead retrieves them from environment variables at runtime. Environment variables are a secure way to store sensitive information because they are only available to the process in which they were set, which minimizes the risk of exposure.

To set the environment variables, you can use the following commands in the terminal:

                export USER='your_username'
export PASSWORD='your_password'
export EMAIL='your_email'
export API_KEY='your_api_key'

            


Remember to replace 'your_username', 'your_password', 'your_email', and 'your_api_key' with your actual credentials.

Also, ensure that these environment variables are set in the production environment. You can do this by adding them to the environment configuration of your hosting service.

Finally, make sure to protect the environment variables by restricting access to them and regularly reviewing and updating them.

References