
I have installed the latest version of the Brakeman gem to help me with Rails application security.

I have several Rails applications that I have on two servers, one for development and the other for production. When I ran the Brakeman reports on my applications, most of them flagged config/initializers/secret_token.rb with the following high security vulnerability.

Session secret should not be included in version control near line 7

This is the first time I have seen this error since I ran an older version of Brakeman months ago.

From what I have researched so far, Rails automatically generates the secret token when rails new appname is executed. I was not aware of it until now. Apparently Rails does not protect this file, so if I decided to move any of my applications to GitHub, the information would be available to anyone accessing the application on GitHub. At this time I am not uploading to GitHub, but I want information on how to move the secret token out of config/initializers/secret_token.rb in order to close the security hole in my applications.

One blog post I read suggested that I inject the secret token into an ENV variable. Will moving the statement from config/initializers/secret_token.rb to config/environment.rb solve the problem? If so I will add this task to my list of tasks in Rails development.

Any help would be appreciated.

2 Answers


That particular message in Brakeman was silenced for me when I put secret information into ENV variables, as you mentioned. Personally, I like to use the Figaro gem for this, but I think dotenv is popular as well.

Some other resources that may be of interest to you regarding this are:

Paul Fioravanti
  • The suggestion I mentioned about the ENV variable came from the Code Climate blog post. I read it before posting my question. I was not sure how to make it the ENV variable when I posted my question. However, when I took a look at environment.rb I saw the statement formats were the same, so I moved the statement from secret_token there. The message disappeared. I have the Code Climate blog post in my Bookmarks. I will check out Figaro, which I saw in previous searches. I will also look at dotenv. – Pamela Cook - LightBe Corp May 27 '13 at 12:15
  • 5
  • If environment.rb is stored in your source control, then it's no more safe than secret_token.rb. – Justin Jun 10 '13 at 04:35

I'm not sure how moving the session secret to a different file would make a difference. Essentially, the secret token should be treated just like a password.

This blog post from Phusion explores a few different options for providing the session key at deploy time.

Justin
  • I read this post before asking my question. They suggested option 2 along with patching Rails. Several of the options assume that you are using Capistrano. I'm not using it. I am still learning things about Rails, especially regarding security. Unfortunately the blog post has a lot of information that I am not familiar with. – Pamela Cook - LightBe Corp May 25 '13 at 21:06
  • The other file (e.g. `.env`) can be gitignored, keeping it out of version control. It can then be managed as appropriate for each platform, with developers manually editing the ignored file with a development secret, and DevOps managing it however appropriate on their server stack. – David Hempy Jul 27 '23 at 12:14
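An added example (not code from the question or either answer) of the approach the first answer and David Hempy's comment describe: the initializer reads the session secret from ENV, and ENV is populated from a gitignored .env file. A minimal dotenv-style loader is included so it runs without the gem; the variable name SECRET_TOKEN and the 64-character minimum are assumptions.

```ruby
# Added example: replace the literal in config/initializers/secret_token.rb
# with a value read from the environment, and fail fast when it is missing.
# The .env loader below mimics dotenv's default semantics (do not overwrite
# variables the process already has); the real gem does this for you.

MIN_SECRET_LENGTH = 64  # assumption: anything shorter is treated as misconfigured

# Parse KEY=VALUE lines (blank lines and # comments ignored) into +env+,
# leaving keys that are already present untouched. Add .env to .gitignore so
# the file itself never enters version control.
def load_dotenv(text, env)
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split('=', 2)
    next if key.nil? || value.nil?
    key = key.strip
    next if env.key?(key)
    env[key] = value.strip.delete_prefix('"').delete_suffix('"')
  end
  env
end

# Return the secret or raise with a clear message, so the app never boots
# with no secret (or a trivially short one). `rake secret` prints a suitable
# 128-character hex value.
def session_secret_from(env)
  secret = env['SECRET_TOKEN']
  if secret.nil? || secret.empty?
    raise 'SECRET_TOKEN is not set; put it in the gitignored .env or the deploy environment'
  end
  if secret.length < MIN_SECRET_LENGTH
    raise "SECRET_TOKEN is only #{secret.length} chars; generate one with `rake secret`"
  end
  secret
end

# What the initializer itself would do; the guard lets this file also run
# outside a Rails process (e.g. when executed directly).
if defined?(Rails)
  load_dotenv(File.read('.env'), ENV) if File.exist?('.env')
  Rails.application.config.secret_token = session_secret_from(ENV)
end
```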