Debugging enabled in production
Need
Disabling debugging mode in production environment
Context
- Requirement of Ruby 2.0 or later for executing the code
- Usage of Rails framework for building web applications
Description
Non compliant code
# config/environments/production.rb
Rails.application.configure do
# ...
config.consider_all_requests_local = true
config.action_controller.perform_caching = false
config.action_mailer.raise_delivery_errors = false
config.active_record.migration_error = :page_load
config.active_support.deprecation = :log
config.assets.debug = true
# ...
end
In the above code, you can see that the debug mode is enabled in the production environment. This is a serious security vulnerability because it can expose sensitive data to potential attackers.
Here's how each line contributes to the vulnerability:
-
config.consider_all_requests_local = true: This line means that the application will show full error reports for every IP address. In a production environment, this should be set tofalseto prevent error reports from being shown to end users. -
config.action_controller.perform_caching = false: This line disables caching in the production environment. This can lead to performance issues and can also expose sensitive data if error messages are not properly handled. -
config.action_mailer.raise_delivery_errors = false: This line means that the application will not raise exceptions for failed email deliveries. This can lead to information being leaked if error messages contain sensitive data. -
config.active_record.migration_error = :page_load: This line means that the application will show a detailed error page if there is a database migration error. This can expose sensitive database information. -
config.active_support.deprecation = :log: This line means that the application will log deprecation warnings. This can expose sensitive application information if the logs are not properly secured. -
config.assets.debug = true: This line enables debugging mode for assets. This can expose sensitive asset information and can also lead to performance issues.
In summary, enabling debug mode in a production environment can expose sensitive application, database, and asset information. It can also lead to performance issues.
Steps
- Disable debug mode in the production environment.
- Set 'config.consider_all_requests_local' to false.
- Set 'config.assets.debug' to false.
- Ensure that error messages are not displayed to users in production.
- Enable error logging instead of displaying error messages.
Compliant code
# config/environments/production.rb
Rails.application.configure do
# ...
config.consider_all_requests_local = false
config.action_controller.perform_caching = true
config.action_mailer.raise_delivery_errors = false
config.active_record.migration_error = :page_load
config.active_support.deprecation = :log
config.assets.debug = false
# ...
end
The above code is a fixed version of the previous vulnerable code. The changes made are as follows:
-
config.consider_all_requests_localis set tofalse. This means that if your application encounters an error, it will not display a debugging page to the user. Instead, it will render the standard 500 server error page. This is important because the debugging page can contain sensitive information that you do not want to expose to users. -
config.action_controller.perform_cachingis set totrue. This means that the application will cache views, which can improve performance. -
config.assets.debugis set tofalse. This means that the application will not generate source maps for your assets. This is important because source maps can reveal a lot of information about your codebase, which can be a security risk. -
The other settings remain the same.
config.action_mailer.raise_delivery_errorsis set tofalseto prevent the application from raising exceptions when an email fails to be delivered.config.active_record.migration_erroris set to:page_loadto raise an exception when a migration error is encountered during page load.config.active_support.deprecationis set to:logto log deprecation warnings.
By making these changes, you can ensure that your application does not expose sensitive information when an error occurs, which can help to keep your application secure.