Technical information leak - SourceMap
Need
Protection of sensitive technical information
Context
- Usage of Ruby for building dynamic and object-oriented applications
- Usage of Rails framework for building web applications
Description
Non-compliant code
# config/environments/production.rb
Rails.application.configure do
  # ...
  config.assets.debug = true
  config.assets.raise_runtime_errors = true
  # ...
end
In the above code, the config.assets.debug = true and config.assets.raise_runtime_errors = true settings in the production environment of a Ruby on Rails application are problematic. These settings are typically used in development environments to aid debugging by generating source maps and providing detailed error messages.
However, when used in a production environment, they can expose sensitive information. Specifically, setting config.assets.debug = true causes Rails to generate source maps (.map files) for your assets. These source maps are then accessible to anyone who knows where to look for them, potentially exposing your application's source code.
Similarly, config.assets.raise_runtime_errors = true can lead to detailed error messages being displayed to users, which can give malicious actors clues about your application's inner workings. This is a form of technical information leakage, which is a serious security vulnerability.
Steps
- Disable debug mode for assets in the production environment.
- Remove the line 'config.assets.debug = true' from the 'config/environments/production.rb' file.
- Set 'config.assets.debug = false' in the 'config/environments/production.rb' file.
- Restart the application to apply the changes.
Compliant code
# config/environments/production.rb
Rails.application.configure do
  # ...
  config.assets.debug = false
  config.assets.raise_runtime_errors = true
  # ...
end
The above code is a fixed version of the previous vulnerable code. The vulnerability was that the application was leaking technical information through the .map files, because the debug mode for assets was enabled in the production environment.
In the fixed code, the debug mode for assets has been disabled in the production environment. This is done by setting config.assets.debug = false in the config/environments/production.rb file. This change prevents the .map files from being generated and exposed, mitigating the risk of a malicious actor analyzing the application's source.
After making these changes, remember to restart the application to apply them. This is a crucial step as the changes made in the configuration files will not take effect until the application is restarted.
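As an added example (not part of the original guideline or of Rails itself), the following Ruby script performs the check a reviewer or CI job would want after applying the fix: it scans the text of config/environments/production.rb for config.assets.debug = true (ignoring commented-out lines) and looks for leftover .map files under a compiled assets directory. The assets directory and its contents are constructed inline for the demonstration.

```ruby
require "tmpdir"

# Matches `config.assets.debug = true|false` on one line, tolerating whitespace.
ASSETS_DEBUG_RE = /^\s*config\.assets\.debug\s*=\s*(true|false)\b/

# Returns an array of findings (one string per offending line) for the given
# production.rb source text. Commented-out settings are not active and are skipped.
def audit_production_config(source)
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    next if line.strip.start_with?("#")
    m = ASSETS_DEBUG_RE.match(line)
    if m && m[1] == "true"
      findings << "#{lineno}: config.assets.debug = true generates and exposes .map files"
    end
  end
  findings
end

# Returns the relative paths of source-map files under a compiled assets dir
# (e.g. public/assets after `rails assets:precompile`), sorted for stable output.
def find_source_maps(assets_dir)
  Dir.glob(File.join(assets_dir, "**", "*.map"))
     .map { |p| p.sub("#{assets_dir}/", "") }
     .sort
end

# Constructed copy of the non-compliant configuration from the guideline.
NON_COMPLIANT = <<~RUBY
  # config/environments/production.rb
  Rails.application.configure do
    # ...
    config.assets.debug = true
    config.assets.raise_runtime_errors = true
    # ...
  end
RUBY

# The compliant version differs only in the debug flag.
COMPLIANT = NON_COMPLIANT.sub("debug = true", "debug = false")

if __FILE__ == $PROGRAM_NAME
  puts audit_production_config(NON_COMPLIANT)   # reports line 4
  puts "compliant config: #{audit_production_config(COMPLIANT).size} findings"
  Dir.mktmpdir do |dir|                          # constructed public/assets with a stray map
    File.write(File.join(dir, "application-abc123.js"), "")
    File.write(File.join(dir, "application-abc123.js.map"), "{}")
    puts find_source_maps(dir)
  end
end
```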