Enabled default configuration
Need
Disable default configurations to prevent unauthorized access and information leakage.
Context
- Usage of Ruby for building dynamic and object-oriented applications
- Usage of Rails framework for building web applications
Description
Non-compliant code
# config/environments/production.rb
Rails.application.configure do
# ...
config.serve_static_files = true
config.public_file_server.enabled = true
# ...
end
In the above code, config.public_file_server.enabled is set to true in the production environment. This means that Rails will serve static files from the public directory. This directory is accessible by default in Rails and is typically used to serve static assets. However, if an attacker knows the exact path to a file in this directory, they can access it directly via the browser.
Furthermore, config.serve_static_files is also set to true. This configuration is the older name for config.public_file_server.enabled and has the same implications.
By enabling these configurations, you are potentially exposing sensitive information to attackers. For example, if there is a file in the public directory that contains sensitive information, an attacker could potentially access this file and extract the information.
Additionally, the server's default page might contain information about the server itself such as the server's software version. This information could be used by an attacker to exploit known vulnerabilities in that software version.
In a production environment, it is recommended to disable these configurations or to at least ensure that no sensitive information is stored in the public directory.
Steps
- Disable serving static files in the production environment.
- Disable the public file server in the production environment.
Compliant code
# config/environments/production.rb
Rails.application.configure do
# ...
config.serve_static_files = false
config.public_file_server.enabled = false
# ...
end
The above code disables the serving of static files and the public file server in the production environment of a Ruby on Rails application. This is done by setting config.serve_static_files and config.public_file_server.enabled to false.
The previous configuration was a vulnerability because it allowed an attacker to access the server's default page and obtain relevant technical information about the server. By disabling these features, we are preventing unauthorized access to this information, thus enhancing the security of the application.
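As an added example (not part of the original page or of Rails itself), the following Ruby script audits the text of a production.rb file for both the old and the new setting name, skips commented-out lines, and separately reports the environment-gated form that generated Rails configs use (config.public_file_server.enabled = ENV['RAILS_SERVE_STATIC_FILES'].present?), since its effective value depends on the deployment environment. The sample configurations are constructed inline.

```ruby
# Both names for the same setting: the Rails 4.x name and the Rails 5+ name.
STATIC_FILE_KEYS = [
  'config.serve_static_files',
  'config.public_file_server.enabled'
].freeze

# Classify the right-hand side of an assignment to one of the keys above.
def classify_value(rhs)
  case rhs.strip
  when 'true'  then :enabled
  when 'false' then :disabled
  when /ENV/   then :env_dependent  # e.g. ENV['RAILS_SERVE_STATIC_FILES'].present?
  else :unknown
  end
end

# Scan config text line by line; returns { key => status } for each key found.
# Commented-out assignments are ignored because they have no effect at runtime.
def audit_static_file_config(config_text)
  findings = {}
  config_text.each_line do |line|
    stripped = line.strip
    next if stripped.start_with?('#')
    STATIC_FILE_KEYS.each do |key|
      if (m = stripped.match(/\A#{Regexp.escape(key)}\s*=\s*(.+)\z/))
        findings[key] = classify_value(m[1])
      end
    end
  end
  findings
end

# Compliant when nothing is hard-coded to true; :env_dependent still needs review.
def compliant?(findings)
  findings.values.none? { |v| v == :enabled }
end

# Constructed sample configs mirroring the page's two snippets.
SAMPLE_NON_COMPLIANT = <<~RUBY
  Rails.application.configure do
    config.serve_static_files = true
    config.public_file_server.enabled = true
  end
RUBY

SAMPLE_COMPLIANT = SAMPLE_NON_COMPLIANT.gsub('true', 'false')

puts audit_static_file_config(SAMPLE_NON_COMPLIANT).inspect if $PROGRAM_NAME == __FILE__
```

Run it against a real config by passing the file contents to audit_static_file_config; a result containing :env_dependent means the setting is decided by RAILS_SERVE_STATIC_FILES at deploy time and should be checked there.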