
Enabled default configuration

Need

Disable default configurations to prevent unauthorized access and information leakage.

Context

  • Usage of Ruby for building dynamic and object-oriented applications
  • Usage of Rails framework for building web applications

Description

Non compliant code

# config/environments/production.rb

Rails.application.configure do
  # ...
  config.serve_static_files = true
  config.public_file_server.enabled = true
  # ...
end

In the above code, config.public_file_server.enabled is set to true in the production environment, so Rails itself serves static files from the public directory. This directory is served by default in Rails and is typically used for static assets. However, anyone who knows the exact path to a file inside it can fetch that file directly with a browser, with no application code in between.

Furthermore, config.serve_static_files is also set to true. This is an older, since-deprecated name for the same setting as config.public_file_server.enabled and has the same implications.

By enabling these configurations, you are potentially exposing sensitive information to attackers. For example, if there is a file in the public directory that contains sensitive information, an attacker could potentially access this file and extract the information.

Additionally, the server's default page might contain information about the server itself such as the server's software version. This information could be used by an attacker to exploit known vulnerabilities in that software version.

In a production environment, it is recommended to disable these configurations or to at least ensure that no sensitive information is stored in the public directory.

Steps

  • Disable serving static files in the production environment.
  • Disable the public file server in the production environment.

Compliant code

# config/environments/production.rb

Rails.application.configure do
  # ...
  config.serve_static_files = false
  config.public_file_server.enabled = false
  # ...
end

The above code disables the serving of static files and the public file server in the production environment of a Ruby on Rails application. This is done by setting the config.serve_static_files and config.public_file_server.enabled to false.

The previous configuration was a vulnerability because it allowed an attacker to access the server's default page and obtain relevant technical information about the server. By disabling these features, we are preventing unauthorized access to this information, thus enhancing the security of the application.
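The check below is an added example, not code from the original page or from Rails: it reads the text of a production environment file and reports the status of both settings discussed above. It also recognises the ENV['RAILS_SERVE_STATIC_FILES'].present? form that Rails' generated production.rb uses, which the file alone cannot prove safe, and treats an unset config.public_file_server.enabled as non-compliant because Rails enables it by default. The config texts are constructed samples.

```ruby
# Added example: audit a Rails production environment file for the two
# static-file settings discussed on this page. The config texts below are
# constructed samples, not files from any real project.
SETTINGS = %w[config.serve_static_files config.public_file_server.enabled]

# Classify the right-hand side of a setting assignment.
def classify_value(expr)
  case expr.strip
  when 'false' then :disabled
  when 'true' then :enabled
  # Rails' generated production.rb ties the setting to this variable, so the
  # file alone cannot prove the server is off; the deployment env must be checked too.
  when /ENV\[['"]RAILS_SERVE_STATIC_FILES['"]\]/ then :env_controlled
  else :unknown
  end
end

# Map each known setting to its status; settings never assigned are :not_set.
def audit_static_file_config(text)
  result = SETTINGS.to_h { |s| [s, :not_set] }
  text.each_line do |line|
    next if line.strip.start_with?('#') # skip commented-out assignments
    SETTINGS.each do |setting|
      m = line.match(/\A\s*#{Regexp.escape(setting)}\s*=\s*(.+?)\s*\z/)
      result[setting] = classify_value(m[1]) if m
    end
  end
  result
end

# Compliant only when the file server is explicitly off: Rails enables
# public_file_server by default, so leaving it unset is not enough, while the
# legacy serve_static_files alias may legitimately be absent on newer Rails.
def compliant?(audit)
  audit['config.public_file_server.enabled'] == :disabled &&
    %i[disabled not_set].include?(audit['config.serve_static_files'])
end

# Constructed samples mirroring the page's non-compliant block and the
# environment-variable form that Rails generates by default.
NON_COMPLIANT = "Rails.application.configure do\n  config.serve_static_files = true\n" \
                "  config.public_file_server.enabled = true\nend\n"
ENV_CONTROLLED = "Rails.application.configure do\n" \
                 "  config.public_file_server.enabled = ENV['RAILS_SERVE_STATIC_FILES'].present?\nend\n"
COMPLIANT = "Rails.application.configure do\n  config.public_file_server.enabled = false\nend\n"

puts audit_static_file_config(NON_COMPLIANT), compliant?(audit_static_file_config(COMPLIANT))
```

An :env_controlled result means the decision has moved out of the file, so the value of RAILS_SERVE_STATIC_FILES in the production deployment must be reviewed as well.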
