Security Expose: Assume folks have seen this -


Al

Dec 21, 2012, 12:47:09 PM
to Ruby on Rails: Core

Gary Weaver

Dec 21, 2012, 1:49:06 PM
to rubyonra...@googlegroups.com
I was concerned when I saw the title of the message, but I think the solution is as simple as informing people that any README for Rails apps they share on GitHub (or wherever they have that token exposed) should tell the user of the application to change that token to a sufficiently random token, and that they should follow the security guide at http://guides.rubyonrails.org/security.html as well as keeping up with everything they can as it relates to security.

In the current release version of Rails (3.2.9), the file that Rails generates resides in: config/initializers/secret_token.rb

Unfortunately, it looks like the guide in 3.2.9 and master still refer to setting that value in environment.rb, even though it is set via config/initializers/secret_token.rb:
https://github.com/rails/rails/blob/master/guides/source/security.md
http://guides.rubyonrails.org/security.html

However, the "configuring" section in 3.2.9 and master were updated to indicate that config/initializers/secret_token.rb is the place where that is stored and that it is randomly generated, per: "Applications get config.secret_key_base initialized to a random key in config/initializers/secret_token.rb."
https://github.com/rails/rails/blob/master/guides/source/configuring.md
http://guides.rubyonrails.org/configuring.html

It may be good to add in the guide that puppet, chef, capistrano, or whatever you use to deploy/setup could be used to copy an environment-specific version of that file and to guard it and config/database.yml with your life, if security is a concern, which it usually is.

Thanks for bringing this up, because it is a good idea to mention it for those sharing apps, and because it should probably be clearer in the Rails guide.

Unless someone else is messing with the guide, I could update the security page to note the secret_token.rb file vs. use of environment.rb and to note that for a greater (suggested) level of security, database.yml and secret_token.rb should be copied during deploy and be specific for that environment. I don't think that is overly opinionated as a basic level of security, is it?

On Friday, December 21, 2012 12:47:09 PM UTC-5, Al wrote:
http://www.reddit.com/r/netsec/comments/158g8s/hijacking_ruby_on_rails_apps_through_exposed/

FYI
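The two points Gary makes above (the generated token must be sufficiently random, and the file should not ship with a hard-coded value that ends up in a public repository) can be checked mechanically. The following is an added example, not code from the thread or from Rails: a Rails-free Ruby script that generates a token of the same strength the Rails 3.2 application generator emits (`SecureRandom.hex(64)`, 128 hex characters) and audits the source of a `config/initializers/secret_token.rb` for a committed literal, a short or placeholder value, or a literal fallback behind an `ENV` lookup. The application name `Myapp`, the variable name `SECRET_TOKEN` and the three sample files are constructed for the example.

```ruby
require 'securerandom'

# Rails 3.2's generator writes SecureRandom.hex(64): 64 random bytes, 128 hex chars.
MIN_SECRET_HEX_CHARS = 128

# Generate a replacement token of the same strength the generator produces.
def generate_secret_token
  SecureRandom.hex(64)
end

# Audit the source text of config/initializers/secret_token.rb.
# Returns an array of findings; an empty array means nothing to flag.
def audit_secret_token_source(source)
  findings = []

  # Case 1: the token is a string literal in the file, so it ships with the repo.
  if (m = source.match(/secret_token\s*=\s*(["'])([^"']*)\1/))
    literal = m[2]
    findings << "hard-coded secret literal (committed with the source)"
    if literal.length < MIN_SECRET_HEX_CHARS
      findings << "literal is #{literal.length} chars, generator emits #{MIN_SECRET_HEX_CHARS}"
    end
    if literal.match?(/change|replace|your|example|placeholder/i)
      findings << "literal looks like a README placeholder that was never changed"
    end
  end

  # Case 2: read from the environment, but with a literal fallback that silently
  # wins whenever the variable is unset (e.g. in a misconfigured deploy).
  if source.match?(/ENV\b.*\|\|\s*["']/)
    findings << "literal fallback after ENV lookup"
  end

  findings
end

# Constructed sample files (hypothetical app name, not real application secrets).
COMMITTED_SECRET_TOKEN_RB = <<~RUBY
  # This file is checked into the public repository as-is.
  Myapp::Application.config.secret_token = 'change_me_before_deploying'
RUBY

FALLBACK_SECRET_TOKEN_RB = <<~RUBY
  Myapp::Application.config.secret_token = ENV['SECRET_TOKEN'] || 'deadbeef'
RUBY

# The shape suggested in the thread: the value arrives per environment at deploy
# time; here it is read from an environment variable and fails fast when missing.
DEPLOY_TIME_SECRET_TOKEN_RB = <<~RUBY
  Myapp::Application.config.secret_token = ENV.fetch('SECRET_TOKEN') do
    raise 'SECRET_TOKEN must be set by the deploy (puppet/chef/capistrano)'
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  { 'committed' => COMMITTED_SECRET_TOKEN_RB,
    'fallback'  => FALLBACK_SECRET_TOKEN_RB,
    'deploy'    => DEPLOY_TIME_SECRET_TOKEN_RB }.each do |name, src|
    puts "#{name}: #{audit_secret_token_source(src).inspect}"
  end
  puts "fresh token: #{generate_secret_token}"
end
```

Run it as `ruby audit_secret_token.rb`; the committed and fallback samples produce findings, the deploy-time sample produces none. The audit is a text heuristic, so it is a pre-commit or CI guard rather than a replacement for keeping the real file out of the repository and copying it in per environment, as the message above suggests.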

Xavier Noria

Dec 21, 2012, 1:59:08 PM
to rubyonrails-core
On Fri, Dec 21, 2012 at 7:49 PM, Gary Weaver <garys...@gmail.com> wrote:

> Unless someone else is messing with the guide, I could update security page
> to note the secret_token.rb file vs. use of environment.rb and to note that
> for a greater (suggested) level of security, database.yml and
> secret_token.rb should be copied during deploy and be specific for that
> environment. I don't think that is overly opinionated as a basic level of
> security, is it?

Please go ahead!

Gary Weaver

Dec 21, 2012, 3:03:48 PM
to rubyonra...@googlegroups.com

Xavier Noria

Dec 21, 2012, 3:08:46 PM
to rubyonrails-core
That was quick :), thanks very much Gary!

Gary Weaver

Dec 21, 2012, 4:09:27 PM
to rubyonra...@googlegroups.com
You're welcome!