ruby.rails.security.brakeman.check-rails-secret-yaml.check-rails-secret-yaml
semgrepAuthor
unknown
Download Count*
License
$VALUE Found a string literal assignment to a production Rails session secret in secrets.yaml. Do not commit secret values to source control! Any user in possession of this value may falsify arbitrary session data in your application. Read this value from an environment variable, KMS, or file on disk outside of source control.
Run Locally
Run in CI
Defintion
rules:
- id: check-rails-secret-yaml
paths:
include:
- "*secrets.*.yml"
- "*secrets.*.yaml"
patterns:
- pattern: |
secret_key_base: $VALUE
- metavariable-pattern:
metavariable: $VALUE
language: generic
patterns:
- pattern-not: |
<%= ... %>
- pattern-inside: |
production:
...
message: $VALUE Found a string literal assignment to a production Rails session
secret in `secrets.yaml`. Do not commit secret values to source control!
Any user in possession of this value may falsify arbitrary session data in
your application. Read this value from an environment variable, KMS, or
file on disk outside of source control.
languages:
- yaml
severity: WARNING
metadata:
source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_session_settings.rb
category: security
cwe:
- "CWE-540: Inclusion of Sensitive Information in Source Code"
owasp:
- A01:2021 - Broken Access Control
technology:
- ruby
- rails
references:
- https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails4/config/secrets.yml
subcategory:
- audit
likelihood: LOW
impact: MEDIUM
confidence: LOW
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Mishandled Sensitive Information
Short Link: https://sg.run/0Wvb