ruby.rails.security.brakeman.check-rails-session-secret-handling.check-rails-session-secret-handling
semgrep
Found a string literal assignment to a Rails session secret `$KEY`. Do not commit secret values to source control! Any user in possession of this value may falsify arbitrary session data in your application. Read this value from an environment variable, KMS, or file on disk outside of source control.
Definition
rules:
  - id: check-rails-session-secret-handling
    patterns:
      - pattern-either:
          - patterns:
              - pattern: |
                  :$KEY => "$LITERAL"
              - pattern-inside: |
                  ActionController::Base.session = {...}
          - pattern: |
              $RAILS::Application.config.$KEY = "$LITERAL"
          - pattern: |
              Rails.application.config.$KEY = "$LITERAL"
      - metavariable-regex:
          metavariable: $KEY
          regex: ^secret(_(token|key_base))?$
    message: Found a string literal assignment to a Rails session secret `$KEY`. Do
      not commit secret values to source control! Any user in possession of this
      value may falsify arbitrary session data in your application. Read this
      value from an environment variable, KMS, or file on disk outside of source
      control.
    languages:
      - ruby
    severity: WARNING
    metadata:
      source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_session_settings.rb
      category: security
      cwe:
        - "CWE-540: Inclusion of Sensitive Information in Source Code"
      owasp:
        - A01:2021 - Broken Access Control
      technology:
        - ruby
        - rails
      references:
        - https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes
        - https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails4_with_engines/config/initializers/secret_token.rb
        - https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails3/config/initializers/secret_token.rb
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
Examples
check-rails-session-secret-handling.rb
#rails2
ActionController::Base.session = {
  :key => '_rails2_session',
  #ruleid: check-rails-session-secret-handling
  :secret => 'secret!',
  :session_http_only => false
}

#rails2
ActionController::Base.session = {
  :key => '_rails2_session',
  #ok: check-rails-session-secret-handling
  :secret => ENV['mysecret'],
  :session_http_only => false
}

#ruleid: check-rails-session-secret-handling
Rails3::Application.config.secret_token = '5cd420fa1791cbbe44796ff5d37af5eaea9e4a821c18cb4947c5a0002ca5751970e0376909bc6ee8da7430982f1e529ee856512abb1f1d6ea442c021893cb993'

#ruleid: check-rails-session-secret-handling
Rails4::Application.config.secret_key_base = '3d90f727dcc14992232b9461fac5d31cf2bc184854e0afd90ae67e0ae48f22b676ee2529c84d4c23bc2a9c7be6eeefcf202b91ccb8d04e7b87a85c852f6784d6'

#ok: check-rails-session-secret-handling
MyRailsApp::Application.config.secret_token = ENV["SECRET_TOKEN"]
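The remediation the rule's message recommends, as an added example that is not part of the Semgrep rule, Brakeman, or the test fixtures above: a loader that takes `secret_key_base` from an environment variable or a file kept outside the repository and fails fast on a missing or weak value. The helper name `resolve_secret_key_base`, the `SECRET_KEY_BASE` variable, and the file path are assumptions.

```ruby
# Added example: resolve the Rails session secret without ever placing a
# literal in source. Preference order is environment variable, then a file
# outside the checkout; anything else is an error at boot, not a silent
# fallback to a weak default.

MIN_SECRET_BYTES = 64 # `rails secret` emits 64 random bytes as 128 hex chars

# Returns the secret string or raises RuntimeError. `env` and `path` are
# injected so the logic can be exercised without touching the real ENV.
def resolve_secret_key_base(env: ENV, path: nil)
  candidate = env["SECRET_KEY_BASE"].to_s.strip
  if candidate.empty? && path && File.file?(path)
    candidate = File.read(path).strip
  end
  if candidate.empty?
    raise "SECRET_KEY_BASE is not set (env var or file #{path.inspect})"
  end
  # Short or placeholder values like the 'secret!' literal the rule flags are
  # rejected even when they arrive through the environment.
  if candidate.bytesize < MIN_SECRET_BYTES
    raise "SECRET_KEY_BASE too short: #{candidate.bytesize} bytes, need >= #{MIN_SECRET_BYTES}"
  end
  candidate
end

# In config/initializers/secret_token.rb this replaces the literal assignment:
#   Rails.application.config.secret_key_base =
#     resolve_secret_key_base(path: "/etc/myapp/secret_key_base")  # assumed path
```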
Short Link: https://sg.run/KyJd