ruby.rails.security.brakeman.check-rails-session-secret-handling.check-rails-session-secret-handling

Found a string literal assignment to a Rails session secret $KEY. Do not commit secret values to source control! Any user in possession of this value may falsify arbitrary session data in your application. Read this value from an environment variable, KMS, or file on disk outside of source control.

Definition

rules:
  - id: check-rails-session-secret-handling
    patterns:
      - pattern-either:
          - patterns:
              - pattern: |
                  :$KEY => "$LITERAL"
              - pattern-inside: |
                  ActionController::Base.session = {...}
          - pattern: |
              $RAILS::Application.config.$KEY = "$LITERAL"
          - pattern: |
              Rails.application.config.$KEY = "$LITERAL"
      - metavariable-regex:
          metavariable: $KEY
          regex: ^secret(_(token|key_base))?$
    message: Found a string literal assignment to a Rails session secret `$KEY`. Do
      not commit secret values to source control! Any user in possession of this
      value may falsify arbitrary session data in your application. Read this
      value from an environment variable, KMS, or file on disk outside of source
      control.
    languages:
      - ruby
    severity: WARNING
    metadata:
      source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_session_settings.rb
      category: security
      cwe:
        - "CWE-540: Inclusion of Sensitive Information in Source Code"
      owasp:
        - A01:2021 - Broken Access Control
      technology:
        - ruby
        - rails
      references:
        - https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes
        - https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails4_with_engines/config/initializers/secret_token.rb
        - https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails3/config/initializers/secret_token.rb
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
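
The rule's key filter, as an added example that is not part of the Semgrep rule or of Brakeman: a small line-oriented Ruby script applying the same `metavariable-regex` to assignments of the two shapes the rule targets, run over constructed initializer lines. Semgrep matches on the Ruby AST (including the `ActionController::Base.session` context), so this only illustrates which keys and value shapes get reported; the `HASH_FORM` and `CONFIG_FORM` regexes are assumptions made for the illustration.

```ruby
# Same key filter as the rule's metavariable-regex on $KEY:
# matches secret, secret_token and secret_key_base, but not e.g. secret_key.
KEY_RE = /^secret(_(token|key_base))?$/

# Rails 2 hash form:      :secret => 'literal'
HASH_FORM   = /:(?<key>\w+)\s*=>\s*["'][^"']*["']/
# Rails 3+ config form:   X::Application.config.secret_token = "literal"
CONFIG_FORM = /\.config\.(?<key>\w+)\s*=\s*["'][^"']*["']/

# Scan Ruby source and return [line_number, key] pairs for every
# string-literal assignment to a session secret. Values read from ENV,
# a file or a key store do not match because they are not quoted literals.
def literal_session_secrets(source)
  source.each_line.with_index(1).filter_map do |line, n|
    m = line.match(HASH_FORM) || line.match(CONFIG_FORM)
    [n, m[:key]] if m && m[:key].match?(KEY_RE)
  end
end

# Constructed sample initializer lines (not taken from a real application).
SAMPLE = <<~RUBY
  Rails3::Application.config.secret_token = 'CHANGEME-literal'
  Rails4::Application.config.secret_key_base = "CHANGEME-literal"
  MyRailsApp::Application.config.secret_token = ENV["SECRET_TOKEN"]
  Rails.application.config.secret_key = "not a session secret key"
  :secret => 'secret!',
  :secret => ENV['mysecret'],
RUBY

if __FILE__ == $PROGRAM_NAME
  # Expected: lines 1, 2 and 5 are reported; lines 3, 4 and 6 are not.
  literal_session_secrets(SAMPLE).each do |n, key|
    puts "line #{n}: string literal assigned to session secret #{key}"
  end
end
```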

Examples

check-rails-session-secret-handling.rb

#rails2
ActionController::Base.session = {
  :key         => '_rails2_session',
  #ruleid: check-rails-session-secret-handling
  :secret      => 'secret!',
  :session_http_only   => false
}

#rails2
ActionController::Base.session = {
  :key         => '_rails2_session',
  #ok: check-rails-session-secret-handling
  :secret      => ENV['mysecret'],
  :session_http_only   => false
}

#ruleid: check-rails-session-secret-handling
Rails3::Application.config.secret_token = '5cd420fa1791cbbe44796ff5d37af5eaea9e4a821c18cb4947c5a0002ca5751970e0376909bc6ee8da7430982f1e529ee856512abb1f1d6ea442c021893cb993'

#ruleid: check-rails-session-secret-handling
Rails4::Application.config.secret_key_base = '3d90f727dcc14992232b9461fac5d31cf2bc184854e0afd90ae67e0ae48f22b676ee2529c84d4c23bc2a9c7be6eeefcf202b91ccb8d04e7b87a85c852f6784d6'

#ok: check-rails-session-secret-handling
MyRailsApp::Application.config.secret_token = ENV["SECRET_TOKEN"]