
Secret_key_base is leaking through the email #507

Open
thebravoman opened this issue May 5, 2021 · 5 comments

Comments

@thebravoman

Steps to reproduce

  1. Install
  2. Simulate an error
  3. Receive an email. The email contains action_dispatch.secret_key_base

This is the secret_key_base that is leaking through the email.

Expected behavior

Hide the secret_key_base

Actual behavior

It is in the email as action_dispatch.secret_key_base

System configuration

  - Rails version: 6.0
  - Ruby version: 2.6.5
  - Other configurations: (none given)

@thebravoman (Author)

I was wondering if you've had the chance to look at this. It seems to be a security issue, as the secret key base is how most of the security in Rails is handled. So I think it should not be exposed.

@frenkel

frenkel commented Aug 13, 2021

For me it shows up as:

     * action_dispatch.secret_key_base                         : [FILTERED]

Did you set up your Rails.application.config.filter_parameters correctly?

@thebravoman (Author)

thebravoman commented Aug 17, 2021

No, I did not realize that exception_notification was using filter_parameters.

Should it be like

Rails.application.config.filter_parameters += [:password, :secret_key_base]

Would you accept a PR that gives more information about filter_parameters?

Update:
I can confirm that
Rails.application.config.filter_parameters += [:password, :secret_key_base]
removes the :secret_key_base.

@frenkel

frenkel commented Aug 17, 2021

The default for a Rails 6 app is this; it is what I use:

config/initializers/filter_parameter_logging.rb:

# Be sure to restart your server when you modify this file.

# Configure sensitive parameters which will be filtered from the log file.
Rails.application.config.filter_parameters += [
  :passw, :secret, :token, :_key, :crypt, :salt, :certificate, :otp, :ssn
]

I'm not the original author, so I cannot accept your PR if you create one.
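The two comments above (thebravoman's `+= [:password, :secret_key_base]` fix and frenkel's Rails 6 default list) both hinge on how filter_parameters is matched against keys. The block below is an added illustration, not code from exception_notification or from Rails: it is a simplified re-implementation of the matching rule that ActiveSupport::ParameterFilter uses (each string or symbol entry becomes a case-insensitive substring match on the key; Regexp entries are used as-is; nested hashes and arrays are walked). The Rack env hash and its values are constructed placeholders, not real secrets. It shows why `[:password]` alone leaks `action_dispatch.secret_key_base` while either the explicit `:secret_key_base` entry or the default list (via `:secret` and `:_key`) masks it.

```ruby
# Simplified model of how Rails applies filter_parameters: an added
# example, not Rails' or exception_notification's own code.
FILTERED = "[FILTERED]".freeze

# Build the regexps from the configured filter list. Regexp entries are
# kept as-is; strings and symbols are escaped and matched as
# case-insensitive substrings of the key, mirroring ActiveSupport's rule.
def compile_filters(filters)
  regexps = filters.select { |f| f.is_a?(Regexp) }
  strings = filters.reject { |f| f.is_a?(Regexp) }.map { |f| Regexp.escape(f.to_s) }
  regexps << Regexp.new(strings.join("|"), Regexp::IGNORECASE) unless strings.empty?
  regexps
end

# Return a copy of `params` with the values of matching keys masked.
# Nested hashes and arrays are walked recursively.
def filter_parameters(params, filters)
  regexps = compile_filters(filters)
  walk = lambda do |value|
    case value
    when Hash
      value.each_with_object({}) do |(k, v), out|
        out[k] = regexps.any? { |r| k.to_s =~ r } ? FILTERED : walk.call(v)
      end
    when Array
      value.map { |v| walk.call(v) }
    else
      value
    end
  end
  walk.call(params)
end

# Constructed sample of what a notification lists from the Rack env.
# The secret_key_base value is a placeholder, not a real key.
SAMPLE_ENV = {
  "action_dispatch.secret_key_base" => "0123456789abcdef-PLACEHOLDER",
  "REQUEST_METHOD" => "GET",
  "params" => { "user" => { "password" => "hunter2", "name" => "bob" } }
}.freeze

# The default list generated for a Rails 6 app, as quoted in the thread.
RAILS6_DEFAULT_FILTERS = [
  :passw, :secret, :token, :_key, :crypt, :salt, :certificate, :otp, :ssn
].freeze

# True when the secret_key_base value survives filtering, i.e. it would
# be written into the notification email.
def leaks_secret_key_base?(filters)
  filtered = filter_parameters(SAMPLE_ENV, filters)
  filtered["action_dispatch.secret_key_base"] != FILTERED
end

if __FILE__ == $PROGRAM_NAME
  [[:password], [:password, :secret_key_base], RAILS6_DEFAULT_FILTERS].each do |filters|
    puts "#{filters.inspect}: leaks secret_key_base? #{leaks_secret_key_base?(filters)}"
  end
  p filter_parameters(SAMPLE_ENV, RAILS6_DEFAULT_FILTERS)
end
```

Running the file prints one line per filter list; only `[:password]` reports a leak. The practical check for an app is the same: feed the keys the notifier would print through the app's own filter list and confirm every key that carries key material comes back as `[FILTERED]`.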

@thebravoman (Author)

thebravoman commented Aug 18, 2021 via email

thebravoman pushed a commit to thebravoman/exception_notification that referenced this issue Aug 26, 2021
…rameters.

ExceptionNotification uses the filter_parameters configuration of Rails.
Adding explanation and an example.

The request is about issue - smartinez87#507