While we're on the subject of Rails security, should this be of concern?

While we're on the subject of Rails security, should this be of concern?(github.com)

24 points by rubypay 14 years ago | 12 comments

skimbrel 14 years ago |

I presume this is not strictly a Rails problem.

You can check in things that shouldn't be checked in with any language/framework.

If you have done this, here's how to fix it: http://help.github.com/remove-sensitive-data/

kevinpet 14 years ago | |

Better is to change your security token and expire all sessions. Removing sensitive data should be seen as just a suggestion. Google never forgets.

antics 14 years ago |

Before we all grab our pitchforks, I have just gone through the entire first page of results and a huge majority of them were explicitly noted as test applications. Sometimes you can see this in the names:

    test / rails_app_v3 /
    test_app / config

In many other instances, things are not as the seem. For example, some of these results come from commits where the author is moving the token to an environment variable. For example: https://github.com/cimm/blathy/blob/2d3a9550d3a0be55db8e26a2...

I certainly agree that we should all be security conscious, but I'm also a fan of keeping perspective. Things are bad, but let's keep the truth in mind too.

TazeTSchnitzel 14 years ago | |

Also, for the ones that were not test apps, they may be the testing/development secret keys which are different from the production secret keys. I do this myself, where the hash salt and API keys for my local development server are different from those I use on my production server.

5h 14 years ago |

Not just rails, same for django (https://github.com/search?q=SECRET_KEY&repo=&langOve...) and I imagine any framework with this sort of thing in their default project skeleton

justindocanto 14 years ago |

This is not a language/framework based issue. This is an issue with careless and/or uneducated developers.

This is like people storing plain text passwords in publicly readable txt files on a server. It's not a problem with FTP, HTML, Apache (pick anything you'd like) it's a problem with people making poor decisions.

bradleyland 14 years ago |

Flagged. This is just ridiculous. I actually support Egor, but this borders on absurd. The question is stated incorrectly. The actual question is:

"Is storing your private key in a public repository a security concern?"

It's a parody of a security question. This is a needless distraction in an important discussion.

oscardelben 14 years ago |

Could this help? https://github.com/rails/rails/pull/5286

manojlds 14 years ago |

Soon, there will be articles on how insecure Git is because, well, it allows people to check-in sensitive stuff.

yuvadam 14 years ago |

Not really. At least not in the way you are insinuating.

zbuc 14 years ago |

Facebook as well...

https://github.com/search?q=FB_SECRET&repo=&langOver...

Not really a "vulnerability" because you can't keep stupid people from giving out their secret key.

AznHisoka 14 years ago |

The solution is simple. Don't use a secret token :)