Security concerns #2

Closed
maximeg opened this Issue Nov 14, 2012 · 4 comments

3 participants

maximeg commented Nov 14, 2012

I'm not mélanchonien but this initiative is quite laudable.
I saw you took some precautions while disclosing the source code, but you missed some points.

In config/initializers/secret_token.rb:

PartiDeGauche::Application.config.secret_token = 'c38ac477282636ad9940105aa8445d626f281ea543def898337c77bbcb2979ffdd62085ad456dd5cf36c35c37ce02ffa21cfdf5bb6f444db86bb43090fe0aa31'

This is called secret for a reason. It is used to sign your cookies. You leave your users vulnerable to session hijacking.

In config/environment.rb:

PBX_SITE = "5133308"
PBX_SITE_TEST = "1999888"

These are part of a payment gateway's credentials. For these ones, you're stuck with them being public; you can't regenerate them. Try calling Paybox.

In config/initializers/devise.rb:

require "omniauth-facebook"
config.omniauth :facebook, "293257790720210", "47c73941bce3de72e4dae13d0dd0b8b0", :strategy_class => OmniAuth::Strategies::Facebook

Here are the APP_ID and APP_SECRET for your Facebook app.

Here is a little help. I wanted to talk about SettingsLogic, which addresses such issues, so I jumped on the occasion:
http://emaxime.com/2012/managing-private-settings-with-settingslogic/

Dorian commented Nov 14, 2012

About the session secret, you could use this method instead:

It requires an initializer: https://github.com/diaspora/diaspora/blob/develop/config/initializers/check_session_secret.rb
And the corresponding rake task: https://github.com/diaspora/diaspora/blob/develop/lib/tasks/generate_session_secret.rake

At the launch of the application, it checks if the secret token is set; if not, it generates it with a rake task.

maximeg commented Nov 14, 2012

Diaspora uses quite the same approach through diaspora.yml (https://github.com/diaspora/diaspora/blob/develop/config/load_config.rb), which populates AppConfig. They added a fallback so developers don't have to fill in this entry in diaspora.yml in dev.
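The two comments above describe the same pattern from two angles: an initializer that refuses to run with no secret and generates one on demand, and a config file with a development fallback. The added example below is not Diaspora's check_session_secret.rb nor the project's code; it is a self-contained loader in that spirit. It reads the token from `ENV["SECRET_TOKEN"]` or a git-ignored file, fails closed in production, and only in development or test generates and persists a local token. The names `load_secret_token`, `valid_secret?`, `MissingSecretToken` and `MIN_HEX_LENGTH` are assumptions for this example.

```ruby
# Added example, not Diaspora's or the project's code: fail-closed loading of
# the Rails secret_token with a development-only generated fallback.
require "securerandom"
require "fileutils"
require "tmpdir"

# 32 bytes minimum; `rake secret` in Rails 3 emits 128 hex characters.
MIN_HEX_LENGTH = 64

class MissingSecretToken < StandardError; end

# Accept only a hex string of at least MIN_HEX_LENGTH characters, so an empty
# value or the Rails placeholder text cannot slip through.
def valid_secret?(value)
  !value.nil? && value.match?(/\A[0-9a-f]{#{MIN_HEX_LENGTH},}\z/i)
end

# Same output size as `rake secret` (64 random bytes, hex encoded).
def generate_secret_token
  SecureRandom.hex(64)
end

# rails_env: "production", "development" or "test"
# env:       a Hash standing in for ENV (injectable for tests)
# path:      a git-ignored file such as config/secret_token (hypothetical path)
def load_secret_token(rails_env:, env: ENV, path: "config/secret_token")
  token = env["SECRET_TOKEN"]
  token = File.read(path).strip if !valid_secret?(token) && File.exist?(path)
  return token if valid_secret?(token)

  if rails_env == "production"
    raise MissingSecretToken,
          "SECRET_TOKEN is not set; run `rake secret` and export it or write #{path}"
  end

  # Development/test fallback: generate once and persist it (owner-readable
  # only) so sessions survive a restart without anything being committed.
  token = generate_secret_token
  FileUtils.mkdir_p(File.dirname(path))
  File.write(path, token + "\n")
  File.chmod(0o600, path)
  token
end

if __FILE__ == $0
  # Stand-alone demo in a throw-away directory so nothing is written to the tree.
  Dir.mktmpdir do |dir|
    path = File.join(dir, "secret_token")
    begin
      load_secret_token(rails_env: "production", env: {}, path: path)
    rescue MissingSecretToken => e
      puts "production refused to boot: #{e.message}"
    end
    dev = load_secret_token(rails_env: "development", env: {}, path: path)
    puts "development token generated (#{dev.length} hex chars) at #{path}"
  end
end
```

In a Rails 3 application the call would sit in config/initializers/secret_token.rb as `PartiDeGauche::Application.config.secret_token = load_secret_token(rails_env: Rails.env)`, with config/secret_token listed in .gitignore; the important property is that production never silently falls back to a generated or default value, while developers never need to commit one.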

@ghost ghost assigned ddlamb2000 Nov 15, 2012

Contributor

ddlamb2000 commented Nov 15, 2012

The secret token key published here is the original key generated by Rails, but it's not used by production environments. The system uses a method similar to what's proposed here (diaspora) based on Capistrano.

The Facebook ID and key code aren't used by the application and refer to a kind of 'dummy' account that is never used, so those IDs will be cleaned up. In any case the keys will be managed using Capistrano scripts.

For payment credentials, this refers to a test site in test mode.

Thank you very much guys for your input here.

Contributor

ddlamb2000 commented Dec 12, 2012

All remarks have been taken into account:

  • removal of the "secret_token" key
  • removal of the Paybox information
  • removal of the Facebook application information.

@ddlamb2000 ddlamb2000 closed this Dec 12, 2012
