
ShowExceptions should filter known sensitive keys from env #420

Closed
skimbrel opened this Issue · 11 comments

Sam Kimbrel

A warning that this "could" happen really isn't sufficient, particularly since using this in conjunction with other Rack middleware like Rack::Session::Cookie will result in leakage of the session cookie secret.

For reference, here's how Django handles its debug page: https://github.com/django/django/blob/master/django/views/debug.py
Note the HIDDEN_SETTINGS variable and the use of cleanse_setting() to prevent configuration of Django built-ins from leaking.

To reproduce: enable ShowExceptions and Session::Cookie, then do anything to a Rack-powered application that causes it to crash and show the ShowExceptions page. Witness the dumping of all of env, including rack.session.options and its :secret/:oldsecret values.
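An added example of the Django-style cleansing described above, written for this thread and not code from Rack itself. It masks env keys whose names match a hidden-key pattern (walking nested hashes such as rack.session.options) and shows a hypothetical middleware that applies the mask before Rack::ShowExceptions renders env; the key pattern, the middleware name and the sample env are all assumptions.

```ruby
# Added example (not Rack's own code): a Django-style cleanse of a Rack env
# hash before an error page renders it. Keys whose name matches HIDDEN_KEYS
# are replaced with a placeholder; nested hashes such as rack.session.options
# are walked recursively, so :secret and :oldsecret are masked too.
HIDDEN_KEYS = /secret|password|passwd|token|key|signature/i
PLACEHOLDER = '********'.freeze

# Return a cleansed copy of +value+; +key+ is the name it is stored under.
def cleanse_value(key, value)
  return PLACEHOLDER if key.to_s.match?(HIDDEN_KEYS)
  case value
  when Hash  then value.each_with_object({}) { |(k, v), h| h[k] = cleanse_value(k, v) }
  when Array then value.map { |v| cleanse_value(key, v) }
  else value
  end
end

# Cleanse a whole env hash; the original hash is left untouched.
def cleanse_env(env)
  cleanse_value(nil, env)
end

# Hypothetical middleware placed *inside* Rack::ShowExceptions (after it in
# the stack). When the app raises, it overwrites the shared env with the
# cleansed copy and re-raises, so the page ShowExceptions renders from env
# shows placeholders instead of the session secret. Caveat: any outer
# middleware that rescues and keeps serving the request sees the masked env.
class CleanseEnvOnError
  def initialize(app)
    @app = app
  end

  def call(env)
    @app.call(env)
  rescue Exception
    env.replace(cleanse_env(env))
    raise
  end
end

# Constructed sample env resembling what Rack::Session::Cookie leaves behind.
SAMPLE_ENV = {
  'REQUEST_METHOD'       => 'POST',
  'rack.session.options' => { secret: 'hunter2', oldsecret: 'hunter1', expire_after: 3600 }
}.freeze

if __FILE__ == $PROGRAM_NAME
  env = Marshal.load(Marshal.dump(SAMPLE_ENV)) # mutable deep copy of the sample
  app = CleanseEnvOnError.new(->(_env) { raise ArgumentError, 'invalid %-encoding' })
  begin
    app.call(env)
  rescue ArgumentError
    p env['rack.session.options'] # secrets masked, :expire_after kept
  end
end
```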

James Tucker
Owner

Hosting things in development mode in production is generally a really bad idea regardless. I'll consider this either way, as users cannot be trusted with themselves, but this makes me uneasy. It's always an incomplete approach, and just as flawed as $SAFE - that is, whilst I can block things that live in rack, when someone adds non-core middleware, I can't protect them from themselves anymore. Only you can protect yourself.

James Tucker raggi was assigned
Christian Neukirchen

How does the secret get into the env, anyway?

Sam Kimbrel

@raggi Agreed wholeheartedly, but "sane defaults" is also a good principle.

@chneukirchen I'm not that familiar with the Rack code but it looks like the middleware merges its options into the server options when it initializes. That might be how it gets there?

Christian Neukirchen

I wonder why it does that... it only verifies against the secrets stored in the instance variables...

James Tucker
Owner

I'm closing this out for now. I'd accept a lightweight patch for this, but will not take the time to implement it at present. ShowExceptions is not recommended for production use.

James Tucker raggi closed this
Daniel Levenson

Hey @raggi and @skimbrel,

How do you remove Rack::ShowExceptions from a Rails 4.0.4 app? I ran across this exact issue and want to not output sensitive info like all the cookie details.

A config.middleware.delete 'Rack::ShowExceptions' didn't work at all...

James Tucker
Owner

@dleve123 Use production mode. If it's in production, that's a Rails bug.

What does rake middleware RAILS_ENV=production say?

Daniel Levenson

@raggi Thanks for helping out!

$ rake middleware RAILS_ENV=production
use Raven::Rack
use HttpMethodNotAllowed
use ActionDispatch::SSL
use Rack::Sendfile
use ActionDispatch::Static
use #<ActiveSupport::Cache::Strategy::LocalCache::Middleware:0x007feaf6822e98>
use Rack::Runtime
use Rack::MethodOverride
use ActionDispatch::RequestId
use RequestStore::Middleware
use Rails::Rack::Logger
use ActionDispatch::ShowExceptions
use ActionDispatch::DebugExceptions
use ActionDispatch::RemoteIp
use ActionDispatch::Callbacks
use ActiveRecord::ConnectionAdapters::ConnectionManagement
use ActiveRecord::QueryCache
use ActionDispatch::Cookies
use ActionDispatch::Session::CookieStore
use ActionDispatch::Flash
use ActionDispatch::ParamsParser
use Rack::Head
use Rack::ConditionalGet
use Rack::ETag
use Warden::Manager
run Healthify::Application.routes

However, simulating an ArgumentError (like POSTing with an unescaped %) spits out HTML generated by Rack::ShowExceptions.

$ tail -n 20 argument_rack_error.html 
          </tr>

          <tr>
            <td>:requested_at</td>
            <td class="code"><div>2014-11-23 17:30:07 -0500</div></td>
          </tr>

      </tbody>
    </table>

</div>

<div id="explanation">
  <p>
    You're seeing this error because you use <code>Rack::ShowExceptions</code>.
  </p>
</div>

</body>
</html>

Seems really odd to me! I have tried removing ActionDispatch::ShowExceptions, but still got the same page from Rack::ShowExceptions.

James Tucker
Owner

So either one of those middleware has it implicitly in their internal stack, or you have it in config.ru, or you're booting a server in a different way.

Frankel

@dleve123 In my case, I found the answer here: http://manpages.ubuntu.com/manpages/quantal/man1/unicorn.1.html (search for "RACK_ENV" and "Rack::ShowExceptions").
