-
Notifications
You must be signed in to change notification settings - Fork 384
/
check-rails-secret-yaml.yaml
42 lines (42 loc) · 1.24 KB
/
check-rails-secret-yaml.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
rules:
- id: check-rails-secret-yaml
paths:
include:
- '*secrets.*.yml'
- '*secrets.*.yaml'
patterns:
- pattern: |
secret_key_base: $VALUE
- metavariable-pattern:
metavariable: $VALUE
language: generic
patterns:
- pattern-not: |
<%= ... %>
- pattern-inside: |
production:
...
message: $VALUE Found a string literal assignment to a production Rails session secret in `secrets.yaml`.
Do not commit secret values to source control! Any user in possession of this value may falsify arbitrary
session data in your application. Read this value from an environment variable, KMS, or file on disk
outside of source control.
languages:
- yaml
severity: WARNING
metadata:
source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_session_settings.rb
category: security
cwe:
- 'CWE-540: Inclusion of Sensitive Information in Source Code'
owasp:
- A01:2021 - Broken Access Control
technology:
- ruby
- rails
references:
- https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails4/config/secrets.yml
subcategory:
- audit
likelihood: LOW
impact: MEDIUM
confidence: LOW