smartinez87 / exception_notification

Exception Notifier Plugin for Rails
http://smartinez87.github.io/exception_notification
MIT License

Secret_key_base is leaking through the email #507

Open thebravoman opened 3 years ago

thebravoman commented 3 years ago

Steps to reproduce

  1. Install
  2. Simulate an error
  3. Receive an email

The email contains action_dispatch.secret_key_base

This is the secret_key_base that is leaking through the email.

Expected behavior

Hide the secret_key_base

Actual behavior

It is in the email as action_dispatch.secret_key_base

System configuration

Rails version: 6.0
Ruby version: 2.6.5
Other configurations:

thebravoman commented 3 years ago

I was wondering if you've had the chance to look at this. It seems to be a security issue, as the secret key base is how most of the security on Rails is handled. So I think it should not be exposed.

frenkel commented 3 years ago

For me it shows up as:

     * action_dispatch.secret_key_base                         : [FILTERED]

Did you setup your Rails.application.config.filter_parameters correctly?

thebravoman commented 3 years ago

No, I did not realize that exception_notification was using filter_parameters.

Should it be like:

Rails.application.config.filter_parameters += [:password, :secret_key_base]

Would you accept a PR that gives more information about filter_parameters?

Update: I can confirm that Rails.application.config.filter_parameters += [:password, :secret_key_base] removes the :secret_key_base.

frenkel commented 3 years ago

The default for a Rails 6 app is this, it is what I use:

config/initializers/filter_parameter_logging.rb:

# Be sure to restart your server when you modify this file.

# Configure sensitive parameters which will be filtered from the log file.
Rails.application.config.filter_parameters += [
  :passw, :secret, :token, :_key, :crypt, :salt, :certificate, :otp, :ssn
]

I'm not the original author, so I cannot accept your PR if you create one.
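To make the effect of the filter list concrete, here is an added example (not code from exception_notification or Rails) that models the key-matching rule of ActiveSupport::ParameterFilter, assumed here to treat each String/Symbol entry as a case-insensitive substring match against the key name, and applies it to a constructed request env like the one printed in the notification email:

```ruby
# Added example: models the key-matching rule of ActiveSupport::ParameterFilter
# (assumed: each String/Symbol filter is a case-insensitive substring match on
# the key) so the filter list can be checked without loading the gem.
FILTERED = "[FILTERED]".freeze

# The Rails 6 default list from config/initializers/filter_parameter_logging.rb.
RAILS6_DEFAULT_FILTERS = [
  :passw, :secret, :token, :_key, :crypt, :salt, :certificate, :otp, :ssn
].freeze

# One case-insensitive regexp for the whole list; nil for an empty list,
# because Regexp.new("") would match every key and mask everything.
def build_filter(filters)
  return nil if filters.empty?
  Regexp.new(filters.map { |f| Regexp.escape(f.to_s) }.join("|"), Regexp::IGNORECASE)
end

# Copy of env with every key that matches the filter masked; nested hashes
# are filtered recursively, a whole hash under a matching key is masked.
def filter_env(env, filters, re = build_filter(filters))
  env.each_with_object({}) do |(key, value), out|
    out[key] = if re && re.match?(key.to_s) then FILTERED
               elsif value.is_a?(Hash) then filter_env(value, filters, re)
               else value
               end
  end
end

# Keys whose value still reaches the email under the given filter list.
def leaked_keys(env, filters)
  filter_env(env, filters).reject { |_, v| v == FILTERED }.keys
end

# Constructed sample of the request env; values are placeholders, not secrets.
SAMPLE_ENV = {
  "REQUEST_METHOD" => "GET",
  "action_dispatch.secret_key_base" => "constructed-secret-key-base",
  "action_dispatch.encrypted_cookie_salt" => "constructed-salt",
  # Matching is on key names, not values: no default pattern matches this
  # key, so its value stays unmasked here unless the list is extended.
  "HTTP_AUTHORIZATION" => "Bearer constructed-token",
}.freeze

if __FILE__ == $0
  [[:password], RAILS6_DEFAULT_FILTERS].each do |filters|
    puts "filter_parameters = #{filters.inspect}"
    filter_env(SAMPLE_ENV, filters).each { |k, v| puts "  * #{k}: #{v}" }
  end
end
```

With only `:password` configured (the Rails 2 era default), `action_dispatch.secret_key_base` is printed in full; with the Rails 6 list it is masked by both `:secret` and `:_key`.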

thebravoman commented 3 years ago

Got it.

I have been running this platform since Rails 2, and there was only one filtered param.

Will add the rest.
