Hacker Newsnew | past | comments | ask | show | jobs | submitlogin
While we're on the subject of Rails security, should this be of concern? (github.com/search)
24 points by rubypay on March 5, 2012 | hide | past | favorite | 12 comments


I presume this is not strictly a Rails problem.

You can check in things that shouldn't be checked in with any language/framework.

If you have done this, here's how to fix it: http://help.github.com/remove-sensitive-data/


Better is to change your security token and expire all sessions. Removing sensitive data should be seen as just a suggestion. Google never forgets.


Before we all grab our pitchforks, I have just gone through the entire first page of results and a huge majority of them were explicitly noted as test applications. Sometimes you can see this in the names:

    test / rails_app_v3 /
    test_app / config
In many other instances, things are not as the seem. For example, some of these results come from commits where the author is moving the token to an environment variable. For example: https://github.com/cimm/blathy/blob/2d3a9550d3a0be55db8e26a2...

I certainly agree that we should all be security conscious, but I'm also a fan of keeping perspective. Things are bad, but let's keep the truth in mind too.


Also, for the ones that were not test apps, they may be the testing/development secret keys which are different from the production secret keys. I do this myself, where the hash salt and API keys for my local development server are different from those I use on my production server.


Not just rails, same for django (https://github.com/search?q=SECRET_KEY&repo=&langOve...) and I imagine any framework with this sort of thing in their default project skeleton


This is not a language/framework based issue. This is an issue with careless and/or uneducated developers.

This is like people storing plain text passwords in publicly readable txt files on a server. It's not a problem with FTP, HTML, Apache (pick anything you'd like) it's a problem with people making poor decisions.


Flagged. This is just ridiculous. I actually support Egor, but this borders on absurd. The question is stated incorrectly. The actual question is:

"Is storing your private key in a public repository a security concern?"

It's a parody of a security question. This is a needless distraction in an important discussion.


Could this help? https://github.com/rails/rails/pull/5286


Soon, there will be articles on how insecure Git is because, well, it allows people to check-in sensitive stuff.


Not really. At least not in the way you are insinuating.


Facebook as well...

https://github.com/search?q=FB_SECRET&repo=&langOver...

Not really a "vulnerability" because you can't keep stupid people from giving out their secret key.


The solution is simple. Don't use a secret token :)




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: