Oops, I just sent the production password in plain text over the internet
Following last week's post about Errbit, I thought I would share something related. When you use an external service such as Errbit, AppSignal or New Relic, or indeed any external system you send information to, you may be sending more than you think:
I'm sure you don't want to send your Passenger password, Rails secret token, Stripe key, OAuth token or DB password in plain text. That is sensitive information, and you don't even need it there anyway.
This is what you get from a simple Errbit configuration like this one:
Airbrake.configure do |config|
  config.api_key = ENV['ERRBIT_KEY']
  config.host = ENV['ERRBIT_HOST']
  # ENV values are strings: without .to_i the comparison below is always false
  config.port = ENV['ERRBIT_PORT'].to_i
  config.secure = config.port == 443
  config.environment_name = Rails.env
end
Of course, you want your port to be 443: using HTTPS is a good first step here. One catch: ENV values are strings, and "443" == 443 is false in Ruby. Convert the port with .to_i before comparing it, otherwise secure stays false and the notifier silently falls back to plain HTTP, so everything below travels unencrypted on top of being over-shared.
As a good error manager, Errbit collects all the useful context of the error: stack trace, request parameters, connected user and environment variables. Hence the screenshot above, which is clearly not something you want. Onward to fix it!
Let’s filter
So, your ENV probably contains a lot of stuff you don't want to expose. You can take a look by firing up a Rails console on your server:
irb> ENV.keys
# => ["RAILS_ENV", "rvm_bin_path", "GEM_HOME", "INTERCOM_PASSWORD", "REDIS_CLUSTER_PASSWORD", "RAILS_TOKEN", "ERRBIT_KEY", "STRIPE_SECRET", ...]
None of this will help you debug your problem, and it reveals quite sensitive information. So, before sending anything to your external monitor, make sure you filter out every sensitive value:
Airbrake.configure do |config|
  …
  # Request and session keys that must never leave the server
  ['_csrf_token', 'PASSENGER_CONNECT_PASSWORD'].each { |param_filter| config.params_filters << param_filter }
  # Filter config.yml env variables for rake/resque processes. The list is built
  # once, here, so this must run after anything that loads extra variables into ENV.
  # TOKEN is included because the ENV listing above contains RAILS_TOKEN, which
  # /SECRET|KEY|PASSWORD/ alone would let through.
  ENV.keys.select { |k| k.match(/SECRET|KEY|PASSWORD|TOKEN/) }.each do |env_key|
    config.params_filters << env_key
  end
end
Also, make sure you are using the latest version of the airbrake gem: it already filters a few obvious fields such as password by default. Even so, a name pattern only catches the keys you thought of, so read the environment section of a real notice yourself rather than trusting the regexp alone.
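To see what a filter list like the one above actually catches before anything reaches Errbit, here is a small scrubber you can run offline. It is an added example written for this post, not code from the post itself or from the airbrake gem: it re-implements the idea of params_filters (replace the value of every key whose name is on the list) with its own semantics, namely case-insensitive substring matching for strings and direct matching for regexps. The default list (password, password_confirmation), the WIDER_PATTERN with TOKEN, and the sample ENV and notice are all assumptions constructed for the example, modelled on the ENV listing above; check your gem version's documentation for whether its own list accepts regexps and whether it matches exactly or by substring.

```ruby
# Added example (not from the post and not the airbrake gem's code): a small
# scrubber that mimics what a params_filters list does to a notice, so you can
# see what a given filter list catches before anything leaves the server.

DEFAULT_FILTERS = %w[password password_confirmation].freeze     # assumed gem defaults
STATIC_FILTERS  = %w[_csrf_token PASSENGER_CONNECT_PASSWORD].freeze  # from the post
POST_PATTERN    = /SECRET|KEY|PASSWORD/                             # the post's regexp
WIDER_PATTERN   = /SECRET|KEY|PASSWORD|TOKEN/i                      # assumption: also catch *_TOKEN
FILTERED        = '[FILTERED]'.freeze

# True if +key+ should be hidden. Strings match as case-insensitive substrings,
# Regexps match directly (this example's semantics, not necessarily the gem's).
def sensitive_key?(key, filters)
  name = key.to_s
  filters.any? do |f|
    f.is_a?(Regexp) ? name.match?(f) : name.downcase.include?(f.to_s.downcase)
  end
end

# Build the list the way the post does: fixed names plus every ENV key whose
# name matches +pattern+. It is evaluated once, when called: keys exported into
# ENV afterwards are not on the list (pass a Regexp in +filters+ for that).
# Works with a plain Hash or with Ruby's ENV object.
def build_filters(env, pattern = POST_PATTERN)
  DEFAULT_FILTERS + STATIC_FILTERS + env.keys.select { |k| k.match?(pattern) }
end

# Walk nested hashes/arrays and replace the value of every sensitive key.
def scrub(data, filters)
  case data
  when Hash
    data.each_with_object({}) do |(k, v), out|
      out[k] = sensitive_key?(k, filters) ? FILTERED : scrub(v, filters)
    end
  when Array
    data.map { |v| scrub(v, filters) }
  else
    data
  end
end

# Constructed sample data, modelled on the ENV listing in the post.
SAMPLE_ENV = {
  'RAILS_ENV'              => 'production',
  'GEM_HOME'               => '/usr/local/rvm/gems/ruby',
  'REDIS_CLUSTER_PASSWORD' => 'hunter2',
  'RAILS_TOKEN'            => 'deadbeef',
  'STRIPE_SECRET'          => 'sk_live_xxx',
  'ERRBIT_KEY'             => 'abcd1234',
}.freeze

# A notice carries request parameters and the process environment (cgi_data).
SAMPLE_NOTICE = {
  parameters: {
    'user' => { 'email' => 'a@example.com', 'password' => 'pw' },
    'authenticity_token' => 'csrf-value',
  },
  cgi_data: SAMPLE_ENV.merge('HTTP_AUTHORIZATION' => 'Bearer abc'),
}.freeze

def scrubbed_notice(notice = SAMPLE_NOTICE, env = SAMPLE_ENV, pattern = WIDER_PATTERN)
  scrub(notice, build_filters(env, pattern))
end

if $PROGRAM_NAME == __FILE__
  require 'pp'
  pp scrubbed_notice                                   # RAILS_TOKEN and the rest hidden
  pp scrubbed_notice(SAMPLE_NOTICE, SAMPLE_ENV, POST_PATTERN)[:cgi_data]['RAILS_TOKEN']
  # The line above leaks 'deadbeef': the post's pattern has no TOKEN.
  # HTTP_AUTHORIZATION is left alone by both patterns: key-name matching only
  # helps for names you thought of, so review a real notice after configuring.
end
```

Run it with ruby scrub_example.rb (any file name). The two things to take away are that the post's regexp misses RAILS_TOKEN, and that a static list built from ENV at configure time cannot cover a key such as MAILGUN_API_KEY exported later, whereas a Regexp entry on the list would.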
Time to test
Let's use the airbrake gem's rake task to raise a test exception. Go to your server and run:
RAILS_ENV=production bundle exec rake airbrake:test
It generates an exception that you should see in Errbit. Time to check exactly what you sent: in the notice's environment section, the filtered keys should appear with their values replaced by a placeholder, not with your secrets.
Voilà: nice monitoring information, without spilling your application secrets. Now of course, we should look at those Rails log files too, but that will be for another post. Stay tuned by subscribing to our mailing list.