Session secret should not be included in version control near line …

Problem

After running Brakeman against your Rails application to test for security issues, you get the following warning about the config/initializers/secret_token.rb file:

Session secret should not be included in version control near line xx

Solution

Since you may already have pushed the original secret_token.rb to your version control, you may need to do the following.

  • Make a copy of the file: cp config/initializers/secret_token.rb config/initializers/copy_of_secret_token.rb
  • Delete the original file that is also in your version control: rm config/initializers/secret_token.rb
  • Add config/initializers/secret_token.rb to .gitignore
  • Commit your changes and push them to your version control: git commit -a -m "remove secret token and include it in .gitignore", then git push (or git push origin master)
  • Create a new secret key by running: rake secret
  • Copy the value from above into the file config/initializers/copy_of_secret_token.rb, replacing the original value of config.secret_key_base
  • Rename the file back to secret_token.rb: mv config/initializers/copy_of_secret_token.rb config/initializers/secret_token.rb
  • Check that the new file is not listed by git when you run: git status
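The last step above only confirms what git status shows today. The script below, added here as an example and not part of the original post, checks the three things that matter after the recipe: the file is ignored, it is no longer tracked, and whether the old value is still recoverable from git history (after the steps above it is, because the earlier commits are untouched, which is exactly why the secret is regenerated with rake secret rather than reused). It assumes the path used on this page and that git is on PATH; run it from the application root.

```shell
#!/bin/sh
# Added example (not from the original post). Run from the Rails app root.
SECRET_FILE="config/initializers/secret_token.rb"

# 0 if .gitignore matches the path, so `git status` will never list it.
secret_is_ignored() {
  git check-ignore -q -- "$SECRET_FILE"
}

# 0 if the path is no longer in the index (not tracked by git).
secret_is_untracked() {
  ! git ls-files --error-unmatch -- "$SECRET_FILE" >/dev/null 2>&1
}

# 0 only if no commit on any branch ever touched the path. After the recipe
# above this returns 1: `rm` plus a commit removes the file from HEAD, but
# every earlier commit still carries the old value, so it must be rotated.
secret_absent_from_history() {
  [ -z "$(git log --all --format=%H -- "$SECRET_FILE")" ]
}

# 0 if the given value appears in no diff on any branch. Pass the OLD secret;
# a hit means anyone with a clone of the repository can still recover it.
secret_value_not_in_history() {
  [ -z "$(git log --all -S"$1" --format=%H)" ]
}

# Prints one line per check. Returns 0 only if the two properties the recipe
# guarantees (ignored and untracked) both hold; history is reported as a warning.
check_secret_hygiene() {
  rc=0
  secret_is_ignored && echo "ok   $SECRET_FILE is ignored" \
    || { echo "FAIL $SECRET_FILE is not matched by .gitignore"; rc=1; }
  secret_is_untracked && echo "ok   $SECRET_FILE is untracked" \
    || { echo "FAIL $SECRET_FILE is still tracked"; rc=1; }
  secret_absent_from_history && echo "ok   $SECRET_FILE was never committed" \
    || echo "warn $SECRET_FILE is in git history: rotate the secret (rake secret)"
  return $rc
}
```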

Upgrading your Rails 3.0.3 application

Problem

After the announcements in the previous posts about the security vulnerabilities in Rails 3.0.3, you would like to update your application and deploy it with the latest 3.0.4 version.

Solution

  • Change your Gemfile to replace
    gem 'rails', '3.0.3'
    with
    gem 'rails', '3.0.4'
  • Run:
    bundle update rails
  • Remove the old 3.0.3 gems: list them with
    git status
    and then remove each one with
    git rm name_of_3.0.3_gem
  • Add the new gems to your git
    git add vendor/cache
  • Check in to your repository the new files
    git commit vendor/cache -m 'upgrade to rails 3.0.4'
  • Make sure that you also check both your Gemfile and Gemfile.lock into your git repository:
    git commit Gemfile Gemfile.lock -m 'update Gemfiles to use 3.0.4'
    otherwise, when you try to deploy, you will see the error:
    You have modified your Gemfile in development but did not check the resulting snapshot (Gemfile.lock) into version control
  • Push everything to your git repository:
    git push
  • Deploy your application with Capistrano as usual:
    cap deploy
  • Your new gems for 3.0.4 should be installed in the shared/bundle folder