#65 ✓invalid
Jeremy Lightsmith

Security Issue : Cruise Control RB makes database.yml DB passwords available over web

Reported by Jeremy Lightsmith | April 21st, 2008 @ 01:48 PM

On a new installation of CC.rb, when a project fails to build/test cleanly, links are generated to various code files in the build log section of the dashboard. Links in this section can be modified to show any arbitrary file that is part of your project, including the sensitive database.yml file that is part of a Rails project. This file contains sensitive information about database hosts, usernames, and passwords. A link like the following can be constructed: http://localhost:3333/projects/c... Please provide a mechanism to enable/disable this code viewing (could be based on where the request is coming from?). And please provide a way, if code viewing is enabled, to hide specific files from being viewed (e.g. a project config var that would allow specifying an array of files that should not be allowed to be viewed). Thanks!
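A guard of the kind the report asks for (an on/off switch for code viewing plus a per-project list of files that must never be served, with the path confined to the checkout directory), as an added Ruby example that is not CruiseControl.rb's own code. The class `ProjectFileViewer`, its method names and the sample checkout built by `build_sample_project` are assumptions constructed for this example.

```ruby
require 'pathname'
require 'tmpdir'
require 'fileutils'

# Hypothetical guard for a CC.rb-style "view file" action (added example, not
# CruiseControl.rb's own code). A file is served only if code viewing is enabled,
# the path stays inside the project checkout, and it is not on the hidden list.
class ProjectFileViewer
  class Forbidden < StandardError; end

  def initialize(root, enabled: true, hidden: ['config/database.yml'])
    @root = Pathname.new(root).realpath            # canonical checkout directory
    @enabled = enabled
    @hidden = hidden.map { |f| (@root + f).cleanpath }
  end

  # Returns the canonical Pathname that may be served, or raises Forbidden.
  def resolve(requested)
    raise Forbidden, 'code viewing disabled' unless @enabled
    candidate = (@root + requested).cleanpath      # strips "." and ".." segments
    raise Forbidden, 'not a file' unless candidate.file?
    real = candidate.realpath                      # follows symlinks
    # Traversal check: the resolved path must remain under the project root.
    raise Forbidden, 'outside project' unless real.to_s.start_with?(@root.to_s + File::SEPARATOR)
    # Denylist check on both the requested and the resolved path.
    raise Forbidden, 'hidden file' if @hidden.include?(candidate) || @hidden.include?(real)
    real
  end

  def viewable?(requested)
    resolve(requested)
    true
  rescue Forbidden
    false
  end
end

# Constructed sample checkout (not a real project): one model and a database.yml.
def build_sample_project
  dir = Dir.mktmpdir('ccrb-sample')
  FileUtils.mkdir_p(File.join(dir, 'app/models'))
  FileUtils.mkdir_p(File.join(dir, 'config'))
  File.write(File.join(dir, 'app/models/user.rb'), "class User; end\n")
  File.write(File.join(dir, 'config/database.yml'), "production:\n  password: CONSTRUCTED\n")
  dir
end
```

With the sample checkout, `viewable?('app/models/user.rb')` is true while `config/database.yml`, `config/../config/database.yml` and any path that escapes the checkout are refused.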

Comments and changes to this ticket

  • Michael Schubert

    Michael Schubert June 9th, 2008 @ 09:14 PM

    • State changed from “open” to “invalid”
    • Assigned user set to “Michael Schubert”

    (to the original submitter...)

    I have to question why sensitive passwords are being checked into your source repository anyways?

    In every team and every Rails project I've ever been involved in, it has NEVER been the practice to check in sensitive files for precisely reasons like this.

    Let's not make this tool promote bad practices.
