

While we're on the subject of Rails security, should this be of concern? - rubypay
https://github.com/search?q=Application.config.secret_token&repo=&langOverride=&start_value=1&type=Code&language=Ruby

======
skimbrel
I presume this is not strictly a Rails problem.

You can check in things that shouldn't be checked in with any
language/framework.

If you _have_ done this, here's how to fix it: <http://help.github.com/remove-
sensitive-data/>

~~~
kevinpet
Better is to change your security token and expire all sessions. Removing
sensitive data should be seen as just a suggestion. Google never forgets.

------
antics
Before we all grab our pitchforks, I have just gone through the entire first
page of results and a huge majority of them were explicitly noted as test
applications. Sometimes you can see this in the names:

    test / rails_app_v3 /
    test_app / config

In many other instances, things are not as they seem. For example, some of
these results come from commits where the author is moving the token to an
environment variable. For example:
[https://github.com/cimm/blathy/blob/2d3a9550d3a0be55db8e26a2...](https://github.com/cimm/blathy/blob/2d3a9550d3a0be55db8e26a25f959a891dee1bcf/config/initializers/secret_token.rb)

I certainly agree that we should all be security conscious, but I'm also a fan
of keeping perspective. Things are bad, but let's keep the truth in mind too.

~~~
TazeTSchnitzel
Also, for the ones that were not test apps, they may be the
testing/development secret keys which are different from the production secret
keys. I do this myself, where the hash salt and API keys for my local
development server are different from those I use on my production server.

------
5h
Not just Rails, same for Django
([https://github.com/search?q=SECRET_KEY&repo=&langOve...](https://github.com/search?q=SECRET_KEY&repo=&langOverride=&start_value=1&type=Code&language=Python))
and I imagine any framework with this sort of thing in their default project
skeleton

------
justindocanto
This is not a language/framework based issue. This is an issue with careless
and/or uneducated developers.

This is like people storing plain text passwords in publicly readable txt
files on a server. It's not a problem with FTP, HTML, Apache (pick anything
you'd like); it's a problem with people making poor decisions.

------
bradleyland
Flagged. This is just ridiculous. I actually support Egor, but this borders on
absurd. The question is stated incorrectly. The actual question is:

"Is storing your _private_ key in a public repository a security concern?"

It's a parody of a security question. This is a needless distraction in an
important discussion.

------
oscardelben
Could this help? <https://github.com/rails/rails/pull/5286>

------
manojlds
Soon, there will be articles on how insecure Git is because, well, it allows
people to check in sensitive stuff.

------
yuvadam
Not really. At least not in the way you are insinuating.

------
zbuc
Facebook as well...

[https://github.com/search?q=FB_SECRET&repo=&langOver...](https://github.com/search?q=FB_SECRET&repo=&langOverride=&start_value=1&type=Code&language=)

Not really a "vulnerability" because you can't keep stupid people from giving
out their secret key.

------
AznHisoka
The solution is simple. Don't use a secret token :)

