Rails Master Key

Description

General

  • Documentation: https://guides.rubyonrails.org/security.html#custom-credentials
  • Summary: Ruby on Rails is a web framework written in Ruby. By default, Rails encrypts secrets before storing them in a credentials.yml.enc file. This file contains at least the application's secret_key_base, which is used to encrypt cookies, as well as any other secrets the application needs, such as API keys. To encrypt the credentials.yml.enc file, Rails uses a key stored in a master.key file. This detector focuses on catching this master key.

Revoke the secret

If it does not exist yet, the master.key file is created when the credentials file is edited with the command bin/rails credentials:edit. This is a good way to generate a new master key.

Check for suspicious activity

Details for Rails master key assignment

  • Family: PrivateKey

  • Category: Private key

  • High recall: False

  • Validity check available: False

  • Minimum number of matches: 1

  • Occurrences found for one million commits: very rare

  • Prefixed: False

  • PreValidators:

- type: FilenameBanlistPreValidator
  banlist_extensions: []
  banlist_filenames:
    - ^(.*/|)config/credentials/[^/]*(?<!test)(?<!dev)(?<!development)\.key$
    - ^(.*/|)master.key$
  check_binaries: false
  include_default_banlist_extensions: true
  ban_markup: true
- type: ContentWhitelistPreValidator
  patterns:
    - rails_master_key

Examples

- text: |
    RAILS_MASTER_KEY = efa44cc0e89b44d78a8d44067cf1962c
  secret_key: efa44cc0e89b44d78a8d44067cf1962c

- text: |
    RAILS_MASTER_KEY='29ee8ed0227c4ef18127081a482c43c6'
  secret_key: 29ee8ed0227c4ef18127081a482c43c6

- text: |
    RAILS_MASTER_KEY: "92dd4344e28e4b2383e8dbdaf2575af5"
  secret_key: 92dd4344e28e4b2383e8dbdaf2575af5

- text: |
    RAILS_MASTER_KEY="c8fad09976234d4db5c382d88ffbd598"
  secret_key: c8fad09976234d4db5c382d88ffbd598

Details for Rails secret key base master key

  • Family: PrivateKey

  • Category: Private key

  • High recall: False

  • Validity check available: False

  • Minimum number of matches: 1

  • Occurrences found for one million commits: 3.68

  • Prefixed: False

  • PreValidators:

- type: FilenameWhitelistPreValidator
  whitelist_extensions: []
  whitelist_filenames: []
  whitelist_filepaths:
    - ^(.*/|)config/credentials/[^/]*(?<!test)(?<!dev)(?<!development)\.key$
    - ^(.*/|)master.key$

Examples

- text: 127038aa5eb2406d6a8cdf2c3de55341
  secret_key: 127038aa5eb2406d6a8cdf2c3de55341

- text: 127038aa5eb2406d6a8cdf2c3de55341
  secret_key: 127038aa5eb2406d6a8cdf2c3de55341
  # Skip this one because we can't detect it with ggshield
  skip_sample_secrets: true

- text: 243438AE2EF6007F6A8BAB5D8BB54326
  secret_key: 243438AE2EF6007F6A8BAB5D8BB54326
  # Skip this one because we can't detect it with ggshield
  skip_sample_secrets: true

- text: 243438AE2EF6007F6A8BAB5D8BB54326
  secret_key: 243438AE2EF6007F6A8BAB5D8BB54326
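
The two detectors above split the work by file path: key files (master.key, config/credentials/*.key except test, dev and development) are checked for a bare key, while every other file is checked for a RAILS_MASTER_KEY assignment. The following added example, which is not GitGuardian's code, sketches that routing in Python as a local pre-commit style check; the filename patterns are copied from this page, while the two value regexes, the 32-hex key shape and the case-insensitive keyword gate are assumptions inferred from the examples.

```python
import re

# Filename patterns copied from the PreValidators on this page.
KEY_FILE_PATTERNS = [
    re.compile(r"^(.*/|)config/credentials/[^/]*(?<!test)(?<!dev)(?<!development)\.key$"),
    re.compile(r"^(.*/|)master.key$"),
]
# Assumption: a Rails master key is 32 hex characters, as in the page's examples.
BARE_KEY = re.compile(r"^\s*([0-9a-fA-F]{32})\s*$")
# Assumption: assignment shapes inferred from the page's examples, not the real detector regex.
ASSIGNED_KEY = re.compile(r"RAILS_MASTER_KEY\s*[=:]\s*['\"]?([0-9a-fA-F]{32})\b", re.I)


def is_key_file(path):
    return any(p.search(path) for p in KEY_FILE_PATTERNS)


def scan(files):
    """Return (path, detector, key) findings for a {path: content} mapping."""
    findings = []
    for path, content in files.items():
        if is_key_file(path):
            # Whitelisted path: the whole file is expected to be the key.
            m = BARE_KEY.match(content)
            if m:
                findings.append((path, "key_file", m.group(1)))
        elif "rails_master_key" in content.lower():
            # Key files never reach this branch; the keyword gate mirrors ContentWhitelistPreValidator.
            for m in ASSIGNED_KEY.finditer(content):
                findings.append((path, "assignment", m.group(1)))
    return findings


# Constructed sample tree; key values are the sample secrets shown on this page.
SAMPLE = {
    "config/master.key": "127038aa5eb2406d6a8cdf2c3de55341\n",
    "config/credentials/production.key": "243438AE2EF6007F6A8BAB5D8BB54326",
    "config/credentials/test.key": "127038aa5eb2406d6a8cdf2c3de55341",
    ".env": "RAILS_MASTER_KEY='29ee8ed0227c4ef18127081a482c43c6'\n",
    "deploy.yml": 'RAILS_MASTER_KEY: "92dd4344e28e4b2383e8dbdaf2575af5"\n',
    "README.md": "Set the master key before booting.\n",
}

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The test.key entry is deliberately not reported: the negative lookbehinds in the filename pattern exclude it from the key-file detector, and it contains no RAILS_MASTER_KEY keyword for the assignment detector.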
