Ruby

Made by DeepSource

Plaintext password found in callback RB-S1003

Security
Major
cwe-256

Rails 3.1 introduced the http_basic_authenticate_with callback to simplify HTTP Basic authentication: you pass a username and password and the controller is protected. This becomes a serious problem when the password is written as a plaintext literal in the source, because it then leaks together with the code (repository, backups, logs, diffs).

Implementing authentication this way should be avoided. If you only want to use it to test locally how the app flows with authentication enabled, read the password for this callback from an environment variable instead of hard-coding it.

Bad practice

class PostsController < ApplicationController
    http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index
    #...
end

Recommended

class PostsController < ApplicationController
    http_basic_authenticate_with :name => "dhh", :password => ENV['USER_PASSWD'], :except => :index
    #...
end
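As an added illustration of what this rule checks for (this is not DeepSource's analyzer and not part of the rule page), the following Ruby script scans source text for http_basic_authenticate_with calls and classifies the :password argument as a string literal, an ENV lookup, or something a reviewer should inspect by hand. The SAMPLE source is constructed for the example; it reuses the two controllers from the page plus a symbol-key variant, and the regex assumptions (hash-rocket or symbol-key syntax, one call per line) are mine.

```ruby
# Added example, not DeepSource's implementation of RB-S1003.
# Flags http_basic_authenticate_with calls whose :password is a string literal
# and accepts ones that read the password from ENV. Anything else is reported
# as :unknown so a human can review it.

CALL = /http_basic_authenticate_with/
# Matches `:password => <value>` or `password: <value>`, capturing the value
# up to the next comma or end of line (assumes one call per line).
PASSWORD_ARG = /(?::password\s*=>|\bpassword:)\s*([^,\n]+)/

def classify_password(value)
  v = value.strip
  return :plaintext if v.match?(/\A(["']).*\1\z/)    # "secret" or 'secret'
  return :plaintext if v.match?(/\A%[qQ]?[(\[{<]/)    # %q(secret), %(secret)
  return :env if v.match?(/\AENV(\.fetch\(|\[)/)      # ENV['X'] / ENV.fetch('X')
  :unknown
end

# Returns one hash {line:, status:, value:} per call found in `source`.
def scan_basic_auth(source)
  source.each_line.with_index(1).filter_map do |line, no|
    next unless line.match?(CALL)
    m = line.match(PASSWORD_ARG)
    status = m ? classify_password(m[1]) : :missing
    { line: no, status: status, value: m && m[1].strip }
  end
end

# Constructed sample input: the page's two controllers plus a symbol-key variant.
SAMPLE = <<~RUBY
  class PostsController < ApplicationController
    http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index
  end

  class AdminController < ApplicationController
    http_basic_authenticate_with name: "dhh", password: ENV.fetch("ADMIN_PASSWD"), except: :index
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  scan_basic_auth(SAMPLE).each do |hit|
    puts "line #{hit[:line]}: #{hit[:status]} (#{hit[:value]})"
  end
end
```

Running the script reports line 2 as :plaintext and line 6 as :env. Using ENV.fetch rather than ENV[] in the recommended form has the additional benefit that a missing variable raises at boot instead of silently configuring an empty password.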

References

  1. CWE-256: Plaintext Storage of a Password