DeepSource
Dashboard Resources Pricing Discover Directory Log in

Run your first analysis.

Find thousands of code security and quality issues in your codebase, before they end up in production.

Start now
Ruby

Ruby

Made by DeepSource
Use Analyzer

Plaintext password found in callback RB-S1003

Security
Major
 cwe-256

Rails 3.1 introduced a callback http_basic_authenticate_with to simplify basic authentication. You can simply pass a username and password in plaintext to have a basic form of authentication. This especially is a big problem when the password is passed as plaintext, as it can be leaked.

Implementing authentication this way should be avoided. However if you want to use it to just test locally how the app will flow with authentication enabled, it is recommended to use environment variables to set the password for this callback.

Bad practice

class PostsController < ApplicationController
    http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index
    #...
end

Recommended

class PostsController < ApplicationController
    http_basic_authenticate_with :name => "dhh", :password => ENV['USER_PASSWD'], :except => :index
    #...
end

References

  1. CWE-256: Plaintext Storage of a Password