[Possible] Source Code Disclosure (Ruby)
Description
This vulnerability occurs when a Ruby web application's source code files (.rb files) are accessible directly through HTTP requests due to server misconfiguration. Instead of executing the Ruby code, the web server serves the raw source files to anyone who requests them. This typically happens when the web server is not properly configured to handle Ruby files or when source files are placed in publicly accessible directories.
Remediation
Take the following steps to remediate this vulnerability:
1. Verify the misconfiguration: Confirm that Ruby source files are accessible by attempting to download them directly through a web browser.
2. Move source files outside the web root: Relocate all Ruby application files (.rb) to directories outside the publicly accessible web root. Only static assets (CSS, JavaScript, images) should remain in public directories.
3. Configure the web server properly: Ensure your web server (Apache, Nginx, etc.) is configured to route requests to the Ruby application server (Passenger, Puma, Unicorn) rather than serving .rb files from disk as static content. For Apache with Passenger, verify the configuration includes:
LoadModule passenger_module /path/to/passenger/module
PassengerRoot /path/to/passenger
PassengerRuby /path/to/ruby
<VirtualHost *:80>
    DocumentRoot /path/to/app/public
    PassengerEnabled on
</VirtualHost>
4. Restrict file access: Configure web server rules to explicitly deny access to .rb files. For Nginx:
location ~* \.rb$ {
    deny all;
}
After reloading the configuration, repeat the check from step 1 to confirm the files are no longer served.
5. Review file permissions: Ensure source code files have appropriate permissions (e.g., 640 or 600) and are owned by the application user, not the web server user.
6. Audit for exposed secrets: If source code was exposed, rotate all credentials, API keys, and secrets that may have been disclosed.
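As an added example (not part of this advisory), the following Ruby script audits a deployed application tree for steps 2 and 5 above: it flags any .rb file that sits under the public web root and any .rb file elsewhere whose mode is looser than 640/600. The directory layout, file names and `demo` helper are constructed for illustration and are assumptions, not a real deployment.

```ruby
require 'find'
require 'tmpdir'
require 'fileutils'

# Walk app_root and report two conditions from the advisory:
#   :in_web_root     - a .rb file lives under the public web root, so a
#                      misconfigured server could hand it out as a static file
#   :permissive_mode - a .rb file outside the web root grants more than
#                      owner rw + group r (i.e. looser than 640 / 600)
# Returns { absolute_path => finding }.
def audit_source_exposure(app_root, web_root)
  findings = {}
  web_root = File.expand_path(web_root)
  Find.find(File.expand_path(app_root)) do |path|
    next unless File.file?(path) && path.end_with?('.rb')
    if path.start_with?(web_root + File::SEPARATOR)
      findings[path] = :in_web_root
      next
    end
    mode = File.stat(path).mode & 0o777
    # any bit outside 0o640 (group write, other read/write/exec) is too loose
    findings[path] = :permissive_mode unless (mode & ~0o640).zero?
  end
  findings
end

# Constructed sample tree (an assumption, not a real app) to exercise the audit;
# returns findings with paths relative to the temporary root.
def demo
  Dir.mktmpdir do |root|
    FileUtils.mkdir_p(File.join(root, 'public', 'assets'))
    FileUtils.mkdir_p(File.join(root, 'app', 'models'))
    File.write(File.join(root, 'public', 'config.rb'), "SECRET = 'x'\n")   # exposed
    File.write(File.join(root, 'public', 'assets', 'app.css'), "body{}\n") # fine
    safe  = File.join(root, 'app', 'models', 'user.rb')
    loose = File.join(root, 'app', 'boot.rb')
    File.write(safe, "class User; end\n")
    File.chmod(0o640, safe)    # within the advisory's recommended modes
    File.write(loose, "# boot\n")
    File.chmod(0o644, loose)   # world-readable: flagged
    result = audit_source_exposure(root, File.join(root, 'public'))
    result.transform_keys { |k| k.sub(File.expand_path(root) + File::SEPARATOR, '') }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |path, issue| puts "#{issue}: #{path}" }
end
```

Point `audit_source_exposure` at the real application root and its public directory to run the same check on a deployment.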