rack-mini-profiler environment variables disclosure
Description
rack-mini-profiler is a Rails middleware component that provides performance profiling information for web applications. When improperly configured in production environments, it can expose sensitive application data including environment variables, configuration settings, and system information without requiring authentication. This misconfiguration allows unauthorized users to access the profiler's diagnostic interface, which is intended only for development use.
Remediation
Immediately disable rack-mini-profiler in production environments. If profiling is required in production, implement the following security controls:
1. Remove rack-mini-profiler from production by ensuring it is only included in the development and test groups of your Gemfile:

```ruby
group :development, :test do
  gem 'rack-mini-profiler'
end
```
2. If production profiling is necessary, restrict the profiler to explicitly authorized requests:

```ruby
# config/initializers/rack_profiler.rb
if Rails.env.production?
  # Hide the profiler on every request unless the application explicitly
  # authorizes that request with Rack::MiniProfiler.authorize_request.
  Rack::MiniProfiler.config.authorization_mode = :allow_authorized
end
```

```ruby
# app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  # The middleware runs before the Rails session is loaded, so the
  # admin check must happen in a controller hook, not in the initializer.
  # Only authenticated admin users may see profiler output.
  before_action do
    current_user = User.find_by(id: session[:user_id])
    Rack::MiniProfiler.authorize_request if current_user&.admin?
  end
end
```

3. Verify the configuration is not exposing the profiler at the /rack-mini-profiler path without authentication: an unauthenticated request to that path in production must not return profiler output.
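As an added example (not part of this advisory or of the gem's own code), one way to carry out the verification in step 3 from the defender's side: scan web-server access logs for profiler paths that were served with a 2xx status, which is direct evidence that the diagnostic interface answered a request. It assumes combined-format log lines; /rack-mini-profiler is the path named above and /mini-profiler-resources/ is assumed to be the gem's default base_url_path, unchanged in the deployment.

```ruby
# Path prefixes under which rack-mini-profiler serves its UI and results.
# /rack-mini-profiler is the path named in the advisory; /mini-profiler-resources
# is assumed to be the gem's default base_url_path for this deployment.
PROFILER_PREFIXES = ['/rack-mini-profiler', '/mini-profiler-resources'].freeze

# Matches an Apache/nginx "combined" access-log line and captures the fields we need.
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) (?<bytes>\d+|-)/

# Parses one line into a hash; returns nil for lines that do not match the format.
def parse_line(line)
  m = LOG_LINE.match(line)
  return nil unless m
  { ip: m[:ip], time: m[:time], method: m[:method], path: m[:path],
    status: m[:status].to_i, bytes: m[:bytes] == '-' ? 0 : m[:bytes].to_i }
end

# True when the request path is the profiler root, a sub-path of it, or the root with a query string.
def profiler_path?(path)
  PROFILER_PREFIXES.any? { |p| path == p || path.start_with?("#{p}/") || path.start_with?("#{p}?") }
end

# Profiler-path requests that were actually served (2xx). A 404 means Rails handled the
# path itself, i.e. the middleware stayed hidden, so those are not reported.
def exposed_profiler_hits(lines)
  lines.filter_map { |l| parse_line(l) }
       .select { |r| profiler_path?(r[:path]) && (200..299).cover?(r[:status]) }
end

# Groups served hits per client IP so a reviewer can see who reached the profiler.
def summarize(lines)
  exposed_profiler_hits(lines).group_by { |r| r[:ip] }
                              .transform_values { |rs| rs.map { |r| r[:path] } }
end

# Constructed sample log lines (not from a real system): one client is served profiler
# data, the other gets a 404 from the application, which is the expected safe behaviour.
SAMPLE_LOG = <<~LOG.lines(chomp: true)
  203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /rack-mini-profiler/results?id=abc HTTP/1.1" 200 5120 "-" "curl/7.88"
  203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /mini-profiler-resources/includes.js HTTP/1.1" 200 21000 "-" "curl/7.88"
  198.51.100.2 - - [10/Oct/2023:14:01:02 +0000] "GET /rack-mini-profiler/results HTTP/1.1" 404 1234 "-" "Mozilla/5.0"
  198.51.100.2 - - [10/Oct/2023:14:01:05 +0000] "GET /orders/42 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
LOG

if __FILE__ == $PROGRAM_NAME
  summarize(SAMPLE_LOG).each { |ip, paths| puts "#{ip}: #{paths.join(', ')}" }
end
```

Any IP reported by `summarize` against a production log indicates the profiler served content and the configuration in steps 1 and 2 has not taken effect.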