Leakage of sensitive data in dynamic file generation

• Rule ID: ruby_lang_file_generation
• Languages: ruby
• Source: file_generation.yml

Description

Writing sensitive data to static files, such as logs, backups, or data exports, can lead to unintended data exposure. Be wary of writing sensitive information to files, because this poses a risk of data leakage.

Remediations

• Do not write sensitive data directly to static files without considering the security implications. This includes user emails, names, or any personally identifiable information (PII).

  File.open("users.log", "w") { |f| f.write "#{Time.now} - User #{user.email} logged in\n" }
  File.open("users.csv", "w") do |f|
    users.each do |user|
      f.write "#{user.email},#{user.first_name},#{user.last_name}"
    end
  end

• Do ensure that if writing sensitive data to files is necessary, such files are securely stored and access is strictly controlled. Implement encryption for files containing sensitive data.
• Do document the storage location of files containing sensitive data and ensure it aligns with your organization's internal data handling and privacy policies.

Associated CWE

• CWE-313: Cleartext Storage in a File or on Disk

OWASP Top 10

• A04:2021 - Insecure Design

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=ruby_lang_file_generation

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=ruby_lang_file_generation