@benjaminwood benjaminwood commented Jun 8, 2025

The enable_advanced_debugging_tools setting is potentially dangerous, especially in development environments that are exposed to external networks. For example, if you run a Rails server bound to a public interface (e.g. -b 0.0.0.0), anyone on the local network can access sensitive information such as environment variables or memory debugging data. This risk is even greater if the application is exposed via a tunnel for webhook testing or similar purposes.

Although the README states that enable_advanced_debugging_tools is disabled by default, the current Railtie enables it in development mode. This change corrects that inconsistency and prioritizes safety by requiring explicit opt-in for these tools.
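The two defaulting policies the description contrasts, modelled as an added example (this is illustrative Ruby written for this page, not rack-mini-profiler's Railtie or the PR's diff). The first policy turns the tools on whenever the app runs in development, the second only when the operator opts in; a minimal Rack-style app then shows what each policy hands to a client on the local network. The env var name RMP_ADVANCED_DEBUG, the /debug/env path, the request hash and the sample secret are all assumptions constructed for the example.

```ruby
# Added example: models the defaulting policies discussed in the PR and what
# each one exposes to a remote client. Not code from rack-mini-profiler.
#
# Assumptions (not from the page): RMP_ADVANCED_DEBUG, the /debug/env path,
# the sample process environment and the request hash are all hypothetical.

# Policy the description attributes to the current Railtie: the advanced
# tools are on whenever the app runs in development, whoever can reach it.
def implicit_default(rails_env, env_vars = {})
  rails_env == "development"
end

# Policy the PR proposes: off in every environment unless explicitly opted in.
def explicit_opt_in(rails_env, env_vars = {})
  env_vars["RMP_ADVANCED_DEBUG"] == "1"
end

# A tiny Rack-compatible app standing in for an env-dump endpoint. When the
# tools are enabled it returns the whole process environment as text; when
# they are disabled the path does not exist.
def build_app(enabled, process_env)
  lambda do |env|
    if enabled && env["PATH_INFO"] == "/debug/env"
      body = process_env.map { |k, v| "#{k}=#{v}" }.join("\n")
      [200, { "content-type" => "text/plain" }, [body]]
    else
      [404, { "content-type" => "text/plain" }, ["not found"]]
    end
  end
end

# Constructed sample data: a dev box whose ENV carries a production-looking
# key, and a request arriving from another host on the LAN.
SAMPLE_PROCESS_ENV = {
  "RAILS_ENV"         => "development",
  "STRIPE_SECRET_KEY" => "sk_live_example_not_real",
}.freeze
REMOTE_REQUEST = {
  "REQUEST_METHOD" => "GET",
  "PATH_INFO"      => "/debug/env",
  "REMOTE_ADDR"    => "192.168.1.23",
}.freeze

# Evaluate a policy and report whether the remote request gets the secret.
def leaks_secret?(policy, rails_env, env_vars = {})
  enabled = send(policy, rails_env, env_vars)
  status, _headers, body = build_app(enabled, SAMPLE_PROCESS_ENV).call(REMOTE_REQUEST)
  status == 200 && body.join.include?("STRIPE_SECRET_KEY")
end

if __FILE__ == $0
  puts "implicit default, development:            leaks=#{leaks_secret?(:implicit_default, 'development')}"
  puts "explicit opt-in, development, no opt-in:  leaks=#{leaks_secret?(:explicit_opt_in, 'development')}"
  puts "explicit opt-in, development, opted in:   leaks=#{leaks_secret?(:explicit_opt_in, 'development', 'RMP_ADVANCED_DEBUG' => '1')}"
end
```

The opt-in check deliberately does not try to infer exposure from the bind address or the client IP: as the thread notes, the library cannot reliably tell whether a development server sits behind a tunnel, so the safe default is "off until told otherwise".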
@nateberkopec (Collaborator)

Couple of thoughts

  1. This probably isn't the most-used feature in RMP
  2. Local/dev ENV variables at most companies contain at least 1 sensitive/prod key IME
  3. It's not possible to reliably detect in RMP whether or not we're exposed to the wider internet

So I'm 60/40 leaning towards "always disable". Would be nice to slap this in 4.0, wdyt @tgxworld

@benjaminwood (Author)

This didn't make it into the 4.0 release, but I still think it's the right default. Can we ship it in the next release?

natevick commented Aug 7, 2025

@nateberkopec I thought this was changed at 4.0, did I misunderstand?
