secvault 3.1.0 → 3.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: d57e110e287dd498f1751e5d823283c7f673c5f7511fca743772bec1ba25c5fc
4
- data.tar.gz: b4c48354b471bc32634eb40dc15a99869e86825aae010f9f338ca4ab91850d66
3
+ metadata.gz: ff511b4da4c277844438956507222da90bd15416fd8e4adec1e973a4e5b73993
4
+ data.tar.gz: 45219a2e917ac366af2c94c8a848cc5557219b4856daab6fcd870d19898d1685
5
5
  SHA512:
6
- metadata.gz: 6c1f2e1f452cfca7bbcc34117a32b05d252589d156b59175158577548f9158628bf1d0f01ace21714b3f8cf7fd8de195769ecf0d60b6d11915d4ca10163070e3
7
- data.tar.gz: 1b5ffc0246423e154b2c0e12799e6d11370c8fa242eed3bec9f902e98df9119e70d0ae1da27f02c206a62a47b839c8e0788f35afd0d5a5cca7fe360739c66ced
6
+ metadata.gz: 45e5d96b9eaa32ea9396921451dfb2ed148e485992236ae45bf58acf9a380869cde8df8b3e93e621cdfe1bcd9710f4eccbeaee3880fa5436c73e336d063d866f
7
+ data.tar.gz: db91a660ae62430a0c27f311bd512d964efc485f4a224e42f958b9215d31c9c553db765b638b622413b18c9b236ab6865d14328594f8d6ab726452484eddc767
data/README.md CHANGED
@@ -3,6 +3,7 @@
3
3
  Simple YAML secrets management for Rails. Uses standard YAML anchors for sharing configuration.
4
4
 
5
5
  [![Gem Version](https://img.shields.io/gem/v/secvault.svg)](https://rubygems.org/gems/secvault)
6
+ [![CI](https://github.com/unnitallman/secvault/actions/workflows/ci.yml/badge.svg)](https://github.com/unnitallman/secvault/actions/workflows/ci.yml)
6
7
 
7
8
  ## Installation
8
9
 
data/SECURITY.md ADDED
@@ -0,0 +1,98 @@
1
+ # Security Policy
2
+
3
+ ## Supported Versions
4
+
5
+ We actively support the following versions of Secvault with security updates:
6
+
7
+ | Version | Supported |
8
+ | ------- | ------------------ |
9
+ | 3.1.x | :white_check_mark: |
10
+ | 3.0.x | :white_check_mark: |
11
+ | < 3.0 | :x: |
12
+
13
+ ## Reporting a Vulnerability
14
+
15
+ **Please do not report security vulnerabilities through public GitHub issues.**
16
+
17
+ Instead, please report security vulnerabilities by emailing **unnikrishnan.kp@bigbinary.com**.
18
+
19
+ You should receive a response within 48 hours. If the issue is confirmed, we will release a patch as soon as possible depending on complexity but typically within 7 days.
20
+
21
+ ### What to Include in Your Report
22
+
23
+ Please include the following information in your vulnerability report:
24
+
25
+ - Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
26
+ - Full paths of source file(s) related to the manifestation of the issue
27
+ - The location of the affected source code (tag/branch/commit or direct URL)
28
+ - Any special configuration required to reproduce the issue
29
+ - Step-by-step instructions to reproduce the issue
30
+ - Proof-of-concept or exploit code (if possible)
31
+ - Impact of the issue, including how an attacker might exploit the issue
32
+
33
+ This information will help us triage your report more quickly.
34
+
35
+ ## Security Best Practices
36
+
37
+ When using Secvault in your applications, please follow these security best practices:
38
+
39
+ ### 1. File Permissions
40
+ - Ensure your secrets files (`config/secrets.yml`, etc.) have restrictive file permissions (600 or 640)
41
+ - Never commit secrets files to version control
42
+ - Use `.gitignore` to exclude secrets files from your repository
43
+
44
+ ### 2. Environment Separation
45
+ - Use different secrets files for different environments (development, staging, production)
46
+ - Never use production secrets in development or testing environments
47
+ - Implement proper environment-specific configuration
48
+
49
+ ### 3. Secret Management
50
+ - Rotate secrets regularly
51
+ - Use strong, randomly generated secrets
52
+ - Avoid hardcoding secrets in application code
53
+ - Consider using external secret management services for production environments
54
+
55
+ ### 4. Access Control
56
+ - Limit access to secrets files to only necessary personnel and processes
57
+ - Use proper deployment practices that don't expose secrets in logs or process lists
58
+ - Implement proper access controls in your deployment infrastructure
59
+
60
+ ### 5. Monitoring and Auditing
61
+ - Monitor access to secrets files
62
+ - Implement logging for secrets access (without logging the actual secret values)
63
+ - Regular security audits of your secrets management practices
64
+
65
+ ## Dependencies and Supply Chain Security
66
+
67
+ Secvault has minimal dependencies to reduce attack surface:
68
+
69
+ - **Rails**: We require Rails >= 7.1.0 and stay updated with security patches
70
+ - **Zeitwerk**: Used for autoloading, maintained by the Rails core team
71
+
72
+ We regularly monitor our dependencies for security vulnerabilities and update them promptly when security issues are discovered.
73
+
74
+ ## Security Considerations
75
+
76
+ ### Hot Reload Feature
77
+ The hot reload feature (`reload_secrets!`) is designed for development environments only. It should not be enabled in production as it can potentially expose secrets through memory dumps or debugging tools.
78
+
79
+ ### Rails Integration
80
+ Secvault integrates deeply with Rails' secrets system. While this provides seamless functionality, it's important to understand that secrets are loaded into memory and may be visible to processes with sufficient privileges.
81
+
82
+ ### File System Security
83
+ Secvault reads secrets from the file system. Ensure your deployment environment has proper file system security controls in place.
84
+
85
+ ## Acknowledgments
86
+
87
+ We appreciate the security research community and responsible disclosure. Contributors who report valid security vulnerabilities will be acknowledged in our release notes (unless they prefer to remain anonymous).
88
+
89
+ ## Contact
90
+
91
+ For any security-related questions or concerns, please contact:
92
+
93
+ **Email**: unnikrishnan.kp@bigbinary.com
94
+ **Project**: https://github.com/unnitallman/secvault
95
+
96
+ ---
97
+
98
+ *This security policy is effective as of the date of the latest commit to this file and applies to all current and future versions of Secvault.*
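Review bot: the Supported Versions table in the new file (lines 7–11) lists 3.1.x and 3.0.x but not 3.2.x, even though this same release ships 3.2.0; add a `| 3.2.x | :white_check_mark: |` row, and decide whether 3.0.x stays supported given that `required_ruby_version` is raised in this same diff. The "File System Security" section should also say that the secrets file is parsed with `YAML.unsafe_load` (see the `@@ -66,9 +66,9 @@ module Secvault` hunk below), so `config/secrets.yml` has to be treated as trusted code rather than as data: anyone who can write it can have arbitrary Ruby objects instantiated at boot. That is the single most useful sentence this policy could carry, and it is the only security-relevant behaviour change in the release.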
@@ -66,9 +66,9 @@ module Secvault
66
66
  # Read and process the plain YAML file content
67
67
  source = path.read
68
68
 
69
- # Process ERB and parse YAML
69
+ # Process ERB and parse YAML - using same method as Rails
70
70
  erb_result = ERB.new(source).result
71
- secrets = YAML.safe_load(erb_result, aliases: true, permitted_classes: [])
71
+ secrets = YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(erb_result) : YAML.load(erb_result)
72
72
 
73
73
  secrets ||= {}
74
74
 
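Review bot: line 71 replaces `YAML.safe_load(erb_result, aliases: true, permitted_classes: [])` with `YAML.unsafe_load`, which removes the only guard against arbitrary object deserialization: Psych's `unsafe_load` honours `!ruby/object:` and related tags and will instantiate whatever class the file names, while the previous call already permitted anchors and aliases (`aliases: true`), so the README's anchor-sharing use case did not need this. If a particular class was failing to load (Symbol, Date and Time are the usual suspects), keep `safe_load` and add it to `permitted_classes:` instead. The fallback branch is no better: `YAML.load` on Psych < 4 is equally unrestricted, so no path through this line limits tags. Matching the legacy Rails loader is a defensible goal, but the old line was strictly safer, and the change widens what a tampered secrets file can do from "leak secrets" to "run code at boot"; at minimum it needs a CHANGELOG entry and a sentence in the new SECURITY.md.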
@@ -79,8 +79,9 @@ module Secvault
79
79
 
80
80
  def read_secrets(secrets_path, env)
81
81
  if secrets_path.exist?
82
- # Handle plain YAML secrets.yml only
83
- all_secrets = YAML.safe_load(ERB.new(secrets_path.read).result, aliases: true)
82
+ # Handle plain YAML secrets.yml only - using same method as Rails
83
+ erb_result = ERB.new(secrets_path.read).result
84
+ all_secrets = YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(erb_result) : YAML.load(erb_result)
84
85
 
85
86
  env_secrets = all_secrets[env.to_s]
86
87
  return env_secrets.deep_symbolize_keys if env_secrets
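Review bot: lines 83–84 duplicate the ERB-then-YAML sequence from the `@@ -66` hunk above, with the same `unsafe_load` concern; move it into one private helper (for example a `parse_yaml(source)` that returns `{}` for a nil result) so the loading policy lives in one place and a future fix only has to be made once. Unlike the earlier hunk this method has no `||= {}` guard: an empty or comment-only `secrets.yml` makes `unsafe_load` return nil (false on older Psych), and `all_secrets[env.to_s]` on line 85 then raises `NoMethodError` instead of falling through to the `return ... if env_secrets` path.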
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module Secvault
4
- VERSION = "3.1.0"
4
+ VERSION = "3.2.0"
5
5
  end
data/lib/secvault.rb CHANGED
@@ -267,9 +267,6 @@ module Secvault
267
267
 
268
268
  Rails.logger&.info "[Secvault] Hot reload enabled. Use reload_secrets! to refresh secrets." unless defined?(Rails) && Rails.env.respond_to?(:production?) && Rails.env.production?
269
269
  end
270
-
271
- public
272
-
273
270
  end
274
271
 
275
272
  # Auto-install and setup when Rails is available
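Review bot: removing the bare `public` at old lines 270–272 changes method visibility only if a `private` or `protected` section precedes it in the same module body; the hunk does not show the lines above 267, so confirm whether any method defined after this point (old line 274 onwards) relied on that reset, or it will silently become private and raise `NoMethodError` at its call sites. If nothing follows, the removal is harmless cleanup.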
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: secvault
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.1.0
4
+ version: 3.2.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Unnikrishnan KP
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2025-09-23 00:00:00.000000000 Z
11
+ date: 2025-09-30 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rails
@@ -38,6 +38,20 @@ dependencies:
38
38
  - - "~>"
39
39
  - !ruby/object:Gem::Version
40
40
  version: '2.6'
41
+ - !ruby/object:Gem::Dependency
42
+ name: rspec_junit_formatter
43
+ requirement: !ruby/object:Gem::Requirement
44
+ requirements:
45
+ - - "~>"
46
+ - !ruby/object:Gem::Version
47
+ version: '0.6'
48
+ type: :development
49
+ prerelease: false
50
+ version_requirements: !ruby/object:Gem::Requirement
51
+ requirements:
52
+ - - "~>"
53
+ - !ruby/object:Gem::Version
54
+ version: '0.6'
41
55
  description: Secvault restores the classic Rails secrets.yml functionality that was
42
56
  removed in Rails 7.2, using simple, plain YAML files for environment-specific secrets
43
57
  management. Compatible with Rails 7.1+, 7.2+ and 8.0+.
@@ -52,6 +66,7 @@ files:
52
66
  - LICENSE.txt
53
67
  - README.md
54
68
  - Rakefile
69
+ - SECURITY.md
55
70
  - lib/secvault.rb
56
71
  - lib/secvault/rails_secrets.rb
57
72
  - lib/secvault/railtie.rb
@@ -73,7 +88,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
73
88
  requirements:
74
89
  - - ">="
75
90
  - !ruby/object:Gem::Version
76
- version: 3.0.0
91
+ version: 3.2.0
77
92
  required_rubygems_version: !ruby/object:Gem::Requirement
78
93
  requirements:
79
94
  - - ">="
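Review bot: raising `required_ruby_version` from 3.0.0 to 3.2.0 (line 91) drops Ruby 3.0 and 3.1 in what is otherwise a minor bump (3.1.0 → 3.2.0); `gem install` and `bundle update` on those interpreters will now refuse the gem. Either bump the major version or at least call the change out in the README and CHANGELOG (the README hunk in this diff only adds a CI badge), and make sure the CI matrix behind that new badge actually runs the stated minimum, 3.2, so the floor is tested rather than assumed.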