
[SECURITY BUG] Class shown when a user enters the wrong password #26

Closed
envygeeks opened this issue Feb 4, 2012 · 4 comments

Comments

@envygeeks

While configuring Pry for the pry developers today and doing some of the most basic security tests on our server, I decided to see how well it could handle authentication, and it's basic: I put in the wrong password and it showed me everything in the class it init. If somebody were to create a blank class and put the password hash in that class, it would render the entire point of auth moot.

jordon@envygeeks:~ % pry-remote-em pryem://pry01.envygeeks.com:1337
[pry-remote-em] client connected
[pry-remote-em] remote is PryRemoteEm 0.4.2 pryem
user: envygeeks
envygeeks's password: ****

Frame number: 0/0
From: /home/pry/.bin/pry_server @ line 16 in Foo#initialize:

    11: 
    12: require 'pry-remote-em/server'
    13: 
    14: class Foo
    15:   def initialize
 => 16:     binding.remote_pry_em('10.4.5.71', 1337, auth: $auth)
    17:   end
    18: end
    19: 
    20: EM.run do
    21:   Foo.new
@gruis
Owner

gruis commented Feb 4, 2012

Yup, that's not good.

It only happens when you run it as binding.remote_pry_em ...., right?
If you start the server as some_object.remote_pry_em you won't get the dump with the password, correct?

Thanks for the report. I'll work on it today.

@envygeeks
Author

I'll test it for you right now, or well I'll have @banister test it.

@gruis gruis closed this as completed in 94538d5 Feb 4, 2012
@gruis
Owner

gruis commented Feb 4, 2012

That should fix it.

Of course, in the scenario you describe, once a user successfully logs in they can get access to the auth data and see other user/password combinations.

Perhaps a note in the readme about the security benefits of using an authenticator that is external to the process would be good.
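
The suggestion above is the real fix: keep credentials out of anything the REPL binding can reach. As an added illustration (not code from pry-remote-em or from this thread), here is the pattern from the report next to an authenticator that holds only salted PBKDF2 digests, so a user who logs in and inspects it learns no other user's password; it assumes pry-remote-em accepts an object responding to call(user, password) for the auth: option, and the credentials are constructed samples.

```ruby
require 'openssl'
require 'securerandom'

# Pattern from the report: a plain Hash of user => password in a global.
# Anything that can read the session binding can read every password here.
$auth = { 'envygeeks' => 'hunter2' } # constructed sample credentials

# Hardened pattern: store only salt + PBKDF2 digest per user and answer
# yes/no. Dumping the object (or this process) yields no usable password.
class DigestAuthenticator
  ITERATIONS = 100_000
  KEY_LEN    = 32

  def initialize
    @users = {} # user => [salt, digest]
    # Dummy entry so unknown users cost the same work as known ones.
    dummy_salt = SecureRandom.random_bytes(16)
    @dummy = [dummy_salt, derive('', dummy_salt)]
  end

  def add_user(user, password)
    salt = SecureRandom.random_bytes(16)
    @users[user] = [salt, derive(password, salt)]
    self
  end

  # Assumed authenticator contract: call(user, password) -> true/false.
  def call(user, password)
    salt, stored = @users.fetch(user, @dummy)
    matched = secure_compare(derive(password.to_s, salt), stored)
    matched && @users.key?(user)
  end

  # Pry prints #inspect when it dumps an object; keep secrets out of it.
  def inspect
    "#<#{self.class.name} users=#{@users.keys.inspect}>"
  end

  private

  def derive(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LEN, 'sha256')
  end

  # Constant-time comparison: no early exit on the first differing byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end
```

With this in place the server would be started as binding.remote_pry_em(host, port, auth: DigestAuthenticator.new.add_user('envygeeks', 'hunter2')) instead of auth: $auth.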

@gruis
Owner

gruis commented Feb 5, 2012
