Why is Net::HTTP's set_debug_output dangerous if used in production?
Looking at the code, there is no other security hole, except for the fact that everything in the HTTP protocol is passed to the stream you provide. If you don't take care and the output is put somewhere you don't suspect it, this could expose the internal workings of your application.
IMHO, the statement in the documentation is pretty hard and doesn't provide a good explanation regarding the security hole. I think the comment should read something along the lines of:
Be careful and sit on your hands before you type, since setting a debug_output will expose the complete HTTP protocol (including possible sensitive information) to the stream that is passed in.
Long story short: there is no "hidden" security hole.
set_debug_output(output) could expose sensitive user data.
At lines https://github.com/ruby/ruby/blob/trunk/lib/net/protocol.rb#L159 and https://github.com/ruby/ruby/blob/trunk/lib/net/protocol.rb#L196 all traffic is returned to whatever output is provided, and that could expose session ids, login credentials, credit card information, etc.
In the following example, the SENSITIVE DATA could be exposed to either $stdout or $stderr, even when using SSL:
require "net/https"
require "uri"

uri = URI.parse("https://ssltest7.bbtest.net/")
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
# VERIFY_NONE disables certificate verification; it is used here only against the test host
http.verify_mode = OpenSSL::SSL::VERIFY_NONE

# SECURITY HOLE: every byte of the request and response (headers and body) is echoed to $stdout
http.set_debug_output($stdout)

request = Net::HTTP::Post.new(uri.request_uri)
request.set_form_data({"SENSITIVE" => "DATA"})
response = http.request(request)
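If you do need protocol-level logging in production, the mitigation is to redact before the bytes reach the log. The following is an added example, not code from either answer or from Ruby's net/http: Net::HTTP only ever calls `<<` on the object passed to set_debug_output, so a small wrapper with that method can stand in for $stdout and redact secrets on the way through. The header and form-field names it redacts by default are assumptions; extend them for your application.

```ruby
require "net/http"
require "stringio"

# A redacting sink for Net::HTTP#set_debug_output (added example).
# Net::HTTP/BufferedIO write "-> <dumped bytes>", "<- <dumped bytes>" and
# connection messages through `<<`, so this object can replace $stdout.
class RedactingDebugOutput
  # Assumed defaults; pass your own lists to the constructor.
  DEFAULT_HEADERS = %w[authorization proxy-authorization cookie set-cookie x-api-key].freeze
  DEFAULT_FIELDS  = %w[password passwd token secret card].freeze

  def initialize(io, headers: DEFAULT_HEADERS, fields: DEFAULT_FIELDS)
    @io = io
    # Debug lines are String#dump output, so a CRLF appears as the four
    # characters \r\n; a header value therefore ends at a backslash, quote or newline.
    @header_re = /((?:#{Regexp.union(headers).source}):\s*)[^\\"\n]*/i
    # Form fields are key=value pairs; the value ends at &, whitespace, quote or backslash.
    @field_re  = /((?:#{Regexp.union(fields).source})[^=&\s"\\]*=)[^&\s"\\]*/i
  end

  # Called by Net::HTTP for every chunk sent or received.
  def <<(str)
    @io << redact(str.to_s)
    self
  end

  # Replace secret header values and secret form-field values with a marker.
  def redact(str)
    str.gsub(@header_re, '\1[REDACTED]').gsub(@field_re, '\1[REDACTED]')
  end
end

# Usage, mirroring the question's example but keeping the form field out of the log:
#   http.set_debug_output(RedactingDebugOutput.new($stderr, fields: %w[SENSITIVE]))
```

Over-redaction is the safe failure mode here: if a name you list also appears as a prefix of a harmless field, that field is masked too.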