Why is Net::HTTP's set_debug_output dangerous if used in production?

Looking at the code, there is no other security hole, except for the fact that everything in the HTTP protocol is passed to the stream you provide. If you don't take care and the output is put somewhere you don't suspect it, this could expose the internal workings of you application.

IMHO, the statement in the documentation is pretty hard and doesn't provide a good explanation regarding the security hole. I think the comment should read something along the lines of:

Be careful and sit on your hands before you type, since setting a debug_output will expose the complete HTTP protocol (including possible sensitive information) to the stream that is passed in.

Long story short: there is no "hidden" security hole.

set_debug_output(output) could expose sensitive user data.

At lines https://github.com/ruby/ruby/blob/trunk/lib/net/protocol.rb#L159 and https://github.com/ruby/ruby/blob/trunk/lib/net/protocol.rb#L196 all traffic is returned to whatever output is provided and that could expose session ids, login credentials, credit card information, etc...

In the following example, the SENSITIVE DATA could be exposed to either $stdout or $stderr even when using SSL

require "net/https"require "uri"uri = URI.parse("https://ssltest7.bbtest.net/")http = Net::HTTP.new(uri.host, uri.port)http.use_ssl = truehttp.verify_mode = OpenSSL::SSL::VERIFY_NONE#SECURITY HOLEhttp.set_debug_output($stdout)request = Net::HTTP::Post.new(uri.request_uri)request.set_form_data({"SENSITIVE" => "DATA"})response = http.request(request)

More Net::HTTP examples

It could be due to the fact that setting debug on would allow your site to leak more information to an attacker. If someone was trying to break in, they could see exactly the errors they are causing, and thus make it easier to reverse engineer how your site works.