HIGH api key exposurehanamicockroachdb

Api Key Exposure in Hanami with Cockroachdb

Scan for api key exposure in hanami

Api Key Exposure in Hanami with Cockroachdb — how this specific combination creates or exposes the vulnerability

In Hanami applications that connect to Cockroachdb, API key exposure often arises from how database credentials and connection strings are managed and logged. Hanami, by default, loads environment variables into its configuration and passes them to the underlying database driver. If a developer accidentally commits a database.yml or equivalent configuration containing the Cockroachdb connection string with embedded credentials to version control, the API key (often a username/password or client certificate) becomes part of the repository history and potentially exposed via source code visibility.

When the application starts, Hanami establishes a connection to Cockroachdb using a URI such as cockroachdb://user:password@host:26257/defaultdb?sslmode=require. If this URI is constructed dynamically using environment variables that are printed to logs or exposed through error messages (for example, in a rescue block that logs the full connection URI), the API key can be leaked to anyone with access to application logs or crash reports.

The risk is compounded because Cockroachdb often runs in distributed or cloud environments where endpoints are publicly reachable. Without strict network controls or authentication, an exposed connection string can allow unauthorized access to sensitive data. Furthermore, Hanami’s convention-over-configuration approach may lead developers to omit explicit credential handling, relying on defaults that inadvertently expose sensitive information in stack traces or monitoring output.

During a middleBrick scan, findings related to this pattern may surface under Data Exposure and Authentication checks. The scanner detects that connection strings or credentials appear in observable surfaces such as logs, error pages, or unauthenticated endpoints. This does not imply that middleBrick can view your database contents, but it highlights that the API key used to reach Cockroachdb is not being adequately isolated from public-facing attack surfaces.

To illustrate, consider a typical Hanami initializer that sets up the database connection:

require 'hanami/setup'
require 'hanami/model'

Hanami::Model.configure do
  # WARNING: embedding credentials directly is unsafe
  url 'cockroachdb://root:[email protected]:26257/app_production?sslmode=require'
end

Hanami::Model.relation(:users)
Hanami::Model.migration.up

In this example, the API key (the password secret123) is hardcoded. If the application raises an unhandled exception and the full configuration is included in the error report, the key is exposed. A safer approach uses environment variables and avoids logging the full URI.

Cockroachdb-Specific Remediation in Hanami — concrete code fixes

Remediation focuses on ensuring that the Cockroachdb connection string and API keys never appear in source code, logs, or error output. Use environment variables and a secure configuration loader, and ensure that any logging in Hanami filters out sensitive connection details.

First, define your connection URI using environment variables, and validate their presence at startup:

require 'hanami/setup'
require 'hanami/model'

database_url = ENV.fetch('COCKROACHDB_DATABASE_URL')
raise 'COCKROACHDB_DATABASE_URL must be set' if database_url.nil? || database_url.empty?

Hanami::Model.configure do
  url database_url
end

Hanami::Model.relation(:users)
Hanami::Model.migration.up

Set the environment variable externally, for example:

export COCKROACHDB_DATABASE_URL='cockroachdb://${DB_USER}:${DB_PASSWORD}@${DB_HOST}:26257/${DB_NAME}?sslmode=require'

Second, override logging in Hanami to prevent connection details from appearing in logs. Configure the model logger to suppress sensitive data:

# config/initializers/logging.rb
if defined?(Hanami::Model)
  Hanami::Model.logger = Logger.new($stdout)
  Hanami::Model.logger.level = Logger::INFO

  # Prevent logging of connection setup details
  original_connect = Hanami::Model::Adapter::Connection.instance_method(:connect)
  Hanami::Model::Adapter::Connection.define_method(:connect) do
    Hanami::Model.logger.info 'Connecting to database (credentials omitted)'
    original_connect.bind(self).call
  end
end

Third, use Cockroachdb’s built-in role-based access control to limit what the API key can do, even if exposed. Create a dedicated user with minimal privileges:

-- In Cockroachdb SQL, executed by an admin
CREATE USER hanami_app WITH PASSWORD 'strong_password_here';
GRANT SELECT, INSERT, UPDATE ON TABLE users TO hanami_app;
REVOKE ALL ON DATABASE system FROM hanami_app;

Finally, integrate middleBrick into your workflow using the CLI or GitHub Action to detect any remaining exposure of credentials in your API surface. The scanner checks for authentication weaknesses and data exposure patterns that could allow an attacker to leverage an exposed Cockroachdb connection string.

For ongoing protection, use the Pro plan to enable continuous monitoring and CI/CD integration, so that any future commit containing a hardcoded URI fails the build before reaching production.

Scan for api key exposure in hanami Free API security scan

Frequently Asked Questions

Can middleBrick remove an exposed API key from my repository?
middleBrick detects and reports exposed API keys with remediation guidance, but it does not modify or remove secrets from repositories. You must rotate the key and clean your repository history manually.
Does using environment variables fully prevent API key exposure in Hanami?
Environment variables reduce the risk of accidental commits, but they can still be logged or exposed through error messages. Always filter logs and restrict database user privileges in Cockroachdb to minimize impact.

Related Pages

Api Key Exposure in HanamiLearn how API key exposure manifests in Hanami applications, how to detect it with middleBrick's specialized scanning, aApi Key Exposure in CockroachdbDetect and fix API key exposure in CockroachDB apps. Learn attack patterns, scanning with middleBrick, and remediation uApi Key Exposure in Hanami on GcpDetect and remediate API key exposure in Hanami on GCP with secure authentication patterns and middleBrick scanning.Api Key Exposure in Hanami on CloudflareLearn how API keys can be exposed in Hanami apps behind Cloudflare and apply concrete fixes. middleBrick scans detect daPci Dss: Api Key Exposure in HanamiExplore how API key exposure intersects with PCI DSS in Hanami apps and apply concrete Hanami code fixes to keep keys seSoc2: Api Key Exposure in HanamiUnderstand SOC2 implications of API key exposure in Hanami apps and apply secure Hanami code patterns to protect credentIso 27001: Api Key Exposure in HanamiExplore ISO 27001 controls for API key exposure in Hanami apps, with secure code examples and remediation guidance.Cis: Api Key Exposure in HanamiCIS controls and Hanami patterns for preventing API key exposure, with secure configuration and logging examples.Api Key Exposure in Hanami with Mutual TlsHanami API key exposure with mutual TLS: causes and concrete Hanami code fixes to prevent leakage in responses and logs.Api Key Exposure in Hanami with Api KeysExplore Api Key Exposure in Hanami with Api Keys, understand the risks, and apply concrete code fixes to protect secretsApi Key Exposure in Hanami with Bearer TokensExplore Api Key Exposure in Hanami with Bearer Tokens: understand risks and apply concrete code fixes to protect tokens.Api Key Exposure in Hanami with Hmac SignaturesLearn how Api Key Exposure can occur with Hanami and Hmac Signatures, and apply concrete code fixes to secure your endpo