Api Key Exposure in Hanami with Oracle Db

Hanami is a Ruby web framework that encourages explicit, layered architecture. When Hanami applications interact with an Oracle Db instance, developers often manage database credentials and external service tokens through environment variables or initializer files. If these keys are inadvertently exposed through logs, error messages, or misconfigured connection handling, an attacker can harvest them and move laterally within the infrastructure.

During a middleBrick scan, the Data Exposure check analyzes how an endpoint behaves when supplied with varied inputs and inspects responses for sensitive material. With Oracle Db, a common pattern is to establish a connection using a dedicated service account whose credentials are stored as environment variables. If a Hanami controller or background job logs the connection string or raises an exception that reveals the full DSN (Data Source Name), the scan flags the finding under Data Exposure because the key material appears in the response or application logs.

The combination of Hanami’s convention-over-configuration style and Oracle Db’s rich feature set can inadvertently surface sensitive information when developers rely on default logging or exception handling. For example, a misconfigured logger.level in production may capture SQL statements that include bind variables or connection identifiers, while verbose Oracle error codes may expose internal schema names or key identifiers. middleBrick’s Property Authorization and Input Validation checks complement this by verifying whether access controls are consistently enforced and whether inputs are properly sanitized before being used in queries.

Another vector involves unauthenticated endpoints that return metadata or health information. If a Hanami app exposes a status route that queries the database to confirm connectivity, and that route does not enforce authentication, middleBrick’s Authentication and Unauthenticated LLM endpoint detection can identify the risk of key leakage through indirect means, such as error messages returned by Oracle drivers when credentials are missing or malformed.

LLM/AI Security checks further highlight how an exposed key might be weaponized. If a system prompt or configuration file is accessible through an endpoint, middleBrick’s regex-based system prompt leakage detection looks for patterns associated with ChatML, Llama 2, Mistral, and Alpaca formats to ensure that key material is not embedded in responses that could be exfiltrated via prompt injection or jailbreak techniques.

Remediation focuses on ensuring that key material never reaches the response layer and that database interactions are handled with explicit, secure patterns. The following Oracle Db examples assume the use of the ruby_oci8 or activerecord-oracle_enhanced-adapter gem with Hanami.

Secure Credential Handling

Store credentials outside the codebase and reference them via environment variables. Do not log or interpolate them into error messages.

# config/initializers/database.rb
require 'securerandom'

# Use ENV variables; do not hardcode or log them
username = ENV.fetch('ORACLE_USER')
password = ENV.fetch('ORACLE_PASSWORD')
host     = ENV.fetch('ORACLE_HOST', 'localhost')
sid      = ENV.fetch('ORACLE_SID', 'XE')

connection_string = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(Host=#{host})(Port=1521))(CONNECT_DATA=(SID=#{sid})))"

# Establish connection without echoing sensitive values
begin
  ActiveRecord::Base.establish_connection(
    adapter: 'oracle_enhanced',
    username: username,
    password: password,
    connection_string: connection_string
  )
rescue => e
  # Log generic errors only; avoid exposing connection_string or credentials
  Hanami.logger.error "Database connection failed: #{e.class}"
  raise Hanami::Errors::InternalServerError
end

Parameterized Queries and Error Handling

Use bound variables to prevent SQL injection and ensure that Oracle errors do not leak schema or key details.

# app/usecases/authorize_user.rb
module AuthorizeUser
  def self.call(user_input)
    # Use placeholders; do not interpolate user_input into SQL strings
    sql = 'SELECT role FROM users WHERE username = :username'
    result = ActiveRecord::Base.connection.exec_query(sql, 'SQL', [[:username, user_input]])
    result.first
  rescue ActiveRecord::StatementInvalid => e
    # Generic handling to avoid exposing Oracle error codes or internals
    Hanami.logger.warn "Query failed: #{e.class}"
    nil
  end
end

Middleware and Logging Controls

Configure Hanami and the Oracle adapter to suppress sensitive data in logs and ensure that health checks do not expose connection strings.

# config/initializers/logging.rb
Hanami.configure do
  logger.level = Logger::INFO
  # Redact identifiable connection parameters from logs
  Hanami::Logger::Formatter.add_filter(/ORACLE_USER=\w+/, '[FILTERED]')
  Hanami::Logger::Formatter.add_filter(/ORACLE_PASSWORD=\w+/, '[FILTERED]')
end

Compliance Mapping

These practices align with multiple compliance frameworks referenced by middleBrick. For example, they support controls under OWASP API Security Top 10 (2023) A07:2021 – Identification and Authentication Failures and A05:2021 – Security Misconfiguration, as well as relevant requirements in PCI-DSS and SOC2 by ensuring that key material is not inadvertently exposed through logs or error responses.