What are the security concerns of the following scenario? (This is one of those crazy ideas that someone will try, and maybe it's a good idea, and maybe it's a terrible idea...)
You have a Rails app at example.com, and an action at https://example.com/admin/update_app
This action has the following requirements:
- It requires https (and redirects if not on https)
- It requires admin access
- The action displays a page with a form that says "Repository password: [ ]"
- This field is filtered out of the server logs, the same way that authentication to the site is filtered out, via the log filtering mechanism in Rails (i.e. this method)
This action does the following:
- You put your code repository password in the field and hit "Submit"
- The action starts a shell script which pulls the latest updates from the stable branch of your code repository, and applies them to the site (unless repository authentication fails, in which case it stops all further steps)
- The web server is restarted
- An email is sent to the admin saying something simple like, "App update complete"
Don't send the password. The app could be compromised and trojaned or the filtering could fail. Instead, grant the web app read-only access to the repository via a separate account or public access.
Don't restart the server if there are no changes. Then the action is secure even without access control: unless the developer has authorized the update by updating the stable branch, nothing happens. If the stable branch is not so stable, create a separate production branch for this.
Stop the webserver before doing the update. The app might not be secure or safe to use as a mix of files from different versions.
Make sure the web server doesn't serve any metadata files left by the VCS.
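The answer above amounts to a procedure: give the app read-only repository access instead of sending a password, fetch and do nothing if the production branch has not moved, stop the server before touching files, restart it, and make sure no VCS metadata ends up in the served tree. The following deploy script is an added example written to those recommendations; it is not code from the question or the answer. The `/var/www/example.com/app` path, the `production` branch name, the `origin` remote having been configured with read-only credentials (deploy key or public URL), and the stub `stop_server`, `start_server` and `notify` functions are all assumptions made here.

```shell
#!/bin/sh
# Added example (not from the original post): a pull-based deploy script that
# follows the answer's advice. Assumptions: the checkout lives in $APP_DIR, its
# "origin" remote already carries read-only credentials (deploy key or public
# repository) so no password is ever taken from the web form, the deployed
# branch is $BRANCH, and the three stub functions stand in for host-specific
# service control and mail commands.
set -eu

APP_DIR="${APP_DIR:-/var/www/example.com/app}"
BRANCH="${BRANCH:-production}"
ADMIN_EMAIL="${ADMIN_EMAIL:-admin@example.com}"

# Stubs: replace with the real commands (e.g. systemctl stop/start, sendmail).
stop_server()  { echo "web server stopped"; }
start_server() { echo "web server started"; }
notify()       { echo "mail to $ADMIN_EMAIL: $1"; }

# Fetch only. Whatever credentials "origin" has are read-only, so even a
# trojaned app running this script cannot alter the repository.
fetch_branch() {
  git -C "$APP_DIR" fetch --quiet origin
}

# Exit 0 when origin/$BRANCH differs from the checked-out revision, 1 when
# nothing changed. Nothing else happens unless a developer moved the branch.
update_available() {
  [ "$(git -C "$APP_DIR" rev-parse HEAD)" != \
    "$(git -C "$APP_DIR" rev-parse "origin/$BRANCH")" ]
}

# Exit 0 when the directory tree contains no .git/.svn/.hg entries, 1 when it
# does. Run against the web root (Rails: public/) so a misconfigured server
# cannot hand out .git/config or similar to anyone who asks.
no_vcs_metadata_in() {
  [ -z "$(find "$1" \( -name .git -o -name .svn -o -name .hg \) -prune -print \
          | head -n 1)" ]
}

# Full update: fetch, skip if unchanged, stop, switch revision, check, restart.
deploy() {
  fetch_branch
  if ! update_available; then
    echo "no changes on origin/$BRANCH; leaving the server running"
    return 0
  fi
  stop_server    # never serve a tree that mixes files from two versions
  # Reset the local branch to exactly what the remote branch points at.
  git -C "$APP_DIR" checkout --quiet -B "$BRANCH" "origin/$BRANCH"
  if ! no_vcs_metadata_in "$APP_DIR/public"; then
    echo "refusing to start: VCS metadata found under $APP_DIR/public" >&2
    return 1
  fi
  start_server
  notify "App update complete"
}

# Run the update only when invoked as "deploy.sh run"; sourcing the file just
# defines the functions.
case "${1:-}" in
  run) deploy ;;
esac
```

The script never receives a secret from the request: the admin action only has to invoke it, and the repository decides whether anything happens. Keeping `.git` at the application root rather than under `public/` is what makes the metadata check pass; the check is there to catch a deployment where that layout was broken.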