
Security and Rails apps


Presentation given at Café Ágil 2011 BH on web application security, with a special focus on Ruby on Rails.

danielvlopes

May 05, 2011


Transcript

  1. class Asset < ActiveRecord::Base
       validates_presence_of :title
       has_attached_file :document,
         :styles => { :medium => "300x300#", :thumb => "50x50#" }
       validates_attachment_size :document, :less_than => 5.megabyte
       validates_attachment_presence :document
       default_scope :order => "created_at DESC"
     end
  2. class Asset < ActiveRecord::Base
       validates_presence_of :title
       # Files are stored under uploads/, outside public/, and processing
       # errors are not raised (:whiny => false).
       has_attached_file :document,
         :path => ":rails_root/uploads/:attachment/:id/:style/:style.:extension",
         :styles => { :medium => "300x300#", :thumb => "50x50#" },
         :whiny => false
       validates_attachment_size :document, :less_than => 5.megabyte
       validates_attachment_presence :document
       # Only the whitelisted image types are accepted.
       validates_attachment_content_type :document,
         :content_type => %w(image/jpeg image/pjpeg image/gif image/png)
       default_scope :order => "created_at DESC"
     end
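The upload rules from the hardened Asset model above (size limit, content-type whitelist, storage path outside public/), rewritten as plain Ruby so they can be run without Rails or Paperclip. This is an added example, not code from the deck; the function names, the magic-byte table and the sample inputs are assumptions, and the signature check goes beyond checking the client-declared type.

```ruby
# Added example, not from the deck: plain-Ruby version of the upload rules
# (size limit, content-type whitelist, storage path outside public/) with an
# extra magic-byte check, so the declared type must match the actual bytes.
MAX_BYTES = 5 * 1024 * 1024                                # 5.megabyte
ALLOWED_TYPES = %w(image/jpeg image/pjpeg image/gif image/png).freeze
# Leading bytes each allowed type must start with (assumed table).
SIGNATURES = {
  "image/jpeg"  => ["\xFF\xD8\xFF".b],
  "image/pjpeg" => ["\xFF\xD8\xFF".b],
  "image/gif"   => ["GIF87a".b, "GIF89a".b],
  "image/png"   => ["\x89PNG\r\n\x1a\n".b],
}.freeze

# Returns a list of validation errors; an empty list means the upload passes.
def validate_upload(declared_type, bytes)
  return ["missing"] if bytes.nil? || bytes.empty?
  errors = []
  errors << "too large" if bytes.bytesize > MAX_BYTES
  if !ALLOWED_TYPES.include?(declared_type)
    errors << "content type not allowed"
  elsif SIGNATURES[declared_type].none? { |sig| bytes.b.start_with?(sig) }
    errors << "content does not match declared type"
  end
  errors
end

# Builds the slide's :path pattern under <rails_root>/uploads, which is not
# served statically, and refuses extensions that could escape the directory.
def storage_path(rails_root, attachment, id, style, extension)
  ext = extension.to_s.downcase
  return nil unless ext.match?(/\A[a-z0-9]{1,5}\z/)
  File.join(rails_root, "uploads", attachment.to_s, id.to_s, style.to_s, "#{style}.#{ext}")
end

if __FILE__ == $0
  png = "\x89PNG\r\n\x1a\n".b + "constructed sample".b         # constructed input
  p validate_upload("image/png", png)                          # []
  p validate_upload("image/png", "GIF89a sample".b)            # ["content does not match declared type"]
  p validate_upload("text/html", "<html>".b)                   # ["content type not allowed"]
  p storage_path("/srv/app", :document, 7, :thumb, "png")      # "/srv/app/uploads/document/7/thumb/thumb.png"
  p storage_path("/srv/app", :document, 7, :thumb, "../etc")   # nil
end
```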
  3. Devise
     Devise.setup do |config|
       config.mailer_sender = "[email protected]"
       require 'devise/orm/active_record'
       config.encryptor = :bcrypt
       config.pepper = "e3b0100c8c0ef8a7f09f104de3d2827f..."
       config.timeout_in = 10.minutes
       # Lock the account after repeated failed logins (brute force).
       config.lock_strategy = :failed_attempts
       config.maximum_attempts = 20
       config.unlock_strategy = :both # email and time
       config.unlock_in = 1.hour
     end
  4. Spam
     gem 'reverse_captcha'

     class Comment < ActiveRecord::Base
       captcha :nickname
     end

     <%= form_for @comment do |f| %>
       ...
       <%= f.captcha %>
     <% end %>

     gem 'recaptcha'
     gem 'captcha'
  5. Log Filter
     require File.expand_path('../boot', __FILE__)
     require 'rails/all'
     Bundler.require(:default, Rails.env) if defined?(Bundler)

     module Producer
       class Application < Rails::Application
         config.autoload_paths += %W(#{config.root}/app/sweepers)
         config.i18n.default_locale = "pt-BR"
         config.encoding = "utf-8"
         # These parameters are replaced by [FILTERED] in the logs.
         config.filter_parameters += [:password, :credit_card, :cnpj, :cpf]
         ...
       end
     end
  6. ☐ Mass Assign.
     ☐ Parameters
     ☐ SQL Inject.
     ☐ XSS
     ☐ CSRF
     ☐ File System
     ☐ Brute Force
     ☐ Spams
     ☐ Log
     ☐ Session
  7. ☑ Mass Assign.
     ☑ Parameters
     ☑ SQL Inject.
     ☑ XSS
     ☑ CSRF
     ☑ File System
     ☑ Brute Force
     ☑ Spams
     ☑ Log