How is security broken?

• Impossible to test for all possible vulnerabilities
• Hackers are always one step ahead
• Patching one vulnerability can lead to exposing new ones
...completely failed to come up with even the most rudimentary usable frameworks for understanding the security of modern software. – Michal Zalewski, The Tangled Web
class User < ActiveRecord::Base
  # Only these schemes are accepted for the website field; anything else
  # (javascript:, data:, file:, ...) is rejected.
  WHITELISTED_URI_SCHEMES = %w( http https )

  validate :check_uri_scheme

  private

  def check_uri_scheme
    begin
      uri = URI.parse(website)
      # A value such as "example.com" parses with a nil scheme; to_s turns
      # that into "" so the check rejects it instead of raising NoMethodError.
      unless WHITELISTED_URI_SCHEMES.include?(uri.scheme.to_s.downcase)
        errors.add :website, 'is not an allowed URI scheme'
      end
    rescue URI::InvalidURIError
      errors.add :website, 'is not a valid URI'
    end
  end
end
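The same whitelist check as a plain function, so it can be run without ActiveRecord and exercised against the inputs that matter (mixed-case schemes, a missing scheme, an unparsable value). This is an added example, not the slide's code; `website_error` and `ALLOWED_URI_SCHEMES` are names chosen here.

```ruby
require 'uri'

# Added example (not the slide's code): the scheme whitelist as a standalone
# function. Returns nil when the value is acceptable, otherwise the error
# message the model validation would record.
ALLOWED_URI_SCHEMES = %w(http https).freeze

def website_error(value)
  uri = URI.parse(value.to_s)
  # URI.parse("example.com") yields a nil scheme; String#downcase on nil would
  # raise, so a missing scheme is treated as "not allowed" rather than crashing.
  scheme = uri.scheme.to_s.downcase
  return 'is not an allowed URI scheme' unless ALLOWED_URI_SCHEMES.include?(scheme)
  nil
rescue URI::InvalidURIError
  'is not a valid URI'
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: accepted, mixed case, non-whitelisted scheme,
  # scheme-less, and syntactically invalid.
  ['https://example.com', 'HTTP://example.com', 'JavaScript:alert(1)',
   'example.com', 'data:text/html,hi', 'http://exa mple.com'].each do |v|
    puts "#{v.inspect} => #{website_error(v).inspect}"
  end
end
```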