Segurança no Rails

Segurança no Rails

O Rails é um framework muito mais seguro do que você imagina. Infelizmente nem todo desenvolvedor faz a sua parte para garantir que a aplicação continue assim. Nessa palestra você verá alguns vetores de ataque utilizados, porque é importante manter seu aplicativo atualizado e conhecer algumas boas práticas para minimizar as chances de ser hackeado.

Cb5d9e9095cd41b636764a85e57ade4b?s=128

Nando Vieira

November 23, 2013
Tweet

Transcript

  1. 2.
  2. 10.

    Injection Broken Authentication & Session Management Cross-Site Scripting (XSS) Insecure

    Direct Object References Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery (CSRF) Using Components with Known Vulnerability Unvalidated Redirects and Forwards OWASP — TOP 10 2013
  3. 26.
  4. 38.
  5. 40.

    @fnando $ http http://localhost:9292/ HTTP/1.1 200 OK Cache-Control: max-age=0, private,

    must-revalidate Connection: Keep-Alive Content-Length: 1313 Content-Type: text/html; charset=utf-8 Date: Fri, 27 Sep 2013 23:41:57 GMT Etag: "b313808d614f80d3d28848edf101ef4b" Server: WEBrick/1.3.1 (Ruby/2.0.0/2013-06-27) Set-Cookie: _rails3-app_session=BAh7CEki...3Npa9d; path=/; HttpOnly X-Request-Id: c0f73c4949d60ef75c3d1d8fdf5c15d5 X-Runtime: 0.054038 X-Ua-Compatible: IE=Edge
  6. 41.
  7. 51.

    @fnando class SessionsController < ApplicationController def create user = User.find_by_email(params[:email])

    if user && user.authenticate(params[:password]) reset_session session[:user_id] = user.id redirect_to dashboard_path else render :new end end end
  8. 54.
  9. 59.

    @fnando class ReturnUrl attr_reader :default_url def initialize(default_url) @default_url = default_url

    end ! def return_url(url) return default_url if url.blank? ! uri = URI.parse(url) path = uri.path path << "?#{uri.query}" if uri.query path << "##{uri.fragment}" if uri.fragment path end end
  10. 63.
  11. 67.

    @fnando email = " ' OR 1) --" User.where("email =

    '#{email}'").first #=> #<User id: 1, email: "john@example.org"> ! id = "1) OR 1=1--" User.delete_all("id = #{id}")
  12. 69.

    @fnando # Using a hash User.where(email: params[:email]) ! # Using

    placeholders User.where("name LIKE ?", "%#{params[:name]}%") ! # Using named placeholders User.where("name LIKE :name", name: "%#{params[:name]}%")
  13. 74.

    @fnando params[:column] = <<-SQL salary) FROM users WHERE email =

    'john@example.org'; SQL ! User.calculate(:sum, params[:column]) #=> 4200
  14. 86.

    @fnando require "active_model" require "uri" ! class UrlValidator < ActiveModel::EachValidator

    PROTOCOLS = %w[http https] ! def validate_each(record, attribute, value) uri = URI.parse(value) valid = PROTOCOLS.include?(uri.scheme) rescue URI::InvalidURIError valid = false ensure record.errors.add(attribute, :invalid_url) unless valid end end
  15. 100.

    @fnando class Article < ActiveRecord::Base # Completely remove unsafe and/or

    # unknown tags. html_fragment :body, scrub: :prune end
  16. 102.

    @fnando def annotation(text) %[<em class="annotation">#{text}</em>].html_safe end def annotation(text) content_tag :em,

    text, class: "annotation" end def annotation(text) %[<em class="annotation">#{h(text)}</em>].html_safe end
  17. 112.
  18. 114.