Writing Secure(r) Rails Apps
Jon Canady
September 16, 2013
Programming
Three quick rules to keep in mind to ensure your Rails apps are just a little bit more secure.
Transcript
Sunday, September 15, 13
Secure(r) Rails Apps

https://www.owasp.org/index.php/Top_10_2013-Top_10

RULE #1: DON'T TRUST USERS

SQL Injection:
Author.where("publisher_name = #{params[:publisher_name]}")

Better Example:
Author.where(publisher_name: params[:publisher_name])

Better Example:
Author.where("publisher_name LIKE ?", "%#{params[:publisher_name]}%")

Shell Injection:
`ghostscript #{params[:user_filename]}`

Better Example:
file = params[:user_filename].shellescape
`ghostscript #{file}`

Cross-Site Scripting:
"<b>Updated display name: #{@user.name}</b>".html_safe

In Review: User input is dangerous. Even after it's saved to the database!
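Rule #1's shell-injection and XSS fixes, as an added Ruby example that is not part of the deck: each interpolated form is placed beside its escaped counterpart, using only the standard library (Shellwords, ERB::Util) so it runs outside Rails. The function names and the two sample inputs are constructed for the illustration.

```ruby
require "shellwords"
require "erb"

# Constructed sample inputs, standing in for params[:user_filename] and @user.name.
SAMPLE_FILENAME = "scan.pdf; echo injected"
SAMPLE_NAME = "Bria <script>alert(1)</script>"

# The slide's vulnerable form: the filename is spliced straight into a shell
# command line, so ';' and spaces are interpreted by the shell.
def ghostscript_command_unsafe(user_filename)
  "ghostscript #{user_filename}"
end

# The slide's fix: Shellwords.escape (what String#shellescape calls) backslash-
# escapes every shell metacharacter, so the whole value is one literal argument.
def ghostscript_command(user_filename)
  "ghostscript #{Shellwords.escape(user_filename)}"
end

# Safer still: hand an argv array to Kernel#system or Open3 instead of a string.
# No shell parses it, so nothing needs escaping at all.
def ghostscript_argv(user_filename)
  ["ghostscript", user_filename]
end

# The slide's vulnerable form: marking the whole string html_safe means any
# tags stored in the user's name are rendered as markup.
def display_name_html_unsafe(name)
  "<b>Updated display name: #{name}</b>"
end

# Escape the untrusted part only; the static <b> wrapper stays as markup.
# Rails' h / html_escape helper is the same ERB::Util method.
def display_name_html(name)
  "<b>Updated display name: #{ERB::Util.html_escape(name)}</b>"
end

if __FILE__ == $PROGRAM_NAME
  puts ghostscript_command_unsafe(SAMPLE_FILENAME)
  puts ghostscript_command(SAMPLE_FILENAME)
  puts ghostscript_argv(SAMPLE_FILENAME).inspect
  puts display_name_html_unsafe(SAMPLE_NAME)
  puts display_name_html(SAMPLE_NAME)
end
```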
RULE #2: LOCK DOWN SENSITIVE DATA

before_filter :require_admin

private

def require_admin
  unless current_user.admin?
    flash[:error] = "You must be logged in to access this section"
    redirect_to root_url
  end
end

CanCan (ryanb/cancan)

class Ability
  include CanCan::Ability

  def initialize(user)
    can :read, Post, account_id: user.account_id
  end
end

class PostsController < ApplicationController
  load_and_authorize_resource
  # ...
end

<option value="120">Alan
<option value="121">Bria

Stop Using Database IDs:
<option value="a45b121">
<option value="7e659aa">

In Review: Restrict what users can access. Validate incoming data. Keep your secrets secret.
RULE #3: KEEP STUFF UP-TO-DATE!

Rails, ruby interpreter, database adapter, authentication, view templates, javascript

YOU!
https://groups.google.com/forum/#!forum/rubyonrails-security
https://www.ruby-lang.org/en/security/
http://guides.rubyonrails.org/security.html

In Review: Keep gems up-to-date. Keep learning.