$30 off During Our Annual Pro Sale. View Details »
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Writing Secure(r) Rails Apps
Search
Jon Canady
September 16, 2013
Programming
0
120
Writing Secure(r) Rails Apps
Three quick rules to keep in mind to ensure your Rails apps are just a little bit more secure.
Jon Canady
September 16, 2013
Tweet
Share
More Decks by Jon Canady
See All by Jon Canady
Basics of Rails Security
joncanady
1
68
What Is Rspec?
joncanady
0
120
Ruby on Rails Presenters
joncanady
2
240
Other Decks in Programming
See All in Programming
20 years of Symfony, what's next?
fabpot
2
310
Media Capture and Streams: W3C仕様と現場での知見
nowaki28
0
130
【Streamlit x Snowflake】データ基盤からアプリ開発・AI活用まで、すべてをSnowflake内で実現
ayumu_yamaguchi
1
110
DSPy Meetup Tokyo #1 - はじめてのDSPy
masahiro_nishimi
1
150
Reactive Thinking with Signals and the new Resource API
manfredsteyer
PRO
0
160
C-Shared Buildで突破するAI Agent バックテストの壁
po3rin
0
120
MAP, Jigsaw, Code Golf 振り返り会 by 関東Kaggler会|Jigsaw 15th Solution
hasibirok0
0
210
sbt 2
xuwei_k
0
180
バックエンドエンジニアによる Amebaブログ K8s 基盤への CronJobの導入・運用経験
sunabig
0
130
251126 TestState APIってなんだっけ?Step Functionsテストどう変わる?
east_takumi
0
300
Microservices Platforms: When Team Topologies Meets Microservices Patterns
cer
PRO
1
910
tparseでgo testの出力を見やすくする
utgwkk
1
130
Featured
See All Featured
Making Projects Easy
brettharned
120
6.5k
Optimizing for Happiness
mojombo
379
70k
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
tammyeverts
10
700
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
16
1.8k
Building a Scalable Design System with Sketch
lauravandoore
463
34k
Documentation Writing (for coders)
carmenintech
76
5.2k
The Cost Of JavaScript in 2023
addyosmani
55
9.3k
Docker and Python
trallard
46
3.7k
The Straight Up "How To Draw Better" Workshop
denniskardys
239
140k
Stop Working from a Prison Cell
hatefulcrawdad
273
21k
jQuery: Nuts, Bolts and Bling
dougneiner
65
8.1k
Agile that works and the tools we love
rasmusluckow
331
21k
Transcript
Sunday, September 15, 13
Secure Rails Apps r Sunday, September 15, 13
https://www.owasp.org/index.php/Top_10_2013-Top_10 Sunday, September 15, 13
DON’T TRUST USERS RULE #1 Sunday, September 15, 13
Author.where("publisher_name = #{params[:publisher_name]}") SQL Injection Sunday, September 15, 13
Author.where(publisher_name: params[:publisher_name]) Better Example Sunday, September 15, 13
Author.where("publisher_name LIKE ?", "%#{params[:publisher_name]}%") Better Example Sunday, September 15, 13
`ghostscript #{params[:user_filename]}` Shell Injection Sunday, September 15, 13
file = params[:user_filename].shellescape `ghostscript #{file}` Better Example Sunday, September 15,
13
"<b>Updated display name: #{@user.name}</b>".html_safe Cross-Site Scripting Sunday, September 15, 13
In Review User input is dangerous. Even after it’s saved
to the database! Sunday, September 15, 13
RULE #2 LOCK DOWN SENSITIVE DATA Sunday, September 15, 13
before_filter :require_admin private def require_admin unless current_user.admin? flash[:error] = "You
must be logged in to access this section" redirect_to root_url end end Sunday, September 15, 13
CanCan ryanb/cancan Sunday, September 15, 13
class Ability include CanCan::Ability def initialize user can :read, Post,
account_id: user.account_id end end Sunday, September 15, 13
class PostsController < ApplicationController load_and_authorize_resource # ... end Sunday, September
15, 13
<option value="120">Alan <option value="121">Bria Sunday, September 15, 13
<option value="a45b121"> <option value="7e659aa"> Stop Using Database IDs Sunday, September
15, 13
Sunday, September 15, 13
Sunday, September 15, 13
In Review Restrict what users can access Validate incoming data
Keep your secrets secret Sunday, September 15, 13
RULE #3 KEEP STUFF UP-TO-DATE! Sunday, September 15, 13
Sunday, September 15, 13
Rails ruby interpreter database adapter authentication view templates javascript Sunday,
September 15, 13
Sunday, September 15, 13
YOU! https://groups.google.com/forum/#! forum/rubyonrails-security https://www.ruby-lang.org/en/ security/ http://guides.rubyonrails.org/ security.html Sunday, September 15,
13
In Review Keep gems up-to-date Keep learning Sunday, September 15,
13
Sunday, September 15, 13
joncanady
fabpot
nowaki28
ayumu_yamaguchi
masahiro_nishimi
manfredsteyer
po3rin
hasibirok0
xuwei_k
sunabig
east_takumi
cer
utgwkk
brettharned
mojombo
tammyeverts
reverentgeek
lauravandoore
carmenintech
addyosmani
trallard
denniskardys
hatefulcrawdad
dougneiner
rasmusluckow
![Author.where("publisher_name = #{params[:publisher_name]}") SQL Injection Sunday, September 15, 13](https://files.speakerdeck.com/presentations/62a7b47000a70131be1f026ba03981e0/slide_4.jpg){kind=link}
![Author.where(publisher_name: params[:publisher_name]) Better Example Sunday, September 15, 13](https://files.speakerdeck.com/presentations/62a7b47000a70131be1f026ba03981e0/slide_5.jpg){kind=link}
![Author.where("publisher_name LIKE ?", "%#{params[:publisher_name]}%") Better Example Sunday, September 15, 13](https://files.speakerdeck.com/presentations/62a7b47000a70131be1f026ba03981e0/slide_6.jpg){kind=link}
![`ghostscript #{params[:user_filename]}` Shell Injection Sunday, September 15, 13](https://files.speakerdeck.com/presentations/62a7b47000a70131be1f026ba03981e0/slide_7.jpg){kind=link}
![file = params[:user_filename].shellescape `ghostscript #{file}` Better Example Sunday, September 15,](https://files.speakerdeck.com/presentations/62a7b47000a70131be1f026ba03981e0/slide_8.jpg){kind=link}
![before_filter :require_admin private def require_admin unless current_user.admin? flash[:error] = "You](https://files.speakerdeck.com/presentations/62a7b47000a70131be1f026ba03981e0/slide_12.jpg){kind=link}
