Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Writing Secure(r) Rails Apps
Search
Jon Canady
September 16, 2013
Programming
0
110
Writing Secure(r) Rails Apps
Three quick rules to keep in mind to ensure your Rails apps are just a little bit more secure.
Jon Canady
September 16, 2013
Tweet
Share
More Decks by Jon Canady
See All by Jon Canady
Basics of Rails Security
joncanady
1
67
What Is Rspec?
joncanady
0
120
Ruby on Rails Presenters
joncanady
2
240
Other Decks in Programming
See All in Programming
Amazon RDS 向けに提供されている MCP Server と仕組みを調べてみた/jawsug-okayama-2025-aurora-mcp
takahashiikki
1
110
How Android Uses Data Structures Behind The Scenes
l2hyunwoo
0
450
MCPでVibe Working。そして、結局はContext Eng(略)/ Working with Vibe on MCP And Context Eng
rkaga
5
2.3k
ユーザーも開発者も悩ませない TV アプリ開発 ~Compose の内部実装から学ぶフォーカス制御~
taked137
0
180
Updates on MLS on Ruby (and maybe more)
sylph01
1
180
「待たせ上手」なスケルトンスクリーン、 そのUXの裏側
teamlab
PRO
0
530
Ruby×iOSアプリ開発 ~共に歩んだエコシステムの物語~
temoki
0
320
Design Foundational Data Engineering Observability
sucitw
3
200
Navigation 2 を 3 に移行する(予定)ためにやったこと
yokomii
0
240
Zendeskのチケットを Amazon Bedrockで 解析した
ryokosuge
3
300
print("Hello, World")
eddie
2
530
モバイルアプリからWebへの横展開を加速した話_Claude_Code_実践術.pdf
kazuyasakamoto
0
330
Featured
See All Featured
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
It's Worth the Effort
3n
187
28k
Unsuck your backbone
ammeep
671
58k
Fashionably flexible responsive web design (full day workshop)
malarkey
407
66k
Building Applications with DynamoDB
mza
96
6.6k
Code Reviewing Like a Champion
maltzj
525
40k
The Straight Up "How To Draw Better" Workshop
denniskardys
236
140k
Making Projects Easy
brettharned
117
6.4k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
51
5.6k
YesSQL, Process and Tooling at Scale
rocio
173
14k
Designing Experiences People Love
moore
142
24k
Scaling GitHub
holman
463
140k
Transcript
Sunday, September 15, 13
Secure Rails Apps r Sunday, September 15, 13
https://www.owasp.org/index.php/Top_10_2013-Top_10 Sunday, September 15, 13
DON’T TRUST USERS RULE #1 Sunday, September 15, 13
Author.where("publisher_name = #{params[:publisher_name]}") SQL Injection Sunday, September 15, 13
Author.where(publisher_name: params[:publisher_name]) Better Example Sunday, September 15, 13
Author.where("publisher_name LIKE ?", "%#{params[:publisher_name]}%") Better Example Sunday, September 15, 13
`ghostscript #{params[:user_filename]}` Shell Injection Sunday, September 15, 13
file = params[:user_filename].shellescape `ghostscript #{file}` Better Example Sunday, September 15,
13
"<b>Updated display name: #{@user.name}</b>".html_safe Cross-Site Scripting Sunday, September 15, 13
In Review User input is dangerous. Even after it’s saved
to the database! Sunday, September 15, 13
RULE #2 LOCK DOWN SENSITIVE DATA Sunday, September 15, 13
before_filter :require_admin private def require_admin unless current_user.admin? flash[:error] = "You
must be logged in to access this section" redirect_to root_url end end Sunday, September 15, 13
CanCan ryanb/cancan Sunday, September 15, 13
class Ability include CanCan::Ability def initialize user can :read, Post,
account_id: user.account_id end end Sunday, September 15, 13
class PostsController < ApplicationController load_and_authorize_resource # ... end Sunday, September
15, 13
<option value="120">Alan <option value="121">Bria Sunday, September 15, 13
<option value="a45b121"> <option value="7e659aa"> Stop Using Database IDs Sunday, September
15, 13
Sunday, September 15, 13
Sunday, September 15, 13
In Review Restrict what users can access Validate incoming data
Keep your secrets secret Sunday, September 15, 13
RULE #3 KEEP STUFF UP-TO-DATE! Sunday, September 15, 13
Sunday, September 15, 13
Rails ruby interpreter database adapter authentication view templates javascript Sunday,
September 15, 13
Sunday, September 15, 13
YOU! https://groups.google.com/forum/#! forum/rubyonrails-security https://www.ruby-lang.org/en/ security/ http://guides.rubyonrails.org/ security.html Sunday, September 15,
13
In Review Keep gems up-to-date Keep learning Sunday, September 15,
13
Sunday, September 15, 13