Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Writing Secure(r) Rails Apps

Avatar for Jon Canady Jon Canady
September 16, 2013
Programming
0
120

Writing Secure(r) Rails Apps

Three quick rules to keep in mind to ensure your Rails apps are just a little bit more secure.

Avatar for Jon Canady

Jon Canady

September 16, 2013
Tweet

More Decks by Jon Canady

See All by Jon Canady
Basics of Rails Security
Avatar for Jon Canady joncanady
1
69
What Is Rspec?
Avatar for Jon Canady joncanady
0
120
Ruby on Rails Presenters
Avatar for Jon Canady joncanady
2
240

Other Decks in Programming

See All in Programming
Basic Architectures
Avatar for Denys Poltorak denyspoltorak
0
680
FOSDEM 2026: STUNMESH-go: Building P2P WireGuard Mesh Without Self-Hosted Infrastructure
Avatar for Date Huang tjjh89017
0
170
HTTPプロトコル正しく理解していますか? 〜かわいい猫と共に学ぼう。ฅ^•ω•^ฅ ニャ〜
Avatar for ♛Heitor Hirose hekuchan
2
690
CSC307 Lecture 02
Avatar for Javier Gonzalez-Sanchez javiergs
PRO
1
780
Implementation Patterns
Avatar for Denys Poltorak denyspoltorak
0
290
カスタマーサクセス業務を変革したヘルススコアの実現と学び
Avatar for Tomoyuki Hamaguchi _hummer0724
0
700
余白を設計しフロントエンド開発を 加速させる
Avatar for karacoro / からころ tsukuha
7
2.1k
MUSUBIXとは
Avatar for Hisaho nahisaho
0
130
dchart: charts from deck markup
Avatar for Anthony Starks ajstarks
3
990
AI & Enginnering
Avatar for codelynx codelynx
0
110
AIフル活用時代だからこそ学んでおきたい働き方の心得
Avatar for shinoyu shinoyu
0
140
AI によるインシデント初動調査の自動化を行う AI インシデントコマンダーを作った話
Avatar for azukiazusa azukiazusa1
1
730

Featured

See All Featured
How People are Using Generative and Agentic AI to Supercharge Their Products, Projects, Services and Value Streams Today
Avatar for Helen Beal helenjbeal
1
120
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
Avatar for Rebecca Miller-Webster rmw
35
3.4k
Designing for Timeless Needs
Avatar for Cassini Nazir cassininazir
0
130
Easily Structure & Communicate Ideas using Wireframe
Avatar for Afnizar Nur Ghifari afnizarnur
194
17k
The Art of Programming - Codeland 2020
Avatar for Erika Heidi erikaheidi
57
14k
Testing 201, or: Great Expectations
Avatar for Joseph Mastey jmmastey
46
8k
Side Projects
Avatar for Sacha Greif sachag
455
43k
Breaking role norms: Why Content Design is so much more than writing copy - Taylor Woolridge
Avatar for UX Y'all uxyall
0
170
Applied NLP in the Age of Generative AI
Avatar for Ines Montani inesmontani
PRO
4
2k
How to make the Groovebox
Avatar for あそなす asonas
2
1.9k
Producing Creativity
Avatar for Steve Smith orderedlist
PRO
348
40k
Performance Is Good for Brains [We Love Speed 2024]
Avatar for Tammy Everts tammyeverts
12
1.4k

Transcript

  1. Sunday, September 15, 13

  2. Secure Rails Apps r Sunday, September 15, 13

  3. https://www.owasp.org/index.php/Top_10_2013-Top_10 Sunday, September 15, 13

  4. DON’T TRUST USERS RULE #1 Sunday, September 15, 13

  5. Author.where("publisher_name = #{params[:publisher_name]}") SQL Injection Sunday, September 15, 13

  6. Author.where(publisher_name: params[:publisher_name]) Better Example Sunday, September 15, 13

  7. Author.where("publisher_name LIKE ?", "%#{params[:publisher_name]}%") Better Example Sunday, September 15, 13

  8. `ghostscript #{params[:user_filename]}` Shell Injection Sunday, September 15, 13

  9. file = params[:user_filename].shellescape `ghostscript #{file}` Better Example Sunday, September 15,

    13

  10. "<b>Updated display name: #{@user.name}</b>".html_safe Cross-Site Scripting Sunday, September 15, 13

  11. In Review User input is dangerous. Even after it’s saved

    to the database! Sunday, September 15, 13

  12. RULE #2 LOCK DOWN SENSITIVE DATA Sunday, September 15, 13

  13. before_filter :require_admin private def require_admin unless current_user.admin? flash[:error] = "You

    must be logged in to access this section" redirect_to root_url end end Sunday, September 15, 13

  14. CanCan ryanb/cancan Sunday, September 15, 13

  15. class Ability include CanCan::Ability def initialize user can :read, Post,

    account_id: user.account_id end end Sunday, September 15, 13

  16. class PostsController < ApplicationController load_and_authorize_resource # ... end Sunday, September

    15, 13

  17. <option value="120">Alan <option value="121">Bria Sunday, September 15, 13

  18. <option value="a45b121"> <option value="7e659aa"> Stop Using Database IDs Sunday, September

    15, 13

  19. Sunday, September 15, 13

  20. Sunday, September 15, 13

  21. In Review Restrict what users can access Validate incoming data

    Keep your secrets secret Sunday, September 15, 13

  22. RULE #3 KEEP STUFF UP-TO-DATE! Sunday, September 15, 13

  23. Sunday, September 15, 13

  24. Rails ruby interpreter database adapter authentication view templates javascript Sunday,

    September 15, 13

  25. Sunday, September 15, 13

  26. YOU! https://groups.google.com/forum/#! forum/rubyonrails-security https://www.ruby-lang.org/en/ security/ http://guides.rubyonrails.org/ security.html Sunday, September 15,

    13

  27. In Review Keep gems up-to-date Keep learning Sunday, September 15,

    13

  28. Sunday, September 15, 13