Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Writing Secure(r) Rails Apps
Search
Jon Canady
September 16, 2013
Programming
0
110
Writing Secure(r) Rails Apps
Three quick rules to keep in mind to ensure your Rails apps are just a little bit more secure.
Jon Canady
September 16, 2013
Tweet
Share
More Decks by Jon Canady
See All by Jon Canady
Basics of Rails Security
joncanady
1
66
What Is Rspec?
joncanady
0
120
Ruby on Rails Presenters
joncanady
2
240
Other Decks in Programming
See All in Programming
Flutter로 Gemini와 MCP를 활용한 Agentic App 만들기 - 박제창 2025 I/O Extended Seoul
itsmedreamwalker
0
140
変化を楽しむエンジニアリング ~ いままでとこれから ~
murajun1978
0
730
Reactの歴史を振り返る
tutinoko
1
180
Understanding Kotlin Multiplatform
l2hyunwoo
0
260
[DevinMeetupTokyo2025] コード書かせないDevinの使い方
takumiyoshikawa
2
280
The State of Fluid (2025)
s2b
0
170
A Gopher's Guide to Vibe Coding
danicat
0
160
令和最新版手のひらコンピュータ
koba789
14
7.8k
フロントエンドのmonorepo化と責務分離のリアーキテクト
kajitack
2
110
「リーダーは意思決定する人」って本当?~ 学びを現場で活かす、リーダー4ヶ月目の試行錯誤 ~
marina1017
0
230
あまり知られていない MCP 仕様たち / MCP specifications that aren’t widely known
ktr_0731
0
280
Webinar: AI-Powered Development: Transformiere deinen Workflow mit Coding Tools und MCP Servern
danielsogl
0
130
Featured
See All Featured
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
8
890
Building Adaptive Systems
keathley
43
2.7k
Scaling GitHub
holman
462
140k
A better future with KSS
kneath
239
17k
The World Runs on Bad Software
bkeepers
PRO
70
11k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
656
60k
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
The Pragmatic Product Professional
lauravandoore
36
6.8k
Documentation Writing (for coders)
carmenintech
73
5k
Docker and Python
trallard
45
3.5k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
139
34k
jQuery: Nuts, Bolts and Bling
dougneiner
64
7.9k
Transcript
Sunday, September 15, 13
Secure Rails Apps r Sunday, September 15, 13
https://www.owasp.org/index.php/Top_10_2013-Top_10 Sunday, September 15, 13
DON’T TRUST USERS RULE #1 Sunday, September 15, 13
Author.where("publisher_name = #{params[:publisher_name]}") SQL Injection Sunday, September 15, 13
Author.where(publisher_name: params[:publisher_name]) Better Example Sunday, September 15, 13
Author.where("publisher_name LIKE ?", "%#{params[:publisher_name]}%") Better Example Sunday, September 15, 13
`ghostscript #{params[:user_filename]}` Shell Injection Sunday, September 15, 13
file = params[:user_filename].shellescape `ghostscript #{file}` Better Example Sunday, September 15,
13
"<b>Updated display name: #{@user.name}</b>".html_safe Cross-Site Scripting Sunday, September 15, 13
In Review User input is dangerous. Even after it’s saved
to the database! Sunday, September 15, 13
RULE #2 LOCK DOWN SENSITIVE DATA Sunday, September 15, 13
before_filter :require_admin private def require_admin unless current_user.admin? flash[:error] = "You
must be logged in to access this section" redirect_to root_url end end Sunday, September 15, 13
CanCan ryanb/cancan Sunday, September 15, 13
class Ability include CanCan::Ability def initialize user can :read, Post,
account_id: user.account_id end end Sunday, September 15, 13
class PostsController < ApplicationController load_and_authorize_resource # ... end Sunday, September
15, 13
<option value="120">Alan <option value="121">Bria Sunday, September 15, 13
<option value="a45b121"> <option value="7e659aa"> Stop Using Database IDs Sunday, September
15, 13
Sunday, September 15, 13
Sunday, September 15, 13
In Review Restrict what users can access Validate incoming data
Keep your secrets secret Sunday, September 15, 13
RULE #3 KEEP STUFF UP-TO-DATE! Sunday, September 15, 13
Sunday, September 15, 13
Rails ruby interpreter database adapter authentication view templates javascript Sunday,
September 15, 13
Sunday, September 15, 13
YOU! https://groups.google.com/forum/#! forum/rubyonrails-security https://www.ruby-lang.org/en/ security/ http://guides.rubyonrails.org/ security.html Sunday, September 15,
13
In Review Keep gems up-to-date Keep learning Sunday, September 15,
13
Sunday, September 15, 13
joncanady
itsmedreamwalker
murajun1978
tutinoko
l2hyunwoo
takumiyoshikawa
s2b
danicat
koba789
kajitack
marina1017
ktr_0731
danielsogl
irinanazarova
keathley
holman
kneath
bkeepers
lemiorhan
chriscoyier
lauravandoore
carmenintech
trallard
eileencodes
dougneiner
![Author.where("publisher_name = #{params[:publisher_name]}") SQL Injection Sunday, September 15, 13](https://files.speakerdeck.com/presentations/62a7b47000a70131be1f026ba03981e0/slide_4.jpg){kind=link}
![Author.where(publisher_name: params[:publisher_name]) Better Example Sunday, September 15, 13](https://files.speakerdeck.com/presentations/62a7b47000a70131be1f026ba03981e0/slide_5.jpg){kind=link}
![Author.where("publisher_name LIKE ?", "%#{params[:publisher_name]}%") Better Example Sunday, September 15, 13](https://files.speakerdeck.com/presentations/62a7b47000a70131be1f026ba03981e0/slide_6.jpg){kind=link}
![`ghostscript #{params[:user_filename]}` Shell Injection Sunday, September 15, 13](https://files.speakerdeck.com/presentations/62a7b47000a70131be1f026ba03981e0/slide_7.jpg){kind=link}
![file = params[:user_filename].shellescape `ghostscript #{file}` Better Example Sunday, September 15,](https://files.speakerdeck.com/presentations/62a7b47000a70131be1f026ba03981e0/slide_8.jpg){kind=link}
![before_filter :require_admin private def require_admin unless current_user.admin? flash[:error] = "You](https://files.speakerdeck.com/presentations/62a7b47000a70131be1f026ba03981e0/slide_12.jpg){kind=link}
