Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Writing Secure(r) Rails Apps

Avatar for Jon Canady Jon Canady
September 16, 2013
Programming
0
120

Writing Secure(r) Rails Apps

Three quick rules to keep in mind to ensure your Rails apps are just a little bit more secure.

Avatar for Jon Canady

Jon Canady

September 16, 2013
Tweet

More Decks by Jon Canady

See All by Jon Canady
Basics of Rails Security
Avatar for Jon Canady joncanady
1
69
What Is Rspec?
Avatar for Jon Canady joncanady
0
120
Ruby on Rails Presenters
Avatar for Jon Canady joncanady
2
240

Other Decks in Programming

See All in Programming
Oxlintはいいぞ
Avatar for Yuji Yamaguchi yug1224
5
1.3k
AIエージェントのキホンから学ぶ「エージェンティックコーディング」実践入門
Avatar for Masahiro Nishimi masahiro_nishimi
5
470
Patterns of Patterns
Avatar for Denys Poltorak denyspoltorak
0
1.4k
Automatic Grammar Agreementと Markdown Extended Attributes
について
Avatar for Kishikawa Katsumi kishikawakatsumi
0
190
「ブロックテーマでは再現できない」は本当か?
Avatar for Takashi Kitajima inc2734
0
1k
HTTPプロトコル正しく理解していますか? 〜かわいい猫と共に学ぼう。ฅ^•ω•^ฅ ニャ〜
Avatar for ♛Heitor Hirose hekuchan
2
690
izumin5210のプロポーザルのネタ探し #tskaigi_msup
Avatar for izumin5210 izumin5210
1
130
今こそ知るべき耐量子計算機暗号(PQC)入門 / PQC: What You Need to Know Now
Avatar for mackey0225 mackey0225
3
380
SourceGeneratorのススメ
Avatar for tkym htkym
0
200
CSC307 Lecture 04
Avatar for Javier Gonzalez-Sanchez javiergs
PRO
0
660
20260127_試行錯誤の結晶を1冊に。著者が解説 先輩データサイエンティストからの指南書 / author's_commentary_ds_instructions_guide
Avatar for nash_efp nash_efp
1
980
開発者から情シスまで - 多様なユーザー層に届けるAPI提供戦略 / Postman API Night Okinawa 2026 Winter
Avatar for tasshi tasshi
0
200

Featured

See All Featured
Building Adaptive Systems
Avatar for Chris Keathley keathley
44
2.9k
Automating Front-end Workflow
Avatar for Addy Osmani addyosmani
1371
200k
ラッコキーワード サービス紹介資料
Avatar for ラッコ株式会社 rakko
1
2.3M
Winning Ecommerce Organic Search in an AI Era - #searchnstuff2025
Avatar for Aleyda Solis aleyda
1
1.9k
Keith and Marios Guide to Fast Websites
Avatar for Keith Pitt keithpitt
413
23k
The B2B funnel & how to create a winning content strategy
Avatar for Katarina Dahlin katarinadahlin
PRO
1
270
<Decoding/> the Language of Devs - We Love SEO 2024
Avatar for Nikki Halliwell nikkihalliwell
1
130
Skip the Path - Find Your Career Trail
Avatar for Mark Kilby mkilby
0
57
Google's AI Overviews - The New Search
Avatar for Barry Adams badams
0
910
Conquering PDFs: document understanding beyond plain text
Avatar for Ines Montani inesmontani
PRO
4
2.3k
Statistics for Hackers
Avatar for Jake VanderPlas jakevdp
799
230k
New Earth Scene 8
Avatar for Sydney Stone popppiees
1
1.5k

Transcript

  1. Sunday, September 15, 13

  2. Secure Rails Apps r Sunday, September 15, 13

  3. https://www.owasp.org/index.php/Top_10_2013-Top_10 Sunday, September 15, 13

  4. DON’T TRUST USERS RULE #1 Sunday, September 15, 13

  5. Author.where("publisher_name = #{params[:publisher_name]}") SQL Injection Sunday, September 15, 13

  6. Author.where(publisher_name: params[:publisher_name]) Better Example Sunday, September 15, 13

  7. Author.where("publisher_name LIKE ?", "%#{params[:publisher_name]}%") Better Example Sunday, September 15, 13

  8. `ghostscript #{params[:user_filename]}` Shell Injection Sunday, September 15, 13

  9. file = params[:user_filename].shellescape `ghostscript #{file}` Better Example Sunday, September 15,

    13

  10. "<b>Updated display name: #{@user.name}</b>".html_safe Cross-Site Scripting Sunday, September 15, 13

  11. In Review User input is dangerous. Even after it’s saved

    to the database! Sunday, September 15, 13

  12. RULE #2 LOCK DOWN SENSITIVE DATA Sunday, September 15, 13

  13. before_filter :require_admin private def require_admin unless current_user.admin? flash[:error] = "You

    must be logged in to access this section" redirect_to root_url end end Sunday, September 15, 13

  14. CanCan ryanb/cancan Sunday, September 15, 13

  15. class Ability include CanCan::Ability def initialize user can :read, Post,

    account_id: user.account_id end end Sunday, September 15, 13

  16. class PostsController < ApplicationController load_and_authorize_resource # ... end Sunday, September

    15, 13

  17. <option value="120">Alan <option value="121">Bria Sunday, September 15, 13

  18. <option value="a45b121"> <option value="7e659aa"> Stop Using Database IDs Sunday, September

    15, 13

  19. Sunday, September 15, 13

  20. Sunday, September 15, 13

  21. In Review Restrict what users can access Validate incoming data

    Keep your secrets secret Sunday, September 15, 13

  22. RULE #3 KEEP STUFF UP-TO-DATE! Sunday, September 15, 13

  23. Sunday, September 15, 13

  24. Rails ruby interpreter database adapter authentication view templates javascript Sunday,

    September 15, 13

  25. Sunday, September 15, 13

  26. YOU! https://groups.google.com/forum/#! forum/rubyonrails-security https://www.ruby-lang.org/en/ security/ http://guides.rubyonrails.org/ security.html Sunday, September 15,

    13

  27. In Review Keep gems up-to-date Keep learning Sunday, September 15,

    13

  28. Sunday, September 15, 13