Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Writing Secure(r) Rails Apps
Search
Jon Canady
September 16, 2013
Programming
0
110
Writing Secure(r) Rails Apps
Three quick rules to keep in mind to ensure your Rails apps are just a little bit more secure.
Jon Canady
September 16, 2013
Tweet
Share
More Decks by Jon Canady
See All by Jon Canady
Basics of Rails Security
joncanady
1
66
What Is Rspec?
joncanady
0
120
Ruby on Rails Presenters
joncanady
2
240
Other Decks in Programming
See All in Programming
技術同人誌をMCP Serverにしてみた
74th
1
450
来たるべき 8.0 に備えて React 19 新機能と React Router 固有機能の取捨選択とすり合わせを考える
oukayuka
2
880
地方に住むエンジニアの残酷な現実とキャリア論
ichimichi
5
1.4k
なぜ適用するか、移行して理解するClean Architecture 〜構造を超えて設計を継承する〜 / Why Apply, Migrate and Understand Clean Architecture - Inherit Design Beyond Structure
seike460
PRO
1
710
Cline指示通りに動かない? AI小説エージェントで学ぶ指示書の書き方と自動アップデートの仕組み
kamomeashizawa
1
600
Code as Context 〜 1にコードで 2にリンタ 34がなくて 5にルール? 〜
yodakeisuke
0
120
たった 1 枚の PHP ファイルで実装する MCP サーバ / MCP Server with Vanilla PHP
okashoi
1
220
Modern Angular with Signals and Signal Store: New Rules for Your Architecture @enterJS Advanced Angular Day 2025
manfredsteyer
PRO
0
160
なんとなくわかった気になるブロックテーマ入門/contents.nagoya 2025 6.28
chiilog
1
240
WebViewの現在地 - SwiftUI時代のWebKit - / The Current State Of WebView
marcy731
0
100
Benchmark
sysong
0
280
新メンバーも今日から大活躍!SREが支えるスケールし続ける組織のオンボーディング
honmarkhunt
0
120
Featured
See All Featured
Rebuilding a faster, lazier Slack
samanthasiow
82
9.1k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
252
21k
Making the Leap to Tech Lead
cromwellryan
134
9.4k
The Cost Of JavaScript in 2023
addyosmani
51
8.5k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
46
9.6k
What’s in a name? Adding method to the madness
productmarketing
PRO
23
3.5k
Balancing Empowerment & Direction
lara
1
390
Why Our Code Smells
bkeepers
PRO
337
57k
Scaling GitHub
holman
459
140k
Fashionably flexible responsive web design (full day workshop)
malarkey
407
66k
Designing Experiences People Love
moore
142
24k
Done Done
chrislema
184
16k
Transcript
Sunday, September 15, 13
Secure Rails Apps r Sunday, September 15, 13
https://www.owasp.org/index.php/Top_10_2013-Top_10 Sunday, September 15, 13
DON’T TRUST USERS RULE #1 Sunday, September 15, 13
Author.where("publisher_name = #{params[:publisher_name]}") SQL Injection Sunday, September 15, 13
Author.where(publisher_name: params[:publisher_name]) Better Example Sunday, September 15, 13
Author.where("publisher_name LIKE ?", "%#{params[:publisher_name]}%") Better Example Sunday, September 15, 13
`ghostscript #{params[:user_filename]}` Shell Injection Sunday, September 15, 13
file = params[:user_filename].shellescape `ghostscript #{file}` Better Example Sunday, September 15,
13
"<b>Updated display name: #{@user.name}</b>".html_safe Cross-Site Scripting Sunday, September 15, 13
In Review User input is dangerous. Even after it’s saved
to the database! Sunday, September 15, 13
RULE #2 LOCK DOWN SENSITIVE DATA Sunday, September 15, 13
before_filter :require_admin private def require_admin unless current_user.admin? flash[:error] = "You
must be logged in to access this section" redirect_to root_url end end Sunday, September 15, 13
CanCan ryanb/cancan Sunday, September 15, 13
class Ability include CanCan::Ability def initialize user can :read, Post,
account_id: user.account_id end end Sunday, September 15, 13
class PostsController < ApplicationController load_and_authorize_resource # ... end Sunday, September
15, 13
<option value="120">Alan <option value="121">Bria Sunday, September 15, 13
<option value="a45b121"> <option value="7e659aa"> Stop Using Database IDs Sunday, September
15, 13
Sunday, September 15, 13
Sunday, September 15, 13
In Review Restrict what users can access Validate incoming data
Keep your secrets secret Sunday, September 15, 13
RULE #3 KEEP STUFF UP-TO-DATE! Sunday, September 15, 13
Sunday, September 15, 13
Rails ruby interpreter database adapter authentication view templates javascript Sunday,
September 15, 13
Sunday, September 15, 13
YOU! https://groups.google.com/forum/#! forum/rubyonrails-security https://www.ruby-lang.org/en/ security/ http://guides.rubyonrails.org/ security.html Sunday, September 15,
13
In Review Keep gems up-to-date Keep learning Sunday, September 15,
13
Sunday, September 15, 13
joncanady
74th
oukayuka
ichimichi
seike460
kamomeashizawa
yodakeisuke
okashoi
manfredsteyer
chiilog
marcy731
sysong
.png){kind=avatar}
honmarkhunt
samanthasiow
smashingmag
cromwellryan
addyosmani
mongodb
productmarketing
lara
bkeepers
holman
malarkey
moore
chrislema
![Author.where("publisher_name = #{params[:publisher_name]}") SQL Injection Sunday, September 15, 13](https://files.speakerdeck.com/presentations/62a7b47000a70131be1f026ba03981e0/slide_4.jpg){kind=link}
![Author.where(publisher_name: params[:publisher_name]) Better Example Sunday, September 15, 13](https://files.speakerdeck.com/presentations/62a7b47000a70131be1f026ba03981e0/slide_5.jpg){kind=link}
![Author.where("publisher_name LIKE ?", "%#{params[:publisher_name]}%") Better Example Sunday, September 15, 13](https://files.speakerdeck.com/presentations/62a7b47000a70131be1f026ba03981e0/slide_6.jpg){kind=link}
![`ghostscript #{params[:user_filename]}` Shell Injection Sunday, September 15, 13](https://files.speakerdeck.com/presentations/62a7b47000a70131be1f026ba03981e0/slide_7.jpg){kind=link}
![file = params[:user_filename].shellescape `ghostscript #{file}` Better Example Sunday, September 15,](https://files.speakerdeck.com/presentations/62a7b47000a70131be1f026ba03981e0/slide_8.jpg){kind=link}
![before_filter :require_admin private def require_admin unless current_user.admin? flash[:error] = "You](https://files.speakerdeck.com/presentations/62a7b47000a70131be1f026ba03981e0/slide_12.jpg){kind=link}
