Writing Secure(r) Rails Apps
Jon Canady
September 16, 2013
Three quick rules to keep in mind to ensure your Rails apps are just a little bit more secure.
Transcript
Sunday, September 15, 13

Secure(r) Rails Apps

https://www.owasp.org/index.php/Top_10_2013-Top_10

RULE #1: DON'T TRUST USERS

SQL Injection:

    Author.where("publisher_name = #{params[:publisher_name]}")

Better Example:

    Author.where(publisher_name: params[:publisher_name])

Better Example:

    Author.where("publisher_name LIKE ?", "%#{params[:publisher_name]}%")

Shell Injection:

    `ghostscript #{params[:user_filename]}`

Better Example:

    require 'shellwords'  # String#shellescape comes from the shellwords library

    file = params[:user_filename].shellescape
    `ghostscript #{file}`

Cross-Site Scripting:

    "<b>Updated display name: #{@user.name}</b>".html_safe

In Review: User input is dangerous. Even after it's saved to the database!
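Rule #1 covers three injection contexts (SQL, shell, HTML). The SQL case is handled by ActiveRecord's bind parameters as the slides show; the following added example, which is not from the deck, exercises the other two with Ruby's standard library only: it builds (never runs) the ghostscript command line with and without Shellwords escaping, renders the display name with and without ERB::Util.html_escape, and adds one caveat for the LIKE example: a bound parameter stops injection, but % and _ inside the value still act as wildcards, so the sanitize_like helper (an assumed name; it performs the same transformation Rails later shipped as sanitize_sql_like) escapes them. The sample inputs are constructed.

```ruby
require 'shellwords'
require 'erb'

# Constructed sample inputs a user might submit; not taken from the slides.
MALICIOUS_FILENAME = "report.pdf; rm -rf /"
MALICIOUS_NAME     = "<script>alert(1)</script>"

# Shell injection, as in the slide's `ghostscript #{params[:user_filename]}`.
# Both functions only build the command string; nothing is executed.
def shell_command_unsafe(user_filename)
  "ghostscript #{user_filename}"
end

# Shellwords.escape is what String#shellescape calls: every shell-significant
# character is backslash-escaped, so the whole value stays a single argument.
def shell_command_safe(user_filename)
  "ghostscript #{Shellwords.escape(user_filename)}"
end

# Tokenise a command line the way a POSIX shell would, to show how many
# arguments the program would actually receive.
def shell_argv(command)
  Shellwords.split(command)
end

# Cross-site scripting, as in the slide's "...#{@user.name}...".html_safe:
# the unsafe form pastes the name straight into markup.
def display_name_html_unsafe(name)
  "<b>Updated display name: #{name}</b>"
end

# ERB::Util.html_escape turns <, >, &, " and ' into entities, so only the
# surrounding <b> tag is interpreted as HTML.
def display_name_html_safe(name)
  "<b>Updated display name: #{ERB::Util.html_escape(name)}</b>"
end

# Caveat for the LIKE example: bind parameters prevent injection, but % and _
# inside the value are still wildcards. Escape them (and the escape character
# itself) before wrapping the value in %...%. Assumed helper name.
def sanitize_like(value)
  value.gsub(/[\\%_]/) { |m| "\\#{m}" }
end

if __FILE__ == $0
  p shell_argv(shell_command_unsafe(MALICIOUS_FILENAME))  # five tokens
  p shell_argv(shell_command_safe(MALICIOUS_FILENAME))    # two tokens
  puts display_name_html_safe(MALICIOUS_NAME)
  puts sanitize_like("100%_done")
end
```

The argument-count check is the useful diagnostic: with escaping, the shell sees exactly the two tokens the developer intended, however many metacharacters the filename contains.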
RULE #2: LOCK DOWN SENSITIVE DATA

    before_filter :require_admin

    private

    def require_admin
      unless current_user.admin?
        flash[:error] = "You must be logged in to access this section"
        redirect_to root_url
      end
    end

CanCan (ryanb/cancan):

    class Ability
      include CanCan::Ability

      def initialize(user)
        can :read, Post, account_id: user.account_id
      end
    end

    class PostsController < ApplicationController
      load_and_authorize_resource
      # ...
    end

Stop Using Database IDs:

    <option value="120">Alan
    <option value="121">Bria

    <option value="a45b121">
    <option value="7e659aa">

In Review: Restrict what users can access. Validate incoming data. Keep your secrets secret.
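The CanCan slides and the "Stop Using Database IDs" slide describe one pattern: look a record up by an opaque identifier, then check that the current user is allowed to act on it before it is used. The added example below is plain Ruby, not the cancan gem and not code from the deck: a small Ability class that scopes reads to the user's own account_id (admins may do anything), a SecureRandom-based public id to expose in URLs and option values instead of the database id, and a load-then-authorize helper that raises AccessDenied (an assumed name, modelled on CanCan's exception) for both "no such record" and "not yours", so a caller cannot tell the two apart. Users and posts are constructed sample data.

```ruby
require 'securerandom'

User = Struct.new(:id, :account_id, :admin)
Post = Struct.new(:id, :public_id, :account_id, :title)

# Stand-in for the CanCan Ability in the slides (not the cancan gem):
# a user may read only posts belonging to their own account; admins may do anything.
class Ability
  def initialize(user)
    @user = user
  end

  def can?(action, post)
    return true if @user.admin
    action == :read && post.account_id == @user.account_id
  end
end

class AccessDenied < StandardError; end

# Opaque identifier to put in URLs and <option value="..."> instead of the row id.
# Random, so it reveals nothing about how many records exist or their order.
def generate_public_id
  SecureRandom.hex(4)
end

# Constructed sample data: two accounts, one post each.
POSTS = [
  Post.new(1, "a45b1210", 10, "Q3 numbers"),
  Post.new(2, "7e659aa3", 20, "Hiring plan"),
].freeze

# Load by public id, then authorize. Unknown ids and foreign records raise the
# same exception so the response does not confirm that a record exists.
def load_and_authorize_post(user, public_id, action = :read)
  post = POSTS.find { |p| p.public_id == public_id }
  raise AccessDenied, "not found" unless post
  raise AccessDenied, "forbidden" unless Ability.new(user).can?(action, post)
  post
end

# Scope a collection the way an authorized index action should: never list
# what the user could not open individually.
def readable_posts(user)
  ability = Ability.new(user)
  POSTS.select { |p| ability.can?(:read, p) }
end

if __FILE__ == $0
  alice = User.new(1, 10, false)
  p readable_posts(alice).map(&:title)              # ["Q3 numbers"]
  p load_and_authorize_post(alice, "a45b1210").title
  begin
    load_and_authorize_post(alice, "7e659aa3")
  rescue AccessDenied => e
    puts "denied: #{e.message}"
  end
end
```

Generating the public id once at record creation and storing it alongside the row is the usual approach; the lookup above is then a simple indexed query rather than a scan.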
RULE #3: KEEP STUFF UP-TO-DATE!

Rails, ruby interpreter, database adapter, authentication, view templates, javascript

YOU!

https://groups.google.com/forum/#!forum/rubyonrails-security
https://www.ruby-lang.org/en/security/
http://guides.rubyonrails.org/security.html

In Review: Keep gems up-to-date. Keep learning.
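"Keep gems up-to-date" is only actionable if you can tell which locked versions fall below a known-good floor. The added example below is not from the deck: it parses the top-level entries of a Gemfile.lock (the four-space-indented `name (version)` lines under `specs:`; the six-space dependency lines are skipped) and compares each against a minimum-version table using RubyGems' own Gem::Version ordering, so "1.10.0" correctly sorts above "1.9.9". Both the lockfile excerpt and the MINIMUM_VERSIONS floors are constructed placeholders, not real advisory data; in practice the floors would come from a maintained advisory database.

```ruby
require 'rubygems'  # provides Gem::Version

# Constructed Gemfile.lock excerpt (not from the slides).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.5.9)
      rack (1.4.5)
      rails (3.2.13)
        actionpack (= 3.2.13)
        rack (~> 1.4.5)

  PLATFORMS
    ruby

  DEPENDENCIES
    nokogiri
    rails
LOCK

# Constructed placeholder floors; real values would come from an advisory feed.
MINIMUM_VERSIONS = {
  "rails"    => "3.2.14",
  "rack"     => "1.4.5",
  "nokogiri" => "1.6.0",
}.freeze

# Return { gem_name => locked_version } for the top-level specs in a lockfile.
# Only lines indented exactly four spaces are gem entries; deeper lines are the
# gem's own dependencies and carry constraints, not resolved versions.
def parse_locked_gems(lockfile_text)
  gems = {}
  in_specs = false
  lockfile_text.each_line do |line|
    in_specs = true if line.start_with?("  specs:")
    in_specs = false if line.strip.empty?
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      gems[m[1]] = m[2]
    end
  end
  gems
end

# Return [[name, locked, minimum], ...] for every locked gem below its floor,
# sorted by name. Gems without a floor are ignored; equal versions are fine.
def outdated_gems(lockfile_text, minimums = MINIMUM_VERSIONS)
  parse_locked_gems(lockfile_text).filter_map do |name, version|
    next unless (min = minimums[name])
    next if Gem::Version.new(version) >= Gem::Version.new(min)
    [name, version, min]
  end.sort_by(&:first)
end

if __FILE__ == $0
  outdated_gems(SAMPLE_LOCKFILE).each do |name, locked, min|
    puts "#{name}: locked #{locked}, minimum #{min}"
  end
end
```

Pointing parse_locked_gems at File.read("Gemfile.lock") turns this into a one-line CI check; the part that needs ongoing care is the floor table, which is exactly why the deck's last slide is "Keep learning".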