Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Writing Secure(r) Rails Apps

Avatar for Jon Canady Jon Canady
September 16, 2013
Programming
0
110

Writing Secure(r) Rails Apps

Three quick rules to keep in mind to ensure your Rails apps are just a little bit more secure.

Avatar for Jon Canady

Jon Canady

September 16, 2013
Tweet

More Decks by Jon Canady

See All by Jon Canady
Basics of Rails Security
Avatar for Jon Canady joncanady
1
67
What Is Rspec?
Avatar for Jon Canady joncanady
0
120
Ruby on Rails Presenters
Avatar for Jon Canady joncanady
2
240

Other Decks in Programming

See All in Programming
Amazon RDS 向けに提供されている MCP Server と仕組みを調べてみた/jawsug-okayama-2025-aurora-mcp
Avatar for Takahashi Ikki takahashiikki
1
110
How Android Uses Data Structures Behind The Scenes
Avatar for HyunWoo Lee l2hyunwoo
0
450
MCPでVibe Working。そして、結局はContext Eng(略)/ Working with Vibe on MCP And Context Eng
Avatar for r-kagaya rkaga
5
2.3k
ユーザーも開発者も悩ませない TV アプリ開発 ~Compose の内部実装から学ぶフォーカス制御~
Avatar for Daichi Takeya taked137
0
180
Updates on MLS on Ruby (and maybe more)
Avatar for sylph01 sylph01
1
180
「待たせ上手」なスケルトンスクリーン、 そのUXの裏側
Avatar for teamLab teamlab
PRO
0
530
Ruby×iOSアプリ開発 ~共に歩んだエコシステムの物語~
Avatar for Tomoki Kobayashi temoki
0
320
Design Foundational Data Engineering Observability
Avatar for suci sucitw
3
200
Navigation 2 を 3 に移行する(予定)ためにやったこと
Avatar for yokomii yokomii
0
240
Zendeskのチケットを Amazon Bedrockで 解析した
Avatar for ryokosuge ryokosuge
3
300
print("Hello, World")
Avatar for 高見龍 eddie
2
530
モバイルアプリからWebへの横展開を加速した話_Claude_Code_実践術.pdf
Avatar for Kazuya Sakamoto kazuyasakamoto
0
330

Featured

See All Featured
How To Stay Up To Date on Web Technology
Avatar for Chris Coyier chriscoyier
790
250k
It's Worth the Effort
Avatar for 3n 3n
187
28k
Unsuck your backbone
Avatar for Amy Palamountain ammeep
671
58k
Fashionably flexible responsive web design (full day workshop)
Avatar for Andy Clarke malarkey
407
66k
Building Applications with DynamoDB
Avatar for Matt Wood mza
96
6.6k
Code Reviewing Like a Champion
Avatar for maltzj maltzj
525
40k
The Straight Up "How To Draw Better" Workshop
Avatar for Dennis Kardys denniskardys
236
140k
Making Projects Easy
Avatar for Brett Harned brettharned
117
6.4k
JavaScript: Past, Present, and Future - NDC Porto 2020
Avatar for David Neal reverentgeek
51
5.6k
YesSQL, Process and Tooling at Scale
Avatar for Rocio Delgado rocio
173
14k
Designing Experiences People Love
Avatar for Jonathan Moore moore
142
24k
Scaling GitHub
Avatar for Zach Holman holman
463
140k

Transcript

  1. Sunday, September 15, 13

  2. Secure Rails Apps r Sunday, September 15, 13

  3. https://www.owasp.org/index.php/Top_10_2013-Top_10 Sunday, September 15, 13

  4. DON’T TRUST USERS RULE #1 Sunday, September 15, 13

  5. Author.where("publisher_name = #{params[:publisher_name]}") SQL Injection Sunday, September 15, 13

  6. Author.where(publisher_name: params[:publisher_name]) Better Example Sunday, September 15, 13

  7. Author.where("publisher_name LIKE ?", "%#{params[:publisher_name]}%") Better Example Sunday, September 15, 13

  8. `ghostscript #{params[:user_filename]}` Shell Injection Sunday, September 15, 13

  9. file = params[:user_filename].shellescape `ghostscript #{file}` Better Example Sunday, September 15,

    13

  10. "<b>Updated display name: #{@user.name}</b>".html_safe Cross-Site Scripting Sunday, September 15, 13

  11. In Review User input is dangerous. Even after it’s saved

    to the database! Sunday, September 15, 13

  12. RULE #2 LOCK DOWN SENSITIVE DATA Sunday, September 15, 13

  13. before_filter :require_admin private def require_admin unless current_user.admin? flash[:error] = "You

    must be logged in to access this section" redirect_to root_url end end Sunday, September 15, 13

  14. CanCan ryanb/cancan Sunday, September 15, 13

  15. class Ability include CanCan::Ability def initialize user can :read, Post,

    account_id: user.account_id end end Sunday, September 15, 13

  16. class PostsController < ApplicationController load_and_authorize_resource # ... end Sunday, September

    15, 13

  17. <option value="120">Alan <option value="121">Bria Sunday, September 15, 13

  18. <option value="a45b121"> <option value="7e659aa"> Stop Using Database IDs Sunday, September

    15, 13

  19. Sunday, September 15, 13

  20. Sunday, September 15, 13

  21. In Review Restrict what users can access Validate incoming data

    Keep your secrets secret Sunday, September 15, 13

  22. RULE #3 KEEP STUFF UP-TO-DATE! Sunday, September 15, 13

  23. Sunday, September 15, 13

  24. Rails ruby interpreter database adapter authentication view templates javascript Sunday,

    September 15, 13

  25. Sunday, September 15, 13

  26. YOU! https://groups.google.com/forum/#! forum/rubyonrails-security https://www.ruby-lang.org/en/ security/ http://guides.rubyonrails.org/ security.html Sunday, September 15,

    13

  27. In Review Keep gems up-to-date Keep learning Sunday, September 15,

    13

  28. Sunday, September 15, 13