Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Writing Secure(r) Rails Apps
Search
Jon Canady
September 16, 2013
Programming
0
110
Writing Secure(r) Rails Apps
Three quick rules to keep in mind to ensure your Rails apps are just a little bit more secure.
Jon Canady
September 16, 2013
Tweet
Share
More Decks by Jon Canady
See All by Jon Canady
Basics of Rails Security
joncanady
1
66
What Is Rspec?
joncanady
0
120
Ruby on Rails Presenters
joncanady
2
240
Other Decks in Programming
See All in Programming
技術同人誌をMCP Serverにしてみた
74th
1
680
なぜ「共通化」を考え、失敗を繰り返すのか
rinchoku
1
660
生成AI時代のコンポーネントライブラリの作り方
touyou
1
250
「テストは愚直&&網羅的に書くほどよい」という誤解 / Test Smarter, Not Harder
munetoshi
0
190
iOS 26にアップデートすると実機でのHot Reloadができない?
umigishiaoi
0
130
20250704_教育事業におけるアジャイルなデータ基盤構築
hanon52_
5
880
AIエージェントはこう育てる - GitHub Copilot Agentとチームの共進化サイクル
koboriakira
0
610
チームで開発し事業を加速するための"良い"設計の考え方 @ サポーターズCoLab 2025-07-08
agatan
1
450
Webの外へ飛び出せ NativePHPが切り拓くPHPの未来
takuyakatsusa
2
570
PHPで始める振る舞い駆動開発(Behaviour-Driven Development)
ohmori_yusuke
2
410
おやつのお供はお決まりですか?@WWDC25 Recap -Japan-\(region).swift
shingangan
0
140
A full stack side project webapp all in Kotlin (KotlinConf 2025)
dankim
0
130
Featured
See All Featured
What’s in a name? Adding method to the madness
productmarketing
PRO
23
3.5k
Thoughts on Productivity
jonyablonski
69
4.7k
A better future with KSS
kneath
238
17k
Fantastic passwords and where to find them - at NoRuKo
philnash
51
3.3k
A Tale of Four Properties
chriscoyier
160
23k
Building Better People: How to give real-time feedback that sticks.
wjessup
367
19k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
46
9.6k
How to train your dragon (web standard)
notwaldorf
96
6.1k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.4k
Adopting Sorbet at Scale
ufuk
77
9.5k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
331
22k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
PRO
181
54k
Transcript
Sunday, September 15, 13
Secure Rails Apps r Sunday, September 15, 13
https://www.owasp.org/index.php/Top_10_2013-Top_10 Sunday, September 15, 13
DON’T TRUST USERS RULE #1 Sunday, September 15, 13
Author.where("publisher_name = #{params[:publisher_name]}") SQL Injection Sunday, September 15, 13
Author.where(publisher_name: params[:publisher_name]) Better Example Sunday, September 15, 13
Author.where("publisher_name LIKE ?", "%#{params[:publisher_name]}%") Better Example Sunday, September 15, 13
`ghostscript #{params[:user_filename]}` Shell Injection Sunday, September 15, 13
file = params[:user_filename].shellescape `ghostscript #{file}` Better Example Sunday, September 15,
13
"<b>Updated display name: #{@user.name}</b>".html_safe Cross-Site Scripting Sunday, September 15, 13
In Review User input is dangerous. Even after it’s saved
to the database! Sunday, September 15, 13
RULE #2 LOCK DOWN SENSITIVE DATA Sunday, September 15, 13
before_filter :require_admin private def require_admin unless current_user.admin? flash[:error] = "You
must be logged in to access this section" redirect_to root_url end end Sunday, September 15, 13
CanCan ryanb/cancan Sunday, September 15, 13
class Ability include CanCan::Ability def initialize user can :read, Post,
account_id: user.account_id end end Sunday, September 15, 13
class PostsController < ApplicationController load_and_authorize_resource # ... end Sunday, September
15, 13
<option value="120">Alan <option value="121">Bria Sunday, September 15, 13
<option value="a45b121"> <option value="7e659aa"> Stop Using Database IDs Sunday, September
15, 13
Sunday, September 15, 13
Sunday, September 15, 13
In Review Restrict what users can access Validate incoming data
Keep your secrets secret Sunday, September 15, 13
RULE #3 KEEP STUFF UP-TO-DATE! Sunday, September 15, 13
Sunday, September 15, 13
Rails ruby interpreter database adapter authentication view templates javascript Sunday,
September 15, 13
Sunday, September 15, 13
YOU! https://groups.google.com/forum/#! forum/rubyonrails-security https://www.ruby-lang.org/en/ security/ http://guides.rubyonrails.org/ security.html Sunday, September 15,
13
In Review Keep gems up-to-date Keep learning Sunday, September 15,
13
Sunday, September 15, 13