Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Writing Secure(r) Rails Apps

Avatar for Jon Canady Jon Canady
September 16, 2013
Programming
120
0

Writing Secure(r) Rails Apps

Three quick rules to keep in mind to ensure your Rails apps are just a little bit more secure.

Avatar for Jon Canady

Jon Canady

September 16, 2013

More Decks by Jon Canady

See All by Jon Canady
Basics of Rails Security
Avatar for Jon Canady joncanady
1
71
What Is Rspec?
Avatar for Jon Canady joncanady
0
130
Ruby on Rails Presenters
Avatar for Jon Canady joncanady
2
240

Other Decks in Programming

See All in Programming
AWS re:Invent 2025の少し振り返り + DevOps AgentとBacklogを連携させてみた
Avatar for Satoshi Kaneyasu satoshi256kbyte
2
140
GoのDB アクセスにおける 「型安全」と「柔軟性」の両立 - Bob という選択肢
Avatar for tak tak848
0
310
2026-03-27 #terminalnight 変数展開とコマンド展開でターミナル作業をスマートにする方法
Avatar for SUZUKI Masashi masasuzu
0
290
おれのAgentic Coding 2026/03
Avatar for TsukasaSekiguchi tsukasagr
1
130
Coding at the Speed of Thought: The New Era of Symfony Docker
Avatar for Kévin Dunglas dunglas
0
4.5k
KagglerがMixSeekを触ってみた
Avatar for Morim morim
0
370
仕様漏れ実装漏れをなくすトレーサビリティAI基盤のご紹介
Avatar for Kuniwak orgachem
PRO
8
4.6k
PHP でエミュレータを自作して Ubuntu を動かそう
Avatar for memory m3m0r7
PRO
2
170
感情を設計する
Avatar for nakamichi ichimichi
5
900
煩雑なSkills管理をSoC(関心の分離)により解決する――関心を分離し、プロンプトを部品として育てるためのOSSを作った話 / Solving Complex Skills Management Through SoC (Separation of Concerns)
Avatar for nrs nrslib
3
470
20260315 AWSなんもわからん🥲
Avatar for Chiaki Okamoto chiilog
2
190
PCOVから学ぶコードカバレッジ #phpcon_odawara
Avatar for hideki kinjyo o0h
PRO
0
180

Featured

See All Featured
Believing is Seeing
Avatar for Spiro Bolos oripsolob
1
110
Bridging the Design Gap: How Collaborative Modelling removes blockers to flow between stakeholders and teams @FastFlow conf
Avatar for Kenny Baas-Schwegler baasie
0
500
The Spectacular Lies of Maps
Avatar for Per Axbom axbom
PRO
1
680
We Are The Robots
Avatar for Honza Javorek honzajavorek
0
210
GraphQLの誤解/rethinking-graphql
Avatar for sonatard sonatard
75
12k
Mind Mapping
Avatar for Hélio Medeiros helmedeiros
PRO
1
140
職位にかかわらず全員がリーダーシップを発揮するチーム作り / Building a team where everyone can demonstrate leadership regardless of position
Avatar for MADOX madoxten
62
53k
Why You Should Never Use an ORM
Avatar for John Nunemaker jnunemaker
PRO
61
9.8k
RailsConf 2023
Avatar for Aaron Patterson tenderlove
30
1.4k
Building Adaptive Systems
Avatar for Chris Keathley keathley
44
3k
Facilitating Awesome Meetings
Avatar for Lara Hogan lara
57
6.8k
Stop Working from a Prison Cell
Avatar for Chris Michel hatefulcrawdad
274
21k

Transcript

  1. Sunday, September 15, 13

  2. Secure Rails Apps r Sunday, September 15, 13

  3. https://www.owasp.org/index.php/Top_10_2013-Top_10 Sunday, September 15, 13

  4. DON’T TRUST USERS RULE #1 Sunday, September 15, 13

  5. Author.where("publisher_name = #{params[:publisher_name]}") SQL Injection Sunday, September 15, 13

  6. Author.where(publisher_name: params[:publisher_name]) Better Example Sunday, September 15, 13

  7. Author.where("publisher_name LIKE ?", "%#{params[:publisher_name]}%") Better Example Sunday, September 15, 13

  8. `ghostscript #{params[:user_filename]}` Shell Injection Sunday, September 15, 13

  9. file = params[:user_filename].shellescape `ghostscript #{file}` Better Example Sunday, September 15,

    13

  10. "<b>Updated display name: #{@user.name}</b>".html_safe Cross-Site Scripting Sunday, September 15, 13

  11. In Review User input is dangerous. Even after it’s saved

    to the database! Sunday, September 15, 13

  12. RULE #2 LOCK DOWN SENSITIVE DATA Sunday, September 15, 13

  13. before_filter :require_admin private def require_admin unless current_user.admin? flash[:error] = "You

    must be logged in to access this section" redirect_to root_url end end Sunday, September 15, 13

  14. CanCan ryanb/cancan Sunday, September 15, 13

  15. class Ability include CanCan::Ability def initialize user can :read, Post,

    account_id: user.account_id end end Sunday, September 15, 13

  16. class PostsController < ApplicationController load_and_authorize_resource # ... end Sunday, September

    15, 13

  17. <option value="120">Alan <option value="121">Bria Sunday, September 15, 13

  18. <option value="a45b121"> <option value="7e659aa"> Stop Using Database IDs Sunday, September

    15, 13

  19. Sunday, September 15, 13

  20. Sunday, September 15, 13

  21. In Review Restrict what users can access Validate incoming data

    Keep your secrets secret Sunday, September 15, 13

  22. RULE #3 KEEP STUFF UP-TO-DATE! Sunday, September 15, 13

  23. Sunday, September 15, 13

  24. Rails ruby interpreter database adapter authentication view templates javascript Sunday,

    September 15, 13

  25. Sunday, September 15, 13

  26. YOU! https://groups.google.com/forum/#! forum/rubyonrails-security https://www.ruby-lang.org/en/ security/ http://guides.rubyonrails.org/ security.html Sunday, September 15,

    13

  27. In Review Keep gems up-to-date Keep learning Sunday, September 15,

    13

  28. Sunday, September 15, 13