Writing Secure(r) Rails Apps

Sunday, September 15, 13

Secure Rails Apps r Sunday, September 15, 13

https://www.owasp.org/index.php/Top_10_2013-Top_10 Sunday, September 15, 13

DON’T TRUST USERS RULE #1 Sunday, September 15, 13

Author.where("publisher_name = #{params[:publisher_name]}") SQL Injection Sunday, September 15, 13

Author.where(publisher_name: params[:publisher_name]) Better Example Sunday, September 15, 13

Author.where("publisher_name LIKE ?", "%#{params[:publisher_name]}%") Better Example Sunday, September 15, 13

`ghostscript #{params[:user_filename]}` Shell Injection Sunday, September 15, 13

file = params[:user_filename].shellescape `ghostscript #{file}` Better Example Sunday, September 15,
13

"<b>Updated display name: #{@user.name}</b>".html_safe Cross-Site Scripting Sunday, September 15, 13

In Review User input is dangerous. Even after it’s saved
to the database! Sunday, September 15, 13

RULE #2 LOCK DOWN SENSITIVE DATA Sunday, September 15, 13

before_filter :require_admin private def require_admin unless current_user.admin? flash[:error] = "You
must be logged in to access this section" redirect_to root_url end end Sunday, September 15, 13

CanCan ryanb/cancan Sunday, September 15, 13

class Ability include CanCan::Ability def initialize user can :read, Post,
account_id: user.account_id end end Sunday, September 15, 13

class PostsController < ApplicationController load_and_authorize_resource # ... end Sunday, September
15, 13

<option value="120">Alan <option value="121">Bria Sunday, September 15, 13

<option value="a45b121"> <option value="7e659aa"> Stop Using Database IDs Sunday, September
15, 13

In Review Restrict what users can access Validate incoming data
Keep your secrets secret Sunday, September 15, 13

RULE #3 KEEP STUFF UP-TO-DATE! Sunday, September 15, 13

Rails ruby interpreter database adapter authentication view templates javascript Sunday,
September 15, 13

YOU! https://groups.google.com/forum/#! forum/rubyonrails-security https://www.ruby-lang.org/en/ security/ http://guides.rubyonrails.org/ security.html Sunday, September 15,
13

In Review Keep gems up-to-date Keep learning Sunday, September 15,
13

Writing Secure(r) Rails Apps

Writing Secure(r) Rails Apps

Jon Canady

More Decks by Jon Canady

Other Decks in Programming

Featured

Transcript

Sunday, September 15, 13

Secure Rails Apps r Sunday, September 15, 13

https://www.owasp.org/index.php/Top_10_2013-Top_10 Sunday, September 15, 13

DON’T TRUST USERS RULE #1 Sunday, September 15, 13

Author.where("publisher_name = #{params[:publisher_name]}") SQL Injection Sunday, September 15, 13

Author.where(publisher_name: params[:publisher_name]) Better Example Sunday, September 15, 13

Author.where("publisher_name LIKE ?", "%#{params[:publisher_name]}%") Better Example Sunday, September 15, 13

`ghostscript #{params[:user_filename]}` Shell Injection Sunday, September 15, 13

file = params[:user_filename].shellescape `ghostscript #{file}` Better Example Sunday, September 15,

"<b>Updated display name: #{@user.name}</b>".html_safe Cross-Site Scripting Sunday, September 15, 13

In Review User input is dangerous. Even after it’s saved

RULE #2 LOCK DOWN SENSITIVE DATA Sunday, September 15, 13

before_filter :require_admin private def require_admin unless current_user.admin? flash[:error] = "You

CanCan ryanb/cancan Sunday, September 15, 13

class Ability include CanCan::Ability def initialize user can :read, Post,

class PostsController < ApplicationController load_and_authorize_resource # ... end Sunday, September

<option value="120">Alan <option value="121">Bria Sunday, September 15, 13

<option value="a45b121"> <option value="7e659aa"> Stop Using Database IDs Sunday, September

Sunday, September 15, 13

Sunday, September 15, 13

In Review Restrict what users can access Validate incoming data

RULE #3 KEEP STUFF UP-TO-DATE! Sunday, September 15, 13

Sunday, September 15, 13

Rails ruby interpreter database adapter authentication view templates javascript Sunday,

Sunday, September 15, 13

YOU! https://groups.google.com/forum/#! forum/rubyonrails-security https://www.ruby-lang.org/en/ security/ http://guides.rubyonrails.org/ security.html Sunday, September 15,

In Review Keep gems up-to-date Keep learning Sunday, September 15,

Sunday, September 15, 13