Writing Secure(r) Rails Apps
Jon Canady
September 16, 2013
Programming

Three quick rules to keep in mind to ensure your Rails apps are just a little bit more secure.
Transcript
Sunday, September 15, 13

Secure(r) Rails Apps

https://www.owasp.org/index.php/Top_10_2013-Top_10
RULE #1: DON'T TRUST USERS

SQL Injection:
    Author.where("publisher_name = #{params[:publisher_name]}")

Better Example:
    Author.where(publisher_name: params[:publisher_name])

Better Example:
    Author.where("publisher_name LIKE ?", "%#{params[:publisher_name]}%")

Shell Injection:
    `ghostscript #{params[:user_filename]}`

Better Example:
    require 'shellwords'   # provides String#shellescape
    file = params[:user_filename].shellescape
    `ghostscript #{file}`
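Added example (plain Ruby, not code from the deck) that puts the two shell slides side by side: the interpolated command, the shellescape fix, and the argv form that avoids the shell altogether. SAMPLE_FILENAME and the function names are assumptions made for this example; it needs only the Ruby standard library.

```ruby
require "shellwords"
require "open3"

# Constructed sample input (not from the deck): a filename that carries shell
# metacharacters. It is deliberately harmless; the point is only that a shell
# would read it as more than one word.
SAMPLE_FILENAME = "report.pdf; echo injected".freeze

# The deck's "Shell Injection" slide: the raw value is spliced into the
# command line, so the shell parses whatever it contains.
def vulnerable_command(user_filename)
  "ghostscript #{user_filename}"
end

# The deck's fix: escape before interpolating. Shellwords.escape backslashes
# every character the shell treats specially, so the value stays one word.
def hardened_command(user_filename)
  "ghostscript #{Shellwords.escape(user_filename)}"
end

# Tokenise a command string the way a POSIX shell splits it into words.
# A correctly built command yields exactly ["ghostscript", <filename>].
def shell_words(command)
  Shellwords.split(command)
end

# Stronger still: do not involve a shell at all. Given an argv array, Open3
# (like Kernel#system) hands each element to the program as one argument,
# so there is nothing to escape.
def ghostscript_argv(user_filename)
  ["ghostscript", user_filename]
end

# Runs ghostscript without a shell; returns its combined output and status.
def run_ghostscript(user_filename)
  output, status = Open3.capture2e(*ghostscript_argv(user_filename))
  [output, status.success?]
end

if $PROGRAM_NAME == __FILE__
  p shell_words(vulnerable_command(SAMPLE_FILENAME)) # four words
  p shell_words(hardened_command(SAMPLE_FILENAME))   # two words
end
```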
Cross-Site Scripting:
    "<b>Updated display name: #{@user.name}</b>".html_safe

In Review:
    User input is dangerous. Even after it's saved to the database!
RULE #2: LOCK DOWN SENSITIVE DATA

    before_filter :require_admin

    private

    def require_admin
      unless current_user.admin?
        flash[:error] = "You must be logged in to access this section"
        redirect_to root_url
      end
    end

CanCan (ryanb/cancan)

    class Ability
      include CanCan::Ability

      def initialize(user)
        can :read, Post, account_id: user.account_id
      end
    end

    class PostsController < ApplicationController
      load_and_authorize_resource
      # ...
    end

    <option value="120">Alan
    <option value="121">Bria

Stop Using Database IDs:
    <option value="a45b121">
    <option value="7e659aa">
In Review:
    Restrict what users can access
    Validate incoming data
    Keep your secrets secret
RULE #3: KEEP STUFF UP-TO-DATE!
    Rails
    ruby interpreter
    database adapter
    authentication
    view templates
    javascript
YOU!
    https://groups.google.com/forum/#!forum/rubyonrails-security
    https://www.ruby-lang.org/en/security/
    http://guides.rubyonrails.org/security.html
In Review:
    Keep gems up-to-date
    Keep learning