Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Writing Secure(r) Rails Apps

Avatar for Jon Canady Jon Canady
September 16, 2013
Programming
0
120

Writing Secure(r) Rails Apps

Three quick rules to keep in mind to ensure your Rails apps are just a little bit more secure.

Avatar for Jon Canady

Jon Canady

September 16, 2013
Tweet

More Decks by Jon Canady

See All by Jon Canady
Basics of Rails Security
Avatar for Jon Canady joncanady
1
69
What Is Rspec?
Avatar for Jon Canady joncanady
0
120
Ruby on Rails Presenters
Avatar for Jon Canady joncanady
2
240

Other Decks in Programming

See All in Programming
CSC307 Lecture 07
Avatar for Javier Gonzalez-Sanchez javiergs
PRO
0
550
CSC307 Lecture 05
Avatar for Javier Gonzalez-Sanchez javiergs
PRO
0
500
AIエージェント、”どう作るか”で差は出るか? / AI Agents: Does the "How" Make a Difference?
Avatar for r-kagaya rkaga
4
2k
20260127_試行錯誤の結晶を1冊に。著者が解説 先輩データサイエンティストからの指南書 / author's_commentary_ds_instructions_guide
Avatar for nash_efp nash_efp
1
980
Fragmented Architectures
Avatar for Denys Poltorak denyspoltorak
0
160
AI巻き込み型コードレビューのススメ
Avatar for Nealle nealle
2
310
AI時代のキャリアプラン「技術の引力」からの脱出と「問い」へのいざない / tech-gravity
Avatar for MinoDriven minodriven
21
7.3k
Smart Handoff/Pickup ガイド - Claude Code セッション管理
Avatar for rasshii yukiigarashi
0
140
Data-Centric Kaggle
Avatar for ねぼすけAI isax1015
2
780
AIエージェントのキホンから学ぶ「エージェンティックコーディング」実践入門
Avatar for Masahiro Nishimi masahiro_nishimi
5
470
CSC307 Lecture 04
Avatar for Javier Gonzalez-Sanchez javiergs
PRO
0
660
QAフローを最適化し、品質水準を満たしながらリリースまでの期間を最短化する #RSGT2026
Avatar for shibayu36 shibayu36
2
4.4k

Featured

See All Featured
brightonSEO & MeasureFest 2025 - Christian Goodrich - Winning strategies for Black Friday CRO & PPC
Avatar for Christian Goodrich cargoodrich
3
100
WENDY [Excerpt]
Avatar for Tessa Abrams tessaabrams
9
36k
How to Grow Your eCommerce with AI & Automation
Avatar for Katarina Dahlin katarinadahlin
PRO
1
110
The Curse of the Amulet
Avatar for Matthew Lei leimatthew05
1
8.6k
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
Avatar for Tammy Everts tammyeverts
11
830
Stop Working from a Prison Cell
Avatar for Chris Michel hatefulcrawdad
273
21k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
Avatar for panda_program panda_program
122
21k
Principles of Awesome APIs and How to Build Them.
Avatar for Keavy McMinn keavy
128
17k
Build your cross-platform service in a week with App Engine
Avatar for Jose L jlugia
234
18k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
Avatar for Marc Duiker marcduiker
35
2.4k
JAMstack: Web Apps at Ludicrous Speed - All Things Open 2022
Avatar for David Neal reverentgeek
1
340
Exploring the relationship between traditional SERPs and Gen AI search
Avatar for Ray Grieselhuber raygrieselhuber
PRO
2
3.6k

Transcript

  1. Sunday, September 15, 13

  2. Secure Rails Apps r Sunday, September 15, 13

  3. https://www.owasp.org/index.php/Top_10_2013-Top_10 Sunday, September 15, 13

  4. DON’T TRUST USERS RULE #1 Sunday, September 15, 13

  5. Author.where("publisher_name = #{params[:publisher_name]}") SQL Injection Sunday, September 15, 13

  6. Author.where(publisher_name: params[:publisher_name]) Better Example Sunday, September 15, 13

  7. Author.where("publisher_name LIKE ?", "%#{params[:publisher_name]}%") Better Example Sunday, September 15, 13

  8. `ghostscript #{params[:user_filename]}` Shell Injection Sunday, September 15, 13

  9. file = params[:user_filename].shellescape `ghostscript #{file}` Better Example Sunday, September 15,

    13

  10. "<b>Updated display name: #{@user.name}</b>".html_safe Cross-Site Scripting Sunday, September 15, 13

  11. In Review User input is dangerous. Even after it’s saved

    to the database! Sunday, September 15, 13

  12. RULE #2 LOCK DOWN SENSITIVE DATA Sunday, September 15, 13

  13. before_filter :require_admin private def require_admin unless current_user.admin? flash[:error] = "You

    must be logged in to access this section" redirect_to root_url end end Sunday, September 15, 13

  14. CanCan ryanb/cancan Sunday, September 15, 13

  15. class Ability include CanCan::Ability def initialize user can :read, Post,

    account_id: user.account_id end end Sunday, September 15, 13

  16. class PostsController < ApplicationController load_and_authorize_resource # ... end Sunday, September

    15, 13

  17. <option value="120">Alan <option value="121">Bria Sunday, September 15, 13

  18. <option value="a45b121"> <option value="7e659aa"> Stop Using Database IDs Sunday, September

    15, 13

  19. Sunday, September 15, 13

  20. Sunday, September 15, 13

  21. In Review Restrict what users can access Validate incoming data

    Keep your secrets secret Sunday, September 15, 13

  22. RULE #3 KEEP STUFF UP-TO-DATE! Sunday, September 15, 13

  23. Sunday, September 15, 13

  24. Rails ruby interpreter database adapter authentication view templates javascript Sunday,

    September 15, 13

  25. Sunday, September 15, 13

  26. YOU! https://groups.google.com/forum/#! forum/rubyonrails-security https://www.ruby-lang.org/en/ security/ http://guides.rubyonrails.org/ security.html Sunday, September 15,

    13

  27. In Review Keep gems up-to-date Keep learning Sunday, September 15,

    13

  28. Sunday, September 15, 13