Hi, this blog is no longer maintained, my new blog is here

Ruby On Rails and a Conning Israeli entrepreneur

Lighting Fast Ruby On Rails security checklist

Ruby on Rails Security checklist for models:

  1. Use attr_accessible (or attr_protected if you must) to explicitly identify attributes that are accessible by .create and .update_attributes. Just because you don't expose an attribute on an edit form doesn't mean that someone won't try to post a value to it. I prefer attr_accessible over attr_protected as it fails on the side of safety when new fields are added to a model - you have to explicitly expose new fields.
  2. Make sure queries are using the Rails bind variable facility for parameters, not string concatenation or the handy Ruby's #{...} syntax.
  3. Use validations to prevent bad input.
Ruby on Rails Security checklist for controllers:
  1. Make non-action controller methods private (if possible).
  2. If non-action controller methods must be public, identify them with hide_action to prevent unwanted execution.
  3. Make sure before_filters are in place if necessary for your authorization infrastructure.
  4. Move queries from your controller to your model, and see the model checklist above.
  5. Check for params[:id] usage - are you sure you can trust it? Check for proper ownership of the record.
  6. Check for usage of hidden fields - a user can send anything to you through them, so treat them with suspicious just as params[:id] should be suspect.
  7. Use filter_parameter_logging to prevent entry of sensitive unencrypted data (passwords, SSN's, credit card numbers, etc.) in your server logs.
  8. Forget about your view code for a minute, and think about how to protect your controller from posts a malicious user could make to any of your exposed methods. All parameters (whether or not exposed on a form, and whether or not invisible) are suspect to length overruns, bypassing of any browser based validation, attacks with malformed data, etc.
Ruby on Rails Security checklist for views:
  1. Make sure all data displayed is escaped with the helper method h(string).
  2. Eliminate comments in your views that you don't wish the entire world to see.


The Web Ask eizesus.com


    follow me on Twitter

    Twiters Around

    About Me

    My photo
    I am a web developer for more than 9 years, managed, cried, coded, designed and made money in this industry. now trying to do it again.