Lightning Fast Ruby On Rails security checklist

Ruby on Rails Security checklist for models:

  1. Use attr_accessible (or attr_protected if you must) to explicitly whitelist the attributes that .create and .update_attributes are allowed to set. Just because you don't expose an attribute on an edit form doesn't mean that someone won't post a value for it. Prefer attr_accessible over attr_protected: it fails safe when new fields are added to a model, because every new field stays closed until you explicitly expose it.
  2. Make sure queries pass parameters through the Rails bind variable facility (the ? placeholders in conditions), never through string concatenation or Ruby's handy #{...} string interpolation.
  3. Use validations to reject bad input before it reaches the database.
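The three model items above, worked through in plain Ruby as an added example (this is not code from the original post and it does not use ActiveRecord, so it runs without Rails). The Account class, its ACCESSIBLE whitelist, and the cut-down sanitize_sql_array stand-in are assumptions made for illustration; the real ActiveRecord method of that name handles many more literal types.

```ruby
# Added example, not from the original post. Plain-Ruby stand-ins for
# attr_accessible, the bind-variable (?) facility and validations.

class Account
  # Whitelist in the spirit of attr_accessible: only these keys may be set
  # from an untrusted params hash. A new column stays closed until listed.
  ACCESSIBLE = %w[email display_name].freeze

  attr_reader :email, :display_name, :admin

  def initialize
    @admin = false
  end

  # The unsafe pattern: every key in params becomes an attribute, so a
  # posted "admin=1" silently elevates the account.
  def assign_all(params)
    params.each { |k, v| instance_variable_set("@#{k}", v) }
    self
  end

  # The safe pattern: keys outside the whitelist are dropped. Rails logs them
  # as protected attributes; here the rejected names are returned instead.
  def assign_accessible(params)
    allowed, rejected = params.partition { |k, _| ACCESSIBLE.include?(k.to_s) }
    allowed.each { |k, v| instance_variable_set("@#{k}", v) }
    rejected.map { |k, _| k.to_s }
  end

  # Validation stand-in (item 3): even an accessible attribute must still
  # hold a well-formed value before the record is considered saveable.
  def valid?
    !!(email.to_s =~ /\A[^@\s]+@[^@\s]+\z/) &&
      display_name.to_s.length.between?(1, 40)
  end
end

# Cut-down stand-in for ActiveRecord's sanitize_sql_array, which is what
# the `where("col = ?", value)` form goes through. Each ? becomes a quoted
# literal with embedded single quotes doubled, so user input can never
# close the string and continue the statement. (Real adapters also handle
# NULL, numbers, dates and arrays.)
def sanitize_sql_array(sql, *values)
  values = values.dup
  sql.gsub("?") { "'" + values.shift.to_s.gsub("'", "''") + "'" }
end

# The same lookup built both ways.
def find_by_name_unsafe(name)
  "SELECT * FROM accounts WHERE display_name = '#{name}'"
end

def find_by_name_safe(name)
  sanitize_sql_array("SELECT * FROM accounts WHERE display_name = ?", name)
end

if __FILE__ == $0
  # Constructed attacker input: a hidden admin flag plus a classic quote break.
  posted = { "email" => "mallory@example.com", "admin" => true }
  puts Account.new.assign_all(posted).admin             # true
  acct = Account.new
  puts acct.assign_accessible(posted).inspect           # ["admin"]
  puts acct.admin                                       # false
  puts find_by_name_unsafe("x' OR '1'='1")              # injected
  puts find_by_name_safe("x' OR '1'='1")                # quoted
end
```

The safe query never executes the attacker's OR clause because the doubled quotes keep the whole input inside one string literal; the unsafe version hands the database a second condition that is always true.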
Ruby on Rails Security checklist for controllers:
  1. Make non-action controller methods private (if possible).
  2. If non-action controller methods must be public, list them with hide_action so they cannot be invoked as actions through a URL.
  3. Make sure before_filters are in place wherever your authorization infrastructure needs them.
  4. Move queries from your controller to your model, and see the model checklist above.
  5. Check every use of params[:id]: are you sure you can trust it? Verify that the current user actually owns the record before acting on it.
  6. Check for usage of hidden fields: a user can send anything to you through them, so treat them with the same suspicion as params[:id].
  7. Use filter_parameter_logging to keep sensitive unencrypted data (passwords, SSNs, credit card numbers, etc.) out of your server logs.
  8. Forget about your view code for a minute, and think about how to protect your controller from posts a malicious user could make to any of your exposed methods. All parameters (whether or not exposed on a form, and whether or not visible) are susceptible to length overruns, bypassing of any browser-based validation, attacks with malformed data, etc.
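Items 5 and 7 above, as an added plain-Ruby example that is not part of the original post. There is no Rails here: the Post records, the NotFound error and the filter_parameters function are assumptions that mimic the shape of an ownership-scoped find (current_user.posts.find(params[:id]) raising ActiveRecord::RecordNotFound) and of filter_parameter_logging, so that the example runs on its own.

```ruby
# Added example, not from the original post. Stand-ins for checking record
# ownership on params[:id] and for scrubbing sensitive params before logging.

class NotFound < StandardError; end

Post = Struct.new(:id, :owner_id, :title)

# Constructed sample data: two users (ids 10 and 20), each owning one post.
POSTS = [
  Post.new(1, 10, "alice's draft"),
  Post.new(2, 20, "bob's draft"),
].freeze

# Unsafe action: params[:id] is trusted, so any logged-in user can read any
# post just by changing the number in the URL.
def show_unscoped(params)
  POSTS.find { |p| p.id == params[:id].to_i } or raise NotFound
end

# Safe action: the lookup is scoped to the current user's own records, the
# way current_user.posts.find(params[:id]) is. A foreign id yields NotFound
# instead of someone else's data, and the caller does not have to remember
# a separate ownership check after the find.
def show_scoped(current_user_id, params)
  POSTS.find { |p| p.id == params[:id].to_i && p.owner_id == current_user_id } or
    raise NotFound
end

# Log scrubbing in the spirit of filter_parameter_logging :password, :ssn.
# Key names are matched as substrings, case-insensitively, and nested hashes
# and arrays are walked so account[password] or items[][card_number] is
# caught as well as a top-level key.
SENSITIVE = %w[password ssn card_number].freeze

def filter_parameters(params)
  case params
  when Hash
    params.each_with_object({}) do |(k, v), out|
      hit = SENSITIVE.any? { |s| k.to_s.downcase.include?(s) }
      out[k] = hit ? "[FILTERED]" : filter_parameters(v)
    end
  when Array
    params.map { |v| filter_parameters(v) }
  else
    params
  end
end

if __FILE__ == $0
  puts show_unscoped({ id: "2" }).title         # bob's draft, leaked to user 10
  puts show_scoped(10, { id: "1" }).title       # alice's draft
  begin
    show_scoped(10, { id: "2" })
  rescue NotFound
    puts "user 10 cannot see post 2"
  end
  # Constructed request params as a controller would receive them.
  p filter_parameters({ "account" => { "email" => "a@example.com",
                                       "password" => "hunter2" },
                        "ssn" => "123-45-6789" })
end
```

Returning NotFound for a record the user does not own (rather than a distinct "forbidden" response) also avoids confirming to the caller that the id exists.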
Ruby on Rails Security checklist for views:
  1. Make sure all data displayed is escaped with the helper method h(string). (Rails 3 and later escape ERB output by default, but anything you pass through raw or html_safe is your responsibility again.)
  2. Remove from your views any comments you don't want the entire world to see; an HTML comment is sent to the browser along with the rest of the page.
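Both view items, as an added example that is not part of the original post. It uses only Ruby's standard ERB library: ERB::Util provides the same h() escaping that the Rails helper wraps, so a template can be rendered and inspected without Rails. The View class, the templates and the stored display name are constructed for the example.

```ruby
# Added example, not from the original post. Renders ERB templates with and
# without h(), and shows which kind of comment reaches the browser.
require "erb"

class View
  include ERB::Util  # provides h(), the same html_escape Rails' h() uses

  def initialize(name)
    @name = name
  end

  def render(template)
    ERB.new(template).result(binding)
  end
end

# Template that trusts stored data: whatever was saved comes back verbatim.
UNESCAPED = "<p>Hello, <%= @name %></p>"

# Template that escapes on output: markup characters become entities.
ESCAPED = "<p>Hello, <%= h(@name) %></p>"

# Two ways to leave a note for yourself. The HTML comment is part of the
# page source every visitor can read; the ERB comment never leaves the server.
COMMENTED = <<~ERB
  <!-- TODO: tighten the permission check on this page -->
  <%# TODO: tighten the permission check on this page %>
  <p>Hello, <%= h(@name) %></p>
ERB

# Does the rendered HTML still contain an executable script element?
def script_survives?(html)
  html.include?("<script")
end

if __FILE__ == $0
  # Constructed sample: a display name an attacker saved through a form.
  view = View.new(%q{<script>alert('xss')</script>})
  puts view.render(UNESCAPED)   # script tag intact: stored XSS fires
  puts view.render(ESCAPED)     # &lt;script&gt;...: shown as text
  puts view.render(COMMENTED)   # only the <!-- --> comment is in the output
end
```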
