Ruby on Rails Security checklist for models:
- Use attr_accessible (or attr_protected if you must) to explicitly identify attributes that are accessible by .create and .update_attributes. Just because you don't expose an attribute on an edit form doesn't mean that someone won't try to post a value to it. I prefer attr_accessible over attr_protected as it fails on the side of safety when new fields are added to a model - you have to explicitly expose new fields.
- Make sure queries are using the Rails bind variable facility for parameters, not string concatenation or the handy Ruby's #{...} syntax.
- Use validations to prevent bad input.
- Make non-action controller methods private (if possible).
- If non-action controller methods must be public, identify them with hide_action to prevent unwanted execution.
- Make sure before_filters are in place if necessary for your authorization infrastructure.
- Move queries from your controller to your model, and see the model checklist above.
- Check for params[:id] usage - are you sure you can trust it? Check for proper ownership of the record.
- Check for usage of hidden fields - a user can send anything to you through them, so treat them with suspicious just as params[:id] should be suspect.
- Use filter_parameter_logging to prevent entry of sensitive unencrypted data (passwords, SSN's, credit card numbers, etc.) in your server logs.
- Forget about your view code for a minute, and think about how to protect your controller from posts a malicious user could make to any of your exposed methods. All parameters (whether or not exposed on a form, and whether or not invisible) are suspect to length overruns, bypassing of any browser based validation, attacks with malformed data, etc.
- Make sure all data displayed is escaped with the helper method h(string).
- Eliminate comments in your views that you don't wish the entire world to see.
0 comments:
Post a Comment