#178
Sep 07, 2009

7 Security Tips

Security is important! Here I show seven different security flaws that are common in Rails applications, ranging from mass assignment to CSRF protection.
Download (22.2 MB, 14:53)
alternative download for iPod & Apple TV (16.9 MB, 14:53)

Resources

#1 Mass Assignment

# script/console
# Demonstrates the flaw: Project declares no attr_accessible, so any attribute
# or association writer (here task_ids) can be set through update_attributes,
# and update_attributes is exactly what the controller feeds params[:project] into.
p = Project.find(2)
p.update_attributes(:task_ids => [4])   # task 4 now belongs to project 2
p.tasks

# models/project.rb
# The fix: whitelist what mass assignment may touch. Everything else,
# task_ids included, has to be set explicitly in code.
attr_accessible :name, :photo
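The following is an added example, not code from the episode: a minimal model that reproduces what attr_accessible does in plain Ruby, so the mass-assignment hole and its fix can be run without Rails. Project, task_ids and the attribute names come from the episode; the AccessibleModel base class, the OpenProject class and the TAMPERED_PARAMS hash are constructed here for illustration.

```ruby
# Added example (not Rails or the episode's code): a whitelist-based model
# that mirrors attr_accessible. Names other than Project, task_ids, name
# and photo are assumptions made for this example.
class AccessibleModel
  # Declares which attributes may be set through mass assignment.
  def self.attr_accessible(*names)
    @accessible = names.map(&:to_s)
  end

  def self.accessible
    @accessible   # nil when the class never called attr_accessible
  end

  def initialize(attrs = {})
    @attributes = {}
    attrs.each { |k, v| @attributes[k.to_s] = v }
  end

  def [](name)
    @attributes[name.to_s]
  end

  # Mass assignment as Rails 2.x does it: with a whitelist, keys not on it
  # are dropped (Rails also logs a warning); without one, every key the
  # request sent is written, including foreign keys and association writers.
  def update_attributes(params)
    whitelist = self.class.accessible
    params.each do |key, value|
      key = key.to_s
      next if whitelist && !whitelist.include?(key)
      @attributes[key] = value
    end
    self
  end
end

# The vulnerable model: no whitelist at all (constructed for contrast).
class OpenProject < AccessibleModel; end

# The fixed model, mirroring `attr_accessible :name, :photo` in project.rb.
class Project < AccessibleModel
  attr_accessible :name, :photo
end

# Constructed request parameters: a legitimate rename plus smuggled
# task_ids and user_id fields that the edit form never offered.
TAMPERED_PARAMS = { 'name' => 'Renamed', 'task_ids' => [4], 'user_id' => 99 }

def mass_assignment_demo
  open   = OpenProject.new('name' => 'Old', 'task_ids' => [1], 'user_id' => 7)
  closed = Project.new('name' => 'Old', 'task_ids' => [1], 'user_id' => 7)
  open.update_attributes(TAMPERED_PARAMS)
  closed.update_attributes(TAMPERED_PARAMS)
  {
    :open_task_ids   => open['task_ids'],    # [4]: attacker re-parented task 4
    :open_user_id    => open['user_id'],     # 99: and took over the project
    :closed_task_ids => closed['task_ids'],  # [1]: unchanged
    :closed_user_id  => closed['user_id'],   # 7:  unchanged
    :closed_name     => closed['name']       # "Renamed": whitelisted field still works
  }
end

puts mass_assignment_demo.inspect if $PROGRAM_NAME == __FILE__
```

Note that the whitelist lives on the model, so it protects every controller that calls update_attributes, not just the one you remembered to audit; the trusted-params plugin mentioned in the comments moves the same decision into the controller for cases where an admin may set fields a normal user may not.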

#2 File Uploads

# models/project.rb
# Paperclip validation: rejects an upload whose declared content type is not
# JPEG or PNG. The declared type comes from the browser's upload request, so
# a script sent with a forged Content-Type passes unless the bytes are checked too.
validates_attachment_content_type :photo, :content_type => ['image/jpeg', 'image/png']
# more security required: check the file's contents, never trust the original
# filename, and keep uploads where the web server will not execute them
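The following is an added example, not Paperclip's code: it checks an upload by its leading bytes instead of the client-supplied Content-Type and derives a storage name that does not come from the user. The allowed types mirror the episode's validation; UPLOAD_DIR, sniff_image_type, upload_allowed? and safe_upload_name are constructed here, as are the sample files.

```ruby
require 'securerandom'

# Added example (not Paperclip or the episode's code). The allowed types
# are the episode's; everything else here is an assumption for illustration.
ALLOWED_TYPES = ['image/jpeg', 'image/png']
UPLOAD_DIR    = '/var/app/uploads'   # assumed: outside public/, served via send_file

# Leading bytes ("magic numbers") of the image formats we recognise.
MAGIC = {
  'image/jpeg' => ["\xFF\xD8\xFF".b],
  'image/png'  => ["\x89PNG\r\n\x1A\n".b],
  'image/gif'  => ['GIF87a'.b, 'GIF89a'.b]
}

# Returns the MIME type implied by the file's first bytes, or nil.
def sniff_image_type(bytes)
  head = bytes.byteslice(0, 8).b
  MAGIC.each do |type, signatures|
    return type if signatures.any? { |sig| head.start_with?(sig) }
  end
  nil
end

# The validation: the declared type must be allowed AND the bytes must agree.
def upload_allowed?(declared_type, bytes)
  ALLOWED_TYPES.include?(declared_type) && sniff_image_type(bytes) == declared_type
end

# Never store under the user's filename: it can carry "../", a ".php"
# extension or a double extension. Use a random name and take the
# extension from the sniffed type, not from the request.
EXTENSIONS = { 'image/jpeg' => 'jpg', 'image/png' => 'png' }

def safe_upload_name(bytes)
  type = sniff_image_type(bytes)
  ext  = EXTENSIONS[type]
  raise ArgumentError, "unsupported image type #{type.inspect}" unless ext
  File.join(UPLOAD_DIR, "#{SecureRandom.hex(16)}.#{ext}")
end

# Constructed sample uploads.
REAL_PNG   = "\x89PNG\r\n\x1A\n".b + 'IHDR...'.b        # truncated, but a real PNG header
PHP_AS_PNG = '<?php phpinfo(); ?>'.b                   # sent as Content-Type: image/png
POLYGLOT   = 'GIF89a'.b + '<?php phpinfo(); ?>'.b      # the trick from the comments

def upload_demo
  {
    :real_png        => upload_allowed?('image/png', REAL_PNG),     # true
    :php_as_png      => upload_allowed?('image/png', PHP_AS_PNG),   # false: bytes are not an image
    :polyglot        => upload_allowed?('image/png', POLYGLOT),     # false: sniffs as GIF, not PNG
    :polyglot_as_gif => upload_allowed?('image/gif', POLYGLOT),     # false: GIF is not allowed
    :name            => safe_upload_name(REAL_PNG)
  }
end

puts upload_demo.inspect if $PROGRAM_NAME == __FILE__
```

The magic-number check stops the plain "PHP file with a forged Content-Type" case, but it is not a proof that the file is only an image: a valid JPEG or PNG can still carry script text in a comment or metadata chunk, and a GIF89a prefix fools any check that merely compares the first bytes against the declared type. That is why the storage location matters as much as the validation: keep uploads outside the script-executing document root (or disable execution there, as the .htaccess suggestion in the comments does) and serve them with send_file.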

#3 Filter Log Params

# application_controller.rb
# Replaces the value of every parameter whose name contains "password"
# (so password_confirmation as well) with [FILTERED] in the request log.
filter_parameter_logging :password
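The following is an added example, not Rails' implementation: what a parameter filter has to do to a params hash before it is logged, in plain Ruby. As in Rails 2.x the filter name is matched as a case-insensitive substring of the key, so password_confirmation is covered too, and the filter recurses into nested hashes and arrays. The filter_params function and the SIGNUP_PARAMS sample are constructed here.

```ruby
# Added example (not Rails' code). filter_params and SIGNUP_PARAMS are
# assumptions made for this example.

# Returns a copy of params with every value under a matching key replaced.
# The original hash is left untouched: the app still needs the password,
# only the log must not see it.
def filter_params(params, filters = ['password'])
  case params
  when Hash
    params.each_with_object({}) do |(key, value), out|
      out[key] = if filters.any? { |f| key.to_s.downcase.include?(f) }
                   '[FILTERED]'
                 else
                   filter_params(value, filters)
                 end
    end
  when Array
    params.map { |v| filter_params(v, filters) }
  else
    params
  end
end

# Constructed sign-up request parameters, nested the way Rails nests them.
SIGNUP_PARAMS = {
  'user' => { 'login' => 'bob', 'password' => 'hunter2', 'password_confirmation' => 'hunter2' },
  'remember_me' => '1',
  'emergency_contacts' => [{ 'name' => 'alice', 'old_password' => 'secret' }]
}

def log_filter_demo
  filter_params(SIGNUP_PARAMS)
end

puts log_filter_demo.inspect if $PROGRAM_NAME == __FILE__
```

Filtering hides the value from the request log only; anything else that records parameters (exception notifiers, custom logger calls, a Rack middleware that dumps the environment) needs the same treatment.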

#4 CSRF Protection

# application_controller.rb
# Rejects state-changing (non-GET) form requests that do not carry the
# per-session authenticity_token which form_for and form_tag embed in every
# form. GET is never checked, which is why GET requests must not change state.
protect_from_forgery
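The following is an added example, not Rails' protect_from_forgery implementation: the token scheme it relies on, written out in plain Ruby so the check can be run and reasoned about. The Request struct, the session hash and the method names (authenticity_token, hidden_token_field, secure_compare, verified_request?) are constructed here.

```ruby
require 'securerandom'

# Added example (not Rails' code). Request and every method below are
# assumptions made for this example.
Request = Struct.new(:http_method, :params, :session)

# One unguessable token per session, created on first use. A page served
# to the real user can embed it; a page on an attacker's site cannot read
# the victim's session or page, so its forged form cannot include it.
def authenticity_token(session)
  session['_csrf_token'] ||= SecureRandom.base64(32)
end

# What form_for / form_tag add to every form.
def hidden_token_field(session)
  %(<input type="hidden" name="authenticity_token" value="#{authenticity_token(session)}" />)
end

# Compare without short-circuiting on the first differing byte, so the
# check does not leak how much of the token a guess got right.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff == 0
end

# The verification rule: anything but GET/HEAD must present the session's
# token. GET is exempt, so GET handlers must never modify data.
def verified_request?(req)
  return true if %w[GET HEAD].include?(req.http_method)
  expected = req.session['_csrf_token']
  given    = req.params['authenticity_token']
  return false if expected.nil? || given.nil?
  secure_compare(expected, given)
end

# Constructed requests: one from the app's own form, one from a cross-site
# form (no token), one with a same-length guess, and a plain GET.
def csrf_demo
  session = {}
  token   = authenticity_token(session)
  legit   = Request.new('POST', { 'authenticity_token' => token, 'name' => 'x' }, session)
  forged  = Request.new('POST', { 'name' => 'x' }, session)
  guessed = Request.new('POST', { 'authenticity_token' => 'A' * token.bytesize }, session)
  read    = Request.new('GET', {}, session)
  {
    :legit   => verified_request?(legit),     # true
    :forged  => verified_request?(forged),    # false
    :guessed => verified_request?(guessed),   # false
    :get     => verified_request?(read),      # true: GET is not checked
    :form    => hidden_token_field(session).include?(token)
  }
end

puts csrf_demo.inspect if $PROGRAM_NAME == __FILE__
```

In a real app use Rack::Utils.secure_compare (or ActiveSupport's equivalent) rather than a hand-written comparison, and keep the secret out of URLs: a token in a query string ends up in logs and Referer headers.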

#5 Authorizing Ownership

# projects_controller.rb
# Look the project up through the current user's association instead of
# Project.find(params[:id]): an id that belongs to someone else then raises
# ActiveRecord::RecordNotFound (a 404) instead of exposing the record.
def show
  @project = current_user.projects.find(params[:id])
end

#6 SQL Injection

# projects_controller.rb
# The ? placeholder quotes the search term as an SQL literal; interpolating
# params[:search] straight into the conditions string would let input such
# as "' OR 1=1 --" rewrite the query.
def index
  @projects = current_user.projects.all(:conditions => ["name like ?", "%#{params[:search]}%"])
end
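The following is an added example, not ActiveRecord's code: it shows what the ? placeholder does to user input compared with string interpolation, and adds a wildcard escape that the placeholder alone does not give you, since % and _ keep their LIKE meaning inside a quoted literal. The query shape and params[:search] come from the episode; quote_sql, bind_sql, escape_like and the PAYLOAD string are constructed here and follow standard SQL quoting (single quote doubled); MySQL additionally needs backslashes escaped, which ActiveRecord's adapter handles and this toy does not.

```ruby
# Added example (not ActiveRecord's code). quote_sql, bind_sql, escape_like,
# the *_search_sql helpers and PAYLOAD are assumptions made for this example.

# Turn a Ruby value into an SQL literal (ANSI quoting: ' becomes '').
def quote_sql(value)
  case value
  when Integer then value.to_s
  when nil     then 'NULL'
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# The ? placeholder: each ? is replaced by a quoted literal, so input can
# never close the string and start a new clause. The block form of gsub
# inserts the literal verbatim (no backreference interpretation).
def bind_sql(template, *values)
  values = values.dup
  template.gsub('?') do
    raise ArgumentError, 'too few bind values' if values.empty?
    quote_sql(values.shift)
  end
end

# The mistake the episode warns about, spelled out: raw input inside the SQL text.
def unsafe_search_sql(search)
  "SELECT * FROM projects WHERE name like '%#{search}%'"
end

# The episode's fix: bind the pattern through ?.
def safe_search_sql(search)
  bind_sql('SELECT * FROM projects WHERE name like ?', "%#{search}%")
end

# LIKE treats % and _ as wildcards even inside a bound literal. Escaping
# them keeps a search for "50%_off" from matching every name that starts
# with "50" (and keeps a bare "%" search from returning the whole table).
def escape_like(term, escape = '\\')
  term.gsub(/[\\%_]/) { |c| escape + c }
end

def wildcard_safe_search_sql(search)
  bind_sql("SELECT * FROM projects WHERE name like ? ESCAPE '\\'", "%#{escape_like(search)}%")
end

PAYLOAD = "' OR 1=1 --"   # constructed attacker input for params[:search]

def sqli_demo
  {
    :unsafe => unsafe_search_sql(PAYLOAD),
    :safe   => safe_search_sql(PAYLOAD),
    :wild   => wildcard_safe_search_sql('50%_off')
  }
end

puts sqli_demo.inspect if $PROGRAM_NAME == __FILE__
```

In the unsafe output the attacker's quote closes the pattern and `OR 1=1` widens the WHERE clause to every row (the `--` comments out the trailing `%'`); in the safe output the quote is doubled and the whole payload is just a string that no project name matches.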

#7 HTML Injection (XSS)

<!-- projects/show.html.erb -->
<!-- h escapes &, <, > and " so a task name such as <script>...</script> is displayed as text instead of executed -->
<%=h task.name %>
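The following is an added example, not the view from the episode: it renders a small ERB template with and without h() against a constructed malicious task name, using the same ERB::Util.h helper that Rails views call, and shows one case h() does not cover. The Task struct, the two template strings, safe_url and the EVIL record are constructed here.

```ruby
require 'erb'
include ERB::Util   # provides h() (html_escape), the helper the view uses

# Added example (not the episode's view). Task, the templates, safe_url and
# EVIL are assumptions made for this example.
Task = Struct.new(:name, :url)

# Same markup, with and without h() on the user-controlled values.
UNSAFE_TEMPLATE = '<li><a href="<%= task.url %>"><%= task.name %></a></li>'
SAFE_TEMPLATE   = '<li><a href="<%=h task.url %>"><%=h task.name %></a></li>'

def render(template, task)
  ERB.new(template).result(binding)
end

# h() turns HTML metacharacters into entities, which defeats tag and
# attribute injection. It does NOT validate URLs: "javascript:alert(1)"
# contains no metacharacter and survives h() untouched, so href/src values
# additionally need a scheme whitelist. Protocol-relative "//evil" is
# rejected too.
def safe_url(url)
  url =~ %r{\A(https?://|/(?!/))}i ? url : '#'
end

EVIL = Task.new('<script>alert(document.cookie)</script>', 'javascript:alert(1)')

def xss_demo
  {
    :unsafe => render(UNSAFE_TEMPLATE, EVIL),   # script tag lands in the page as markup
    :safe   => render(SAFE_TEMPLATE, EVIL),     # script tag is shown as text
    :url    => safe_url(EVIL.url),              # "#": javascript: scheme refused
    :ok_url => safe_url('/projects/2')          # relative app path passes
  }
end

puts xss_demo.inspect if $PROGRAM_NAME == __FILE__
```

The Rails 3 change discussed in the comments (escape by default, raw() to opt out) removes the "forgot to call h" failure mode for text content, but the URL-scheme problem is the same either way: escaping is context-specific, and an href is not a text node.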

45 comments

1. torsten Sep 07, 2009 at 01:37

If you run mod_php it's quite simple to deactivate PHP for a directory tree. Just create a file .htaccess in the base directory of that tree and add one line to it:

php_flag engine off

Make sure the webserver can read that file.


2. sthapit Sep 07, 2009 at 01:46

This is perfect - just what I need to do but was putting off.


3. RainChen Sep 07, 2009 at 04:09

Appending the string "GIF89" to the uploaded file will bypass the content_type filter, for example:

GIF89
<?php phpinfo(); ?>


4. Fredd Sep 07, 2009 at 04:35

It's so easy to forget these h methods. Looking forward to Rails 3, anyone know when it's ready?


5. Brian Armstrong Sep 07, 2009 at 05:45

Thanks Ryan! Just updated a couple of my apps. These are easy to forget and it's nice to have a solid checklist in place. One of your most important screen casts yet!
Brian


6. José Mota Sep 07, 2009 at 06:25

Ryan, about Rails 3 and the h() method: what's the function to unescape a string, i.e., the contrary of h()? :P

Thanks! Great cast today.


7. Michael Sep 07, 2009 at 06:42

Even by the high standards one usually encounters on Railscasts, this is a fantastically concise description of major security flaws for all rails developers to be aware of.


8. giates Sep 07, 2009 at 08:04

@Josè: I think you can use <%= raw(text) %>


9. RainChen Sep 07, 2009 at 10:05

There is a plugin for the h() issue.

http://code.google.com/p/xss-shield/

XSS Shield protects your views against cross-site scripting attacks without error-prone manual escaping with h().

Instead of:

  <h3><%= h(item.name) %></h3>
  <p><%= link_to "#{h(item.first_name)}'s stuff", :action => :view, :id => item %></p>
You will be able to write:

  <h3><%= item.name %></h3>
  <p><%= link_to "#{item.first_name}'s stuff", :action => :view, :id => item %></p>


10. markiv Sep 07, 2009 at 14:24

Hi Ryan,

Thanks a lot for all these tutorials. You are doing a wonderful job. You have been a major driving force for many like me, making learning Rails easier and motivational. Thanks once again :)


11. Maz Sep 07, 2009 at 14:46

Paperclip also allows users to view other users' uploads. What's best is simply not to store files in the public directory and then use send_file. send_file would not execute any scripts.


12. dazonic Sep 08, 2009 at 00:32

Hey man, I hit you up on Twitter the other day, wondering about all the attr_accessibles in nifty-scaffold; I still didn't understand when you said security issues. Now I know, cheers mate!


13. christian Sep 08, 2009 at 05:12

God damn, nice episode. I'm grateful for all the time you save me with these short, to-the-point videos. This one was very useful!


14. Marina Sep 08, 2009 at 06:11

Very nice and useful, I'm gonna use it


15. Sephi-Chan Sep 08, 2009 at 06:58

Hi,

Thanks for all your screencasts !

What did you do to get this console? It's very nice!

Sephi-Chan


16. Adam Hill Sep 08, 2009 at 07:18

And people, don't forget to upgrade to 2.3.4 because of the h() HTML escaping XSS vulnerability.


17. Blake Sep 08, 2009 at 07:27

It's all the old song :) But it's good to refresh one's knowledge.
One more thanks, Ryan!


18. Dinooz Sep 08, 2009 at 07:32

Thank you for keeping Rails alive. Somehow I got all excited about the technology... got a couple of books, watched the screencasts and developed some applications to play with it, even learned the basics of git ;-).

Lately I feel like the momentum and energy are starting to vanish a bit... The Brazilian podcast quit posting news, the Envycast split as well. Peepcode started posting some other topics to keep it profitable, which I understand and don't blame at all, but I really hope you keep the Rails momentum going. It's a great technology and a really fun and cool way to develop applications. I'm just afraid the direction is not clear and every day we see fewer and fewer people in the community.

Thank you Ryan for being our sensei in the Ruby on Rails development world. I can't agree more: thank you for all your hard work and your screencasts. I really enjoy your videos at Pragmatic TV.

Best Regards, Dinooz.

@Sephi-Chan Ryan mentioned on the previous Railscast that he used the hirb gem or something like it to give MySQL-like output. Yes, I agree, really cool.


19. Joseph Silvashy Sep 08, 2009 at 10:05

Ryan, I have a bad feeling you have a bunch of rails developers fixing the flaws in their sites this week, especially now that you've shown all these flaws many people might not have known they had...

Thanks! Great Railscast again!


20. Bijan Rahnema Sep 08, 2009 at 17:10

Hey Ryan,
thank you very much for this awesome screencast! I really enjoy your stuff! Keep up the good work :)
Kind regards
Bijan


21. Police Ready Sep 09, 2009 at 18:30

Great screencast and information.

Rails' ability to scope at the association level makes it excellent and easy to use and understand!

Love it


22. Police Ready Sep 09, 2009 at 18:32

Also, anyone know how to get the console to display the model information like Ryan has it in the screencast? When he does a find, it shows a table with the attributes. Is that a plugin?


23. Jeffrey Lee Sep 09, 2009 at 19:05

Please add captcha!

Great stuff Ryan. What do you suggest to give administrators the opportunity to do mass assignment (change ownership, etc.) without making the controllers bloated?


24. Arash Sep 09, 2009 at 20:27

Jeffrey, try the trusted-params plugin at http://github.com/ryanb/trusted-params/tree/master


25. test_date Sep 10, 2009 at 07:00

Great resource!!!

Want to test your server date.

Greets from Germany (UTC + 1)


26. Cat Worms Sep 10, 2009 at 09:46

Thanks for sharing all the flaws that could put a programmer in trouble. It's easy to leave something open, especially after leaving a project and coming back to complete it later.


27. Tobias Sep 11, 2009 at 05:10

Police Ready, it's hirb (http://github.com/cldwalker/hirb/tree/master). In console require 'hirb' and do Hirb.enable. Now the records should be shown in that table format.


28. observer Sep 11, 2009 at 09:27

A great resource presented in a very compact way, so thanks. Keep up the good work.


29. Dekabristich Sep 12, 2009 at 11:53

Very useful tips, I've used them and will keep using them.


30. Jaime Iniesta Sep 18, 2009 at 09:28

A nice checklist to keep in mind while developing rails sites!

Thanks, Ryan


32. Marek de Heus Sep 24, 2009 at 02:08

Ryan,

Great episode!

I tried to reproduce the issue you mentioned about uploading files with an incorrect content-type, while using the validates_attachment_content_type validation:

http://gist.github.com/192625

However, Paperclip seems to handle these properly. It seems that this validation does more than its name implies ;-).


33. arnau Sep 25, 2009 at 02:22

As for the "#1 Mass Assignment" security issue, I largely prefer Merb's approach: filtering sensitive attributes should be done in the controller.

Look at the 'param_protected' plugin for Rails.


34. Luca Guidi Sep 27, 2009 at 13:13

Talking about the mass assignment, there is an interesting topic in Rails Core ML: http://bit.ly/4jfGa


35. Philip (flip) Kromer Oct 04, 2009 at 14:18

Another security hole: filtering fields from serialized objects.

If you set up your users using default RESTful routes, then
  /users/:id.xml
will show all fields by default, including (if they exist) the persistence-token, crypted password, salt, email address and openid.

You can disable the formatted routes, or you can sanitize these fields by overriding to_xml, to_json, etc to always use the
     :only => [...whitelisted fields...]
flag.

I have a plugin at http://github.com/mrflip/attr_visible that helps set defaults for the serialization methods.

----------

Also be thoughtful about fields that should be writable on create but not on update: for example, username, or an "I agree to these terms" flag. Remember, even if they're not present in the form they can be submitted as params.


36. Konstantin Nov 05, 2009 at 09:13

Actually useful information, thanks to the author.


37. Bernhard Nov 14, 2009 at 06:27

Thanks for the great screencast. You are my Ruby Hero!


42. erndEnson Nov 15, 2009 at 14:47

thx ryan,

great cast - as usual!

Lots of your security issues might easily be solved via Rack apps.

Just have a look at http://coderack.org/

e.g. http://coderack.org/users/J-_-L/entries/80-racknotags deletes all "<" and ">" tag elements - and you can use it for every app/framework you use!!


43. Sema Nov 15, 2009 at 15:13

Excellent article! The author deserves respect.

