Sign in through GitHub
7 Security Tips

#178 7 Security Tips

Sep 07, 2009 | 14 minutes | Security, Forms, Views, Active Record
Security is important! Here I show seven different security flaws which are common to Rails applications ranging from mass assignment to CSRF protection.
Click to Play Video ▶
  • Download:
  • source codeProject Files in Zip (193 KB)
  • mp4Full Size H.264 Video (21.8 MB)
  • m4vSmaller H.264 Video (15.2 MB)
  • webmFull Size VP8 Video (41.2 MB)
  • ogvFull Size Theora Video (31.5 MB)
Browse_code Browse Source Code

Resources

#1 Mass Assignment

script/console 
p = Project.find(2)
p.update_attributes(:task_ids => [4])
p.tasks
models/project.rb 
attr_accessible :name, :photo

#2 File Uploads

models/project.rb 
validates_attachment_content_type :photo, :content_type => ['image/jpeg', 'image/png']
# more security required

#3 Filter Log Params

application_controller.rb 
filter_parameter_logging :password

#4 CSRF Protection

application_controller.rb 
protect_from_forgery

#5 Authorizing Ownership

projects_controller.rb 
def show
  @project = current_user.projects.find(params[:id])
end

#6 SQL Injection

projects_controller.rb 
def index
  @projects = current_user.projects.all(:conditions => ["name like ?", "%#{params[:search]}%"])
end

#7 HTML Injection (XSS)

projects/show.html.erb 
<%=h task.name %>