Security is important! Here I show seven different security flaws which are common to Rails applications, ranging from mass assignment to CSRF protection.
If you run mod_php it's quite simple to deactivate PHP for a directory tree. Just create a file .htaccess in the base directory of that tree and add one line to it:
php_flag engine off
Make sure the webserver can read that file.
This is perfect - just what I need to do but was putting off.
Appending the string "GIF89" to the uploaded file will bypass the content_type filter, for example:
GIF89
<?php phpinfo(); ?>
It's so easy to forget these h methods. Looking forward to Rails 3, does anyone know when it's ready?
Thanks Ryan! Just updated a couple of my apps. These are easy to forget and it's nice to have a solid checklist in place. One of your most important screen casts yet!
Brian
Ryan, about Rails 3 and the h() method: what's the function to unescape a string, i.e., the contrary of h()? :P
Thanks! Great cast today.
Even by the high standards one usually encounters on Railscasts, this is a fantastically concise description of major security flaws for all rails developers to be aware of.
@Josè: I think you can use <%= raw(text) %>
There is a plugin for the h() issue.
http://code.google.com/p/xss-shield/
XSS Shield protects your views against cross-site scripting attacks without error-prone manual escaping with h().
Instead of:
<h3><%= h(item.name) %></h3>
<p><%= link_to "#{h(item.first_name)}'s stuff", :action => :view, :id => item %></p>
You will be able to write:
<h3><%= item.name %></h3>
<p><%= link_to "#{item.first_name}'s stuff", :action => :view, :id => item %></p>
Hi Ryan,
Thanks a lot for all these tutorials. You are doing a wonderful job. You have been a major driving force for many like me, making learning Rails easier and motivational. Thanks once again :)
Paperclip also allows for users to view other users' uploads. What's best is simply not to store files in the public directory and then use send_file. send_file would not execute any scripts.
Hey man, I hit you up on Twitter the other day, wondering about all the attr_accessible's in nifty-scaffold; still didn't understand when you said security issues. Now I know, cheers mate!
God damn, nice episode. I'm grateful for all the time you save me with these short, to-the-point videos. This one was very useful!
Hi,
Thanks for all your screencasts!
What did you do to have this console? It's very nice!
Sephi-Chan
And people, don't forget to upgrade to 2.3.4 because of the h() HTML escaping XSS vulnerability.
It's all the old song :) But it's good to refresh knowledge.
One more thanks, Ryan!
Thank you for keeping Rails alive. Somehow I got all excited about the technology... got a couple of books, watched the screencasts and developed some applications to play with it, even learned the basics of git ;-).
Lately I feel like the momentum and energy are starting to vanish a bit... The Brazilian podcast quit posting news, the Envycast split also. Peepcode started posting some other topics to keep it profitable, which I understand and don't blame at all, but I really hope you keep the Rails momentum going. It's a great technology and a really fun and cool way to develop applications. I'm just afraid the direction is not clear and every day we see fewer and fewer people in the community.
Thank you Ryan for being our sensei in the Ruby on Rails development world. Can't agree more; thank you for all your hard work and your screencasts. Really enjoy your videos at Pragmatic TV.
Best regards, Dinooz.
@Sephi-Chan Ryan mentioned on the previous Railscast that he used the hirb gem or something to make the output MySQL-like. Yes, I agree, really cool.
Ryan, I have a bad feeling you have a bunch of rails developers fixing the flaws in their sites this week, especially now that you've shown all these flaws many people might not have known they had...
Thanks! Great Railscast again!
Hey Ryan,
thank you very much for this awesome screencast! I really enjoy your stuff! Keep up the good work :)
Kind regards
Bijan
Please add captcha!
Great stuff Ryan. What do you suggest to give administrators the opportunity to do mass assignment (change ownership, etc.) without making the controllers bloated?
Jeffery, try the trusted-params plugin at http://github.com/ryanb/trusted-params/tree/master
Great resource!!!
Want to test your server date.
Greets from Germany (UTC+1)
Police Ready, it's hirb (http://github.com/cldwalker/hirb/tree/master). In console require 'hirb' and do Hirb.enable. Now the records should be shown in that table format.
A great resource presented in a very compact way, so thanks. Keep up the good work.
This seems to be a way to train consumers to a new model and expectation for "using" this content in a way that is perceived as "legal".
Really.
Ryan,
Great episode!
I tried to reproduce the issue you mentioned about uploading files with an incorrect content-type, while using the validates_attachment_content_type validation:
http://gist.github.com/192625
However, Paperclip seems to handle these properly. It seems that this validation does more than its name implies ;-).
As for the "#1 Mass Assignment" security issue, I largely prefer Merb's approach: filtering sensitive attributes should be done in the controller.
Look at the 'param_protected' plugin for Rails.
Talking about the mass assignment, there is an interesting topic in Rails Core ML: http://bit.ly/4jfGa
Another security hole: filtering fields from serialized objects.
If you set up your users using default RESTful routes, then
/users/:id.xml
will show all fields by default, including (if they exist) the persistence-token, crypted password, salt, email address and openid.
You can disable the formatted routes, or you can sanitize these fields by overriding to_xml, to_json, etc. to always use the
:only => [...whitelisted fields...]
flag.
I have a plugin at http://github.com/mrflip/attr_visible that helps set defaults for the serialization methods.
----------
Also be thoughtful about fields that should be writeable on create but not on update: for example, username, or an "I agree to these terms" flag. Remember, even if they're not present in the form they can be submitted as params.
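The two points in this comment (a serialization whitelist that a caller's :only can narrow but never widen, and fields that are assignable on create but not on update), as an added example that is not from the episode or from the attr_visible plugin. It assumes a plain Ruby stand-in for an ActiveRecord model rather than Rails itself, with the same to_json(options) calling convention.

```ruby
require 'json'

# Stand-in for an ActiveRecord model (assumption: plain Ruby, not Rails, but
# the same to_json(options) calling convention that render :json uses).
class User
  # The only columns that may ever leave the app via /users/:id.json
  PUBLIC_FIELDS = [:id, :username].freeze
  # Columns a client may set when signing up but never change afterwards
  CREATE_ONLY_FIELDS = [:username, :agreed_to_terms].freeze
  UPDATABLE_FIELDS = [:email].freeze

  attr_reader :attributes

  # Loading a row from the database gives the object every column,
  # including persistence_token, crypted_password and salt.
  def initialize(row = {})
    @attributes = row.each_with_object({}) { |(k, v), h| h[k.to_sym] = v }
  end

  # Mass assignment from request params, with a different whitelist
  # for create and for update.
  def self.create(id, params)
    new(id: id).assign(params, CREATE_ONLY_FIELDS + UPDATABLE_FIELDS)
  end

  def update(params)
    assign(params, UPDATABLE_FIELDS)
  end

  # Serialization always applies the whitelist. A caller-supplied :only
  # is intersected with it, so it can narrow but never widen the output.
  def to_json(options = {})
    only = Array(options[:only]).map(&:to_sym)
    only = only.empty? ? PUBLIC_FIELDS : (only & PUBLIC_FIELDS)
    attributes.select { |k, _| only.include?(k) }.to_json
  end

  # Anything in params outside +allowed+ (admin, crypted_password, a
  # re-submitted username on update, ...) is dropped rather than written.
  def assign(params, allowed)
    params.each { |k, v| @attributes[k.to_sym] = v if allowed.include?(k.to_sym) }
    self
  end
end
```

The same intersection pattern applies to to_xml; the :only option is accepted there too.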
Thx Ryan,
great cast - as usual!
Lots of your security issues might easily be solved via Rack apps.
Just have a look at http://coderack.org/
e.g. http://coderack.org/users/J-_-L/entries/80-racknotags deletes all "<" and ">" tag elements, and you can use it for every app/framework you use!!
alert("Yup, you are good")