Ruby on Rails Security Guide
Ruby on Rails does a decent job of handling security concerns in the background. You will still have to configure your application to avoid a few attacks, and plugins are required for the many concerns that Rails handles poorly or not at all.
In this article I describe the security issues relevant to a Ruby on Rails web application. Following DRY, I link to articles with good explanations and solutions wherever they exist. This guide can also be used as a quick security checklist for your current web application.
Authentication
Authentication is the foremost requirement of most web applications: it identifies users and grants them their privileges. Apart from the normal authentication mechanism, Rails has plugins for OpenID, CAS and access control. Build your own authentication system only if your requirements are very unusual or you do not trust the existing implementations.
Plugin - Restful Authentication (recommended) - easy to use and you can tweak it to your requirements.
Other plugins:
http://code.google.com/p/rolerequirement/
http://agilewebdevelopment.com/plugins/activeacl_rails_authorization_system
Acts_as_authenticated - http://technoweenie.stikipad.com/plugins/show/User+Authentication
Super Simple Authentication - http://ariejan.net/2007/08/24/super-simple-...
- Model -
SQL Injection
The problem arises when metacharacters in user input are injected into your database queries. Rails has very good support for avoiding SQL injection, provided you follow its conventions when issuing queries to your database.
Description: Alternate solution - use a hash to specify the conditions in #find.
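The following is an added example, not code from the guide or from ActiveRecord: a minimal re-implementation of the quoting that Rails applies to `?` bind variables and hash conditions, placed beside the string-interpolation form that is vulnerable. The module name QuerySanitizer and its methods are chosen here, and the quote-breaking input is constructed.

```ruby
# Added example (not from the original guide). QuerySanitizer mimics the
# quoting an ActiveRecord adapter applies to bind variables; it is not the
# real ActiveRecord API. Column and table names come from code, never from input.
module QuerySanitizer
  # Quote a Ruby value the way a SQL adapter would: strings are wrapped in
  # single quotes with embedded quotes doubled, numbers pass through, nil is NULL.
  def self.quote(value)
    case value
    when nil     then "NULL"
    when Numeric then value.to_s
    else "'" + value.to_s.gsub("'", "''") + "'"
    end
  end

  # Unsafe: the raw value becomes part of the SQL text, so a quote character
  # in user input changes the structure of the statement.
  def self.interpolated(column, value)
    "SELECT * FROM users WHERE #{column} = '#{value}'"
  end

  # Safe: array form with `?` placeholders, each replaced by a quoted literal.
  def self.with_bind_variables(sql, *binds)
    raise ArgumentError, "bind count mismatch" unless sql.count("?") == binds.size
    binds = binds.dup
    sql.gsub("?") { quote(binds.shift) }
  end

  # Safe: hash form, every key is a column name and every value is quoted.
  def self.with_hash(table, conditions)
    where = conditions.map { |col, val| "#{col} = #{quote(val)}" }.join(" AND ")
    "SELECT * FROM #{table} WHERE #{where}"
  end
end

if __FILE__ == $0
  input = "x' OR '1'='1"   # constructed input containing a quote metacharacter
  puts QuerySanitizer.interpolated("name", input)
  puts QuerySanitizer.with_bind_variables("SELECT * FROM users WHERE name = ?", input)
  puts QuerySanitizer.with_hash("users", :name => input, :active => 1)
end
```

The interpolated query ends up with an extra OR branch, while both safe forms keep the whole input inside one string literal.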
ActiveRecord Validation
Validate the contents of a model object before records are created or modified in the database. ActiveRecord validations are very useful on top of database data-type constraints to ensure that the values entered into the database follow your rules. You may have JavaScript validations on your forms, but JavaScript can easily be switched off; use JavaScript validations only to improve the user experience.
Description: Conditional validation using the :on and :if options. Check out this cool video.
Be careful with validates_uniqueness_of: it has problems when used with the :scope option. Open bug tickets:
http://dev.rubyonrails.org/ticket/9235
http://dev.rubyonrails.org/ticket/8811
http://dev.rubyonrails.org/ticket/8774
- It is easy to manage nil values using :allow_nil, which is quite handy. For example, set :allow_nil => true in validates_uniqueness_of to check the uniqueness of non-nil values and ignore nil values.
- validates_presence_of is not required if you are using validates_format_of, unless the regular expression accepts the empty string.
Creating records directly from parameters
When database records are created directly from form params, a malicious user can add extra fields to the params and submit the page manually, setting values of fields you do not want the user to set.
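An added example, not from the guide: a small class that mimics ActiveRecord's mass assignment (one setter call per submitted key), fed a constructed signup request that carries an extra "admin" field, with and without trimming the params. The Account class and the permitted_params helper are names chosen here, not a Rails API.

```ruby
# Added example (not from the original guide). Account mimics ActiveRecord's
# mass assignment: new(attrs) calls a setter for every key it receives.
class Account
  attr_accessor :login, :email, :admin

  def initialize(attrs = {})
    @admin = false                                       # safe default
    attrs.each { |key, value| send("#{key}=", value) }   # one setter per key, like AR
  end
end

# Keep only the keys the form is supposed to submit; every other key is dropped
# before it can reach a setter. (Helper written here, not a Rails method.)
def permitted_params(params, allowed)
  allowed.each_with_object({}) do |key, kept|
    kept[key] = params[key] if params.key?(key)
  end
end

# Constructed request: a normal signup form plus an "admin" field that the
# user added to the submitted page by hand.
SIGNUP_PARAMS = { "login" => "alice", "email" => "alice@example.com", "admin" => "1" }

# Unsafe: Account.new(params) lets the extra field set the privileged attribute.
def unsafe_signup(params)
  Account.new(params)
end

# Safe: only login and email survive the trim, so admin keeps its default.
def safe_signup(params)
  Account.new(permitted_params(params, %w[login email]))
end
```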
Description: Alternate solution - trim the parameters to keep the required keys and remove the others.
- Controller -
Exposing methods
Use private and protected in controllers for methods that should not be actions. Actions are public methods and can be invoked from the browser.
hide_action: if non-action controller methods must be public, hide them using hide_action. Be careful of bypassing private and protected through meta-programming.
Authorize parameters
Always authorize user requests. By tweaking form parameters or the URL, a user can send a request to view or modify other users' information if the parameters are not properly authorized.
For example:
```ruby
## To find information of an order which belongs to a particular user.
```
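An added example, not the guide's own code: the unscoped lookup that trusts params[:id] alone, beside the lookup scoped to the logged-in user. Order, ORDERS (a constructed table of three rows) and the two finder functions are stand-ins for ActiveRecord models and association finders.

```ruby
# Added example (not from the original guide). Order and ORDERS stand in for an
# ActiveRecord model and its table; the rows are constructed.
Order = Struct.new(:id, :user_id, :total)
ORDERS = [Order.new(1, 10, 25.0), Order.new(2, 11, 99.0), Order.new(3, 10, 7.5)]

class NotFound < StandardError; end

# Unsafe: trusts params["id"] alone, so changing the id in the URL returns
# another user's order (the equivalent of Order.find(params[:id])).
def find_order_unscoped(params)
  ORDERS.find { |o| o.id == params["id"].to_i } or raise NotFound
end

# Safe: the lookup is scoped to the logged-in user, the equivalent of
# current_user.orders.find(params[:id]); someone else's order is simply not found.
def find_order_for(current_user_id, params)
  ORDERS.find { |o| o.id == params["id"].to_i && o.user_id == current_user_id } or
    raise NotFound
end
```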
Filter sensitive logs
Prevent logging of sensitive unencrypted data by using #filter_parameter_logging in the controller. The default behavior is to log request parameters in the production as well as the development environment, and you do not want passwords, credit card numbers, etc. in your logs.
Cross Site Reference (or Request) Forgery (CSRF)
In a CSRF attack, the attacker makes the victim click a link of his choice which contains a GET/POST request and causes the web application to take a malicious action. The link could be embedded in an iframe or an img tag. It is recommended to use a secret token when communicating with the user to avoid this attack.
This attack is a little complex to understand, so only readers who are keen to know about it need read the Description below; the rest can move ahead and use the plugin.
Description: Use GET and POST appropriately (note: both GET and POST are vulnerable to CSRF). Example - Gmail CSRF security flaw.
Plugin - CSRF Killer (recommended) - it requires edge Rails. http://activereload.net/2007/3/6/your-requests-are-safe-with-us
Security extension - http://svn.aviditybytes.com/rails/plugins/security_extensions/
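An added example, not the CSRF Killer plugin's code: the secret-token pattern the guide recommends, with the token issued into the session, embedded in forms, and verified on state-changing requests. CsrfGuard and its method names are chosen here; the session is modelled as a plain hash.

```ruby
require "securerandom"

# Added example (not from the original guide or the plugin). CsrfGuard shows
# the secret-token pattern; the names are chosen here.
module CsrfGuard
  # Issued once per session; the token lives only in the server-side session.
  def self.issue_token(session)
    session[:csrf_token] ||= SecureRandom.hex(32)
  end

  # Embedded in every form. A page on another origin can trigger the request
  # but cannot read this value, so it cannot supply a matching token.
  def self.hidden_field(session)
    %(<input type="hidden" name="authenticity_token" value="#{issue_token(session)}" />)
  end

  # Verify on state-changing requests. GET is not checked, which is why GET
  # must never modify state (the guide's "use GET and POST appropriately").
  def self.verified?(session, method, params)
    return true if method == "GET"
    expected = session[:csrf_token]
    given = params["authenticity_token"]
    return false if expected.nil? || given.nil?
    secure_compare(expected, given)
  end

  # Constant-time comparison so the token cannot be recovered byte by byte
  # from response timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) } == 0
  end
end
```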
Minimize session attacks
If an attacker has the session id of your user, he can craft HTTP requests to access the user's account. An attacker can obtain the session id by direct access to the user's machine or by successfully running malicious scripts on it. In this section we discuss how to avoid or minimize the risk when an attacker has a user's session id. The following steps help:
- Store the IP address, though this creates problems if the user moves from one network to another.
- Create a new session every time someone logs in.
- Expire the session on user logout, after the user has been idle for a time period, or on closing of the browser/tab. For maximum security expire sessions on all three conditions.
```ruby
## Timeout after inactivity of one hour.
ActionController::Base.session_options[:session_expires] = <say after two years>
```
Stop spam on your website using DNS blacklists
Deny access to your website from IP addresses that are present in a DNS blacklist (DNSBL).
Plugin - DNSBL check
Caching authenticated pages
Page caching bypasses any security filters in your application, so avoid caching authenticated pages and use action or fragment caching instead.
- View -
Cross site scripting (XSS) attack
Cross site scripting is a technique found in web applications that allows malicious users to inject code into the web pages viewed by other users. An attacker can steal a user's login by stealing his cookie; the most common method is to place JavaScript on a page that sends the session cookie to the attacker. To avoid the attack, escape HTML metacharacters, which prevents execution of malicious JavaScript. Ruby on Rails has built-in methods like escape_html() (h()), url_encode(), sanitize(), etc. to escape HTML metacharacters.
Description: Can we avoid the tedious use of h() in views? sanitize() is used to strip script tags and other malicious content while leaving other HTML tags in place. Avoid using it, it is insecure; use white_list instead. White_list plugin
Anti-spam form protection
Use Captcha or JavaScript-based form protection techniques to ensure that only humans can submit forms successfully.
When using Captcha, ensure the following:
- Images are rendered on the web page using send_data and are not stored on the server; storing the images is not required and they are redundant.
- Avoid the algorithms used by standard Captcha plugins, as they can easily be broken; instead tweak an existing algorithm or write your own.
- Use a Captcha that does not store the secret code or images in the filesystem, or you will have trouble using it with multiple servers.
Inverse Captcha for Mephisto - http://www.artweb-design.de/projects/mephisto-plugin-inverse...
JavaScript based Form Spam Protection - http://form-spam-protection.googlecode.com/svn/form...
Hide mailto links
Mailto links on a web page can be harvested by e-mail harvesting bots. Use the CipherMail plugin to generate a 1024-bit random key and obfuscate the mailto link.
Plugin - CipherMail
Use password strength evaluators
A lot of people have used password strength evaluators simply because Google uses one in its registration form. You can use one to help your users register with a strong password, but I don't think it is a must-have security add-on. Up to now I have not found a good algorithm to assess the strength of a password, though some of them are reasonable.
Also, if there is an open source tool or algorithm for evaluating password strength, it can easily be broken. So, you might consider tweaking the algorithm or building one from scratch.
Tools
- Miscellaneous -
Transmission of sensitive information
Use SSL to encrypt sensitive data in transit between client and server. SSL hurts server performance, so you might consider using SSL only for the few pages that transfer sensitive data to and fro.
Plugin ssl_requirement; Mongrel, Rails, Apache and SSL; Controller in SSL subdomain; Sample SSL code in Rails
File upload
Be very careful when you allow your users to upload files and make them available to other users for download.
Description: Must read - Section 26.7 of Agile Web Development with Rails, 2nd edition. In place file upload. 3 plugins for file upload reviewed at:
Secure your setup / environment
Proper MySQL configuration
Use good passwords
Security plugins directory
http://www.railslodge.com/plugins
http://railsify.com/categories/security-production
Note : I will keep this security guide updated. Any additions/improvements are welcome.