RAILS SECURITY
Bart ten Brinke
movesonrails.com
bart.tenbrinke@movesonrails.com

Why I did this
After a security presentation at RailsConfEurope 2007, I
found a lot was missing, so I made this.
I didn’t finish it in time for reject conf, so I posted
it on my blog.
No, I am not australian :)

SQL Injection
(Old, but even Jason still does this wrong)
Don’t do this
Person.find(:first, :conditions => “name = #{name}”)
Do this
Person.find(:first, :conditions => [“name = ?”, name])
Or
Person.find_by_name(name)

Cross Site
Scripting (XXS)
Don’t do this in a view
<p>Name: <%= @name %></p>
Do this
<p>Name: <%= h @name %></p>
Don’t forget your link_to’s and images.
If you forget just one you are an easy victim.

Skipping security
Don’t do this
skip_before_filter :check_auth
Do this
skip_before_filter :check_auth, :only =>[:login]
Explicitly specify the actions that skip security.
Otherwise new ones will be unsecure by default

Watch out for the
TO_JSON XSS exploit
Don’t do this in a view
<script>posts = <%= @posts.to_json %></script>
This is fixed in edge rails (6893)
So if you are on 1.2.3, you have a problem.
Write your own to_json for the model or mixin
the patch for ticket 8371 of rails.

Obfuscate passwords
in logging
If your log looks like this
Processing LoginController#create (for 127.0.0.1 at 2007-09-20 18:16:32) [POST]
Session ID: 023b70d61b76c29a0e123e79c8772f4d
Parameters: {\"sign_in\"=>\"Sign in\", \"remember\"=>\"\", \"action\"=>\"create\",
\"username\"=>\"Administrator\", \"controller\"=>\"login\", \"password\"=>\"im1337\"}
Add this to your application.rb
filter_parameter_logging \"password\"

Are you accessable?
Don’t have everything XML or JSON
/mykillerapp/users.xml
<users>
<user>
<id type=\"integer\">3</id>
<username>administrator</username>
<password-hash>
4fc62477c37b2880646336e5b753daef6ae3377b36cab20ddc27c7b933ca6ecd
</password-hash>
<password-salt>ntoRnlDr</password-salt>
</user>
</users>

Production deploy
Don’t do this
production:
adapter: mysql
database: my_killer_app
username: root
password:
host: localhost
Do this
Use decent security in a production environment.
Also strip all the stuff you don’t need from your
tags (like /test).

CONCLUSIONS
These are all examples of things I ran into during about
one year of full-time Rails development. Realize that
there are more! Greetings to everyone who came to
RailsConf Europe 2007. It was inspiring!
If you have any questions, feel free to email me.
Bart ten Brinke
movesonrails.com
bart.tenbrinke@movesonrails.com