Rails is Secure
    1. Rails is Secure but YMMV
       Franck Verrot, Lyon.rb, March 2012
    2. Me!
       • Franck Verrot
       • http://twitter.com/cesariogw
       • http://github.com/cesario
       • Co-Founder of evome
       • Currently awesoming at shazino
    3. @hamakov
    4. @hamakov
       • Hacked GitHub
    5. @hamakov
       • Hacked GitHub
       • Exploited bad architecture
    6. @hamakov
       • Hacked GitHub
       • Exploited bad architecture
       • Exploited current Rails worst practices
    7. Software Architecture 101
    8. SOLID principles
       • Single Responsibility
       • Open/Closed
       • Liskov Substitution
       • Interface Segregation
       • Dependency Inversion
    9. Current practices
    10. What's the problem? Rails + ActionPack

        class PostsController < ApplicationController
          respond_to :html, :json

          def index
            # the controller refers to the Post constant (the DB table) directly
            respond_with(@posts = Post.all)
          end
        end
    12. Architecture at risk (scary title I know)
    13. Issues
        • Tight coupling: referencing a constant
        • Hard to test: referencing a constant
        • AR pattern FTL: DB table in a form!?
    14. Refactor!
    15. (Wrong) Solutions
        • Think attr_accessible is the way to go
        • config.active_record.whitelist_attributes = true
    16. (Better) Solutions (YMMV)
        • Ban "params" (Rails #2510 "request.params")
        • Use an ActiveModel object for validating parameters
    17. (Other) Solutions (WIP)
        • https://github.com/technoweenie/tainted_hash
        • https://github.com/rails/strong_parameters
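As an added illustration of the "ActiveModel object for validating parameters" approach from slide 16 (my own example, not code from the talk; Post, PostForm and create_post are plain-Ruby stand-ins so it runs without Rails): the unfiltered Post constructor, which is what a form posting straight into a DB table amounts to, beside a form object that whitelists and validates the request parameters before anything reaches the model.

```ruby
# Constructed stand-in for an ActiveRecord model: every column, including
# the privileged "published" one, is writable from a hash (mass assignment).
class Post
  attr_accessor :title, :body, :published

  def initialize(attrs = {})
    attrs.each { |k, v| public_send("#{k}=", v) } # no whitelist at all
  end
end

# Form object in the ActiveModel spirit: the only object the controller
# hands to the persistence layer, with an explicit list of allowed keys.
class PostForm
  PERMITTED = %w[title body].freeze
  attr_reader :errors, :attributes

  def initialize(params)
    keys = params.transform_keys(&:to_s)
    @attributes = keys.slice(*PERMITTED)      # keep only permitted keys
    @unpermitted = keys.keys - PERMITTED      # remember what was dropped
    @errors = []
  end

  def valid?
    @errors = []
    @errors << "title can't be blank" if attributes["title"].to_s.strip.empty?
    @errors << "unpermitted parameters: #{@unpermitted.join(', ')}" unless @unpermitted.empty?
    @errors.empty?
  end

  # The model only ever sees the filtered, validated attributes.
  def to_post
    Post.new(attributes)
  end
end

# Controller-action stand-in: never touches params itself, returns the
# Post on success or the list of validation errors otherwise.
def create_post(params)
  form = PostForm.new(params)
  return form.to_post if form.valid?
  form.errors
end
```

Rejecting unpermitted keys outright (rather than silently dropping them) makes an attempted write to a column the form never exposed show up in logs and test output.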
    18. Layered Architectures!
    19. Thanks for listening! Q&A