
Screencast: 7 Security Tips

Download links:

Download (22.2 MB, 14:53)

Alternative download for iPod & Apple TV (16.9 MB, 14:53)

Further resources:

  • Rails Security Guide
  • Full episode source code

Links and source code for the individual examples:

1 Mass Assignment:

[ruby]
# script/console: the extra task_ids key is written through by mass assignment
p = Project.find(2)
p.update_attributes(:task_ids => [4])
p.tasks

# models/project.rb: whitelist the attributes that may be mass-assigned
attr_accessible :name, :photo
[/ruby]
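As an added example (not code from the screencast), here is the same problem and fix in plain Ruby, so it can be run without Rails: a model that accepts every submitted key versus one that applies only a whitelist in the role of `attr_accessible :name, :photo`. The class, constant and method names, and the tampered parameters, are assumptions constructed for this demo.

```ruby
# Added example, not from the screencast: a plain-Ruby model that mimics the
# attr_accessible whitelist so the mass-assignment problem and its fix can be
# run without Rails. Project, ACCESSIBLE and the method names are assumptions.
class Project
  # Plays the role of `attr_accessible :name, :photo`.
  ACCESSIBLE = [:name, :photo].freeze

  attr_reader :name, :photo, :task_ids

  def initialize(name, task_ids = [])
    @name = name
    @photo = nil
    @task_ids = task_ids
  end

  # Unsafe variant: every submitted key is written through, so an extra
  # form field such as task_ids reassigns the project's tasks.
  def update_attributes_unchecked(attrs)
    attrs.each { |key, value| instance_variable_set("@#{key}", value) }
    self
  end

  # Hardened variant: only whitelisted keys are applied. Returns the keys
  # that were dropped so the caller can log the attempt.
  def update_attributes(attrs)
    rejected = []
    attrs.each do |key, value|
      if ACCESSIBLE.include?(key.to_sym)
        instance_variable_set("@#{key}", value)
      else
        rejected << key.to_sym
      end
    end
    rejected
  end
end

# Constructed parameters, shaped like a form submission carrying an extra field.
TAMPERED_PARAMS = { "name" => "Renamed", "task_ids" => [4] }.freeze

def mass_assignment_demo
  unchecked = Project.new("Original", [1, 2])
  unchecked.update_attributes_unchecked(TAMPERED_PARAMS)

  checked = Project.new("Original", [1, 2])
  rejected = checked.update_attributes(TAMPERED_PARAMS)

  {
    unchecked_task_ids: unchecked.task_ids,  # [4]: tasks were reassigned
    checked_task_ids: checked.task_ids,      # [1, 2]: untouched
    checked_name: checked.name,              # "Renamed": whitelisted key applied
    rejected: rejected                       # [:task_ids]: dropped and reported
  }
end

puts mass_assignment_demo.inspect if $PROGRAM_NAME == __FILE__
```

Returning the rejected keys rather than silently dropping them is worth keeping: a log line for every rejected `task_ids` is a cheap detection signal for someone probing the form.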

2 File Uploads (see also: Disabling Script Execution with Apache)

[ruby]
# models/project.rb: only accept JPEG and PNG uploads
validates_attachment_content_type :photo, :content_type => ['image/jpeg', 'image/png']
# more security required: the content type is supplied by the client
[/ruby]
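The "more security required" comment is the important part: the content type a browser declares is chosen by the client, so a validation on it alone is not a check of the file. As an added example (not code from the screencast), the following plain-Ruby check compares the upload's first bytes against the standard JPEG and PNG signatures before trusting the declared type. The constant and method names and the sample uploads are assumptions constructed for this demo.

```ruby
require "stringio"

# Added example, not from the screencast: checks the upload's leading bytes
# against the declared content type, because the Content-Type a browser sends
# is chosen by the client. Signatures are the standard JPEG and PNG ones;
# the constant and method names are assumptions for this demo.
IMAGE_SIGNATURES = {
  "image/jpeg" => "\xFF\xD8\xFF".b,
  "image/png"  => "\x89PNG\r\n\x1A\n".b
}.freeze

# True only if the declared type is on the allow-list AND the file really
# starts with that type's signature. The IO is rewound so it can still be stored.
def valid_image_upload?(declared_type, io)
  signature = IMAGE_SIGNATURES[declared_type]
  return false unless signature

  head = io.read(signature.bytesize)
  io.rewind
  return false if head.nil?   # empty or truncated file

  head.b == signature
end

# Constructed sample uploads.
REAL_PNG    = "\x89PNG\r\n\x1A\n\x00\x00\x00\rIHDR".b
TEXT_AS_PNG = "not an image at all".b   # declared as image/png, but is not one

def upload_demo
  {
    real_png:    valid_image_upload?("image/png", StringIO.new(REAL_PNG)),     # true
    text_as_png: valid_image_upload?("image/png", StringIO.new(TEXT_AS_PNG)),  # false
    wrong_type:  valid_image_upload?("image/jpeg", StringIO.new(REAL_PNG)),    # false
    not_allowed: valid_image_upload?("text/html", StringIO.new(REAL_PNG))      # false
  }
end

puts upload_demo.inspect if $PROGRAM_NAME == __FILE__
```

A signature check complements, rather than replaces, serving uploads from a location where the web server will not execute scripts (the linked "Disabling Script Execution with Apache" covers that side).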

3 Filter Log Params (see also: Episode 9: Filtering Sensitive Logs)

[ruby]
# application_controller.rb: keep passwords out of the request log
filter_parameter_logging :password
[/ruby]
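As an added example (not code from the screencast), this plain-Ruby filter does what `filter_parameter_logging :password` does before parameters reach the log: any key containing "password" (case-insensitive, so `password_confirmation` is covered too) is replaced by `[FILTERED]`, including inside nested hashes and arrays. The pattern list, method name and sample parameters are assumptions constructed for this demo.

```ruby
# Added example, not from the screencast: a parameter filter that does what
# `filter_parameter_logging :password` does before params reach the log.
# Like Rails, it matches the key as a case-insensitive substring, so
# password_confirmation is filtered too. Names are assumptions for this demo.
FILTERED_KEY_PATTERNS = [/password/i].freeze

def filter_params(params)
  case params
  when Hash
    params.each_with_object({}) do |(key, value), out|
      out[key] = if FILTERED_KEY_PATTERNS.any? { |pat| key.to_s.match?(pat) }
                   "[FILTERED]"
                 else
                   filter_params(value)   # recurse into nested hashes and arrays
                 end
    end
  when Array
    params.map { |item| filter_params(item) }
  else
    params
  end
end

# Constructed request parameters, as a login form might send them.
LOGIN_PARAMS = {
  "user" => {
    "login" => "alice",
    "password" => "hunter2",
    "password_confirmation" => "hunter2"
  },
  "remember_me" => "1"
}.freeze

def filtered_login_params
  filter_params(LOGIN_PARAMS)
end

puts filtered_login_params.inspect if $PROGRAM_NAME == __FILE__
```

The filter builds a new hash instead of mutating the request's params, so the controller still sees the real password while only the log copy is redacted.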

4 CSRF Protection (see also: Cross-site Request Forgery; Rails authenticity token with jQuery)

[ruby]
# application_controller.rb: require the authenticity token on non-GET requests
protect_from_forgery
[/ruby]
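As an added example (not code from the screencast), here is what `protect_from_forgery` does, in plain Ruby: a random token is stored in the session, and every state-changing request must echo it back, either as the `authenticity_token` form field or, for the jQuery case, in a request header (`X-CSRF-Token` is the header name later Rails versions use). The function names and the session and request hashes are assumptions constructed for this demo.

```ruby
require "securerandom"

# Added example, not from the screencast: the mechanics behind
# protect_from_forgery in plain Ruby. A per-session random token is issued,
# and every state-changing request must echo it back, either as the
# authenticity_token form field or (for the jQuery case) in an
# X-CSRF-Token header. Names are assumptions for this demo.

def csrf_token_for(session)
  session[:_csrf_token] ||= SecureRandom.base64(32)
end

# Constant-time comparison so the token cannot be recovered byte by byte
# through timing differences.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# GET and HEAD are expected to be side-effect free and are not checked.
# For everything else the submitted token must match the session's token.
def verified_request?(method, session, params = {}, headers = {})
  return true if %w[GET HEAD].include?(method.to_s.upcase)

  expected  = session[:_csrf_token]
  submitted = params["authenticity_token"] || headers["X-CSRF-Token"]
  return false if expected.nil? || submitted.nil?

  secure_compare(expected, submitted)
end

def csrf_demo
  session = {}
  token = csrf_token_for(session)   # rendered into the form / page header
  {
    form_post:  verified_request?("POST", session, { "authenticity_token" => token }), # true
    ajax_post:  verified_request?("POST", session, {}, { "X-CSRF-Token" => token }),   # true
    missing:    verified_request?("POST", session),                                    # false
    wrong:      verified_request?("POST", session, { "authenticity_token" => "x" }),   # false
    other_sess: verified_request?("POST", {}, { "authenticity_token" => token }),      # false
    plain_get:  verified_request?("GET", session)                                      # true
  }
end

puts csrf_demo.inspect if $PROGRAM_NAME == __FILE__
```

The exemption for GET is only safe if GET handlers really have no side effects; an action that deletes or updates on GET is unprotected no matter how the token is checked.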

5 Authorizing Ownership

[ruby]
# projects_controller.rb: scope the lookup to the current user's projects
def show
  @project = current_user.projects.find(params[:id])
end
[/ruby]

6 SQL Injection (see also: Episode 25: SQL Injection)

[ruby]
# projects_controller.rb: pass the search term as a bound value, never interpolated
def index
  @projects = current_user.projects.all(:conditions => ["name like ?", "%#{params[:search]}%"])
end
[/ruby]
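As an added example (not code from the screencast), here is a minimal plain-Ruby stand-in for what the `?` placeholder does, namely turning each value into a quoted SQL literal, next to the interpolated form it replaces. Quoting is simplified to the SQL-standard doubling of single quotes (a real adapter does more, such as backslash escaping on MySQL); the function names and the search term are assumptions constructed for this demo.

```ruby
# Added example, not from the screencast: a minimal stand-in for what the
# `?` placeholder does, namely turning each value into a quoted SQL literal,
# contrasted with interpolating params[:search] straight into the string.
# Quoting here is the SQL-standard doubling of single quotes (a real adapter
# does more, e.g. backslash escaping on MySQL). Names are assumptions.

def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Fills each `?` in the template with a quoted literal. Splitting first
# means a `?` inside a value can never be mistaken for a placeholder.
def build_query(template, *values)
  parts = template.split("?", -1)
  unless parts.size - 1 == values.size
    raise ArgumentError, "expected #{parts.size - 1} values, got #{values.size}"
  end
  parts.each_with_index.map do |part, i|
    i < values.size ? part + quote_literal(values[i]) : part
  end.join
end

# The two ways of writing the index action's search condition.
def interpolated_search(search)     # vulnerable: input becomes SQL syntax
  "SELECT * FROM projects WHERE name like '%#{search}%'"
end

def parameterized_search(search)    # what the `?` form expands to
  build_query("SELECT * FROM projects WHERE name like ?", "%#{search}%")
end

# A quick structural check: in a statement built from one string literal,
# single quotes come in pairs. An odd count means the input broke out of the
# literal and now takes part in the statement's structure.
def literal_intact?(sql)
  sql.count("'").even?
end

SEARCH_WITH_QUOTE = "O'Reilly"   # constructed input; any apostrophe does it

def sql_demo
  bad  = interpolated_search(SEARCH_WITH_QUOTE)
  good = parameterized_search(SEARCH_WITH_QUOTE)
  {
    interpolated: bad,                             # ... like '%O'Reilly%'
    interpolated_intact: literal_intact?(bad),     # false
    parameterized: good,                           # ... like '%O''Reilly%'
    parameterized_intact: literal_intact?(good)    # true
  }
end

puts sql_demo.inspect if $PROGRAM_NAME == __FILE__
```

Note that quoting keeps the input inside the literal, but it does not neutralise the LIKE wildcards `%` and `_` in the search term; that is intended here, since the action wraps the term in `%` itself, but it matters if a column should be matched exactly.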

7 HTML Injection (XSS) (see also: Episode 27: Cross Site Scripting)

[ruby]
<%# view: escape user-supplied values with h before output %>
<%=h task.name %>
[/ruby]
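As an added example (not code from the screencast), the view line above can be exercised with Ruby's standard-library ERB, where `h` is `ERB::Util#html_escape`, the same helper Rails views get. The template is rendered once without and once with `h` so the difference in output is visible. `Task`, `TaskView`, the templates and the sample task name are assumptions constructed for this demo.

```ruby
require "erb"

# Added example, not from the screencast: renders the `<%=h task.name %>`
# line with Ruby's standard-library ERB. `h` here is ERB::Util#html_escape,
# the same helper Rails views get. Task, TaskView and the templates are
# assumptions for this demo.
Task = Struct.new(:name)

class TaskView
  include ERB::Util   # provides h(), an alias of html_escape

  UNSAFE_TEMPLATE = "<li><%= task.name %></li>"   # raw output
  SAFE_TEMPLATE   = "<li><%=h task.name %></li>"  # escaped output

  attr_reader :task

  def initialize(task)
    @task = task
  end

  # The template is evaluated in this instance's binding, so `task` and `h`
  # resolve exactly as they would inside a view.
  def render(template)
    ERB.new(template).result(binding)
  end
end

# Constructed task name containing markup, as a user could submit it.
MARKUP_NAME = "<script>alert(1)</script>"

def render_unsafe(name = MARKUP_NAME)
  TaskView.new(Task.new(name)).render(TaskView::UNSAFE_TEMPLATE)
end

def render_safe(name = MARKUP_NAME)
  TaskView.new(Task.new(name)).render(TaskView::SAFE_TEMPLATE)
end

if $PROGRAM_NAME == __FILE__
  puts render_unsafe   # markup reaches the browser as-is
  puts render_safe     # <li>&lt;script&gt;alert(1)&lt;/script&gt;</li>
end
```

`html_escape` turns `<`, `>`, `&`, `"` and `'` into entities, which is the right treatment for text placed between tags or inside a quoted attribute; a value inserted into a JavaScript block or a URL needs escaping for that context instead.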
