A new screencast has been released today on Screencasts.com. This episode describes seven tips for increasing the security of Rails applications.
Download links:
Download (22.2 MB, 14:53)
Alternative download for iPod & Apple TV (16.9 MB, 14:53)
Further resources:
- Rails Security Guide
- Full episode source code
Links and source code for the individual examples:
1 Mass Assignment:
[ruby]
# script/console
p = Project.find(2)
p.update_attributes(:task_ids => [4])
p.tasks
# models/project.rb
attr_accessible :name, :photo
[/ruby]
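To make the whitelist idea concrete without needing Rails, here is an added example (not code from the episode) that re-implements a minimal attr_accessible / update_attributes pair in plain Ruby; the Project class and the request params are constructed for this illustration.

```ruby
# Added example: a plain-Ruby model that mimics ActiveRecord's attr_accessible
# whitelist, so the effect of the fix can be run outside Rails.
class Project
  # Class-level whitelist, like ActiveRecord's attr_accessible macro
  def self.attr_accessible(*names)
    @accessible = names.map(&:to_s)
  end

  def self.accessible_attributes
    @accessible || []
  end

  attr_reader :name, :photo, :task_ids, :dropped

  def initialize
    @name, @photo, @task_ids = nil, nil, []
    @dropped = []
  end

  # Mimics update_attributes: only whitelisted keys are written; every other
  # key (e.g. a task_ids field added to a forged form) is ignored and recorded
  # so the caller can log it, as Rails does with a warning.
  def update_attributes(params)
    @dropped = []
    params.each do |key, value|
      if self.class.accessible_attributes.include?(key.to_s)
        instance_variable_set("@#{key}", value)
      else
        @dropped << key.to_s
      end
    end
    self
  end

  attr_accessible :name, :photo
end

def demo
  p = Project.new
  # Constructed request params: a legitimate rename plus an injected task_ids
  p.update_attributes(:name => "Roadmap", :task_ids => [4])
  { :name => p.name, :task_ids => p.task_ids, :dropped => p.dropped }
end
```

Without the whitelist every key in params would be written, which is exactly what the console session above exploits.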
2 File Uploads
Disabling Script Execution with Apache
[ruby]
# models/project.rb
validates_attachment_content_type :photo, :content_type => ['image/jpeg', 'image/png']
# more security required
[/ruby]
3 Filter Log Params
Episode 9: Filtering Sensitive Logs
[ruby]
# application_controller.rb
filter_parameter_logging :password
[/ruby]
4 CSRF Protection
Cross-site Request Forgery
Rails authenticity token with jQuery
[ruby]
# application_controller.rb
protect_from_forgery
[/ruby]
5 Authorizing Ownership
[ruby]
# projects_controller.rb
def show
@project = current_user.projects.find(params[:id])
end
[/ruby]
6 SQL Injection
SQL Injection
Episode 25: SQL Injection
[ruby]
# projects_controller.rb
def index
@projects = current_user.projects.all(:conditions => ["name like ?", "%#{params[:search]}%"])
end
[/ruby]
7 HTML Injection (XSS)
Cross Site Scripting
Episode 27: Cross Site Scripting
[ruby]
<!-- projects/show.html.erb -->
<%=h task.name %>
[/ruby]