Security is Hard

Mass Assignment

  • watch for ActiveRecord associations, like has_many and has_many :through
  • watch for user_roles, group_users
  • UPDATE action

Admin

  • use https://
  • use a subdomain
  • use a different domain
  • add a whitelist
  • don't use database attributes for admin?
  • 3rd party (e.g. GitHub) is an option

Routing

  • remove match ':controller(/:action(/:id(.:format)))'
  • avoid match

HTML escape

  • watch for list, breadcrumb
  • break complex HTML helpers into partials
  • don't concat HTML in helpers
  • watch for TinyMCE content
  • sanitize the tags

Search

  • watch for search functions
  • actions with complex options, e.g. [:date], [:order], [:field]
  • actions with complex joins
  • avoid find_by_sql, count_by_sql

Open-source Project

  • replace secret_token.rb after cloning an open-source project
  • when releasing an open-source project, set the token in ENV['SECRET_TOKEN']
  • when releasing an open-source project, add secret_token.rb to .gitignore

Scopes

  • watch for EDIT, UPDATE, DESTROY
  • use scopes to filter out illegal access, returning 404
  • use cancan to authorize resources
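The Mass Assignment and Scopes notes above describe two controls for an UPDATE action. As an added example (not from the gist, and not Rails code), here is a plain-Ruby sketch of both: an attribute whitelist applied before assignment, and a lookup scoped to the current user so that foreign records become a 404. The Post class, permit and update_post are constructed stand-ins for the ActiveRecord behaviour they imitate.

```ruby
# Added example, not from the gist: plain Ruby, no Rails dependency.
# Whitelist of params a user may set. Association writers (group_ids=) and
# ownership (user_id) are deliberately absent: ActiveRecord exposes has_many
# collection setters to mass assignment exactly like ordinary columns.
PERMITTED = %w[title body].freeze

# Keep only whitelisted keys and return the dropped ones so they can be logged.
def permit(params)
  accepted = params.select { |k, _| PERMITTED.include?(k.to_s) }
  rejected = params.keys.map(&:to_s) - PERMITTED
  [accepted, rejected]
end

# The controller maps this to HTTP 404, hiding whether the record exists.
class NotFound < StandardError; end

# Constructed in-memory record. Like ActiveRecord, assign_attributes calls
# "#{key}=" for every key it receives, so filtering must happen before it.
class Post
  attr_accessor :id, :user_id, :title, :body, :group_ids
  def initialize(id, user_id, title)
    @id, @user_id, @title, @body, @group_ids = id, user_id, title, "", []
  end
  def assign_attributes(attrs)
    attrs.each { |k, v| public_send("#{k}=", v) }
  end
end

# Look the record up through the current user's scope (what
# current_user.posts.find(id) does in Rails), then assign only permitted params.
def update_post(posts, current_user_id, id, params)
  post = posts.find { |p| p.id == id && p.user_id == current_user_id }
  raise NotFound, "post #{id} not visible to user #{current_user_id}" unless post
  accepted, rejected = permit(params)
  post.assign_attributes(accepted)
  [post, rejected]
end

if __FILE__ == $PROGRAM_NAME
  posts = [Post.new(1, 10, "draft"), Post.new(2, 20, "someone else's")]
  # Constructed request: retitles, and also tries to change owner and groups.
  post, dropped = update_post(posts, 10, 1, { "title" => "Hello", "user_id" => 99, "group_ids" => [1] })
  puts "title=#{post.title} user_id=#{post.user_id} dropped=#{dropped.inspect}"
  begin
    update_post(posts, 10, 2, { "title" => "x" })
  rescue NotFound => e
    puts "404: #{e.message}"
  end
end
```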

Upgrade

  • upgrade Rails version > 3.2.11