Screencast: 7 Sicherheitstips

Downloadlinks:

Download (22.2 MB, 14:53)

Alternativer Download for iPod & Apple TV(16.9 MB, 14:53)

Weitere Ressourcen:

  • Rails Security Guide
  • Full episode source code

Links und Quellcodes zu den einzelnen Beispielen:

1 Mass Assignment:


# script/console
p = Project.find(2)
p.update_attributes(:task_ids => [4])
p.tasks

# models/project.rb
attr_accessible :name, :photo

2 File Uploads
Disabling Script Execution with Apache

# models/project.rb
validates_attachment_content_type :photo, :content_type => ['image/jpeg', 'image/png']
# more security required

3 Filter Log Params
Episode 9: Filtering Sensitive Logs

# application_controller.rb
filter_parameter_logging :password

4 CSRF Protection
Cross-site Request Forgery
Rails authenticity token with jQuery

# application_controller.rb
protect_from_forgery

5 Authorizing Ownership

# projects_controller.rb
def show
  @project = current_user.projects.find(params[:id])
end

6 SQL Injection
SQL Injection
Episode 25: SQL Injection

# projects_controller.rb
def index
  @projects = current_user.projects.all(:conditions => ["name like ?", "%#{params[:search]}%"])
end

7 HTML Injection (XSS)
Cross Site Scripting
Episode 27: Cross Site Scripting

<!-- projects/show.html.erb -->
<%=h task.name %>
Be Sociable, Share!