Common security holes specific to Rails?

I'm a pretty novice Rails developer, but since most things in Rails are so simple, I'm always afraid that I will add a new security hole when I write my code. For example, just an hour ago I noticed a piece of code that I wrote a few weeks ago, where in the UserController editing method I forgot to check whether the user being edited is the user you are logged in as (i.e. `@user = User.find params[:id]` instead of `@user = current_user`). I wrote it like this because I usually use that pattern for all editing methods (e.g., `@post = Post.find params[:id]`). This will show you the email address of another user.

What are the common security holes in Rails applications that I should be aware of? Things that are easily overlooked due to conventions (like the example above)?

+3
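The lookup pattern from the question, reproduced as an added example (not code from the question or the answer) in plain Ruby without Rails: in-memory `User`/`Post` records, integer ids and the `RecordNotFound`/`NotAuthorized` errors are constructed stand-ins for ActiveRecord, and the unsafe function deliberately keeps the behaviour the question describes so it can be compared with the scoped and authorized versions.

```ruby
# Constructed in-memory stand-ins for ActiveRecord models (example only).
User = Struct.new(:id, :email)
Post = Struct.new(:id, :author_id, :title)

USERS = [User.new(1, "alice@example.com"), User.new(2, "bob@example.com")]
POSTS = [Post.new(10, 1, "Alice's draft"), Post.new(11, 2, "Bob's draft")]

class RecordNotFound < StandardError; end
class NotAuthorized < StandardError; end

# The pattern from the question: the record comes purely from the request
# parameter, so any logged-in user can load (and edit) any other user.
def edit_user_unsafe(_current_user, params)
  USERS.find { |u| u.id == params[:id] } or raise RecordNotFound
end

# Fix 1: for "edit my own account", do not consult params[:id] at all.
def edit_user_safe(current_user, _params)
  current_user
end

# Fix 2: for records owned by the user, scope the lookup to the owner.
# In Rails this is current_user.posts.find(params[:id]), which raises
# ActiveRecord::RecordNotFound when the id belongs to someone else, so a
# foreign id yields a 404 rather than another user's data.
def edit_post_scoped(current_user, params)
  POSTS.find { |p| p.author_id == current_user.id && p.id == params[:id] } or
    raise RecordNotFound
end

# Fix 3: explicit ownership check after an unscoped find, for cases where
# the lookup must stay global but the action is still owner-only.
def edit_post_authorized(current_user, params)
  post = POSTS.find { |p| p.id == params[:id] } or raise RecordNotFound
  raise NotAuthorized unless post.author_id == current_user.id
  post
end

if __FILE__ == $PROGRAM_NAME
  alice = USERS[0]
  puts edit_user_unsafe(alice, id: 2).email   # leaks bob@example.com
  puts edit_user_safe(alice, id: 2).email     # alice@example.com
  begin
    edit_post_scoped(alice, id: 11)
  rescue RecordNotFound
    puts "scoped lookup hides Bob's post from Alice"
  end
end
```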
2 answers

Common-sense problems, as you have illustrated, are probably the most important security issues. Rails has come a long way in creating a more secure structure; for example, SQL injection, which harms many PHP applications, is covered (for the most part) by the sanitized form input that is now used by default. The official word on Rails security is well worth reading: http://guides.rubyonrails.org/security.html

+2

Source: https://habr.com/ru/post/1790260/