Cute, but at least that page in particular is more of an intro to Ruby.
Are there any more higher level resources for implementing security in Ruby/Rails/et al? I’m training my security consultant business partner in the ways of Rails, and resources on what people-consider-to-be-best-practices seem thin on the ground.
Well, the hard part about security in Ruby is that the language is so flexible, if you’re not familiar with it, you can miss entire classes of vulnerabilities. Like “oh, I just monkeypatched #authorized? to always return true.” So it’s kinda necessary.
We have a Rails Guide on security: http://guides.rubyonrails.org/security.html
Well… that’s kind of irrelevant, no?
It gets trickier if you want to load in plugins that other people wrote, sure, but… for the most part as a web developer I’m not thinking about that attack vector – I’m more concerned about people trying to break my app. If they’re eval’ing code the game is already over.
I’m not a terribly big fan of that guide. That said, when I do have any idea on how to improve it, I will duly share it.
Part of the guide is how you may not realize people may eval your code.
For example, there’ve been a few DoS attacks against Rails where some_input.to_sym was getting called… not strictly an eval, but somewhere where you may not think of input being a problem.
I know of Rails apps that actually have Ruby code in a field in the db that gets eval’d. ಠ_ಠ
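The two patterns the thread is pointing at, as an added example that is not code from the thread or from any Rails app it mentions: untrusted input reaching `#to_sym` (or `eval`) directly, beside the allowlist lookup that keeps it out. The column names, the `PRICING_RULES` table and the rule names are made up for illustration.

```ruby
# Added example, not code from the thread above. Two shapes of the same bug
# (client data reaching #to_sym, client/db data reaching eval) next to the
# allowlist lookup that avoids both.
#
# Why #to_sym mattered: on Ruby before 2.2 symbols were never garbage
# collected, so every distinct value an attacker sent to
# `params[:sort].to_sym` stayed in the symbol table until the process died.
# Ruby 2.2+ collects dynamically created symbols, but the allowlist is still
# the right shape, because it also keeps the input away from send/order/where.

# Hypothetical sortable columns (assumption, not from the thread).
ALLOWED_SORT_COLUMNS = %i[name created_at updated_at].freeze

# Vulnerable shape: the client picks the symbol.
def sort_column_unsafe(input)
  input.to_s.to_sym
end

# Hardened shape: look the *string* up and hand back a symbol that already
# existed at boot. Unknown input falls back to a default; nothing attacker
# controlled is ever interned.
SORT_LOOKUP = ALLOWED_SORT_COLUMNS.to_h { |sym| [sym.to_s, sym] }.freeze

def sort_column_safe(input, default: :created_at)
  SORT_LOOKUP.fetch(input.to_s, default)
end

# Same idea for "Ruby code in a db column that gets eval'd": store a key,
# not code, and dispatch through a table of lambdas defined in the app.
# Hypothetical rule names; the thread names no real app or schema.
PRICING_RULES = {
  "full_price"  => ->(cents) { cents },
  "ten_off"     => ->(cents) { cents * 90 / 100 },
  "free_sample" => ->(_cents) { 0 },
}.freeze

# Vulnerable shape: whoever can write that column runs code in the app.
def apply_rule_unsafe(rule_source, cents)
  eval(rule_source).call(cents) # rule_source came straight from the database
end

# Hardened shape: the database holds only a name; unknown names are an error,
# not an execution.
def apply_rule_safe(rule_name, cents)
  rule = PRICING_RULES.fetch(rule_name) do
    raise ArgumentError, "unknown pricing rule #{rule_name.inspect}"
  end
  rule.call(cents)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed probe: the kind of loop a DoS against the unsafe version runs.
  10_000.times { |i| sort_column_unsafe("col_#{i}") }
  puts "unsafe: interned 10_000 attacker-chosen symbols"
  puts "safe: #{sort_column_safe('col_42').inspect}" # :created_at
  puts "safe: #{sort_column_safe('name').inspect}"   # :name
  puts "rule: #{apply_rule_safe('ten_off', 1000)}"   # 900
end
```

The lookup tables are built once at load time from values the application owns, so the only symbols and code paths a request can select are ones that already existed before the request arrived.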