Comments on: rails security review checklist

By: Interesting developments a link dump (some HTML5, some nosql, some Rails, some Agile, some Redis, a touch of Scala, etc., etc.) « turnings

Tue, 09 Feb 2010 12:58:01 +0000

[...] http://www.ultrasaurus.com/sarahblog/2010/01/rails-security-review-checklist [...]

By: Caffeine Driven Development » Blog Archive » L33t Links #74

Caffeine Driven Development » Blog Archive » L33t Links #74 — Fri, 29 Jan 2010 18:27:05 +0000

[...] rails security review checklist [...]

By: Sarah

Sarah — Wed, 27 Jan 2010 13:59:11 +0000

Updated post with (0) on checking Rails and gem versions, also 1Aii for the named_scope conditions. Thanks Mike!

By: Sarah

Sarah — Wed, 27 Jan 2010 13:09:49 +0000

Hi Scott,

I had forgotten to add that mass assignment the list (now added as 1A — good catch!). I haven’t tried it yet, but it seems like the ideal solution to just disable ActiveRecord’s powers of mass assignment.

Here’s the initializer recommended by Eric Chapweske:

config/initializers/disable_mass_assignment.rb
     ActiveRecord::Base.send(:attr_accessible, nil)

Thanks!
Sarah

By: Mike Gunderloy

Mike Gunderloy — Wed, 27 Jan 2010 11:28:21 +0000

On the SQL injection front, you’ll also want to search “conditions” – named scopes, for example, can be vulnerable without having find/first/all in sight.

Another thing to look at is the version of Rails, to make sure that it’s current (or that appropriate patches have been applied). http://groups.google.com/group/rubyonrails-security is the fastest way to get an overview of recent security patches.

For XSS, it’s worth considering installing http://github.com/nzkoz/rails_xss which switches escaping from a “doesn’t happen unless you ask for it” to an “always happens unless you override it” action. This may require application rewrites, but it gives you a safe default.

You need to check all models for appropriate use of attr_accessible/attr_protected to make sure you’re not vulnerable to mass assignment bugs. I’ve particularly seen places where this can be used for escalation of privilege in applications I’ve reviewed.

It’s also worth reviewing the deployment stack, from the operating system through the ruby version to the web server software, to make sure it’s being kept up to date.

By: Scott Bronson

Scott Bronson — Wed, 27 Jan 2010 08:46:26 +0000

Might want to mention mass assignment issues. http://railspikes.com/2008/9/22/is-your-rails-application-safe-from-mass-assignment This one is still found in popular Rails apps.

It’s so easy to fix too: you must use attr_accessible on any model that gets mass-assigned from user-supplied parameters (i.e. @order.update_attributes(params[:order])).

By: Matthew Lang

Matthew Lang — Wed, 27 Jan 2010 08:23:56 +0000

Great list Sarah! It’s been a while since I’ve seen an article on security in Rails. Most previous articles tend to focus on SQL injection and scripting attacks. Good to see other aspects of security in Rails being covered as well.