Jesse Proudman
2008-Nov-06 00:48 UTC
Force ERB templates to prevent making changes to models?
I want to build a system where I can let users write templates that allow read access to Rails objects within and then send these templates out to customers via email. The problem I'm having is that through my tests, it's become obvious that this can create a security risk.

Example: A customer could put text into their template such as:

    @customers = Customer.find(:all)
    @customers.each do |c|
      c.destroy
    end

inside the ERB template and when I call it to render the results like this:

    # Render Template
    @text = ERB.new(lbt.body_content).result(binding)

It will execute the above command and erase all the customers from the database.

All I really want people to be able to do is parse variables I hand into the template, not actually load Rails objects and make changes. That way I can specify and pre-populate what they have access to and plug that security issue.

Does anyone know the best way to do this? I'm assuming there are other ERB commands I can use to render, but I can't seem to find it.

Thanks

- Jesse
--
Posted via http://www.ruby-forum.com/.

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
Frederick Cheung
2008-Nov-06 10:24 UTC
Re: Force ERB templates to prevent making changes to models?
On 6 Nov 2008, at 00:48, Jesse Proudman wrote:

> I want to build a system where I can let users write templates that
> allow read access to Rails objects within and then send these
> templates out to customers via email. The problem I'm having is that
> through my tests, it's become obvious that this can create a security risk.

Have a look at Liquid templates (http://www.liquidmarkup.org/), they were designed with that in mind.

Fred
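The point both posts make, as an added illustration that is not code from either poster or from the Liquid project: ERB evaluates whatever Ruby the template author writes, so the fix is not a different ERB call but a template language that cannot evaluate Ruby at all and can only read values you hand it. Liquid is the production answer; the `render_safely` helper below is a minimal stand-in for that idea (all names and the sample variables are constructed for this example).

```ruby
require 'erb'

# Constructed sample: the only values a template author may read.
def allowed_variables
  { 'first_name' => 'Ada', 'balance' => '42.00' }
end

# Unsafe path: ERB compiles the template to Ruby, so any <% %> or <%= %>
# tag runs arbitrary code with access to every class in the process
# (which is how the template in the original post can call a model).
# result_with_hash is available since Ruby 2.5.
def render_with_erb(template, vars)
  ERB.new(template).result_with_hash(vars)
end

# Safe path: the only syntax recognised is {{ name }}, which is a plain
# lookup in the whitelist hash. Nothing is parsed as Ruby, so ERB tags
# in a hostile template are just copied through as literal text.
PLACEHOLDER = /\{\{\s*([a-z_][a-z0-9_]*)\s*\}\}/

class UnknownVariable < StandardError; end

def render_safely(template, vars)
  template.gsub(PLACEHOLDER) do
    name = Regexp.last_match(1)
    # Fail closed: a name outside the whitelist is an error, not a lookup
    # of something the author was not meant to see.
    raise UnknownVariable, name unless vars.key?(name)
    vars[name].to_s
  end
end

# Convenience for checking the fail-closed behaviour.
def rejects_unknown?(template, vars)
  render_safely(template, vars)
  false
rescue UnknownVariable
  true
end

if __FILE__ == $PROGRAM_NAME
  puts render_with_erb('<%= 6 * 7 %>', {})            # ERB ran Ruby: "42"
  puts render_safely('<%= 6 * 7 %>', allowed_variables) # literal text, nothing ran
  puts render_safely('Hello {{ first_name }}, balance {{balance}}', allowed_variables)
end
```

The same principle applies whichever syntax you pick: the renderer must be a lookup, not an evaluator, and the hash you pass is the complete access list.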