Hi,

I was wondering if someone could help me out in figuring out what I should do with the following issue:

I'd like to secure my Rails app so that no one can sign up to my site using dangerous characters, so I put in my User model a

validates_format_of :name, :with => /^[^][*^}{%&$><|\/.'"]+$/, :message => 'you cant do this, no u cant'

which works like a charm (can't save any of the ] [ * ^ } { % & $ > < | \ / . ' " characters).

Question is, is there any way to apply this regex validation to EVERY aspect of my site that has a connection to my database (i.e. to alter Base::save properties/validations, or do something else I am not aware of)?

MANY MANY thanks for indulging me in this interesting information... much appreciated,

harp
--
Posted via http://www.ruby-forum.com/.

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
Hi Harp,

Not an expert, so take this with a very large pinch of salt.

If your underlying requirement is to stop SQL injection type attacks then Ruby by default protects you in many cases. Code such as User.find(params[:id]) would be safe, as find would escape the string, making it safe.

If you construct SQL code on the fly such as "Select * from user where name = #{@user.name}" then it's not safe and you should use the bind variable facility, which is something like "Select * from user where name = :user_name", {:user_name => params[:name]}

Otherwise look into filters. It would be possible to use these I think, but I am not sure if one can do a before_find filter.

As I say, large dose of salt as I am pretty new to this. Also it would be an idea to get a copy of Agile Web Development with Rails, second edition, which is available in PDF form only as it is still in prerelease form; it covers these topics. The second edition of this book is much better than the first (not that that was bad).

Regards
Sean
Richard Conroy
2006-Nov-07 16:34 UTC
Re: validating the whole app against dangerous characters
On 11/7/06, harp <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> Hi,
>
> I was wondering if someone could help me out in figuring out what I
> should do with the following issue:
>
> I'd like to secure my Rails app so that no one can sign up to my site
> using dangerous characters so I put in my User model a
>
> validates_format_of :name, :with => /^[^][*^}{%&$><|\/.'"]+$/,
> :message => 'you cant do this, no u cant'

Isn't this not covered by the 'h()' method? Which scrubs exploit code like XSS & SQL injection from your inputs?

And shouldn't this really be done in the view, not the model?
> Isn't this not covered by the 'h()' method? Which scrubs exploit code
> like XSS & SQL injection from your inputs?
>
> And shouldn't this really be done in the view not the model?

OK... I may just as well not really know enough about security in Rails, so this thread may be somewhat of a redundant one; but this is my case in a little further detail:

I have a login/signup page, where new users enlist. If someone signed up with a user name such as a%simple;usena{me (with the %;{ dangerous characters) the name would be saved (exactly as "a%simple;usena{me").

So I pass a validate_format method for the User class to stop Base::save so that these characters cannot be written into the SQL table (no user can have these dangerous characters as a name, password, or any other attribute they have).

Problem is, I can't really get that to work (i.e. not for the whole class, but only for the methods I state in validates_format_of :attribute) - I can only validate this for specific attributes.

Is there any way to validate a whole class (so no bad characters will be saved into the SQL table)? There must be SOMETHING like this... no?

many thanks...
harp
Richard Conroy
2006-Nov-07 17:15 UTC
Re: validating the whole app against dangerous characters
On 11/7/06, harp <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> is there any way to validate a whole class? (so no bad characters will
> be saved into the sql-table?) there must be SOMETHING like this...no?

Good question, and I don't know the answer to it. I see where you are coming from all right - you want the _default_ behaviour to remove, or generate an error on detection of, dangerous characters.

However, in addition to model-based validation, look into view validation using the h() method (which purges everything silently). You wouldn't want to use it everywhere - like for instance in your signup code you definitely want to be messaging to the user that their login name is unacceptable.
> like for instance in your signup code you
> definitely want to be messaging to the user that their login name is
> unacceptable.

...that's the point; that's why I used a model-based validates_format_of :login_name_foo_bar, but I was hoping there was something more general than that - something that added an error to the object (just as in validates_whatever when it fails) in ALL cases where Base::save is used.

It seems to me that it shouldn't be THAT complicated... ?

harp
OK. I may be missing something stupid, or not know enough to feel free to ask stupid questions or whatever, but let me try and simplify the question:

Is there any way to modify the Base::save functionality so that it will add an error to the object it is working on if it doesn't pass a certain regex match? Is this possible?

SOMEONE HAS GOT TO BE OUT THERE TO AT LEAST TELL ME "no, there isn't."

thanks.
harp
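The whole-model check harp keeps asking for, as an added example written for this thread (not code from any poster): one validation method walks every String attribute and adds an error per offending column, and it keeps harp's character list but anchors with \A and \z because Ruby's ^ and $ match at line boundaries. It assumes nothing beyond plain Ruby: the User and Errors classes are constructed stand-ins for the ActiveRecord attributes/errors/save API, where the module would instead be included and wired with validate :reject_dangerous_characters; this is an input-format rule, not a replacement for the bind variables and h() escaping mentioned above.

```ruby
# Added example (not from the thread): harp's regex applied to every String
# attribute from one validation method. Stand-in classes mimic ActiveRecord's
# attributes/errors/save so the file runs without Rails.
module DangerousCharacterValidation
  # harp's character list, anchored with \A and \z: Ruby's ^ and $ match at
  # line boundaries, so /^[^...]+$/ accepts "ok\n]bad" (see line_anchors_accept?).
  SAFE_FORMAT = /\A[^\]\[*^}{%&$><|\/.'"]+\z/

  def reject_dangerous_characters
    attributes.each do |name, value|
      next unless value.is_a?(String)   # skip ids, timestamps, booleans
      next if value =~ SAFE_FORMAT
      errors.add(name, "contains a disallowed character")
    end
  end
end

# Minimal constructed stand-ins for ActiveRecord's errors object and a model.
class Errors
  def initialize; @messages = []; end
  def add(attr, msg); @messages << "#{attr} #{msg}"; end
  def empty?; @messages.empty?; end
  def full_messages; @messages.dup; end
end

class User
  include DangerousCharacterValidation
  attr_reader :attributes, :errors

  def initialize(attrs)
    @attributes = attrs
    @errors = Errors.new
  end

  # save runs the validation and refuses to persist when any error was added
  def save
    @errors = Errors.new
    reject_dangerous_characters
    errors.empty?
  end
end

# The original ^/$ anchors: true means the value passes (and should not).
def line_anchors_accept?(value)
  !(value =~ /^[^\]\[*^}{%&$><|\/.'"]+$/).nil?
end

def demo
  [User.new("name" => "harp", "bio" => "plain text").save,
   User.new("name" => "a%simple;usena{me", "bio" => "x").save,
   User.new("name" => "ok\n]bad").save]
end
```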