What's the most recommended technique for guarding Rails HTTP params?

For example, something like this can obviously be dangerous (e.g. SQL injection):

  user_account = UserAccount.find(:first, :conditions => ["username = ?", params[:id]])

I am about to write a home-grown validation routine to check for string lengths, data types (e.g. numeric versus string, depending on what I'm expecting), etc. but I wasn't sure if there are existing plugins/libraries out there.

I was considering writing something like this:

  id = validate_params(params[:id], "string", 10) # 10 being max_length

--
Posted via http://www.ruby-forum.com/.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
Ben Knight wrote:
> What's the most recommended technique for guarding Rails HTTP params?
>
> For example, something like this can obviously be dangerous (e.g. SQL injection):
>
>   user_account = UserAccount.find(:first, :conditions => ["username = ?", params[:id]])
>
> I am about to write a home-grown validation routine to check for string lengths, data types (e.g. numeric versus string, depending on what I'm expecting), etc. but I wasn't sure if there are existing plugins/libraries out there.
>
> I was considering writing something like this:
>
>   id = validate_params(params[:id], "string", 10) # 10 being max_length

ActiveRecord has many validation callbacks such as validate_presence_of, etc. It's preferable to validate data in the models instead of controllers.

Regards,
rp8
======================
http://lun.competo.com/
--
Posted via http://www.ruby-forum.com/.
On 20 Dec 2008, at 18:31, Ben Knight wrote:
>
> What's the most recommended technique for guarding Rails HTTP params?
>
> For example, something like this can obviously be dangerous (e.g. SQL injection):
>
>   user_account = UserAccount.find(:first, :conditions => ["username = ?", params[:id]])
>

If you read the docs, you would know that this sanitizes parameters precisely to guard against such injection :-)

Fred

> I am about to write a home-grown validation routine to check for string lengths, data types (e.g. numeric versus string, depending on what I'm expecting), etc. but I wasn't sure if there are existing plugins/libraries out there.
>
> I was considering writing something like this:
>
>   id = validate_params(params[:id], "string", 10) # 10 being max_length
>
> --
> Posted via http://www.ruby-forum.com/.
Frederick Cheung wrote:
> If you read the docs, you would know that this sanitizes parameters precisely to guard against such injection :-)

Sorry, guys; my bad. I should have explained that I'm probably least worried about ActiveRecord.find stuff (even though I threw that example up) and more worried about params in general (i.e. ones not passed to ActiveRecord.find) and also worried about ActiveRecord::Base.connection.select_all, count_by_sql, etc. I do have methods that accept params for non-ActiveRecord in a couple of places.

I have used many of ActiveRecord's validation callbacks (e.g. validate_presence_of) but I'll dig deeper into those. However, I'm looking for a generic, non-ActiveRecord, params validation stuff. If you know of any, please let me know.

Thanks again, everyone.
--
Posted via http://www.ruby-forum.com/.
Ben,

I suspect that you'll need to provide some more specific examples. I also suspect that you're possibly over-thinking things a bit (possibly due to how you might have approached problems like this in previous languages/frameworks).

Robby

On Sat, Dec 20, 2008 at 3:09 PM, Ben Knight <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
>
> Frederick Cheung wrote:
>> If you read the docs, you would know that this sanitizes parameters precisely to guard against such injection :-)
>
> Sorry, guys; my bad. I should have explained that I'm probably least worried about ActiveRecord.find stuff (even though I threw that example up) and more worried about params in general (i.e. ones not passed to ActiveRecord.find) and also worried about ActiveRecord::Base.connection.select_all, count_by_sql, etc. I do have methods that accept params for non-ActiveRecord in a couple of places.
>
> I have used many of ActiveRecord's validation callbacks (e.g. validate_presence_of) but I'll dig deeper into those. However, I'm looking for a generic, non-ActiveRecord, params validation stuff. If you know of any, please let me know.
>
> Thanks again, everyone.
> --
> Posted via http://www.ruby-forum.com/.
>

--
Robby Russell
Chief Evangelist, Partner

PLANET ARGON, LLC
design // development // hosting

http://www.planetargon.com/
http://www.robbyonrails.com/
aim: planetargon

+1 503 445 2457
+1 877 55 ARGON [toll free]
+1 815 642 4068 [fax]
I've actually worked with Rails for 2+ years and published articles about it, so I hope I'm not over-thinking things :-)

However, we recently began getting very long URLs with invalid parameters, which is what got me thinking of these things. This is 10% of how long the URLs are -- imagine this string times 10:

{our domain}/4/pick-up-your-toys?code=+%0d%0ahttp%3a%2f%2fwarn1207.hostevo.com%2fhome-rentals-in-brunswick.html+home+rentals+in+cape+cod+%0d%0ahttp%3a%2f%2fpetr3549.yourfreehosting.net%2fbaked-scrod-recipes.html+baked+spasagna+recipe+%0d%0ahttp%3a%2f

--
Posted via http://www.ruby-forum.com/.
I can't really understand what you're trying to do here.

What is this URL? Where is it being used to be dangerous? Is it in activerecord code?

If it is and you're following the best practices (using placeholders to your conditions), this isn't a problem (as Frederick has already explained).

-
Maurício Linhares
http://alinhavado.wordpress.com/ (pt-br) | http://blog.codevader.com/ (en)

On Sun, Dec 21, 2008 at 12:00 AM, Ben Knight <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
>
> I've actually worked with Rails for 2+ years and published articles about it, so I hope I'm not over-thinking things :-)
>
> However, we recently began getting very long URLs with invalid parameters, which is what got me thinking of these things. This is 10% of how long the URLs are -- imagine this string times 10:
>
> {our domain}/4/pick-up-your-toys?code=+%0d%0ahttp%3a%2f%2fwarn1207.hostevo.com%2fhome-rentals-in-brunswick.html+home+rentals+in+cape+cod+%0d%0ahttp%3a%2f%2fpetr3549.yourfreehosting.net%2fbaked-scrod-recipes.html+baked+spasagna+recipe+%0d%0ahttp%3a%2f
> --
> Posted via http://www.ruby-forum.com/.
>
That URL is from our log files; I masked our domain name (see below). We are getting calls made with very long parameters made every couple of minutes and since they are all from Windows NT machines, I suspect it's a virus that the user might not even be aware of. Anyway, whether it's a virus or a deliberate attempt to crack our systems, I would like to guard our parameters, so only appropriate size and content is passed in.

http://www.ourdomain.com/4/pick-up-your-toys?code=+%0d%0ahttp%3a%2f%2fwarn1207.hostevo.com%2fhome-rentals-in-brunswick.html+home+rentals+in+cape+cod+%0d%0ahttp%3a%2f%2fpetr3549.yourfreehosting.net%2fbaked-scrod-recipes.html+baked+spasagna+recipe+%0d%0ahttp%3a%2f

Maurício Linhares wrote:
> I can't really understand what you're trying to do here.
>
> What is this URL? Where is it being used to be dangerous? Is it in activerecord code?
>
> If it is and you're following the best practices (using placeholders to your conditions), this isn't a problem (as Frederick has already explained).
>
> -
> Maurício Linhares
> http://alinhavado.wordpress.com/ (pt-br) | http://blog.codevader.com/ (en)
>
> On Sun, Dec 21, 2008 at 12:00 AM, Ben Knight

--
Posted via http://www.ruby-forum.com/.
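The generic, non-ActiveRecord params check that Ben asks for in the thread (a whitelist of expected keys, a type, a maximum length, and a format per parameter), written out as an added example in plain Ruby. This is not code from the thread or from Rails; the `ParamGuard` module, the `ParamError` class, the 16-character limit and the alphanumeric format for `code` are all assumptions made for the example. Nothing below depends on Rails or ActiveRecord, so it runs stand-alone, but `guard_params` is the kind of thing that would sit in a `before_filter` so that a rejected request never reaches `select_all` or `count_by_sql`. The sample inputs at the bottom are constructed: one legitimate request and the URL-decoded value of the junk `code` parameter quoted from the log.

```ruby
# Added example, not from the thread: a small framework-independent
# params guard in the spirit of validate_params(params[:id], "string", 10).

class ParamError < StandardError; end

module ParamGuard
  # ASCII control characters have no business in an id or code value.
  # The %0d%0a (CR/LF) pairs in the logged URL decode to exactly these.
  CONTROL_CHARS = /[\x00-\x1f\x7f]/

  # Validate a single value. Returns the coerced value (String or Integer)
  # or raises ParamError. Same shape as the thread's validate_params, with
  # the type given as a symbol and an optional whole-value Regexp.
  def self.validate_param(name, value, type, max_length, format = nil)
    raise ParamError, "#{name}: missing" if value.nil?
    str = value.to_s
    if str.length > max_length
      raise ParamError, "#{name}: too long (#{str.length} > #{max_length})"
    end
    raise ParamError, "#{name}: control characters" if str =~ CONTROL_CHARS
    case type
    when :integer
      raise ParamError, "#{name}: not an integer" unless str =~ /\A-?\d+\z/
      str.to_i
    when :string
      raise ParamError, "#{name}: bad format" if format && str !~ format
      str
    else
      raise ArgumentError, "unknown type #{type.inspect}"
    end
  end

  # Validate a whole params hash against a schema. Keys not in the schema
  # are rejected (whitelist), so unexpected junk parameters never reach the
  # action. Returns a new hash holding only the validated, coerced values.
  def self.guard_params(params, schema)
    unknown = params.keys.map(&:to_s) - schema.keys.map(&:to_s)
    unless unknown.empty?
      raise ParamError, "unexpected parameters: #{unknown.join(', ')}"
    end
    schema.each_with_object({}) do |(name, rule), clean|
      raw = params[name.to_s] || params[name.to_sym]
      if raw.nil?
        raise ParamError, "#{name}: missing" if rule[:required]
        next
      end
      clean[name.to_s] = validate_param(name, raw, rule[:type],
                                        rule[:max_length], rule[:format])
    end
  end
end

# Assumed schema for the /4/pick-up-your-toys?code=... action from the
# thread: the limit and the format are choices made for this example.
CODE_SCHEMA = {
  "code" => { :type => :string, :max_length => 16,
              :format => /\A[A-Za-z0-9_-]+\z/, :required => true },
  "page" => { :type => :integer, :max_length => 6 },
}

# Constructed sample inputs: a legitimate request, and the decoded value of
# the junk "code" parameter quoted in the thread (CR/LF followed by URLs).
GOOD_PARAMS = { "code" => "TOYS-2008", "page" => "3" }
JUNK_PARAMS = { "code" => " \r\nhttp://warn1207.hostevo.com/" \
                          "home-rentals-in-brunswick.html home rentals in cape cod " \
                          "\r\nhttp://petr3549.yourfreehosting.net/" \
                          "baked-scrod-recipes.html baked spasagna recipe \r\nhttp:/" }

# Returns the rejection message for a params hash, or nil if it passed.
def rejection_reason(params, schema = CODE_SCHEMA)
  ParamGuard.guard_params(params, schema)
  nil
rescue ParamError => e
  e.message
end

if __FILE__ == $0
  p ParamGuard.guard_params(GOOD_PARAMS, CODE_SCHEMA)
  puts rejection_reason(JUNK_PARAMS)
end
```

The checks run in order of cheapness: length first (so a 10x-longer version of the logged URL is thrown out before any regex touches it), then control characters, then type and format. Rejecting unknown keys is the part a home-grown routine most often forgets; combined with placeholders in the few `select_all`/`count_by_sql` calls, it means the controller only ever sees values of a known type and bounded size.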