2 Ruby on Rails security tips

Working on open source rails applications, I sometimes come across security issues. Rails makes writing secure code reasonably easy - it's hard to make a SQL injection hole in a rails app without trying - but there are a couple of common issues I see repeatedly.

Regular expressions are oven used for validation. However ruby's regexes can behave differently to what you'd expect. Say you're validating an IP address and you have a regular expression that matches an IP address, do not use /^[regex]$/, use /\A[regex]\z/ instead

In ruby, the ^ and $ characters match the beginning and end of line. An attacker can bypass the validation by inserting a newline after a valid IP address, then whatever content he wants. \A and \z should be used instead of ^ and $ - they match the start and end of the string instead of the line. If you want to test out your ruby regular expressions, check out Rubular.

This second tip is well known, but I'll mention it here because it's important.
I'm not going to repeat the API docs, so I'll just say, make sure you understand attr_accessible: and why you would want to use it. Hint: if you have an admin variable on a user model for example, and it isn't protected from mass assignment, I can become an admin by modifying a user edit form.

Other Posts

• 18 Aug 2009 » Best VPS for Ruby on Rails ( or anything )
• 16 Aug 2009 » RailsCamp AU 2009
• 04 Aug 2009 » How to get Safari to open in new Tab instead of new Window
• 18 Jun 2009 » Free Web Design Quote Service
• 13 Nov 2008 » NZ Speed Camera Map
• 16 Sep 2008 » Google Aotearoa
• 01 Sep 2008 » Free car rentals in New Zealand ( Relocation Deals )
• 18 Jun 2008 » Commerce Commission's report on broadband, and why Woosh isn't in it.
• 30 Jan 2008 » New Zealand SEO Seminars & Training
• 16 Dec 2007 » SimpleDB and ActiveRecord
• 16 Dec 2007 » Knol Forum
• 10 Dec 2007 » Will woosh get their act together in 2008? Or will they still suck?
• 06 Dec 2007 » Xen on Ubuntu Gutsy
• 09 Oct 2007 » The music revolution
• 25 Sep 2007 » NZ Ruby on Rails forum and portal launched
• 21 Sep 2007 » GPL to be legally tested in New York
• 20 Sep 2007 » Ruby on Rails IDE? Yes!
• 19 Sep 2007 » 2 Legal Cases to Watch
• 12 Sep 2007 » Laptop Case Mods
• 03 Sep 2007 » When companies go bad
• 30 Aug 2007 » Dailies
• 29 Aug 2007 » Kiwicon 2007
• 25 Jun 2007 » New Zealand Web Hosting Price Comparison
• 19 Jun 2007 » Magic Card Trading
• 19 Jun 2007 » Free privacy policies
• 11 Jun 2007 » Coolest thing to happen to photos, ever.
• 25 May 2007 » It's Official! Microsoft is dead.
• 22 May 2007 » Google Analytics Makeover
• 26 Mar 2007 » Natalie Portman Raps!
• 04 Feb 2007 » Google starts pulling CYFSWATCH posts
• 31 Jan 2007 » SEO on Rails blog launched
• 25 Jan 2007 » NZ Govt tries to shut down blogger hosted blog
• 13 Jan 2007 » Dailies - 13 January 2006
• 11 Jan 2007 » They Work For You - Now in NZ
• 09 Jan 2007 » Windows answer to TextMate?
• 07 Jan 2007 » phpBB Akismet Plugin/Mod
• 03 Jan 2007 » Finally a rural broadband solution?
• 29 Dec 2006 » Firebug
• 21 Dec 2006 » Woosh- 1GB plenty for most people
• 02 Dec 2006 » Ripit.co.nz launches for IE users
• 02 Aug 2006 » WDANZ misses it's own deadline
• 31 Jul 2006 » Woosh buys Quicksilver and IPTV rights from sky
• 13 Jul 2006 » Dailies - 13 July 2006
• 08 Jul 2006 » Unbundling and Woosh
• 08 Jul 2006 » Web Developers Association of New Zealand
• 08 Jul 2006 » Ruby on Rails Web Design
• 05 Jul 2006 » SEO for Firefox
• 22 Jun 2006 » Dunedin
• 13 Mar 2006 » Spoke POV
• 06 Mar 2006 » VMware Player FREE
• 06 Mar 2006 » Build a Six-headed, Six-user Linux System LG
• 06 Mar 2006 » ITA - Make your MP3 Player sync with iTunes like and Ipod
• 04 Mar 2006 » yEd
• 19 Feb 2006 » Ruby on Rails on JEdit
• 18 Feb 2006 » vServe
• 13 Feb 2006 » Toyota Prius Idea
• 08 Jan 2006 » Google Video
• 04 Jan 2006 » Track AdSense Payments from DHL
• 23 Nov 2005 » Battle of the start pages
• 22 Nov 2005 » Dailies - 22nd November 2005
• 21 Nov 2005 » Woosh VoIP
• 20 Nov 2005 » Tagcloud added to SVN
• 20 Nov 2005 » Dailies - 20 November 2005
• 20 Nov 2005 » Akismet Backdoor
• 19 Nov 2005 » How to make a Dailies section
• 19 Nov 2005 » Dailies - 19 November 2005
• 18 Nov 2005 » Broadband Satellite update
• 18 Nov 2005 » Blog Stats
• 18 Nov 2005 » New bBlog site
• 18 Nov 2005 » 2011 Here We Come!
• 16 Nov 2005 » Sony screws up bigtime
• 15 Nov 2005 » Google Affiliate
• 14 Nov 2005 » Web 2.0
• 14 Nov 2005 » Object-Oriented Regular Expressions
• 14 Nov 2005 » Learning Ruby Part One
• 14 Nov 2005 » Google Analytics
• 10 Nov 2005 » Ruby, Ajax, Rails, Web2.0 - Oh My!
• 07 Nov 2005 » Stopping smoking with hypnosis
• 12 Oct 2005 » Trees & Recursion in MySQL
• 20 Apr 2005 » Battlefield 2 Demo and release date
• 11 Feb 2005 » Escape Woosh Wireless Hell
• 05 Feb 2005 » Sydney restaurants
• 26 Jan 2005 » SpellBound - Spellchecker for Firefox
• 25 Jan 2005 » A New, New Zealand Flag?
• 21 Nov 2004 » Knoppix Hacks - book released
• 07 Nov 2004 » PHP5 Hosting
• 30 Oct 2004 » Qmailrocks Mirror
• 08 Sep 2004 » Satellite Internet in NZ
• 24 Aug 2004 » Online Manufacturing
• 20 Aug 2004 » New PHP gallery on the block.
• 30 Jul 2004 » Woosh Wireless Refund
• 30 Jul 2004 » Firefox
• 28 Jul 2004 » Quickies- bBlog 1.0, Webforce Blog, thttpd update, PHP5 Soap
• 21 Jul 2004 » Forum for PHP 5
• 19 Jul 2004 » Yahoo! adds VoIP to Yahoo Messenger
• 19 Jul 2004 » Lindows makes Phone GAIM
• 17 Jul 2004 » PHP5 - sqlite, thttpd + more
• 02 Jul 2004 » The great gmail account giveaway
• 01 Jul 2004 » Skype- Too good
• 01 Jul 2004 » Microsoft launch preview of new search engine
• 18 Jun 2004 » Ihug beats Woosh to Wireless VoIP
• 06 Jun 2004 » The problem with project PROBE
• 06 Jun 2004 » How to call me for free over the internet
• 21 May 2004 » Woosh II
• 11 May 2004 » Google Blog
• 08 May 2004 » Woosh Wireless, it's crap!
• 06 May 2004 » Free MySQL gui for linux and windows
• 01 May 2004 » Gmail Invite
• 30 Apr 2004 » Students- Accommodation in Auckland
• 30 Apr 2004 » Cheap mp3s
• 30 Apr 2004 » bBlog 0.7.x
• 27 Jan 2004 » Orkut
• 16 Jan 2004 » PC
• 14 Jan 2004 » The end of traditional photography?
• 14 Jan 2004 » Back at work
• 19 Dec 2003 » Coromandel
• 12 Dec 2003 » Commission only web design
• 07 Dec 2003 » Google launches Froogle..
• 06 Dec 2003 » kCapture
• 27 Oct 2003 » Robots.txt
• 21 Oct 2003 » Anti-GE protest, 11th Oct 03
• 31 Aug 2003 » Yahoo adds RSS feeds. ( and Styli )
• 26 Aug 2003 » Feeling Geeky?
• 10 Aug 2003 » Auckland
• 28 Jul 2003 » LAMP Blog
• 20 Jul 2003 » GigaBlog
• 19 Jul 2003 » the b
• 13 Jul 2003 » bBlog Trackback
• 10 Jul 2003 » Alexa mesuring site speed.
• 30 Jun 2003 » More Linux
• 27 Jun 2003 » Kmail designed by geeks
• 18 Jun 2003 » Google launches adsense
• 11 Jun 2003 » PHP-Nuke goes commercial
• 01 Jun 2003 » bBlog
• 24 May 2003 » TxpCal.php
• 23 May 2003 » b2 == wordpress ?
• 21 May 2003 » Open Development and Open Source
• 19 May 2003 » Weblog technology directory
• 17 May 2003 » ISSN?
• 14 May 2003 » Update on smarty plugin.
• 13 May 2003 » Gigabogomips
• 12 May 2003 » The missing smarty plugin type
• 12 Apr 2003 » Textpattern