You are currently browsing the tag archive for the 'security' tag.
By now, you all know that you need to use attr_accessible (or, failing that, attr_protected) to keep a malicious user from setting any old Active Record attribute through mass assignment: every key in the params hash you hand to new, create or update_attributes is written to the model unless a whitelist or blacklist stops it, and a blacklist silently exposes every column you add later, so the whitelist is the one to prefer. I find myself, in the course of consulting, looking at a great number of existing applications, and I’ve grown tired of having to open up every model and look. So, let’s be a bit smart: here’s a rake task that you can drop in any existing application to do the audit for you:
namespace :utility do
  desc 'Find Active Record models that use neither attr_accessible nor attr_protected'
  task :audit_attr_accessible => :environment do
    models_dir = File.join(Rails.root, 'app', 'models')
    # Turn each file under app/models (subdirectories included) into a
    # class name: app/models/admin/user.rb => "Admin::User"
    all_models = Dir.glob(File.join(models_dir, '**', '*.rb')).map do |path|
      path.sub("#{models_dir}/", '').sub(/\.rb\z/, '').camelize
    end
    # Resolve the names and keep only Active Record models; files that
    # define modules, mailers or plain classes are skipped
    ar_models = all_models.map do |name|
      name.constantize rescue nil
    end.compact.select { |klass| klass < ActiveRecord::Base }
    ar_models.each do |model_class|
      # Use the reader methods: calling attr_accessible with no arguments
      # is itself a declaration and writes an empty whitelist to the class
      if model_class.accessible_attributes.blank? &&
         model_class.protected_attributes.blank?
        puts "#{model_class.name} allows unprotected mass assignment"
      end
    end
  end
end
(Hat tip Matt for the snippet to find all models).
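To see what the audit is actually guarding against, here is an added, self-contained Ruby model of the Rails 2.x mass-assignment filter. It is a reimplementation written for this page, not ActiveRecord's own code; the three model classes and the request parameters are constructed for the example. It shows the same hash of attacker-controlled form fields arriving at a model with no declaration, a model with a blacklist, and a model with a whitelist, and ends with the same check the rake task above performs.

```ruby
require 'set'

# Minimal stand-in for the Rails 2.x mass-assignment filter (illustration only,
# not ActiveRecord's code). Precedence mirrors Rails: a whitelist wins if declared,
# otherwise a blacklist is applied, otherwise only the always-protected names are dropped.
module MassAssignment
  # Attributes Rails never lets a request set, even with no declaration at all
  DEFAULT_PROTECTED = Set.new(%w[id]).freeze

  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    def attr_accessible(*names)
      @accessible_attributes = Set.new(names.map(&:to_s))
    end

    def attr_protected(*names)
      @protected_attributes = Set.new(names.map(&:to_s))
    end

    def accessible_attributes
      @accessible_attributes
    end

    def protected_attributes
      @protected_attributes
    end

    # The condition the audit task reports on: neither list declared
    def unprotected?
      accessible_attributes.nil? && protected_attributes.nil?
    end

    # Drop the keys a request is not allowed to set and return the rest
    def filter(params)
      attrs = {}
      params.each { |k, v| attrs[k.to_s] = v }
      attrs.delete_if { |k, _| DEFAULT_PROTECTED.include?(k) }
      if accessible_attributes && protected_attributes
        raise ArgumentError, "Declare attr_accessible or attr_protected for #{name}, not both"
      elsif accessible_attributes
        attrs.select { |k, _| accessible_attributes.include?(k) }
      elsif protected_attributes
        attrs.reject { |k, _| protected_attributes.include?(k) }
      else
        attrs
      end
    end
  end

  attr_reader :attributes

  def initialize(params = {})
    @attributes = self.class.filter(params)
  end
end

# Nothing declared: every column, admin included, is writable from a form post
class OpenUser
  include MassAssignment
end

# Blacklist: admin is blocked, but a column added later (moderator) slips through
class BlacklistUser
  include MassAssignment
  attr_protected :admin
end

# Whitelist: only the listed attributes get through, whatever columns exist
class WhitelistUser
  include MassAssignment
  attr_accessible :name, :email
end

# Constructed request body: a signup form with extra fields bolted on by the attacker
ATTACKER_PARAMS = {
  'name' => 'mallory', 'email' => 'mallory@example.com',
  'admin' => '1', 'moderator' => '1', 'id' => '1'
}.freeze

# Which attributes the request actually lands on a given model
def assigned_keys(klass)
  klass.new(ATTACKER_PARAMS).attributes.keys.sort
end

# The same check the rake task makes, over an in-memory list of classes
def audit_mass_assignment(klasses)
  klasses.select(&:unprotected?).map(&:name)
end

if __FILE__ == $0
  [OpenUser, BlacklistUser, WhitelistUser].each do |klass|
    puts "#{klass.name}: #{assigned_keys(klass).join(', ')}"
  end
  puts "Unprotected: #{audit_mass_assignment([OpenUser, BlacklistUser, WhitelistUser]).join(', ')}"
end
```

Run it and the blacklisted model still takes the moderator flag it never heard of, which is the practical reason to treat attr_protected as a stopgap and attr_accessible as the fix; the audit only tells you which models have neither.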
I think the ActiveRecord Associations Guide I wrote may actually be finished.
- Dynamic Rails Error Help - Making the default validation messages more useful with a bit of JavaScript.
- Exceptional - This online error-tracker for Rails apps is now in open beta.
- Is Your Rails Application Safe? - If you’re inadvertently allowing mass assignment, probably not.
- MysqlTableSyncer - Command-line tool to sync up two MySQL tables.
- turl - My contribution to a little scripting fest on Twitter yesterday. If you have FF3 + Ubiquity, you can use “turl <userid>” to go straight to a Twitter user’s web site.
Checked in another contribution to the DocRails project yesterday - A Guide to Active Record Associations.
- Analytics with Capistrano - Interesting idea, though much is left as an exercise for the reader.
- SQL Injection issue in :limit and :offset parameter - A Rails security issue worth paying a bit of attention to.
Yes, I’m still underemployed, despite some potential contracts on hold. If you’re looking for a Rails dev, let’s talk.
- Multiple Vulnerabilities in Ruby - Oh boy, more security to worry about. I haven’t seen anything definitive about Rails compatibility with the latest patch level that fixes these.
- Raphael - JavaScript library for easy vector graphics manipulation.
- Ruby on Rails Flashcards - From YoYoBrain.
- Ruby Hoedown Day 1 - Useful reporting from the Rails Envy crew.
- AuthSMTP - Professionally managed commercial SMTP servers.
- finder_filter gem released - Another way to DRY up your controllers.
- Chandler 1.0 - Amazing, they actually shipped. Looks like it could even be useful.
- Announcing a newly developed database adapter for MonetDB - MonetDB being a high-performance database that I’m ashamed to say I had never actually heard of before. But you can get to it from ActiveRecord now.
- Localizing Rails - A Tutorial embedded in an application. (via RubyFlow)
Solr is not playing nice in deployment. Ugh.
- Kete 1.0 - Open source digital library (sort of wiki + CMS) built in Rails.
- Rails Security Audit - The latest PDF from PeepCode.
- Pragmatic Screencasts - A new place to look for screencasts on dynamic languages.
Worn out from yesterday’s trip to Holiday World. Hoping today’s huge pile of work is more relaxing.
- Real World CSRF: Update Your Radiant Now - A good reason to move up to the most recent version of Radiant.
I really don’t like being in a situation where I don’t know whether the tests are bad or the code is bad.
- Use attr_protected or we will hack you - How to tighten up security on your user models.
- A three finger salute to git - Combining the latest “swipe” gestures on Mac touchpads with git commands.
- iPhone SDK Bug Filing - Rogue Amoeba appears to be leading the charge to make the iPhone a more open system. Good luck with that.
- SVN Externals are Evil; Use Piston or Braid - Why you don’t want to keep your plugins in your repo as externals.
- Braid - Like piston, but can handle SVN or git repos.