Forum: Ruby on Rails Guarding "params" (for security reasons)

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
Ben K. (Guest)
on 2008-12-20 20:31
What's the most recommended technique for guarding Rails HTTP params?

For example, something like this can obviously be dangerous (e.g. SQL
injection)
    user_account = UserAccount.find(:first, :conditions => ["username =
?", params[:id])

I am about to write a home-grown validation routine to check for string
lengths, data types (e.g. numeric versus string, depending on what I'm
expecting), etc. but I wasn't sure if there are existing
plugins/libraries out there.

I was considering writing something like this:
    id = validate_params(params[:id], "string", 10)  # 10 being
max_length
rp8 -. (Guest)
on 2008-12-20 21:03
Ben K. wrote:
> What's the most recommended technique for guarding Rails HTTP params?
>
> For example, something like this can obviously be dangerous (e.g. SQL
> injection)
>     user_account = UserAccount.find(:first, :conditions => ["username =
> ?", params[:id])
>
> I am about to write a home-grown validation routine to check for string
> lengths, data types (e.g. numeric versus string, depending on what I'm
> expecting), etc. but I wasn't sure if there are existing
> plugins/libraries out there.
>
> I was considering writing something like this:
>     id = validate_params(params[:id], "string", 10)  # 10 being
> max_length

ActiveRecord has may validations callbacks such as validate_presence_of,
etc.

It's preferrable to validate data in the models instead of controllers.

Regards,

rp8
=======================
http://lun.competo.com/
Frederick C. (Guest)
on 2008-12-20 21:16
(Received via mailing list)
On 20 Dec 2008, at 18:31, Ben K. wrote:

>
> What's the most recommended technique for guarding Rails HTTP params?
>
> For example, something like this can obviously be dangerous (e.g. SQL
> injection)
>    user_account = UserAccount.find(:first, :conditions => ["username =
> ?", params[:id])
>
If you read the docs, you would know that this sanitizes parameters
precisely to guard against such injection :-)

Fred
Ben K. (Guest)
on 2008-12-21 01:09
Frederick C. wrote:
> If you read the docs, you would know that this sanitizes parameters
> precisely to guard against such injection :-)


Sorry, guys; my bad.  I should have explained that I'm probably least
worried about ActiveRecord.find stuff (even though I threw that example
up) and more worried about params in general (i.e. ones not passed to
ActiveRecord.find) and also worried about
ActiveRecord::Base.connection.select_all, count_by_sql, etc.  I do have
methods that accept params for non-ActiveRecord in a couple of places.

I have used many of ActiveRecord's validation callbacks (e.g.
validate_presence_of) but I'll dig deeper into those.  However, I'm
looking for a generic, non-ActiveRecord, params validation stuff.  If
you know of any, please let me know.

Thanks again, everyone.
Robby R. (Guest)
on 2008-12-21 02:39
(Received via mailing list)
Ben,

I suspect that you'll need to provide some more specific examples. I
also suspect that you're possibly over thinking things a bit (possibly
due to how you might have approached problems like this in previous
languages/frameworks)

Robby

On Sat, Dec 20, 2008 at 3:09 PM, Ben K.
<removed_email_address@domain.invalid> wrote:
> ActiveRecord::Base.connection.select_all, count_by_sql, etc.  I do have
>
> >
>



--
Robby R.
Chief Evangelist, Partner

PLANET ARGON, LLC
design // development // hosting

http://www.planetargon.com/
http://www.robbyonrails.com/
aim: planetargon

+1 503 445 2457
+1 877 55 ARGON [toll free]
+1 815 642 4068 [fax]
Ben K. (Guest)
on 2008-12-21 05:00
I've actually worked with Rails for 2+ years and published articles
about it, so I hope I'm not over-thinking things :-)

However, we recently began getting very long URLs with invalid
parameters, which is what got me thinking of these
things.  This is 10% of the how long the URLs are -- imagine this string
times 10:

{our
domain}/4/pick-up-your-toys?code=+%0d%0ahttp%3a%2f%2fwarn1207.hostevo.com%2fhome-rentals-in-brunswick.html+home+rentals+in+cape+cod+%0d%0ahttp%3a%2f%2fpetr3549.yourfreehosting.net%2fbaked-scrod-recipes.html+baked+spasagna+recipe+%0d%0ahttp%3a%2f
Maurício L. (Guest)
on 2008-12-21 06:35
(Received via mailing list)
I can't really understand what you're trying to do here.

What is this URL? Where is it being used to be dangerous? Is it in
activerecord code?

If it is and you're following the best practices (using placeholders
to your conditions), this isn't a problem (as Frederick has already
explained).

-
Maurício Linhares
http://alinhavado.wordpress.com/ (pt-br) | http://blog.codevader.com/
(en)



On Sun, Dec 21, 2008 at 12:00 AM, Ben K.
Ben K. (Guest)
on 2008-12-22 02:15
That URL is from our log files; I masked our domain name (see below).
We are getting calls made with very long parameters made every couple of
minutes and since they all from Windows NT machines, I suspect it's a
virus that the user might not even be aware of.  Anyway, whether it's a
virus or deliberate attempt to crack our systems, I would like to guard
our parameters, so only appropriate size and content is passed in.

http://www.ourdomain.com/4/pick-up-your-toys?code=...



Maurício Linhares wrote:
> I can't really understand what you're trying to do here.
>
> What is this URL? Where is it being used to be dangerous? Is it in
> activerecord code?
>
> If it is and you're following the best practices (using placeholders
> to your conditions), this isn't a problem (as Frederick has already
> explained).
>
> -
> Maur�cio Linhares
> http://alinhavado.wordpress.com/ (pt-br) | http://blog.codevader.com/
> (en)
>
>
>
> On Sun, Dec 21, 2008 at 12:00 AM, Ben K.
This topic is locked and can not be replied to.