Overview
Web frameworks were created to help programmers develop web applications quickly and conveniently. A framework provides a set of libraries and functions that programmers can use for specific tasks without having to write the code from scratch. Frameworks also often ship functionality with built-in defenses against common vulnerabilities. For example, Ruby on Rails provides database query functions that resist SQL injection, and a Ruby on Rails form is generated with a random token that resists CSRF if we call the form’s csrf_token while creating the form.
However, the fact that a framework provides functions that resist security holes does not mean we are completely safe when developing an application. That protection holds only when the programmer uses those functions correctly, as the framework’s documentation instructs, and in a safe way. To better understand this issue, we will walk through the examples of such errors presented below.
Security guides
Injection
This vulnerability occurs when a Rails application fails to validate user-supplied input before using it in a query.
Example
SQL Injection
Below is an example of incorrect use of database access functions leading to SQL Injection vulnerabilities:
comments, emails = params[:id].split("+")
Comment.update_all("state = '#{params[:state]}'",
                   "id IN (#{comments})") unless comments.blank?
The above code has an SQL Injection error in both parameters: params[:state] and params
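As an added example (not code from the original post), the same update is built two ways in plain Ruby, with no Rails dependency: first with the interpolation pattern shown above, which passes whatever arrives in params straight into the SQL string, and then in a hardened form that coerces the id list to integers and hands the state value to update_all as a bind parameter instead of interpolating it. The allowed state values, the InvalidInput error class and the hash returned by the safe helper are assumptions made for this illustration; the comment shows the equivalent ActiveRecord call.

```ruby
# Added example, not part of the original post. Plain Ruby, no Rails required.

# Vulnerable: reproduces the page's pattern. Both params[:state] and the id
# list are interpolated into the SQL text, so a quote or a closing parenthesis
# in either value changes the structure of the statement.
# (blank? is ActiveSupport; the nil/empty check below stands in for it.)
def unsafe_update_sql(params)
  comments, _emails = params[:id].to_s.split("+")
  return nil if comments.nil? || comments.empty?
  "UPDATE comments SET state = '#{params[:state]}' WHERE id IN (#{comments})"
end

# Assumed error type for rejected input (not from the page).
class InvalidInput < StandardError; end

# Assumed allow-list of states this application knows about (not from the page).
ALLOWED_STATES = %w[approved pending spam].freeze

# Hardened: every id must parse as a base-10 integer (Integer() raises on
# anything else), the state must be on the allow-list, and the state value is
# passed as a "?" placeholder so the database driver quotes it.
# Equivalent ActiveRecord call:
#   Comment.where(id: ids).update_all(["state = ?", state])
def safe_update_args(params)
  ids_part, _emails = params[:id].to_s.split("+")
  raise InvalidInput, "missing id list" if ids_part.nil? || ids_part.empty?

  ids = ids_part.split(",").map do |raw|
    begin
      Integer(raw.strip, 10)
    rescue ArgumentError
      raise InvalidInput, "non-numeric id: #{raw.inspect}"
    end
  end

  state = params[:state].to_s
  raise InvalidInput, "unknown state: #{state.inspect}" unless ALLOWED_STATES.include?(state)

  { where: { id: ids }, set: ["state = ?", state] }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample request parameters.
  good = { id: "1,2+a@example.invalid", state: "spam" }
  bad  = { id: "1 OR 1=1+a@example.invalid", state: "spam" }

  puts unsafe_update_sql(good)
  puts unsafe_update_sql(bad)      # the id list is used as-is
  p safe_update_args(good)
  begin
    safe_update_args(bad)
  rescue InvalidInput => e
    puts "rejected: #{e.message}"  # the same input is refused
  end
end
```

Running the file prints the two generated statements, the placeholder form the safe helper would pass to update_all, and the rejection of the non-numeric id list; the point to notice is that the unsafe builder never refuses anything.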