Ruby on Rails bottom up security – sensitive data exposure


TL;DR

This post is about the risk of sensitive data exposure in your Ruby on Rails application. It covers unauthorized access and the cross-site request forgery (CSRF) check.

The unauthorized access risk is simple: a user can access data they are not supposed to access. Here you need to check the source code of every controller. Your job is easier if the developer named controllers by their purpose. For example, controllers named

z.rb

and

doctor.rb

make a big difference.

A Rails application uses controller filters, for example:

before_action

If a controller is public, there will be no before_action authorization filter. If authorization is required, there will be a before_action filter, for example auth_user or auth_admin, depending on the controller's context.

This is a perfect candidate for automation. The developer should write a simple test that calls every controller and checks the resulting HTTP status code: it should be 403 for controllers that require authorization and 200 for public ones.

If there is role-based access, check the authorization-protected controllers with the credentials of each appropriate role.

Cross-site request forgery is when an attacker tricks a user into executing, in the user's own browser, an HTTP request that modifies data (PUT, POST, DELETE). Ruby on Rails has out-of-the-box CSRF protection that adds an additional hidden token parameter to all such requests. Of course, that protection can be turned off.

You should search your code base for:

grep -H -r 'protect_from_forgery except:' * | less

and you should discuss with the developer whether that exception is really needed.
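The two checks above (every controller carries an authorization before_action unless it is meant to be public, and no controller quietly relaxes CSRF protection) can be done in one pass over the controller sources. The following is an added example written for this post, not code from the original article: a small static audit in plain Ruby that parses constructed controller sources. It assumes the post's filter naming convention (auth_user, auth_admin) plus two other common filter names, and it also flags skip_before_action :verify_authenticity_token, which is the other way a controller can disable the Rails CSRF check and which the grep pattern above would miss. The controller sources and the public-controller list are constructed for illustration.

```ruby
# Added example, not part of the original post: a static audit over Rails
# controller sources that reports (a) controllers with no effective
# authorization before_action and (b) controllers that weaken CSRF protection.

# Authorization filter names to look for. Assumption: the app follows the
# post's auth_user / auth_admin convention; extend this list for your own app.
AUTH_FILTERS = %w[auth_user auth_admin authenticate_user! require_login].freeze

# Controllers that are expected to be public (no auth filter). Assumption:
# this allow-list is maintained together with the code review.
PUBLIC_CONTROLLERS = %w[HomeController SessionsController].freeze

# Returns an array of finding strings for one controller (empty if clean).
def audit_controller(name, source)
  findings = []

  # Filters registered with before_action, e.g. "before_action :auth_user".
  auth    = source.scan(/^\s*before_action\s+:([\w!?]+)/).flatten & AUTH_FILTERS
  # Filters removed again with skip_before_action (overrides an inherited one).
  skipped = source.scan(/^\s*skip_before_action\s+:([\w!?]+)/).flatten
  effective = auth - skipped

  if effective.empty? && !PUBLIC_CONTROLLERS.include?(name)
    findings << "#{name}: no authorization before_action " \
                "(found: #{auth.inspect}, skipped: #{skipped.inspect})"
  end

  # Same thing the grep in the post looks for.
  if source =~ /protect_from_forgery\s+except:/
    findings << "#{name}: protect_from_forgery except: found, confirm the exception is needed"
  end

  # Second way to switch the CSRF token check off.
  if skipped.include?("verify_authenticity_token")
    findings << "#{name}: skip_before_action :verify_authenticity_token disables CSRF protection"
  end

  findings
end

# Audits every controller in a { name => source } hash.
def audit_all(controllers)
  controllers.flat_map { |name, src| audit_controller(name, src) }
end

# Constructed controller sources standing in for app/controllers/*.rb.
CONTROLLERS = {
  "HomeController" => <<~RUBY,
    class HomeController < ApplicationController
      def index; end
    end
  RUBY
  "DoctorController" => <<~RUBY,
    class DoctorController < ApplicationController
      before_action :auth_user
      def show; end
    end
  RUBY
  "ZController" => <<~RUBY,
    class ZController < ApplicationController
      def export; end
    end
  RUBY
  "PaymentsController" => <<~RUBY,
    class PaymentsController < ApplicationController
      before_action :auth_user
      protect_from_forgery except: :webhook
      def webhook; end
    end
  RUBY
  "AdminController" => <<~RUBY,
    class AdminController < ApplicationController
      before_action :auth_admin
      skip_before_action :verify_authenticity_token
      def dashboard; end
    end
  RUBY
}.freeze

if $PROGRAM_NAME == __FILE__
  # On the constructed input this prints three findings: ZController (no
  # filter), PaymentsController (CSRF exception), AdminController (CSRF skipped).
  audit_all(CONTROLLERS).each { |f| puts f }
end
```

In a real app, replace the CONTROLLERS hash with a Dir.glob over app/controllers and feed each file's contents to audit_controller. The regexes only see filters declared in the file itself, so a filter inherited from ApplicationController is not counted; treat a finding as a prompt to read the controller, not as proof of a hole. Any controller that legitimately uses protect_from_forgery except: or skips verify_authenticity_token should end up documented with the reason the developer gave you.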
