
An All New Rails Security Guide - brett
http://www.railsinside.com/misc/123-new-rails-security-guide.html
======
tptacek
Don't love it, don't hate it. Wish people would stop coming up with ad-hoc
Rails security guides, because you have to read all of them to catch the
collected wisdom now. For instance, this document is the first formal doc that
talks about RedCloth injection --- something you're not going to care about
until you happen to use RedCloth for Textile rendering.

Generally I think this particular guide is satisfactory on details but very
poor on structure. For instance, it starts the section on SQL Injection off by
saying that Rails is mostly immune to it, due to clever design choices.
Nonsense. The same corner cases that cause all modern apps to still have SQLi
apply to Rails as well --- sort columns on tables, query builders, and
everything else that requires you to concatenate SQL expression tokens instead
of using stored procedures. If you con yourself into believing Rails protects
you from this, you're the dev who's going to wind up with the Rails SQLi
vulns.

Not a particularly big fan of their coverage of session security, either: a
passing mention of HttpOnly, just enough to give people the impression that it
does something that it doesn't do, but a total miss on something that is going
to cause Rails devs to fail PCI audits: poor domain scoping on cookies and
lack of the "secure" flag.

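The sort-column case tptacek mentions, as an added example that is not part of the thread, the linked guide, or Rails itself. It needs no database: it only builds the SQL text that ActiveRecord would hand to the driver when a controller does something like `Post.order(params[:sort])`. The `params` hash, the `posts` table and the column names are constructed for the example.

```ruby
require 'set'

# The pattern the thread warns about. ActiveRecord's order() accepts a raw
# SQL fragment, so a column name taken straight from the query string is
# concatenated into ORDER BY verbatim. No "clever design choice" helps here:
# there is no placeholder to bind an identifier through.
def build_order_clause_unsafe(params)
  "SELECT * FROM posts ORDER BY #{params[:sort]}"
end

# Columns and directions the application actually permits. Anything else
# from the request is discarded rather than quoted, because identifiers
# cannot be parameterised the way values can.
SORTABLE_COLUMNS = Set.new(%w[created_at title author_id]).freeze
SORT_DIRECTIONS  = Set.new(%w[ASC DESC]).freeze

# Hardened version: the client picks from a fixed menu; nothing from the
# request is ever interpolated into SQL. Unknown input falls back to a
# default ordering instead of raising, which is the usual UX choice for a
# sort control (raising is equally valid; the point is that the input never
# reaches the query).
def build_order_clause_safe(params)
  column    = params[:sort].to_s
  direction = params[:dir].to_s.upcase
  column    = 'created_at' unless SORTABLE_COLUMNS.include?(column)
  direction = 'DESC'       unless SORT_DIRECTIONS.include?(direction)
  "SELECT * FROM posts ORDER BY #{column} #{direction}"
end

# Constructed sample request: a sort parameter carrying a boolean-based blind
# payload. In ORDER BY an attacker cannot stack a second statement in most
# drivers, but a CASE expression like this leaks one bit per request by
# changing the row order depending on the condition.
EVIL_PARAMS = {
  sort: "(CASE WHEN (SELECT 1)=1 THEN title ELSE author_id END)"
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts build_order_clause_unsafe(EVIL_PARAMS)
  puts build_order_clause_safe(EVIL_PARAMS)
end
```

The same allowlist approach applies to any other place a query builder takes an identifier from the request (column filters, GROUP BY, table names in reporting screens); `sanitize_sql`-style helpers only cover values, not identifiers.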
~~~
sfamiliar
nice, solid review.

if only there were some sort of wiki where all these ad-hoc Rails security
guides could be coalesced. hmm, what to do.

