
Commit

Merge pull request #50301 from p8/guides/ror-security-links
Remove some outdated security advice from Security guide [ci-skip]
p8 committed Jan 5, 2024
2 parents 0b72868 + f30c097 commit 26ec5e5
Showing 1 changed file with 4 additions and 2 deletions.
6 changes: 4 additions & 2 deletions guides/source/security.md
Expand Up @@ -661,7 +661,8 @@ SELECT * FROM projects WHERE (name = '') UNION

The result won't be a list of projects (because there is no project with an empty name), but a list of usernames and their password. So hopefully you [securely hashed the passwords](#user-management) in the database! The only problem for the attacker is, that the number of columns has to be the same in both queries. That's why the second query includes a list of ones (1), which will be always the value 1, in order to match the number of columns in the first query.

Also, the second query renames some columns with the AS statement so that the web application displays the values from the user table. Be sure to update your Rails [to at least 2.1.1](https://rorsecurity.info/journal/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter.html).
Also, the second query renames some columns with the AS statement so that the
Web application displays the values from the user table.

#### Countermeasures

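Review bot: The rewrapped sentence capitalizes "Web application" at the start of the new line, although the original read "web application" mid-sentence; keep it lowercase ("Web application displays the values" should be "web application displays the values") so the wording matches the rest of the guide. Dropping the "update your Rails to at least 2.1.1" sentence is fine, as that advice and its external link are long obsolete for current Rails.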
Expand Down Expand Up @@ -865,7 +866,8 @@ This example, again, showed that a restricted list filter is never complete. How

If you want to provide text formatting other than HTML (due to security), use a mark-up language which is converted to HTML on the server-side. [RedCloth](https://github.com/jgarber/redcloth) is such a language for Ruby, but without precautions, it is also vulnerable to XSS.

For example, RedCloth translates `_test_` to `<em>test<em>`, which makes the text italic. However, up to the current version 3.0.4, it is still vulnerable to XSS. Get the [all-new version 4](https://github.com/jgarber/redcloth) that removed serious bugs. However, even that version has [some security bugs](https://rorsecurity.info/journal/2008/10/13/new-redcloth-security.html), so the countermeasures still apply. Here is an example for version 3.0.4:
For example, RedCloth translates `_test_` to `<em>test<em>`, which makes the
text italic. However, RedCloth doesn’t filter unsafe html tags by default:

```ruby
RedCloth.new('<script>alert(1)</script>').to_html
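Review bot: The replacement line "RedCloth doesn’t filter unsafe html tags by default:" drops the removed text's explicit "so the countermeasures still apply", which is the link readers need between this example and the XSS countermeasures; consider adding it back, e.g. "RedCloth doesn't filter unsafe HTML tags by default, so the countermeasures still apply:". Two style points on the same line: "html" should be "HTML" as used elsewhere in this section ("converted to HTML"), and the curly apostrophe in "doesn’t" should be a straight one to match the surrounding file ("won't" on the context line above). While touching this paragraph, the context line's `<em>test<em>` is missing the closing slash and should read `<em>test</em>`.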
