CSRF attacks because of GET and POST requests.

A Look at Security Risks in Ruby Code

Analysis of Vulnerable Software

The following application represents a typical pre-Rails 2.0 blog application, similar to the famous "15 Minute Blog" demonstration by David Heinemeier Hansson, the creator and architect of Ruby on Rails. You'll note that many things have been removed for the sake of brevity: features like pagination and notice messages are gone, but their absence does not affect how the application works.

It's assumed that this Rails application was generated with a version of Rails before 2.0. This means that protect_from_forgery is not enabled (it did not exist yet) and that a catch-all route is used instead of RESTful resources, so every action can be reached with either a GET or a POST request. Rails 2.0 and later applications do not generally suffer from these problems, but projects ported from earlier versions of Rails often still do.

 # File: app/controllers/posts_controller.rb
 class PostsController < ApplicationController
   # Only index and show are public. Every other action requires a logged-in
   # user, so a forged request succeeds only if the victim is already logged in,
   # and then it runs with the victim's own session.
   before_filter :login_required, :except => [ :index, :show ]
 
   def index
     @posts = Post.find :all
   end
 
   def new
     @post = Post.new
   end
 
   def create
     # Nothing here checks that the request carried an authenticity token:
     # a form on any other site can submit a new post on the victim's behalf.
     @post = Post.new(params[:post])
     @post.user = current_user
 
     if( @post.save )
       flash[:notice] = "Post created."
 
       redirect_to :action => 'show',
         :id => @post.id
     else
       render :action => 'new'
     end
   end
 
   def edit
     @post = Post.find(params[:id])
   end
 
   def update
     @post = Post.find(params[:id])
 
     if( @post.update_attributes params[:post] )
       flash[:notice] = "Post updated."
 
       redirect_to :action => 'show',
         :id => @post.id
     else
       render :action => 'edit'
     end
   end
 
   def show
     @post = Post.find(params[:id])
   end
 
   def destroy
     # With the catch-all route below, a plain GET to /posts/destroy/:id
     # (for example from an <img> tag on an attacker's page) reaches this
     # action and deletes the post.
     @post = Post.find(params[:id])
     @post.destroy
 
     flash[:notice] = "Post destroyed."
     redirect_to :action => 'index'
   end
 end
 
 # File: app/controllers/application.rb
 class ApplicationController < ActionController::Base
   # No protect_from_forgery here: that call first shipped in Rails 2.0.
   include AuthenticatedSystem
 end
 
 # File: app/models/post.rb
 class Post < ActiveRecord::Base
   belongs_to :user
 
   validates_presence_of :title, :body
   validates_length_of :title, :within => 3..100
 end
 
 # File: config/routes.rb
 ActionController::Routing::Routes.draw do |map|
   # Catch-all route: any HTTP method can reach any controller action,
   # so GET and POST are interchangeable for update and destroy.
   map.connect ':controller/:action/:id'
 end
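The following is an added example, not code from the page or from the blog application above. It models, in plain Ruby with no Rails dependency, how the catch-all route and the missing forgery check let a cross-site request act on a logged-in user's behalf, and how the checks protect_from_forgery introduced (refusing state-changing actions over GET and requiring an authenticity token that matches the session) stop the same requests. The class name BlogApp, the host blog.example, the seed post and the attacker HTML are all constructed for this example, and storing a random token in the session is a simplification of how Rails actually derives the token.

```ruby
require "securerandom"

# Constructed stand-in for the page's Post model: an in-memory record.
BlogPost = Struct.new(:id, :title, :user_id)

# Miniature model of the page's PostsController plus its catch-all route.
# require_token: false behaves like the pre-2.0 app (any HTTP method reaches
# any action, no token check). require_token: true applies the two checks
# that protect_from_forgery added: state-changing actions are refused over
# GET, and params["authenticity_token"] must match the token in the session.
class BlogApp
  attr_reader :posts

  def initialize(require_token: false)
    @require_token = require_token
    @posts = { 1 => BlogPost.new(1, "Hello world", 42) } # constructed seed data
  end

  # Mirrors map.connect ':controller/:action/:id'. Returns [status, message].
  def call(method:, path:, session:, params: {})
    _, controller, action, id = path.split("/")
    return [404, "no route"] unless controller == "posts"
    return [401, "login required"] unless session[:user_id] # before_filter :login_required

    if @require_token && %w[create update destroy].include?(action)
      return [405, "method not allowed"] if method == "GET"
      return [422, "invalid authenticity token"] unless params["authenticity_token"] == session[:csrf_token]
    end

    case action
    when "update"
      post = @posts[id.to_i]
      return [404, "not found"] unless post
      post.title = params.fetch("post", {}).fetch("title", post.title)
      [302, "Post updated."]
    when "destroy"
      @posts.delete(id.to_i) ? [302, "Post destroyed."] : [404, "not found"]
    else
      [404, "unknown action"]
    end
  end
end

# The victim is logged in as user 42. The browser attaches this session to
# every request it sends to the blog, including ones an attacker triggers.
def victim_session
  { user_id: 42 }
end

# Session for the hardened app: the blog has issued a per-session token.
def session_with_token
  { user_id: 42, csrf_token: SecureRandom.hex(16) }
end

# Attacker page, variant 1: an image tag makes the victim's browser issue a
# GET to the destroy action (constructed HTML, shown for reference).
ATTACKER_IMG_HTML = '<img src="http://blog.example/posts/destroy/1" width="1" height="1">'

# Attacker page, variant 2: a hidden auto-submitting form issues a POST.
ATTACKER_FORM_HTML = <<~HTML
  <form id="f" method="post" action="http://blog.example/posts/update/1">
    <input type="hidden" name="post[title]" value="pwned">
  </form>
  <script>document.getElementById("f").submit()</script>
HTML

# The request the browser sends when it renders ATTACKER_IMG_HTML.
def forged_get(app, session)
  app.call(method: "GET", path: "/posts/destroy/1", session: session)
end

# The request the browser sends when ATTACKER_FORM_HTML submits itself.
# The attacker cannot read the victim's session, so no valid token is sent.
def forged_post(app, session)
  app.call(method: "POST", path: "/posts/update/1", session: session,
           params: { "post" => { "title" => "pwned" } })
end

# A legitimate edit: the form rendered by the blog itself carries the token.
def legitimate_update(app, session, title)
  app.call(method: "POST", path: "/posts/update/1", session: session,
           params: { "post" => { "title" => title },
                     "authenticity_token" => session[:csrf_token] })
end

if __FILE__ == $0
  vuln = BlogApp.new
  p forged_post(vuln, victim_session), vuln.posts   # title becomes "pwned"
  p forged_get(vuln, victim_session), vuln.posts    # post 1 is gone
  hard = BlogApp.new(require_token: true)
  s = session_with_token
  p forged_get(hard, s), forged_post(hard, s)       # 405 and 422
  p legitimate_update(hard, s, "Renamed"), hard.posts
end
```

Both attacks ride on the victim's own session cookie; the login filter does not help, because the request really does come from the logged-in user's browser. What defeats them is the pair of checks: rejecting GET for state changes kills the image-tag variant, and the token, which the attacker's page cannot read, kills the auto-submitting form.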
 

©2014 About.com. All rights reserved.