Remove some outdated security advice from Security guide [ci-skip]

Upgrading Rails to "at least 2.1.1" is outdated advice. Applications
should run 7.0.Z or 7.1.Z.
Also, RedCloth version 4 is from 2009, so I don't think it's that "new".
This commit is contained in:
Petrik 2023-12-08 10:11:43 +01:00
parent c057edaaad
commit f30c097525
1 changed file with 4 additions and 2 deletions

@ -661,7 +661,8 @@ SELECT * FROM projects WHERE (name = '') UNION
The result won't be a list of projects (because there is no project with an empty name), but a list of usernames and their password. So hopefully you [securely hashed the passwords](#user-management) in the database! The only problem for the attacker is, that the number of columns has to be the same in both queries. That's why the second query includes a list of ones (1), which will be always the value 1, in order to match the number of columns in the first query.
Also, the second query renames some columns with the AS statement so that the web application displays the values from the user table. Be sure to update your Rails [to at least 2.1.1](https://rorsecurity.info/journal/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter.html).
Also, the second query renames some columns with the AS statement so that the
Web application displays the values from the user table.
#### Countermeasures
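Review bot: the rewrapped second line capitalizes "Web application" mid-sentence, while the removed line and the surrounding guide text use lowercase "web application"; change `Web application displays the values from the user table.` to `web application displays the values from the user table.`. Dropping the "at least 2.1.1" link is justified by the commit message (the removed text itself says the 2008 LIMIT/OFFSET issue was addressed in 2.1.1), but the SQL injection section is now left with no version guidance at all; a short sentence pointing readers at a currently supported Rails release (7.0.Z or 7.1.Z, as the commit message puts it) would keep the practical advice without the stale number.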
@ -865,7 +866,8 @@ This example, again, showed that a restricted list filter is never complete. How
If you want to provide text formatting other than HTML (due to security), use a mark-up language which is converted to HTML on the server-side. [RedCloth](https://github.com/jgarber/redcloth) is such a language for Ruby, but without precautions, it is also vulnerable to XSS.
For example, RedCloth translates `_test_` to `<em>test<em>`, which makes the text italic. However, up to the current version 3.0.4, it is still vulnerable to XSS. Get the [all-new version 4](https://github.com/jgarber/redcloth) that removed serious bugs. However, even that version has [some security bugs](https://rorsecurity.info/journal/2008/10/13/new-redcloth-security.html), so the countermeasures still apply. Here is an example for version 3.0.4:
For example, RedCloth translates `_test_` to `<em>test<em>`, which makes the
text italic. However, RedCloth doesnt filter unsafe html tags by default:
```ruby
RedCloth.new('<script>alert(1)</script>').to_html
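Review bot: the added prose line has two typos, `doesnt` for `doesn't` and lowercase `html` where the rest of the paragraph writes "HTML" ("converted to HTML", "vulnerable to XSS"). While this paragraph is being touched, `<em>test<em>` (carried over unchanged from the old line) is missing the slash on the closing tag; since the sentence describes the markup RedCloth actually emits, it should read `<em>test</em>`. The paragraph now makes a concrete claim, that unsafe tags are not filtered by default, and the hunk ends at the `RedCloth.new('<script>alert(1)</script>').to_html` call without its result; the example should show the returned string so the reader sees the `<script>` element pass through, followed by the setting the countermeasures rely on to filter it, so the "by default" qualifier is backed by the code rather than asserted.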