Welcome

The Ruby on Rails Security Project would like to help you make your Rails applications more secure. I'm Heiko Webers of bauland42 and I also do Rails security audits. You read the official Rails Security Guide? Great, so we know each other already, I wrote it. Contact me at 42 -the AT sign- bauland42.de or on Twitter.

Do you have a Rails security strategy?
Here's the new complete Rails guide to developing an overall security strategy. If you sign up today, I’ll give it to you for free.


Tuesday, May 05, 2015

A week with a Rails Security Strategy (and page update)

Two things, a page update and my new article "A week with a Rails Security Strategy".

Page update: This site hasn't been very active recently, and I'm working to make it more useful. Enter your e-mail in the header to be notified when it's ready.

I published a new article "A week with a Rails Security Strategy" on my site:

You’re a busy person. Security is not a very visible feature in most applications, and so sometimes it’s not a priority. Of course you know it’s important, but how can you fit it into your busy schedule?

The answer may be in the power of habits and a Rails security strategy...
Saturday, Feb 19, 2011

Two MRI security vulnerabilities in Ruby 1.8 and 1.9

Two security fixes have been released for Ruby today. The first vulnerability affects the FileUtils.remove_entry_secure method which allowed local users to delete arbitrary files and directories. The second one affects the $SAFE level.

FileUtils.remove_entry_secure

This affects Ruby versions 1.8.6 (patchlevel 420), 1.8.7 (330), 1.9.1 (430), 1.9.2 (136) and the development versions. The problem has been fixed and the patched releases are available for download.

$SAFE vulnerability

This affects only the 1.8 Ruby versions. The Exception#to_s method can be used to trick the $SAFE check, which allows untrusted code to modify arbitrary strings. The variable $SAFE determines Ruby's level of paranoia. This problem has also been fixed.

Wednesday, Feb 09, 2011

Several vulnerabilities in Rails 2 & 3

Two new Ruby on Rails versions were released yesterday because of four security vulnerabilities in Rails.

Potential XSS Problem with mail_to :encode => :javascript
Versions Affected:  All.
Not affected:       Applications which don't use :encode => :javascript
Fixed Versions:     3.0.4, 2.3.11

CSRF Protection Bypass in Ruby on Rails
Versions Affected:  2.1.0 and above
Not affected:       Applications which don't use the built in CSRF protection.
Fixed Versions:     3.0.4, 2.3.11
Do read the instructions carefully, because the fix affects your sessions and may require additional steps beyond just updating. More here and in the Rails Security Guide.

Potential SQL Injection in Rails 3.0.x
Versions Affected:  3.0.0-3.0.3
Not affected:       Releases before 3.0.0
Fixed Versions:     3.0.4
Unfortunately this has been fixed in earlier versions already.

Versions Affected:  3.0.0-3.0.3
Not affected:       2.3.x versions and all earlier versions. Applications deployed on case-sensitive filesystems.
Fixed Versions:     3.0.4

Wednesday, Jan 26, 2011

Vulnerability in the Mail gem affecting Rails 3.0.x applications

As the Ruby on Rails Security group announced today, there is a vulnerability in the sendmail delivery agent of the Mail gem that could allow an attacker to pass arbitrary commands to the system.

Versions Affected: Versions 2.2.14 or earlier
Not affected:        Any application not using sendmail delivery
Fixed Versions:     2.2.15 or later

More information is in the original post to Ruby's mailer group.
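A practical first step for the Rails 2/3 advisories above and for the Mail gem advisory in this post is to check what a project actually has pinned. The following Ruby script is an added example written for this page (it is not code from the Rails Security Project or from the advisories). It encodes the affected and fixed versions exactly as stated in the two posts (the fourth, untitled Rails entry is left out since the post does not name it), reads resolved versions from a constructed sample Gemfile.lock, and reports which advisories still apply, using RubyGems' Gem::Version for the comparisons. The advisory names and the lockfile contents are assumptions made for the example.

```ruby
require "rubygems"

# Constructed from the advisories quoted in the two posts above: the Rails
# fixes of February 2011 (the untitled fourth entry is omitted) and the Mail
# gem sendmail fix of January 2011. :min/:max bound the affected range
# (nil = unbounded); :fixed lists the first patched release on each branch.
ADVISORIES = [
  { gem: "rails", name: "XSS via mail_to :encode => :javascript",
    min: nil,     max: nil,      fixed: %w[2.3.11 3.0.4] },
  { gem: "rails", name: "CSRF protection bypass",
    min: "2.1.0", max: nil,      fixed: %w[2.3.11 3.0.4] },
  { gem: "rails", name: "SQL injection in Rails 3.0.x",
    min: "3.0.0", max: "3.0.3",  fixed: %w[3.0.4] },
  # Only applications using sendmail delivery are exposed; a lockfile cannot
  # tell, so a hit here still needs a look at the ActionMailer delivery method.
  { gem: "mail",  name: "arbitrary commands via sendmail delivery",
    min: nil,     max: "2.2.14", fixed: %w[2.2.15] },
].freeze

# True when version lies in the affected range and is older than the fix on
# its own major.minor branch. A branch with no fix (e.g. Rails 2.2.x for the
# CSRF bypass) is treated as affected, since the advisory covers all of them.
def affected?(version, advisory)
  v = Gem::Version.new(version)
  return false if advisory[:min] && v < Gem::Version.new(advisory[:min])
  return false if advisory[:max] && v > Gem::Version.new(advisory[:max])
  branch = v.segments.first(2)
  fix = advisory[:fixed].map { |f| Gem::Version.new(f) }
                        .find { |f| f.segments.first(2) == branch }
  fix.nil? || v < fix
end

# Names of the advisories a given gem version is still exposed to.
def vulnerable_advisories(gem, version)
  ADVISORIES.select { |a| a[:gem] == gem && affected?(version, a) }
            .map { |a| a[:name] }
end

# Pulls a gem's resolved version out of the specs section of a Gemfile.lock
# (top-level spec lines are indented by exactly four spaces).
def version_from_lockfile(text, gem)
  m = text.match(/^    #{Regexp.escape(gem)} \(([^)]+)\)/)
  m && m[1]
end

# Returns { gem => [advisory names] } for every gem in ADVISORIES that the
# lockfile pins to a vulnerable version.
def audit_lockfile(text)
  ADVISORIES.map { |a| a[:gem] }.uniq.each_with_object({}) do |gem, report|
    version = version_from_lockfile(text, gem)
    next unless version
    hits = vulnerable_advisories(gem, version)
    report[gem] = hits unless hits.empty?
  end
end

# Constructed sample lockfile pinning the last unpatched releases.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mail (2.2.14)
      rails (3.0.3)
        actionpack (= 3.0.3)

  PLATFORMS
    ruby
LOCK

if __FILE__ == $PROGRAM_NAME
  audit_lockfile(SAMPLE_LOCKFILE).each do |gem, names|
    puts "#{gem}: #{names.join('; ')}"
  end
end
```

Run it against a real project by replacing SAMPLE_LOCKFILE with File.read("Gemfile.lock"). The branch-aware comparison matters: Rails 2.3.10 is flagged for the XSS and CSRF advisories but not for the 3.0.x SQL injection, and 2.3.11 is clean, matching the "Fixed Versions" lines above.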

Tuesday, Jun 08, 2010

Ruby on Rails 3 Security Updated

I gave a talk about Rails 3 Security at RailsWayCon10. It covers the new Cross-Site Scripting protection in Rails 3, what is going to change in ActiveRecord, and other Rails security topics. You can find the presentation on Slideshare.