How to check params security?
A route of this nature:
match '*path', to:'public#index'
Different parameters can come in. They are, shall we say, dynamic. But I need to check each of them for safety, so to speak. For example, params[:command] comes in. How do I check that there is nothing tricky inside the parameter? I.e. no scripts or anything else. Almost immediately this params[:command] is sent to the OS console, i.e. it will be executed on the system. And then it will get into the database and also be shown on the page. So it turns out that I should check it for each separate direction, or can I somehow do it all at once?
Example. Let's say a request comes in: localhost:3000/command="rm -rf /"
If I immediately send it to execution, then everything will be bad. But I can't check every command. And what if it also contains XSS and SQL injection?.....
Regarding SQL:
Use parameterized SQL queries, or some ORM or SQL query builder (in my opinion, every language/framework now has something like that).
Regarding XSS:
Cut out the script tag with a regular expression, or do not perform any further actions at all if there is one in the request. Escape, replace tags with special characters, etc.
Some advanced frameworks themselves do not allow saving such code; they respond with something like "Potentially dangerous request content detected".
Regarding the request:
You send incoming data to the console. As I understand it, in any case it will be a Linux command, maybe malicious, maybe allowed, but a command.
So there is no easy way. What options can be considered:
1) If the number of allowed commands is finite, then simply assign them serial numbers like localhost:3000/command=1, localhost:3000/command=2...
And, depending on the number passed, execute the command.
2) If the number of commands is not limited, then the only option is to create a user with limited rights so that all commands transmitted by the request are executed under it.
3) If the number of commands is limited, but they have optional parameters (such as the path to the audience, the name of the file being created, etc.), then, as dimonchik2013 already suggested, write regexes for all valid patterns.
Running commands that came from the outside world on the server is not the best solution. It will be better if you decide on the functions that users will perform through the service and make secure endpoints in which there is no hint of terminal commands. When the user makes a request, we take a string constant defined somewhere in the application that will perform the action required by the user. IMHO, this is more correct from the point of view of safety.
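An added example (not code from the question or the answer above) of options 1 and 3 combined in plain Ruby: the request only selects a command number from a fixed table and supplies one argument that must match a regex, the process is started from an argv array so no shell ever parses it, and the output is HTML-escaped before it is shown. The command table and the "command"/"arg" parameter names are constructed for illustration.

```ruby
require "open3"
require "erb"

# Constructed allowlist: every runnable command lives in the application, never in the
# request. :param is the regex an optional argument must match, or nil for no argument.
ALLOWED_COMMANDS = {
  "1" => { argv: ["uptime"],         param: nil },
  "2" => { argv: ["ls", "-l", "--"],  param: /\A[A-Za-z0-9_.-]{1,64}\z/ }, # a bare file name
  "3" => { argv: ["df", "-h", "--"],  param: /\A\/(?:[A-Za-z0-9_-]+\/?)*\z/ } # a path, no ".."
}.freeze

class BadRequest < StandardError; end

# Turns untrusted request params (like Rails params[:command] and params[:arg]) into an
# argv array. Anything not on the allowlist raises instead of being executed.
def build_argv(params)
  spec = ALLOWED_COMMANDS[params["command"].to_s] or raise BadRequest, "unknown command"
  argv = spec[:argv].dup
  if spec[:param]
    arg = params["arg"].to_s
    raise BadRequest, "bad argument" unless arg.match?(spec[:param])
    argv << arg
  elsif params.key?("arg")
    raise BadRequest, "command takes no argument"
  end
  argv
end

# Runs the command without a shell: Open3 gets the argv array directly, so characters
# such as ';', '|' or '$(...)' in the argument are just bytes in a file name, not syntax.
def run_command(params)
  argv = build_argv(params)
  out, status = Open3.capture2(*argv)
  [out, status.exitstatus]
end

# Escape before storing/rendering; Rails ERB templates call the same function by default.
def render_output(text)
  ERB::Util.html_escape(text)
end
```

The "--" in the argv table stops a validated argument from being read as an option by the command itself.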
I don't know the answer to your question. But I know who knows :) Hexlet has some kind of console in the browser for completing tasks. It works quite well. You can find out from the authors in Slack how it works for them. They have it running in Docker. So I suspect this is the secret.