Ahmad Al-kheat

Reputation: 1795

Rails security issue

I have a rails 4 app on heroku, users can choose an option from a drop down menu ( course name) then click post, and the post will appear on the index page. Someone was able to create a post with an option that was not in the drop down menu at all, how is this possible? What can I do about it?

Upvotes: 0

Views: 33

Answers (2)

Finks

Reputation: 1681

First, the problem. It's very easy to recreate it using Chrome developer tools. Here are the steps for recreating the error:

  1. Using chrome developer tool, find and inspect the dropdown
  2. Right click on it and choose Edit as html
  3. Add a new value to the dropdown
  4. Select the new value and press create

Now the solution:

I will just add a validation that checks whether the value passed in is part of the options in the dropdown: http://edgeguides.rubyonrails.org/active_record_validations.html#inclusion

Upvotes: 1

cyborg

Reputation: 878

Put your options of drop-down menu to private method and permit only those values under your controller. No need to provide attr_accessible under your model if you are writing over there.

Upvotes: 1
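The two answers describe the same fix at two layers: an inclusion validation in the model and a whitelist in the controller. The following is an added example, not code from the question or either answer, written in plain Ruby without Rails so it runs stand-alone; `COURSE_NAMES`, `Post` and `PostsController` are assumed names, and the hand-rolled `valid?`/`post_params` stand in for ActiveRecord's `validates ... inclusion:` and strong parameters.

```ruby
# Added example: server-side enforcement of a drop-down's option list.
# The browser's <select> is only a hint; the request body can carry any value.
COURSE_NAMES = ["Math 101", "Physics 201", "History 110"].freeze  # assumed options

# Stands in for: validates :course_name, inclusion: { in: COURSE_NAMES }
class Post
  attr_reader :course_name, :body, :errors

  def initialize(course_name:, body:)
    @course_name = course_name
    @body = body
    @errors = []
  end

  # Rejects any course_name that is not one of the server-known options.
  def valid?
    @errors = []
    @errors << "course_name is not included in the list" unless COURSE_NAMES.include?(@course_name)
    @errors.empty?
  end
end

# Stands in for the controller: strong parameters plus the whitelist check
# suggested in the second answer, applied before the model is built.
class PostsController
  def initialize(params)
    @params = params  # assumed shape: { "post" => { "course_name" => ..., "body" => ... } }
  end

  # Mirrors params.require(:post).permit(:course_name, :body); other keys are dropped.
  def post_params
    @params.fetch("post", {}).slice("course_name", "body")
  end

  # Returns the attributes that would be saved, or nil when the value is not one of ours.
  def create
    attrs = post_params
    return nil unless allowed_course?(attrs["course_name"])
    post = Post.new(course_name: attrs["course_name"], body: attrs["body"])
    post.valid? ? { course_name: post.course_name, body: post.body } : nil
  end

  private

  def allowed_course?(name)
    COURSE_NAMES.include?(name)
  end
end
```

A tampered form submission reaches `create` with an arbitrary `course_name`; both the controller check and the model validation reject it, and the stray `admin` key never reaches the model because `post_params` drops it.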
