bukk530

Reputation: 1895

Passing arbitrary data to rails cache

I am wondering whether it is safe or not to directly pass arbitrary data as a cache name in Rails, for example:

# user-controlled request parameter used directly as the cache key
Rails.cache.fetch(params[:unsafe_param], expires_in: 2.hours) do
    'foo'
end

I am using the Redis driver, and my concerns are about any SQL-injection-like attack on the cache. Is this something I have to worry about, or does the driver itself do the sanitization?

Upvotes: 0

Views: 190

Answers (1)

Chris

Reputation: 12181

It depends on your use case, but the general answer is yes. That is unsafe because Redis has no concept of authentication.

Keys are just strings, so a user could iterate over tons of param values to read anything you had in Redis. Furthermore, they would also be writing values to the cache for every one of those requests, opening you up to denial of service attacks. The attack strategy would be to simply fill up all of the memory on the machine where Redis lives by requesting billions of keys. If anything else is on that machine, it would go down as well.

So validate as many things as you can and only set keys with data you have validated and know to be finite.

Upvotes: 2
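Added example, not code from the question or the answer: the raw-param pattern from the question beside a hardened variant that only touches the cache with a validated, namespaced key. `DemoCache` is a stand-in for `Rails.cache` so this runs without Rails; `report_cache_key`, `search_cache_key` and `ALLOWED_REPORTS` are hypothetical names, and the hashed variant goes slightly beyond the answer by showing how open-ended input can still be kept bounded.

```ruby
require 'digest'

# Stand-in for Rails.cache: just enough of the fetch API for this demo.
class DemoCache
  def initialize
    @store = {}
  end

  def fetch(key, expires_in: nil) # expires_in is accepted but ignored here
    @store.key?(key) ? @store[key] : (@store[key] = yield)
  end

  def keys
    @store.keys
  end
end

# Allowlist of the values the application actually expects for this param.
ALLOWED_REPORTS = %w[daily weekly monthly].freeze

# Hypothetical helper: returns a namespaced key for an allowlisted value, or
# nil when the input is not one the app defined. Unknown input never becomes
# a key, so a caller cannot read or create arbitrary cache entries.
def report_cache_key(unsafe_param)
  return nil unless ALLOWED_REPORTS.include?(unsafe_param.to_s)
  "reports:v1:#{unsafe_param}"
end

# For genuinely open-ended input (e.g. a search string), bound its size and
# hash it so the key is fixed-length and stays inside its own namespace.
def search_cache_key(unsafe_param, max_len: 200)
  q = unsafe_param.to_s
  return nil if q.empty? || q.length > max_len
  "search:v1:#{Digest::SHA256.hexdigest(q)}"
end

# Vulnerable pattern from the question: the raw param is the key.
def unsafe_fetch(cache, unsafe_param)
  cache.fetch(unsafe_param) { 'foo' }
end

# Hardened pattern: refuse to touch the cache unless the key validated.
def safe_fetch(cache, unsafe_param)
  key = report_cache_key(unsafe_param)
  return nil if key.nil?
  cache.fetch(key) { 'foo' }
end
```

Feeding a thousand junk values through `unsafe_fetch` creates a thousand entries, while the same input through `safe_fetch` creates none.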
