10. OWASP Top Ten Security Risk
1. Injection
2. Cross Site Scripting
3. Broken Authentication and Session Management
4. Insecure Direct Object Reference
5. Cross Site Request Forgery
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure To Restrict URL Access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards
11. OWASP Top Ten Security Risk
Problems related specifically to view layer.
12. The Rails Way to security:
CSRF protection
XSS protection
13. Cross Site Request Forgery
/app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  protect_from_forgery
end
/app/views/layouts/application.html.erb
<head>
  <%= csrf_meta_tags %>
</head>
Rendered output:
<meta content="authenticity_token" name="csrf-param">
<meta content="KklMulGyhEfVztqfpMn5nRYc7zv+tNYb3YovBwOhTic=" name="csrf-token">
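What `protect_from_forgery` and `csrf_meta_tags` do, re-implemented in plain Ruby as an added example (not the deck's or Rails' own code): the session is a plain Hash, the request is described by its verb, params and headers, and the token check is a simplified version of Rails' verification.

```ruby
require "securerandom"

# Per-session token, created on first use and reused for the session's lifetime.
def csrf_token_for(session)
  session[:_csrf_token] ||= SecureRandom.base64(32)
end

# The two tags csrf_meta_tags puts in <head>; jquery_ujs reads them and sends the
# token as the X-CSRF-Token header on AJAX requests, forms carry it as a hidden field.
def csrf_meta_tags(session)
  token = csrf_token_for(session)
  %(<meta content="authenticity_token" name="csrf-param">\n) +
    %(<meta content="#{token}" name="csrf-token">)
end

# Constant-time comparison so a wrong token is rejected without leaking, via
# timing, how many leading bytes were right.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# The decision protect_from_forgery makes: GET and HEAD are never checked, every
# other verb must carry the session's token in params["authenticity_token"]
# (form submit) or the X-CSRF-Token header (AJAX). A session with no token yet
# cannot be matched, so the request is rejected.
def verified_request?(session, method:, params: {}, headers: {})
  return true if %w[GET HEAD].include?(method.upcase)
  expected = session[:_csrf_token]
  return false if expected.nil?
  provided = params["authenticity_token"] || headers["X-CSRF-Token"]
  secure_compare(expected, provided)
end
```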
14. Cross Site Scripting
<div id="comments">
  <% @post.comments.each do |comment| %>
    <div class="comment">
      <h4><%= comment.author %> says:</h4>
      <p><%= comment.content %></p>
    </div>
  <% end %>
</div>
<%# Insecure! %>
<%= raw product.description %>
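The difference between `<%= comment.content %>` and `<%= raw ... %>` on the slide above, shown with Ruby's standard ERB as an added example (not the deck's view code): plain ERB never escapes on its own, so `ERB::Util.html_escape` is called explicitly to reproduce what Rails' `<%= %>` does automatically, and `raw_mode` reproduces `raw`. The `Comment` struct and the sample comment are constructed for the example.

```ruby
require "erb"

# Constructed stand-in for the comment record the slide iterates over.
Comment = Struct.new(:author, :content)

# Same markup as the slide; html_escape is what Rails applies behind <%= %>.
COMMENT_TEMPLATE = ERB.new(<<~'ERB')
  <div class="comment">
    <h4><%= ERB::Util.html_escape(comment.author) %> says:</h4>
    <p><%= raw_mode ? comment.content : ERB::Util.html_escape(comment.content) %></p>
  </div>
ERB

def render_comment(comment, raw_mode: false)
  COMMENT_TEMPLATE.result(binding)
end

# Constructed input: a body that the browser would execute if emitted verbatim.
SAMPLE_COMMENT = Comment.new("mallory", "<script>alert(1)</script>")

# What the safe default produces: the tag arrives as text, not as markup.
def escaped_output
  render_comment(SAMPLE_COMMENT)
end

# What `raw` produces for the same record.
def raw_output
  render_comment(SAMPLE_COMMENT, raw_mode: true)
end

# A check a view test can run over rendered HTML: is there still a live script tag?
def contains_script_tag?(html)
  html.match?(/<script\b/i)
end
```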
15. The Rails Way to routing:
Non-Resourceful routes
Resourceful routes
SEO friendly URLs
16. Non-Resourceful Routes
match 'products/:id' => 'products#show'   # GET /products/10
post 'products' => 'products#create'      # POST /products
namespace :api do
  put 'products/:id' => 'products#update' # PUT /api/products/10, handled by Api::ProductsController
end
17. Non-Resourceful Routes
match 'photos/show' => 'photos#show', :via => [:get, :post]
match 'photos/:id' => 'photos#show', :constraints => { :id => /[A-Z]\d{5}/ }
match "photos", :constraints => { :subdomain => "admin" }
match "/stories/:name" => redirect("/posts/%{name}")
match 'books/*section/:title' => 'books#show'
root :to => 'pages#main'
18. Resourceful Routes
resources :photos
# equivalent to these seven routes:
get '/photos' => 'photos#index'
get '/photos/new' => 'photos#new'
post '/photos' => 'photos#create'
get '/photos/:id' => 'photos#show'
get '/photos/:id/edit' => 'photos#edit'
put '/photos/:id' => 'photos#update'
delete '/photos/:id' => 'photos#destroy'
19. Resourceful Routes
resource :profile
# singular resource: no index and no :id, but still the plural ProfilesController
get '/profile/new' => 'profiles#new'
post '/profile' => 'profiles#create'
get '/profile' => 'profiles#show'
get '/profile/edit' => 'profiles#edit'
put '/profile' => 'profiles#update'
delete '/profile' => 'profiles#destroy'
24. Response Rendering
class UsersController < ApplicationController
  def new
    @user = User.new                # implicit render of new.html.erb
  end
  def create
    @user = User.new(params[:user])
    if @user.save
      redirect_to :action => :show  # the follow-up request renders show.html.erb
    else
      render :new                   # re-renders new.html.erb with the errors
    end
  end
end
42. AJAX
/app/controllers/products_controller.rb
class ProductsController < ApplicationController
  def create
    @product = Product.new(params[:product])
    respond_to do |format|
      if @product.save
        format.html { redirect_to @product }
      else
        format.html { render :action => 'new' }
        format.js
      end
    end
  end
end
46. Page Caching
class ProductsController < ApplicationController
  caches_page :index
  def index
    @products = Product.all
  end
  def create
    expire_page :action => :index
  end
end
Page caching won't work with filters: the cached file is served by the web server without running the controller, so before_filters such as authentication are skipped.
47. Action Caching
class ProductsController < ApplicationController
  before_filter :authenticate_user!
  caches_action :index
  def index
    @products = Product.all
  end
  def create
    expire_action :action => :index
  end
end
48. Fragment Caching
<% cache(:action => 'recent', :action_suffix => 'all_products') do %>
  All available products:
  <% @products.each do |p| %>
    <%= link_to p.name, product_url(p) %>
  <% end %>
<% end %>
expire_fragment(
  :controller => 'products',
  :action => 'recent',
  :action_suffix => 'all_products'
)
49. Sweepers
class ProductSweeper < ActionController::Caching::Sweeper
  observe Product
  def after_create(product)
    # Expire the index page now that we added a new product
    expire_page(:controller => 'products', :action => 'index')
    # Expire a fragment
    expire_fragment('all_available_products')
  end
end
50. Conditional GET support
class ProductsController < ApplicationController
  def show
    @product = Product.find(params[:id])
    if stale?(:last_modified => @product.updated_at.utc, :etag => @product)
      respond_to do |format|
        # ... normal response processing
      end
    end
  end
end
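The decision `stale?` makes on the slide above, as an added example in plain Ruby (not Rails' implementation): the record is a constructed `Product` struct, the request is a Hash of headers, and the ETag digest is an assumption in the spirit of what Rails derives from the record, not its exact value.

```ruby
require "digest"
require "time"

# Constructed stand-in for the Product record on the slide.
Product = Struct.new(:id, :updated_at)

# Weak validator from the record's key and updated_at (assumed format; Rails'
# own digest differs, but changes whenever the record does in the same way).
def etag_for(product)
  %("#{Digest::MD5.hexdigest("product/#{product.id}-#{product.updated_at.to_i}")}")
end

def parse_http_date(value)
  Time.httpdate(value)
rescue ArgumentError
  nil
end

# If the client sent validators and every one it sent still matches, answer 304
# with no body; otherwise 200 plus fresh validators for the client's next request.
# A request without validators is always a full 200.
def conditional_get(product, request_headers)
  etag = etag_for(product)
  last_modified = product.updated_at.utc
  validators = { "ETag" => etag, "Last-Modified" => last_modified.httpdate }

  if_none_match = request_headers["If-None-Match"]
  if_modified_since = request_headers["If-Modified-Since"]
  return [200, validators] unless if_none_match || if_modified_since

  fresh = true
  if if_none_match
    fresh &&= if_none_match.split(",").map(&:strip).include?(etag)
  end
  if if_modified_since
    since = parse_http_date(if_modified_since)
    # HTTP dates carry whole seconds only, so compare at second resolution;
    # an unparseable date never counts as fresh.
    fresh &&= !since.nil? && last_modified.to_i <= since.to_i
  end
  [fresh ? 304 : 200, validators]
end

# Constructed record; a browser's second request echoes the validators back.
SAMPLE_PRODUCT = Product.new(10, Time.utc(2012, 5, 1, 12, 0, 0))
```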
51. Memoization
class City < ActiveRecord::Base
  attr_accessible :name, :zip, :lat, :lon
  def display_name
    @display_name ||= "#{zip} #{name}"
  end
end
52. The Rails Way to solve
typical problems:
N+1 Problem
Fetching object in batches
53. N+1 Problem
class User < ActiveRecord::Base
  def recent_followers
    self.followers.recent.collect do |f|
      f.user.name
    end
  end
end
Select followers where user_id=1
Select user where id=2
Select user where id=3
Select user where id=4
Select user where id=5
Source: http://www.codeschool.com/courses/rails-best-practices
54. N+1 Problem
class User < ActiveRecord::Base
  def recent_followers
    self.followers.recent.includes(:user).collect do |f|
      f.user.name
    end
  end
end
Select followers where user_id=1
Select users where user_id in (2,3,4,5)
Bullet Gem:
https://github.com/flyerhzm/bullet
Source: http://www.codeschool.com/courses/rails-best-practices
55. Fetching objects in Java
List<Tweet> tweets = tweetDao.findAllForUser(user);
for (Tweet tweet : tweets) {
  // ...
}
for (Tweet tweet : user.getTweets()) {
  // ...
}
56. Fetching objects in Rails
Tweet.where(user: user).find_each do |tweet|
  # ...
end
user.tweets.find_each(batch_size: 5000) do |tweet|
  # ...
end
By default pulls batches of 1,000 at a time
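How `find_each` gets those batches, as an added example in plain Ruby (not ActiveRecord's code): it walks the primary key upward, asking for rows with `id` greater than the last one seen, ordered by `id`, `LIMIT batch_size`, and stops when a batch comes back short. The `FakeTable` and its query log are constructed so the number of queries per scan can be observed without a database.

```ruby
# Constructed in-memory stand-in for a tweets table; id is the primary key.
Tweet = Struct.new(:id, :user_id, :body)

class FakeTable
  attr_reader :queries

  def initialize(rows)
    @rows = rows
    @queries = []
  end

  # Emulates: SELECT * FROM tweets WHERE user_id = ? AND id > ? ORDER BY id LIMIT ?
  def select_batch(user_id, after_id, limit)
    @queries << "SELECT * FROM tweets WHERE user_id=#{user_id} AND id>#{after_id} " \
                "ORDER BY id LIMIT #{limit}"
    @rows.select { |t| t.user_id == user_id && t.id > after_id }.sort_by(&:id).first(limit)
  end
end

# Keyset batching as find_each does it: each query is bounded by the last id seen,
# so it stays cheap no matter how deep into the table the scan is, and a short
# batch means the scan is done. Note that the order is always by primary key.
def find_each(table, user_id, batch_size: 1000)
  last_id = 0
  loop do
    batch = table.select_batch(user_id, last_id, batch_size)
    break if batch.empty?
    batch.each { |row| yield row }
    break if batch.size < batch_size
    last_id = batch.last.id
  end
end

# Constructed dataset: 2,500 tweets for user 1 interleaved with 2,500 for user 2.
SAMPLE_ROWS = (1..5000).map { |i| Tweet.new(i, (i % 2) + 1, "tweet #{i}") }

# Scans one user's tweets and reports how many rows and queries that took.
def scan_user(user_id, batch_size: 1000)
  table = FakeTable.new(SAMPLE_ROWS)
  ids = []
  find_each(table, user_id, batch_size: batch_size) { |t| ids << t.id }
  { rows: ids.size, queries: table.queries.size, ordered: ids == ids.sort }
end
```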