Guarding "params" (for security reasons)

What's the most recommended technique for guarding Rails HTTP params?

For example, something like this can obviously be dangerous (e.g. SQL
injection):

    user_account = UserAccount.find(:first, :conditions => ["username = ?", params[:id]])

I am about to write a home-grown validation routine to check for string
lengths, data types (e.g. numeric versus string, depending on what I'm
expecting), etc. but I wasn't sure if there are existing
plugins/libraries out there.

I was considering writing something like this:
    id = validate_params(params[:id], "string", 10) # 10 being max_length

Ben Knight wrote:

What's the most recommended technique for guarding Rails HTTP params?

For example, something like this can obviously be dangerous (e.g. SQL
injection):

    user_account = UserAccount.find(:first, :conditions => ["username = ?", params[:id]])

I am about to write a home-grown validation routine to check for string
lengths, data types (e.g. numeric versus string, depending on what I'm
expecting), etc. but I wasn't sure if there are existing
plugins/libraries out there.

I was considering writing something like this:
    id = validate_params(params[:id], "string", 10) # 10 being max_length

ActiveRecord has many validation callbacks such as validate_presence_of,
etc.

It's preferable to validate data in the models instead of controllers.

Regards,

rp8

What's the most recommended technique for guarding Rails HTTP params?

For example, something like this can obviously be dangerous (e.g. SQL
injection):

    user_account = UserAccount.find(:first, :conditions => ["username = ?", params[:id]])

If you read the docs, you would know that this sanitizes parameters
precisely to guard against such injection :slight_smile:

Fred

Frederick Cheung wrote:

If you read the docs, you would know that this sanitizes parameters
precisely to guard against such injection :slight_smile:

Sorry, guys; my bad. I should have explained that I'm probably least
worried about ActiveRecord.find stuff (even though I threw that example
up) and more worried about params in general (i.e. ones not passed to
ActiveRecord.find) and also worried about
ActiveRecord::Base.connection.select_all, count_by_sql, etc. I do have
methods that accept params for non-ActiveRecord in a couple of places.

I have used many of ActiveRecord's validation callbacks (e.g.
validate_presence_of) but I'll dig deeper into those. However, I'm
looking for a generic, non-ActiveRecord, params validation stuff. If
you know of any, please let me know.

Thanks again, everyone.

Ben,

I suspect that you'll need to provide some more specific examples. I
also suspect that you're possibly over thinking things a bit (possibly
due to how you might have approached problems like this in previous
languages/frameworks)

Robby

I've actually worked with Rails for 2+ years and published articles
about it, so I hope I'm not over-thinking things :slight_smile:

However, we recently began getting very long URLs with invalid
parameters, which is what got me thinking of these
things. This is 10% of how long the URLs are -- imagine this string
times 10:

{our domain}/4/pick-up-your-toys?code=+%0d%0ahttp%3a%2f%2fwarn1207.hostevo.com%2fhome-rentals-in-brunswick.html+home+rentals+in+cape+cod+%0d%0ahttp%3a%2f%2fpetr3549.yourfreehosting.net%2fbaked-scrod-recipes.html+baked+spasagna+recipe+%0d%0ahttp%3a%2f

I can't really understand what you're trying to do here.

What is this URL? Where is it being used to be dangerous? Is it in
activerecord code?

If it is and you're following the best practices (using placeholders
to your conditions), this isn't a problem (as Frederick has already
explained).

That URL is from our log files; I masked our domain name (see below).
We are getting calls made with very long parameters every couple of
minutes and since they are all from Windows NT machines, I suspect it's a
virus that the user might not even be aware of. Anyway, whether it's a
virus or a deliberate attempt to crack our systems, I would like to guard
our parameters, so only appropriate size and content is passed in.

http://www.ourdomain.com/4/pick-up-your-toys?code=+ http%3A%2F%2Fwarn1207.hostevo.com%2Fhome-rentals-in-brunswick.html+home+rentals+in+cape+cod+ http%3A%2F%2Fpetr3549.yourfreehosting.net%2Fbaked-scrod-recipes.html+baked+spasagna+recipe+ http%3A%2F
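The thread leaves Ben's `validate_params(params[:id], "string", 10)` idea unwritten. The following is an added example (my code, not from any poster in this thread and not part of Rails) of a whitelist-style params validator in plain Ruby that enforces the expected type, a maximum length and an allowed character set per parameter, and so rejects the oversized, CR/LF-laden `code` parameter in the log line above before it reaches any model or raw SQL. `ParamGuard`, `ParamError`, `check_query` and the schema keys (`:type`, `:max_length`, `:format`, `:required`) are assumed names; the query strings fed to it are constructed for the example.

```ruby
require 'uri'

# Raised for any parameter that fails validation (assumed name).
class ParamError < StandardError; end

# Whitelist validator: every parameter you intend to use must appear in the
# schema with its rules; anything not listed is simply dropped.
module ParamGuard
  def self.validate(params, schema)
    clean = {}
    schema.each do |name, rule|
      raw = params[name.to_s] || params[name]
      if raw.nil?
        raise ParamError, "missing parameter #{name}" if rule[:required]
        next
      end
      # Only scalar strings are accepted here; nested hashes/arrays are rejected.
      raise ParamError, "#{name} must be a scalar" unless raw.is_a?(String)
      # Length is checked first so oversized input is rejected before any
      # further (regex) work is done on it.
      if rule[:max_length] && raw.length > rule[:max_length]
        raise ParamError, "#{name} exceeds #{rule[:max_length]} characters"
      end
      clean[name] = coerce(name, raw, rule)
    end
    clean
  end

  def self.coerce(name, raw, rule)
    case rule[:type]
    when :integer
      raise ParamError, "#{name} must be an integer" unless raw =~ /\A-?\d+\z/
      raw.to_i
    when :string
      # CR/LF and other control characters (the %0d%0a in the logged URLs)
      # never belong in a plain text parameter.
      raise ParamError, "#{name} contains control characters" if raw =~ /[[:cntrl:]]/
      if rule[:format] && raw !~ rule[:format]
        raise ParamError, "#{name} has unexpected format"
      end
      raw
    else
      raise ArgumentError, "unknown type #{rule[:type].inspect} for #{name}"
    end
  end
end

# Schema for the /4/pick-up-your-toys?code=... request from the thread
# (assumed rules: a required numeric id and a short alphanumeric code).
SCHEMA = {
  id:   { type: :integer, required: true },
  code: { type: :string, max_length: 10, format: /\A[A-Za-z0-9-]+\z/ }
}.freeze

# Decode a raw query string (as a framework would) and validate it against
# SCHEMA; returns the cleaned hash or an :error hash with the reason.
def check_query(query_string)
  params = URI.decode_www_form(query_string).to_h
  ParamGuard.validate(params, SCHEMA)
rescue ParamError => e
  { error: e.message }
end

if __FILE__ == $0
  # Constructed inputs: one legitimate request and one shaped like the
  # oversized, CR/LF-containing request from the thread's log line.
  p check_query("id=4&code=TOYS-2008")
  p check_query("id=4&code=+%0d%0ahttp%3a%2f%2fexample.invalid%2fhome-rentals.html+home+rentals")
  p check_query("id=4&code=ab%0d%0acd")
end
```

The validator returns only the parameters named in the schema, already coerced to the expected Ruby type, so the rest of the controller works from `clean[:id]` rather than `params[:id]`. Keeping the rules in one place per action also makes the rejected requests easy to log and count, which is the useful signal when the traffic looks automated as it does here.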

Maurício Linhares wrote: