restricted properties in Ronin


Gus Prevas

Mar 6, 2012, 3:14:22 PM
to ronin...@googlegroups.com
Hey everyone,

You may have heard about a security breach at github.com on Sunday which was caused by a mass assignment vulnerability intrinsic to Rails (or more accurately, to a poorly configured Rails application).

I figured I'd take the opportunity to remind you all about a feature in Ronin which is meant to prevent this kind of attack.  Software security requires constant vigilance, so you should always strive to be aware of your frameworks' security features.  The relevant section of the Ronin docs is included below.  Feel free to share, and enjoy!

-Gus

Restricting properties

Setting properties on a parameter via request parameters could conceivably pose a security risk. For instance, say you have a page where a user can edit their profile. This page posts to the following controller method:


  1. function saveUser(u : User) {
  2. [code to save User object to database]
  3. }

An attacker could trick a user into posting to this method with the parameter u.Password set to some value known to the attacker.

For this reason, Ronin allows you to specify that certain properties should never be set automatically from request parameters. There are two ways to do this. If the property in question is on a Gosu class, you can use the @Restricted annotation:


  1. @Restricted
  2. var _password : String as Password

On the other hand, if the property is on another kind of type, or if you don't have control over the class where it's defined (e.g. it's part of a third-party library), you can set the RestrictedProperties from the constructor of your RoninConfig class:


  1. RestrictedProperties = { User#Password, User#Salt, ... }
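To make the restricted-properties idea concrete outside of Ronin, here is an added example (not Ronin or Gosu code, and not from the original post) in Ruby, the language of the Rails breach the message refers to. It binds request parameters of the form `u.Property` onto a `User` object twice: once with a naive binder that sets whatever the request names, and once with a binder that consults a deny-list modelled on `{ User#Password, User#Salt, ... }` and refuses those properties. The class `User`, the functions `bind_params_naive` and `bind_params`, the `RESTRICTED` table and the attack request are all constructed for illustration.

```ruby
# Added example, not part of Ronin: a request-parameter binder with a
# deny-list of restricted properties. All names here are assumptions.

class User
  attr_accessor :name, :email, :password, :salt

  def initialize(name: "", email: "", password: "", salt: "")
    @name, @email, @password, @salt = name, email, password, salt
  end
end

# Properties that must never be set from request parameters, keyed by
# class; mirrors RestrictedProperties = { User#Password, User#Salt, ... }.
RESTRICTED = {
  User => [:password, :salt].freeze
}.freeze

# Naive binder (the vulnerable "before"): every "prefix.prop" key in the
# request becomes a setter call on the object, whatever the property is.
def bind_params_naive(obj, prefix, params)
  params.each do |key, value|
    next unless key.start_with?("#{prefix}.")
    prop = key.split(".", 2)[1]
    setter = "#{prop}="
    obj.public_send(setter, value) if obj.respond_to?(setter)
  end
  obj
end

# Hardened binder: skips any property listed as restricted for the
# object's class and returns the rejected names so the caller can log
# the attempt (a request naming a restricted property is a useful signal).
def bind_params(obj, prefix, params)
  restricted = RESTRICTED.fetch(obj.class, [])
  rejected = []
  params.each do |key, value|
    next unless key.start_with?("#{prefix}.")
    prop = key.split(".", 2)[1].to_sym
    if restricted.include?(prop)
      rejected << prop
      next
    end
    setter = "#{prop}="
    obj.public_send(setter, value) if obj.respond_to?(setter)
  end
  [obj, rejected]
end

# Constructed request: a profile edit that smuggles password and salt
# fields alongside the legitimate ones.
ATTACK_PARAMS = {
  "u.name" => "alice",
  "u.email" => "alice@example.com",
  "u.password" => "attacker-chosen",
  "u.salt" => "0000"
}.freeze

if __FILE__ == $0
  victim = bind_params_naive(User.new(password: "original"), "u", ATTACK_PARAMS)
  puts "naive:      password=#{victim.password.inspect}"
  safe, rejected = bind_params(User.new(password: "original"), "u", ATTACK_PARAMS)
  puts "restricted: password=#{safe.password.inspect} rejected=#{rejected.inspect}"
end
```

Run as a script, the naive binder ends with the attacker-chosen password stored on the user, while the restricted binder leaves `password` and `salt` untouched, sets only `name` and `email`, and reports the two rejected properties. Because this is a deny-list, it protects exactly the properties someone remembered to list, which is why the message above stresses constant vigilance: every new sensitive property needs its `@Restricted` annotation or `RestrictedProperties` entry.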