I'm making my own API and I was wondering: How to secure the received params?

Example:

• I have a Car model with brand and color attributes.

My endpoint receives those params in the payload. With this received payload I search in my db:

car = Car.where(color: params[:color])
# or
car = Car.find_by(brand: params[:brand])
# or writing
Car.first.update!(brand: params[:brand])

But I'm so worried about what if someone tries to exploit with SQL or XSS? How do you work with this?

Thanks a lot :)

CodePudding user response：

The examples from your question are all protected against SQL injection automatically.

Relevant quotes from the official Rails Guides:

7.2.1 Introduction

SQL injection attacks aim at influencing database queries by manipulating web application parameters. A popular goal of SQL injection attacks is to bypass authorization. Another goal is to carry out data manipulation or reading arbitrary data. Here is an example of how not to use user input data in a query:

Project.where("name = '#{params[:name]}'")

Then later in the same document:

7.2.4 Countermeasures

Ruby on Rails has a built-in filter for special SQL characters, which will escape ' , " , NULL character, and line breaks. Using Model.find(id) or Model.find_by_some thing(something) automatically applies this countermeasure. But in SQL fragments, especially in conditions fragments (where("...")), the connection.execute() or Model.find_by_sql() methods, it has to be applied manually.

Instead of passing a string, you can use positional handlers to sanitize tainted strings like this:

Model.where("zip_code = ? AND quantity >= ?", entered_zip_code, entered_quantity).first

The first parameter is a SQL fragment with question marks. The second and third parameter will replace the question marks with the value of the variables.

You can also use named handlers, the values will be taken from the hash used:

values = { zip: entered_zip_code, qty: entered_quantity }
Model.where("zip_code = :zip AND quantity >= :qty", values).first

Additionally, you can split and chain conditionals valid for your use case:

Model.where(zip_code: entered_zip_code).where("quantity >= ?", entered_quantity).first

CodePudding user response：

You should avoid passing strings as parameters to Active Records methods.

Use arrays or hashes instead. So to fix the vulnerable code, avoid the following:

car = Car.where(color: params[:color])

And instead of using user input directly, you should pass it as a parameter:

car = Car.where(["color = ?", params[:color])

This approach can be applied to pretty much all methods and therefore help you avoid almost all SQL injection vulnerabilities.

Another you can do is to use attribute-based finder methods:

car = Car.find_by(brand: params[:brand])

By doing so, Active Records will automatically properly escape unwanted characters, which normally allow SQL injection to happen.

For more see:

• https://www.stackhawk.com/blog/sql-injection-prevention-rails/
• https://www.netsparker.com/blog/web-security/sql-injection-ruby-on-rails-development/