Rails security on production server - ruby-on-rails

I am putting my first Rails app on the internet. I have read the Rails guide on security and have implemented the points listed in there, but was interested to hear of anything else?
Also, I currently store my uploads in public/documents; is this ok? I noticed there are no .htaccess files protecting the directory.

Storing your uploads in a predictable location is a bad idea if you want to keep them a secret. If you don't care about people accessing it then it doesn't matter. Using .htaccess to password protect the directory is a good solution.
You should test your application for vulnerabilities using Acunetix ($$) or Wapiti (open source).
You should also read: What should a developer know before building a public web site?

If your site allows anyone to upload, it is a bad idea to store your uploads in a place where non-logged-in users can get to them. This is because then your site can be used by unscrupulous people as a place to store things that you might not want stored, such as malware.
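Worked example of the point made in both answers, added here and not code from the thread: keep uploads outside public/ and hand them out through an action that checks ownership first. The class layout, the storage directory and the owner/user ids are assumptions; in a real app the returned path would go to send_file and Forbidden would become a 403 or 404.

```ruby
require 'fileutils'
require 'tmpdir'

# Added example, not code from the thread: a private upload store. Files live outside
# public/ (here storage/uploads) so the web server never serves them directly; the app
# hands a path to send_file only after an ownership check and a filename check. The
# class layout, directory and owner/user ids are assumptions for illustration.
class PrivateUploads
  Forbidden = Class.new(StandardError)

  def initialize(root)
    @root = File.expand_path(root)
    FileUtils.mkdir_p(@root)
  end

  # Writes data under <root>/<owner_id>/<filename>; returns the path.
  def store(owner_id, filename, data)
    path = resolve(owner_id, filename)
    FileUtils.mkdir_p(File.dirname(path))
    File.binwrite(path, data)
    path
  end

  # Path a controller action would pass to send_file, after checking that the
  # requesting user owns the file. Raises Forbidden otherwise (the controller
  # would map that to a 403/404).
  def fetch_path(current_user_id, owner_id, filename)
    raise Forbidden, 'not the owner' unless current_user_id == owner_id
    path = resolve(owner_id, filename)
    raise Forbidden, 'no such file' unless File.file?(path)
    path
  end

  private

  # Only a bare filename is accepted: no separators, no "..", no leading "~" (which
  # File.expand_path would turn into a home directory) and no NUL bytes. The
  # prefix check afterwards is defence in depth against anything missed.
  def resolve(owner_id, filename)
    name = filename.to_s
    if name.empty? || name.include?('/') || name.include?('\\') ||
       name.start_with?('~') || name == '.' || name == '..' || name.include?("\0")
      raise Forbidden, "bad filename #{name.inspect}"
    end
    base = File.join(@root, owner_id.to_s)
    path = File.expand_path(name, base)
    raise Forbidden, 'path escapes owner directory' unless path.start_with?(base + File::SEPARATOR)
    path
  end
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    uploads = PrivateUploads.new(File.join(dir, 'storage', 'uploads'))
    uploads.store(1, 'report.pdf', 'constructed sample bytes')
    puts uploads.fetch_path(1, 1, 'report.pdf')   # owner: allowed
    begin
      uploads.fetch_path(2, 1, 'report.pdf')      # other user: denied
    rescue PrivateUploads::Forbidden => e
      puts "denied: #{e.message}"
    end
  end
end
```

The filename check rejects rather than sanitises: silently turning "../x" into "x" would hide a probe that is worth logging.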

Related

What is the best way for an iOS app access data from a public website without overloading it?

I would like to use some publicly available data from a government website as a source of data in an iOS app. But I am not sure what is the best / most polite / scalable way to have a large number of users request data from this website with the least impact on their servers and best reliability for me.
It is 1-50kb of static XML with a fixed URL scheme
It updates with a new XML once a day
New users would need to download past data
It has a Last-Modified header but no caching headers
It does not use compression or a CDN
It's a government website, so if someone even replies to my email I doubt they are going to change how they host it for me...
I'm thinking I could run a script on a server to download this file once a day and re-host it for my app however my heart desires. But I don't currently run a server which I could use for this, and it seems like a lot just for this. My knowledge of web development is not great, so am I perhaps missing something obvious, and I just don't know what search terms I should be using to find the answer?
Can I point a CDN at this static data somehow and use that?
Is there something in CloudKit I could use?
Should I run a script on AWS somehow to do the rehosting without needing a full server?
Should I just not worry about it and access the data directly?
You can use the AWS S3 service (Simple Storage Service).
The flow is somewhat like this:
If the file doesn't exist on S3 yet, or, if the creation date of the file on S3 is yesterday, the iOS app downloads the XML from the gov site and stores it in S3.
If the file exists on S3 and is up to date, download it from S3.
After that, the data can be presented by the app without overloading the site.
I think the best way for you is to create an intermediary database where you can store your data in a secure manner.
Create a pipeline that does some data transformation and stores it in your newly created database.
Create an API with pagination and your desired filters.
Also make sure you are not violating any data policies in the process.
I hope this helps.
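Worked example of the "script on a server" approach from the question, added here and not code from the thread. It uses the one thing the origin does offer, a Last-Modified header: each daily refresh sends If-Modified-Since, so an unchanged file costs the origin a 304 with no body, and a failed fetch keeps the last good copy in service instead of dropping it. The origin is any object responding to call(if_modified_since) returning [status, headers, body]; FakeOrigin is a constructed stand-in so the example runs offline, and net_http_origin shows the real wiring. All names are assumptions.

```ruby
require 'net/http'
require 'uri'

# Added example (not from the original thread): a server-side mirror that refreshes
# at most once per interval, asks the origin conditionally, and never serves nothing.
class DailyMirror
  attr_reader :body, :last_modified, :fetched_at

  # origin must respond to call(if_modified_since) -> [status, headers, body]
  def initialize(origin)
    @origin = origin
    @body = nil
    @last_modified = nil
    @fetched_at = nil
  end

  # True when the cached copy is absent or older than the refresh interval.
  def due?(now: Time.now.utc, interval: 24 * 60 * 60)
    @fetched_at.nil? || (now - @fetched_at) >= interval
  end

  # Returns :fresh (new body stored), :unchanged (origin said 304) or
  # :kept_stale (error or unexpected status; the previous copy stays in service).
  def refresh(now: Time.now.utc)
    status, headers, body = @origin.call(@last_modified)
    case status
    when 200
      @body = body
      @last_modified = headers['Last-Modified']
      @fetched_at = now
      :fresh
    when 304
      @fetched_at = now
      :unchanged
    else
      :kept_stale
    end
  rescue StandardError
    :kept_stale
  end

  # Headers for the re-hosted copy so the app (or a CDN in front) can cache as well.
  def response_headers
    { 'Content-Type' => 'application/xml',
      'Last-Modified' => @last_modified,
      'Cache-Control' => 'public, max-age=3600' }
  end

  # Real origin adapter using Net::HTTP (not exercised in the offline demo).
  def self.net_http_origin(url)
    uri = URI(url)
    lambda do |since|
      req = Net::HTTP::Get.new(uri)
      req['If-Modified-Since'] = since if since
      res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') { |h| h.request(req) }
      [res.code.to_i, { 'Last-Modified' => res['Last-Modified'] }, res.body]
    end
  end
end

# Constructed origin: serves one XML document and honours If-Modified-Since.
class FakeOrigin
  attr_reader :requests

  def initialize(last_modified, xml)
    @last_modified = last_modified
    @xml = xml
    @requests = 0
  end

  def publish(last_modified, xml)
    @last_modified = last_modified
    @xml = xml
  end

  def call(since)
    @requests += 1
    return [304, {}, nil] if since == @last_modified
    [200, { 'Last-Modified' => @last_modified }, @xml]
  end
end

if __FILE__ == $PROGRAM_NAME
  origin = FakeOrigin.new('Mon, 01 Jan 2024 00:00:00 GMT', '<data version="1"/>')
  mirror = DailyMirror.new(origin)
  puts mirror.refresh   # fresh
  puts mirror.refresh   # unchanged: 304, no body transferred
  origin.publish('Tue, 02 Jan 2024 00:00:00 GMT', '<data version="2"/>')
  puts mirror.refresh   # fresh
  puts "origin requests: #{origin.requests}"
end
```

Whatever runs this (a cron job, a scheduled function) is the only thing holding write access to wherever the copy is re-hosted; the app itself only reads.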

Sharing session between a Rails and a Symfony app?

I am building a Rails app that will live in the subdomain of a Symfony 2 app (PHP). They will be used by the same type of users, and so we want them to go back and forth between the apps and ideally only login once.
I've seen some solutions on how to share session between subdomains for the same kind of apps, but no solution for sharing session between Symfony and Rails. Is it possible?
I was particularly intrigued that Rails session_store can use a database backend -- the default is cookie. That makes me wonder if both apps were to use the database backend, would they be able to share the sessions?
What other alternatives can I use to make this work, if it can work?
Sure it is possible, but I don't know how much work you have to put in ;)
The main thing is the Session ID. It all depends on that. You must make both applications use the same session storage, else it's impossible.
It doesn't matter if you store the SessionId in a database, in a file (would be pretty slow) or somewhere else, as long as both applications use it.
As you mentioned, Rails supports sessions inside a database out of the box. There's also another way in Rails: Memcached storage. It's more or less its own database, which is optimized for fast key-value lookups.
So you should look if there's a Symfony plugin that supports either SessionId in database or in a Memcache Storage.
Have a look here: http://watsonbox.github.com/blog/2012/05/01/sharing-session-between-rails-and-php/
Forgot to mention: Both applications must also use the same SESSION_ID name inside the cookie ;)

File storage backend for Rails

I have a Rails application that I want to add file upload to, so that the users have access to a "resources" section where they can upload and share (although not publicly) any type of file. I know I could build a solution using paperclip and S3 for example, but to try and avoid the admin overhead of all that I'm looking at API interfaces to drop.io and box.net. Does anyone have any experience of these? I've got a basic demo working rather well to drop.io, but I was just wondering if anyone had any better ideas or experiences.
Many thanks
D
I use attachment_fu with S3 backend. For User Interface goodness, I use YUI's file uploader.
Some of the files are uploaded with world read access, others with no public read access.
I use attachment_fu to create self-signed URLs to enable clients to access the private S3 files.
I did write some small helper routines for the S3 library for re-connecting after a timeout, handling various errors that the S3 library can raise, etc.
Building your own library for drop.io and/or box.net
Your idea of using the API for a commercial service is interesting but I haven't run into any problems with the above config. And the price for direct S3 access is very low.
If you do decide to go this route, you may want to open source your code. You'd benefit by getting testing, ideas, and possible code contributions from the community.
Note that if you have a lot of uploads, you can end up with a performance issue if the uploads are synchronous with the Rails thread--the rails process is busy uploading and can't do anything else until the upload is done.
HTH,
Larry

Securing S3 via your own application

Imagine the following use case:
You have a basecamp style application hosting files with S3. Accounts all have their own files, but stored on S3.
How, therefore, would a developer go about securing files so users of account 1 couldn't somehow get to files of account 2?
We're talking Rails if that's a help.
S3 supports signed time expiring URLs that mean you can furnish a user with a URL that effectively lets only people with that link view the file, and only within a certain time period from issue.
http://www.miracletutorials.com/s3-amazon-expiring-urls/
If you want to restrict control of those remote resources you could proxy the files through your app. For something like S3 this may defeat the purpose of what you are trying to do, but it would still allow you to keep the data with amazon and restrict access.
You should be careful with an approach like this as it could cause your ruby thread to block while it is proxying the file, which could become a real problem with the application.
Serve the files using an EC2 Instance
If you set your S3 bucket to private, then start up an EC2 instance, you could serve your files on S3 via EC2, using the EC2 instance to verify permissions based on your application's rules. Because there is no charge for EC2 to transfer to/from S3 (within the same region), you don't have to double up your bandwidth consumption costs at Amazon.
I haven't tackled this exact issue. But that doesn't stop me from having an opinion :)
Check out cancan:
http://github.com/ryanb/cancan
http://railscasts.com/episodes/192-authorization-with-cancan
It allows custom authorization schemes, without too much hassle.
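Worked example combining the two answers above, added here and not from the thread or any AWS SDK: the application applies its authorization rule (a user may only fetch documents of their own account) and only then mints a short-lived presigned GET URL (Signature Version 4) for the private bucket. Object keys are laid out as "accounts/<account_id>/..." so the ownership rule and the bucket layout match. Bucket, region, the placeholder credentials and the User/Document records are assumptions.

```ruby
require 'openssl'
require 'digest'

# Added example, not the AWS SDK: minimal SigV4 presigning for a GET on a private
# object. Bucket, region and credentials are passed in as a plain Hash.
module S3Presign
  # RFC 3986 unreserved characters pass through; everything else is %XX-encoded per byte.
  def self.encode(s)
    s.to_s.gsub(/[^A-Za-z0-9\-_.~]/) { |c| c.bytes.map { |b| format('%%%02X', b) }.join }
  end

  def self.hmac(key, msg)
    OpenSSL::HMAC.digest('sha256', key, msg)
  end

  # cfg: { bucket:, region:, access_key:, secret_key: }
  def self.get_url(cfg, key, expires_in:, now: Time.now.utc)
    host     = "#{cfg[:bucket]}.s3.#{cfg[:region]}.amazonaws.com"
    date     = now.strftime('%Y%m%d')
    amz_date = now.strftime('%Y%m%dT%H%M%SZ')
    scope    = "#{date}/#{cfg[:region]}/s3/aws4_request"
    path     = '/' + key.split('/').map { |seg| encode(seg) }.join('/')
    query = {
      'X-Amz-Algorithm'     => 'AWS4-HMAC-SHA256',
      'X-Amz-Credential'    => "#{cfg[:access_key]}/#{scope}",
      'X-Amz-Date'          => amz_date,
      'X-Amz-Expires'       => expires_in.to_s,
      'X-Amz-SignedHeaders' => 'host'
    }.sort.map { |k, v| "#{encode(k)}=#{encode(v)}" }.join('&')
    # Canonical request: method, URI, query, headers block, signed headers, payload hash.
    canonical_request = ['GET', path, query, "host:#{host}\n", 'host', 'UNSIGNED-PAYLOAD'].join("\n")
    string_to_sign = ['AWS4-HMAC-SHA256', amz_date, scope,
                      Digest::SHA256.hexdigest(canonical_request)].join("\n")
    k = hmac("AWS4#{cfg[:secret_key]}", date)
    k = hmac(k, cfg[:region])
    k = hmac(k, 's3')
    k = hmac(k, 'aws4_request')
    signature = OpenSSL::HMAC.hexdigest('sha256', k, string_to_sign)
    "https://#{host}#{path}?#{query}&X-Amz-Signature=#{signature}"
  end
end

# The application's side: authorization first, URL second.
module PrivateDownloads
  Forbidden = Class.new(StandardError)
  User     = Struct.new(:id, :account_id)
  Document = Struct.new(:id, :account_id, :s3_key)

  # Short expiry because the URL is a bearer capability: whoever holds it can
  # fetch the object until it expires, so keep the window small.
  def self.download_url(user, doc, cfg, expires_in: 300, now: Time.now.utc)
    raise Forbidden, 'document belongs to another account' unless user.account_id == doc.account_id
    prefix = "accounts/#{doc.account_id}/"
    raise Forbidden, 'key outside the account prefix' unless doc.s3_key.start_with?(prefix)
    S3Presign.get_url(cfg, doc.s3_key, expires_in: expires_in, now: now)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed configuration and records; the credentials are placeholders.
  cfg = { bucket: 'example-bucket', region: 'us-east-1',
          access_key: 'AKIAEXAMPLEPLACEHOLDER', secret_key: 'secret-placeholder' }
  alice = PrivateDownloads::User.new(1, 100)
  bob   = PrivateDownloads::User.new(2, 200)
  doc   = PrivateDownloads::Document.new(7, 100, 'accounts/100/reports/q1.pdf')
  puts PrivateDownloads.download_url(alice, doc, cfg)
  begin
    PrivateDownloads.download_url(bob, doc, cfg)
  rescue PrivateDownloads::Forbidden => e
    puts "denied: #{e.message}"
  end
end
```

The second check in download_url (key under the owning account's prefix) is what keeps a mislabelled database row from turning into a cross-account leak; pairing it with a bucket policy that allows only the application's credentials means the URL is the only way in, and it carries its own expiry.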

Help me understand rails authentication w/r/t assets, like swfs

I am a rails noob. I am having a problem conceptualizing how assets work in an authenticated system.
All of the tutorials I've seen so far talk about putting your swfs in the public folder and embedding them in your view. However, the swf I'm using is a flex gui that should only be used by users logged-in through restful-authentication. I imagine that putting the gui into the public folder would be defeating the whole purpose of having an authentication system.
So what is everybody doing to restrict access to this kind of static content?
You want to be a bit careful here. If your system is properly secured, an unauthenticated user who has the Flex GUI can't use it, right? He would also have to be logged in. So, is there any reason not to let any user download the SWF file?
If having the SWF file alone is enough "authentication" to use the site, you have a security hole. Consider
a) A user could give a copy of the downloaded SWF file to someone else, who could then use it, even if he were unable to download it from your site.
b) The Flex GUI uses HTTP to communicate with your site, to retrieve data and send commands. Anybody can write a program or use other means to send the same HTTP requests, without using the Flex GUI.
