The latest articles on DEV Community by Szymon Lipka (@szymonlipka). https://dev.to/szymonlipka https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1057293%2F642c0005-ab47-42ed-a482-d2929c64a074.jpg https://dev.to/szymonlipka en Szymon Lipka Thu, 06 Apr 2023 20:20:37 +0000 https://dev.to/szymonlipka/security-sinks-in-ruby-on-rails-part-1-1i2g https://dev.to/szymonlipka/security-sinks-in-ruby-on-rails-part-1-1i2g <p>In Security, there are such concepts as <strong>sinks</strong> and <strong>sources</strong>. Sinks are dangerous functions in the code, whereas sources are arguments of the sinks.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--HeneYsuQ--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/wdpb89gs0k515ujze4a0.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--HeneYsuQ--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/wdpb89gs0k515ujze4a0.png" alt="Source and sink" width="203" height="63"></a></p> <p>In this case, there is a dangerous function <code>eval</code> and a source is <code>params[:name]</code>.</p> <p>In code reviews, I tend to search for such functions and analyze what can be their argument/source of data. This helps me identify potential vulnerabilities before they reach production.</p> <p>I want to go with you through some basic sinks, that should turn on the yellow light.</p> <h2> Cross Site Scripting(XSS) </h2> <p>Let's go through Cross Site Scripting first. XSS is a vulnerability that allows execution scripts in browsers with malicious sources. More about them can be read <a href="https://www.synopsys.com/glossary/what-is-cross-site-scripting.html">here</a>. The most popular ways of allowing this security issue are methods <code>raw</code> and <code>html_safe</code>. By default in Rails, everything that is being returned by <code>&lt;%= %&gt;</code> is being interpreted as a text, but when you use those methods, you tell that it can be interpreted as HTML.</p> <p>For example, on code review you see a line in a <code>.erb</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>raw t('user_name', name: user.name) </code></pre> </div> <p>or<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>t('user_name', name: user.name).html_safe </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># config/locales/en.yml en: user_name: "&lt;p&gt;User name is %{name}&lt;/p&gt;" </code></pre> </div> <p>This is I would say common case because it's from my experience often that we want to introduce HTML into translation. It might result in XSS. <code>user.name</code> is a source and it shouldn't be user input. If it is, a malicious user might define it for example <code>&lt;script&gt;alert(1)&lt;/script&gt;</code> and the alert pops at the time of rendering the erb file.</p> <p>In general, I would avoid <code>html_safe</code> or <code>raw</code> methods, unless they are obligatory.</p> <p>Sometimes you might say that you know that it is XSS, but it is Self-XSS(the person who can be affected by XSS is the person who writes the script). I don't encourage you to ignore such cases, because in the future there might be a different business logic, which would result in Self-XSS becoming XSS.</p> <p>When it comes to XSS, it's very important to mention CSP - a policy that is a last resort against XSS. It's rather simple to implement it in Rails, docs you can find <a href="https://api.rubyonrails.org/classes/ActionDispatch/ContentSecurityPolicy.html">here</a>, and more about the policy itself you can find <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">here</a>.</p> <h2> To be continued </h2> webdev security rails xss Szymon Lipka Mon, 03 Apr 2023 17:44:09 +0000 https://dev.to/szymonlipka/lets-expect-change-and-reload-1dhp https://dev.to/szymonlipka/lets-expect-change-and-reload-1dhp <p>It's often that we create a service that is supposed to change an attribute on an ActiveRecord object. Testing such a service is tricky at times.</p> <h2> Expect change </h2> <p>Let's say we have an incorrect service that is supposed to update <br> a name of a user in a database, which is looking like this:</p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code> <span class="k">class</span> <span class="nc">UpdateUserName</span> <span class="k">def</span> <span class="nf">initialize</span><span class="p">(</span><span class="n">user</span><span class="p">)</span> <span class="vi">@user</span> <span class="o">=</span> <span class="n">user</span> <span class="k">end</span> <span class="k">def</span> <span class="nf">call</span> <span class="c1"># TODO: Will be done in close future, until 2200</span> <span class="k">end</span> <span class="kp">private</span> <span class="nb">attr_reader</span> <span class="ss">:user</span> <span class="k">end</span> </code></pre> </div> <p>And we have a spec that is supposed to test it:</p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code> <span class="nb">require</span> <span class="s1">'rails_helper'</span> <span class="no">RSpec</span><span class="p">.</span><span class="nf">describe</span> <span class="no">UpdateUserName</span> <span class="k">do</span> <span class="n">it</span> <span class="s2">"should update user name"</span> <span class="k">do</span> <span class="n">user</span> <span class="o">=</span> <span class="n">create</span><span class="p">(</span><span class="ss">:user</span><span class="p">)</span> <span class="n">described_class</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="n">user</span><span class="p">).</span><span class="nf">call</span> <span class="n">expect</span><span class="p">(</span><span class="n">user</span><span class="p">.</span><span class="nf">name</span><span class="p">).</span><span class="nf">to</span> <span class="n">eq</span> <span class="s2">"funny name"</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <p>What happens when we run the spec?</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdutxx86iifg5r5j73fmz.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdutxx86iifg5r5j73fmz.png" alt="Passing spec"></a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftxzilqvtic8tolkarjbe.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftxzilqvtic8tolkarjbe.png" alt="Wtf"></a></p> <p>Why has it passed you shall ask. The name of the user was always "funny name" although the call of service did not change anything, the spec passed.</p> <p>We shall rewrite it to something like this:</p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code> <span class="nb">require</span> <span class="s1">'rails_helper'</span> <span class="no">RSpec</span><span class="p">.</span><span class="nf">describe</span> <span class="no">UpdateUserName</span> <span class="k">do</span> <span class="n">it</span> <span class="s2">"should update user name"</span> <span class="k">do</span> <span class="n">user</span> <span class="o">=</span> <span class="n">create</span><span class="p">(</span><span class="ss">:user</span><span class="p">)</span> <span class="n">expect</span> <span class="p">{</span> <span class="n">described_class</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="n">user</span><span class="p">).</span><span class="nf">call</span> <span class="p">}.</span><span class="nf">to</span> <span class="n">change</span><span class="p">(</span><span class="n">user</span><span class="p">,</span> <span class="ss">:name</span><span class="p">).</span><span class="nf">to</span> <span class="s2">"funny name"</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F67zyhakrr9ldeutdjfbv.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F67zyhakrr9ldeutdjfbv.png" alt="Failing spec"></a></p> <p>Awesome! We've discovered an incorrect implementation with a spec!</p> <h2> Reload an object </h2> <p>Going forward with the same example of spec:</p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code> <span class="nb">require</span> <span class="s1">'rails_helper'</span> <span class="no">RSpec</span><span class="p">.</span><span class="nf">describe</span> <span class="no">UpdateUserName</span> <span class="k">do</span> <span class="n">it</span> <span class="s2">"should update user name"</span> <span class="k">do</span> <span class="n">user</span> <span class="o">=</span> <span class="n">create</span><span class="p">(</span><span class="ss">:user</span><span class="p">,</span> <span class="ss">name: </span><span class="s2">"not so funny name"</span><span class="p">)</span> <span class="n">expect</span> <span class="p">{</span> <span class="n">described_class</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="n">user</span><span class="p">).</span><span class="nf">call</span> <span class="p">}.</span><span class="nf">to</span> <span class="n">change</span><span class="p">(</span><span class="n">user</span><span class="p">,</span> <span class="ss">:name</span><span class="p">).</span><span class="nf">to</span> <span class="s2">"funny name"</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <p>but we have upgraded our service and it is looking like this:</p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code> <span class="k">class</span> <span class="nc">UpdateUserName</span> <span class="k">def</span> <span class="nf">initialize</span><span class="p">(</span><span class="n">user</span><span class="p">)</span> <span class="vi">@user</span> <span class="o">=</span> <span class="n">user</span> <span class="k">end</span> <span class="k">def</span> <span class="nf">call</span> <span class="n">user</span><span class="p">.</span><span class="nf">name</span> <span class="o">=</span> <span class="s2">"funny name"</span> <span class="k">end</span> <span class="kp">private</span> <span class="nb">attr_reader</span> <span class="ss">:user</span> <span class="k">end</span> </code></pre> </div> <p>What happens if I run the test?</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq44v13czwdxil4l26r5s.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq44v13czwdxil4l26r5s.png" alt="Passing spec"></a></p> <p>Is the service implemented correctly? In this particular case, we expect it to persist changes to database, so it is not correct, but spec is passing.</p> <p>Let me fix the spec:</p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code> <span class="nb">require</span> <span class="s1">'rails_helper'</span> <span class="no">RSpec</span><span class="p">.</span><span class="nf">describe</span> <span class="no">UpdateUserName</span> <span class="k">do</span> <span class="n">it</span> <span class="s2">"should update user name"</span> <span class="k">do</span> <span class="n">user</span> <span class="o">=</span> <span class="n">create</span><span class="p">(</span><span class="ss">:user</span><span class="p">,</span> <span class="ss">name: </span><span class="s2">"not so funny name"</span><span class="p">)</span> <span class="n">expect</span> <span class="p">{</span> <span class="n">described_class</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="n">user</span><span class="p">).</span><span class="nf">call</span> <span class="p">}.</span><span class="nf">to</span> <span class="n">change</span> <span class="p">{</span> <span class="n">user</span><span class="p">.</span><span class="nf">reload</span><span class="p">.</span><span class="nf">name</span> <span class="p">}.</span><span class="nf">to</span> <span class="s2">"funny name"</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frv1zhji417vs1nx8igvh.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frv1zhji417vs1nx8igvh.png" alt="Failing spec"></a></p> <p>So now we've discovered incorrect implementation again! Let me fix the service:</p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code> <span class="k">class</span> <span class="nc">UpdateUserName</span> <span class="k">def</span> <span class="nf">initialize</span><span class="p">(</span><span class="n">user</span><span class="p">)</span> <span class="vi">@user</span> <span class="o">=</span> <span class="n">user</span> <span class="k">end</span> <span class="k">def</span> <span class="nf">call</span> <span class="n">user</span><span class="p">.</span><span class="nf">name</span> <span class="o">=</span> <span class="s2">"funny name"</span> <span class="n">user</span><span class="p">.</span><span class="nf">save</span> <span class="k">end</span> <span class="kp">private</span> <span class="nb">attr_reader</span> <span class="ss">:user</span> <span class="k">end</span> </code></pre> </div> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl14z4ic1vl5tuwa3hzk0.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl14z4ic1vl5tuwa3hzk0.png" alt="Passing specs"></a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpdmzbk52xuf7n74o0mru.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpdmzbk52xuf7n74o0mru.png" alt="Victory"></a></p> <h2> Conclusion </h2> <p>Usually, when we want to test services, we should expect a change of an attribute and reload it to see if the change really happened or maybe it is only on the object passed.</p> ruby rails testing webdev