REST scaffold_resource security warning
Posted by Jim Morris Tue, 26 Jun 2007 22:14:04 GMT
This one is so blatantly obvious it bit me in the butt at 4am this morning when I had to get up and fix it! I am so embarrassed; luckily no private data got out, as no-one has entered any private data yet.
I used the script/generate scaffold_resource to get started, and I left those nice format.xml things in, thinking I may use them in the future. For the most part this is not a problem, but one of my controllers is a profile table. Much of the data in there is public anyway so no big deal, but a few columns are private data like email, date of birth, phone numbers etc. These are specifically private and not viewable publicly. This is enforced by not having a view that shows any of that stuff to the general public.
However the tricky little scaffold-generated code...

    def index
      @profiles = Profile.find(:all, :order => "first_name, last_name, alias")
      respond_to do |format|
        format.html # index.rhtml
        format.xml { render :xml => @profiles.to_xml }
      end
    end

...has this cool .to_xml stanza, which happily takes every column, converts it to XML and sends it back as the response to a query for /profiles.xml
Yikes, I woke up with a start when I realized that, and rushed to test it and yep it works as it is supposed to.
Obviously this is easy to fix: just exclude the attributes you don't want shown:
@profiles.to_xml(:only => [:first_name, :last_name])
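To make the difference between the scaffold default and the whitelisted call concrete without needing Rails, here is an added example (not code from the original post or from Rails itself). It uses a plain Ruby hash as a stand-in for a Profile record and a small `profile_to_xml` helper that mimics the shape of ActiveRecord's `to_xml(:only => ...)` (dasherized tag names, one element per column); the column names, the sample values and the helper itself are constructed for illustration. A `leaked_columns` check then shows how a test could catch private columns appearing in the XML response.

```ruby
require 'cgi'

# Constructed sample data: one profile row as a hash, standing in for an
# ActiveRecord Profile record. Some columns are public, some are private.
PROFILE = {
  first_name:    "Ada",
  last_name:     "Lovelace",
  alias:         "countess",
  email:         "ada@example.com",   # private
  date_of_birth: "1815-12-10",        # private
  phone:         "+44 000 000 0000"   # private
}.freeze

# Columns the application has decided are safe to expose publicly.
PUBLIC_COLUMNS  = %i[first_name last_name alias].freeze
# Columns that must never appear in a public response.
PRIVATE_COLUMNS = %i[email date_of_birth phone].freeze

# Minimal stand-in for ActiveRecord's to_xml(:only => ...): serializes the
# whitelisted attributes, or every attribute when no whitelist is given.
def profile_to_xml(record, only: nil)
  columns = only ? record.keys & only : record.keys
  body = columns.map do |col|
    tag = col.to_s.tr('_', '-')               # to_xml dasherizes column names
    "  <#{tag}>#{CGI.escapeHTML(record[col].to_s)}</#{tag}>"
  end
  "<profile>\n#{body.join("\n")}\n</profile>"
end

# The scaffold default: every column, private ones included, goes out.
def leaky_response(record)
  profile_to_xml(record)
end

# The fix from the post: an explicit whitelist of public columns.
def safe_response(record)
  profile_to_xml(record, only: PUBLIC_COLUMNS)
end

# Detection helper for a regression test: which private columns appear
# as elements in a serialized response?
def leaked_columns(xml)
  PRIVATE_COLUMNS.select { |col| xml.include?("<#{col.to_s.tr('_', '-')}>") }
end

if __FILE__ == $0
  puts "scaffold default leaks: #{leaked_columns(leaky_response(PROFILE)).inspect}"
  puts "whitelisted version leaks: #{leaked_columns(safe_response(PROFILE)).inspect}"
  puts safe_response(PROFILE)
end
```

Running the file prints the three private columns leaked by the default call and an empty list for the whitelisted one. The same `leaked_columns` idea works as a functional test against the real /profiles.xml response: fetch it once and assert that no private element name occurs, so the next scaffold you leave in place fails the build instead of waking you at 4am.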
But it sure is a nasty back door if you forget!
Caveat Programmer!