Do you know the Rails.application.config.filter_redirect filter? It’s an undocumented configuration feature which lets you filter certain redirect URLs from your log files. This is handy when you’re redirecting to a URL with tokens in it so that they don’t show up in the log. A bit like config.filter_parameters.
Add the following to a new initializer and the log will show “Redirected to [FILTERED]” for redirects to any URL that contains the given string. That means it will filter https://example.com, http://www.example.com and the like.
Rails.application.config.filter_redirect = ['example.com']
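The substring match described above also hides redirects that merely mention the string, and misses token-bearing redirects to other hosts. The following is an added example, not Rails' own code: a stand-alone model of the matching rule (string entries match by substring; Rails also accepts Regexp entries), with hypothetical names and constructed URLs.

```ruby
# Added illustration: a stand-alone model of the matching rule described
# above. It is not Rails' source; all names here are hypothetical.
FILTERED = "[FILTERED]"

# Returns what would appear after "Redirected to" in the log.
# String filters match by substring, Regexp filters by pattern match.
def logged_location(location, filters)
  hit = filters.any? do |filter|
    case filter
    when String then location.include?(filter)
    when Regexp then location.match?(filter)
    else false
    end
  end
  hit ? FILTERED : location
end

# Constructed sample redirects (not taken from any real log).
SAMPLES = [
  "https://example.com/reset?token=abc123",
  "http://www.example.com/",
  "https://other.test/cb?next=example.com",   # string only in the query
  "https://other.test/login?token=abc123",    # token, different host
].freeze

STRING_FILTERS = ["example.com"].freeze
# Anchored pattern: host must be example.com or a subdomain of it.
HOST_FILTERS = [%r{\Ahttps?://([^/?#]+\.)?example\.com(?=[:/?#]|\z)}].freeze
# Pattern keyed on the sensitive parameter instead of the host.
TOKEN_FILTERS = [/[?&]token=/].freeze

# Log lines the samples would produce under a given filter list.
def report(filters)
  SAMPLES.map { |url| "Redirected to #{logged_location(url, filters)}" }
end

if __FILE__ == $PROGRAM_NAME
  { "string" => STRING_FILTERS, "host regexp" => HOST_FILTERS,
    "token regexp" => TOKEN_FILTERS }.each do |name, filters|
    puts "-- #{name}"
    puts report(filters)
  end
end
```

A quick check after deploying a filter is to trigger one token-bearing redirect in a test environment and grep the log for the token value.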
But now on to this week’s interesting (Rails) security articles:
CSV Injection in business.uber.com
Hack: Do you provide CSV exports? Here’s an interesting hack with Excel method injection. A reminder to escape/sanitize according to the context.
GitHub added a feature for verified commits using PGP signatures.
Whitelisting input data from a short dictionary with #presence_in.
Gems with a dash in the name could possibly be hijacked. Check yours, even if it’s not very likely.
The Content Security Policy HTTP header GitHub started with and what it looks like now.
A long-established enterprise security guideline is to frequently change the password. The British CESG advises against it now.
Subresource Integrity (SRI) against hijacked JavaScript files from CDNs and how to calculate the hash with various tools.