In order to use some AJAX calls, we often use some input type="hidden". But these values can be easily changed. So, is there a built-in Rails feature that permits sending data to AJAX without it being usable by the user, or that can't be changed by the user?
In my current Rails apps, I'm using filters to discard all malicious actions on my controllers. I am not building a public API, so I don't really need more powerful checks.
But for example, I have an apotomo widget displaying some data, using some hidden inputs. But if you change it, you can access another data set. In my case, it's not really an issue, because all these users have the right to access these data sets anyway.
But is there some manner to give data to an AJAX call in a secure way? Or is the only security about rights management?
1 solution
#1
1
All input that comes from the user is insecure, as you do not have control over it! Users do not even need a web browser but can use some other program (like curl or wget) to send manipulated data.
As you state, using a whitelist (not a blacklist, as you can never be sure of all the bad, but you can of all the good!) is a good way to start.
To make sure the hidden fields have not been changed, you can use some kind of checksum that is calculated on the server side using a fixed secret. This secret must never be exposed to your visitors!
hash = md5(field_1 + field_2 + field_3 + my_secret)
When these four hidden fields (field_1..3, hash) arrive in your form, you can recalculate the hash and compare it with params[:hash] in order to be sure that field_1 to field_3 have not been changed.
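The answer's idea (a server-side keyed checksum over the hidden fields) is sound, but its formula as written has a pitfall worth seeing: `md5(field_1 + field_2 + field_3 + secret)` joins the fields with no delimiter, so the field sets `("ab", "c")` and `("a", "bc")` produce the same hash, and an attacker can shift bytes between fields without breaking the check. The example below is added here and is not code from the question, the answer, or the apotomo project. It shows that collision, then the standard fix: frame the fields unambiguously (JSON) and authenticate them with HMAC-SHA256 instead of a hash of secret-concatenation, comparing in constant time. Rails ships the same construction as `ActiveSupport::MessageVerifier`; this version uses only the Ruby standard library so it runs stand-alone. `SECRET`, `sign_fields`, `verify_fields`, `naive_hash` and the sample field values are assumptions made for the example.

```ruby
require 'openssl'
require 'digest'
require 'json'

# Assumed server-side secret for this example. In a Rails app it would come
# from secret_key_base / credentials and must never be sent to the browser.
SECRET = 'example-server-secret-never-sent-to-the-browser'

# Constant-time comparison: a wrong signature is rejected in the same time
# whether 0 or 30 of its leading bytes happen to match the real one.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# The answer's formula taken literally: md5 over the bare concatenation of the
# fields plus the secret. Kept only to demonstrate the collision below.
def naive_hash(fields, secret = SECRET)
  Digest::MD5.hexdigest(fields.join + secret)
end

# Server side, when rendering the widget: sign the hidden-field values.
# JSON framing keeps field boundaries unambiguous; HMAC is the keyed
# primitive for "checksum computed with a secret the client never sees".
# Returns the two values to emit as hidden inputs (payload and sig).
def sign_fields(fields, secret = SECRET)
  payload = JSON.generate(fields)
  sig = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  { 'payload' => [payload].pack('m0'), 'sig' => sig }
end

# Server side, when the form/AJAX call comes back: recompute the HMAC over
# exactly what the client sent and compare. Returns the trusted fields, or
# nil if the payload or signature was altered, forged or malformed.
def verify_fields(params, secret = SECRET)
  payload = params['payload'].to_s.unpack1('m0') # strict base64, raises on junk
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  return nil unless secure_compare(params['sig'].to_s, expected)
  JSON.parse(payload)
rescue ArgumentError, JSON::ParserError
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: what the widget would put into its hidden fields.
  hidden = sign_fields({ 'dataset_id' => 42, 'widget' => 'report' })
  puts "intact:   #{verify_fields(hidden).inspect}"

  # A user edits the hidden payload in the browser to point at another data set.
  forged = [JSON.generate({ 'dataset_id' => 43, 'widget' => 'report' })].pack('m0')
  puts "tampered: #{verify_fields(hidden.merge('payload' => forged)).inspect}"

  # Bare concatenation cannot tell ("ab","c") from ("a","bc"); framed HMAC can.
  puts "naive collision: #{naive_hash(%w[ab c]) == naive_hash(%w[a bc])}"
  puts "hmac collision:  #{sign_fields(%w[ab c])['sig'] == sign_fields(%w[a bc])['sig']}"
end
```

In a view this maps to two `hidden_field_tag`s (`payload` and `sig`), and the controller calls `verify_fields(params)` before touching anything in it. Two caveats the signature does not cover: it proves the server emitted these values, not that the current user may use them, so the authorization check the question calls "rights management" is still required; and a signed payload can be replayed or handed to another user unless you also sign in something that ties it down, such as the user id or an expiry time.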