Is using RinRuby secure for web solutions?
I recall from some meetups I've attended in NYC that people at Bell Labs were trying to work on potential security issues with R on the web. There were potential risks of code injection into a web app if R sessions were kept alive for the user.
Now, this was presented in the context of HTML 5 and PHP, but I don't see how it would be different when using RoR with the RinRuby gem. Is there a set of rules we as developers should follow to avoid common security pitfalls when using this gem?
R in general was not built with security in mind (see also this preprint at arXiv by Jeroen Ooms). It is also notorious for flaky parsing of numbers.
Judging from the source code (which was not updated for 2 years (!)), RinRuby doesn't seem to provide any kind of isolation from injection either - bare-bones eval is a gateway to hell, they say :)
Thus, it falls upon your shoulders to follow e.g. OWASP guidelines to avoid injection by carefully validating, parameterizing and whitelisting the input. Having in mind the above-mentioned quirks in parsing numbers, you have to restrict inputs to sane intervals.
Just my 2 cents...
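The rules in the answer above (whitelist the identifier, parse and bound the number, hand values to R as data rather than as source text), as an added example that is not part of the original post or of RinRuby itself. The RSession class is a constructed stub standing in for RinRuby's R object and only records calls; its assign and eval method names follow RinRuby, while the column allow-list, the threshold range and the df data frame are hypothetical.

```ruby
# Added example for the answer above; not code from RinRuby or the original
# post. RSession is a constructed stand-in that records the assign/eval calls
# RinRuby's R object would receive (those two method names exist in RinRuby;
# the columns, range and data frame below are illustrative).
class RSession
  attr_reader :log

  def initialize
    @log = []
  end

  def assign(name, value)
    @log << [:assign, name, value]
  end

  def eval(code)
    @log << [:eval, code]
  end
end

# VULNERABLE: request parameters interpolated straight into R source text.
# Whatever the user sends becomes code once R evaluates it.
def naive_r_code(column, threshold)
  "mean(df$#{column}[df$#{column} > #{threshold}])"
end

class InvalidInput < ArgumentError; end

# Hypothetical allow-list of column names the app actually exposes.
ALLOWED_COLUMNS = %w[age income].freeze
# Hypothetical sane interval for the threshold; adjust to the domain.
THRESHOLD_RANGE = (0.0..1_000_000.0)
# Plain decimal only: no exponents, hex, "Inf", "NA" or underscores, all of
# which Ruby's Float() or R itself might otherwise accept in surprising ways.
DECIMAL = /\A-?\d+(\.\d+)?\z/

def validate_column(column)
  raise InvalidInput, "column not allowed: #{column.inspect}" unless ALLOWED_COLUMNS.include?(column)
  column
end

def validate_threshold(threshold)
  text = threshold.to_s
  raise InvalidInput, "not a plain decimal: #{text.inspect}" unless DECIMAL.match?(text)
  value = begin
    Float(text)
  rescue ArgumentError
    raise InvalidInput, "cannot parse: #{text.inspect}"
  end
  # A 400-digit string passes the regex but overflows to Infinity; bound it.
  raise InvalidInput, "out of range: #{value}" unless value.finite? && THRESHOLD_RANGE.cover?(value)
  value
end

# Hardened: identifier is allow-listed, the number is parsed strictly and
# bounded, and it reaches R as data via assign() rather than as source text.
def safe_mean_above(r, column, threshold)
  col = validate_column(column)
  value = validate_threshold(threshold)
  r.assign("threshold", value)
  r.eval("result <- mean(df$#{col}[df$#{col} > threshold])")
  value
end

# Helper: true when the hardened path rejects the given input.
def rejected?(column, threshold)
  safe_mean_above(RSession.new, column, threshold)
  false
rescue InvalidInput
  true
end

if __FILE__ == $PROGRAM_NAME
  evil_column = "age]); system('id'); (df$age"
  puts naive_r_code(evil_column, "0")   # a live R session would run system('id')
  puts rejected?(evil_column, "0")       # true: not in the allow-list
  puts rejected?("age", "0 | TRUE")      # true: would have disabled the filter
  puts rejected?("age", "1e400")         # true: exponent form refused
  r = RSession.new
  safe_mean_above(r, "age", "18")
  p r.log                                # assign then eval, no user text in the code
end
```

The split between assign() and eval() is the parameterization step: the only user-derived token that ever reaches the R source string is a column name drawn from a fixed list, and the threshold travels as a Float bound to an R variable. Note the regex is deliberately stricter than Float(), which accepts "0x10", " 18 " and "1_000"; any of those reaching R unparsed is exactly the kind of number-parsing surprise the answer warns about.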