I recall from some meetups I've attended in NYC that people at Bell Labs were trying to work on potential security issues with R on the web. There were potential risks of code injection into a web app if R sessions were kept alive for the user.
Now, this was presented in the context of HTML 5 and PHP, but I don't see how it would be different when using RoR with the RinRuby gem. Is there a set of rules we as developers should follow to avoid common security pitfalls when using this gem?
R in general was not built with security in mind (see also this preprint at arXiv by Jeroen Ooms). It is also notorious for flaky parsing of numbers.
Judging from the source code (which has not been updated for 2 years (!)), RinRuby doesn't seem to provide any kind of isolation from injection either; bare-bones eval is a gateway to hell, they say :)
Thus, it falls upon your shoulders to follow e.g. OWASP guidelines to avoid injection by carefully validating, parameterizing and whitelisting the input. Having in mind the above-mentioned quirks in parsing numbers, you have to restrict inputs to sane intervals.
Just my 2 cents...
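An added example (not from the original post or the RinRuby project) that puts the interpolated-eval pattern the answer warns about next to the validate/whitelist/assign path it recommends. `RecordingSession` is a constructed stand-in whose `assign`/`eval` methods mirror RinRuby's, so the code runs without R installed; the function whitelist and the numeric interval are assumptions for the example.

```ruby
# Stand-in for a RinRuby session: records calls instead of talking to R.
# RinRuby itself exposes `assign(name, value)` and `eval(code)` with the same shape.
class RecordingSession
  attr_reader :log
  def initialize; @log = []; end
  def assign(name, value); @log << [:assign, name, value]; end
  def eval(code); @log << [:eval, code]; end
end

# Assumed policy: only these R functions may be called, and every number
# must fall inside this interval (the "sane intervals" from the answer).
ALLOWED_FUNCS = %w[mean median sd].freeze
SANE_RANGE = (-1.0e6..1.0e6)

# Ruby's Float() is permissive (it accepts "0x1A", and "1e309" becomes Infinity),
# so we require a plain decimal literal first and range-check afterwards.
NUMBER_RE = /\A-?\d+(\.\d+)?\z/

def parse_number(str)
  raise ArgumentError, "not a plain decimal: #{str.inspect}" unless str.match?(NUMBER_RE)
  n = Float(str)
  raise ArgumentError, "out of range: #{n}" unless SANE_RANGE.cover?(n)
  n
end

# VULNERABLE: request strings are spliced straight into R source code,
# so any ')' or ';' in the input changes what R executes.
def unsafe_summary(session, func, values)
  session.eval("result <- #{func}(c(#{values.join(', ')}))")
  session
end

# HARDENED: the function name comes from a whitelist, every value is
# validated, and the data reaches R through assign() as a value, not as code.
def safe_summary(session, func, values)
  raise ArgumentError, "function not allowed: #{func}" unless ALLOWED_FUNCS.include?(func)
  nums = values.map { |v| parse_number(v) }
  session.assign("x", nums)
  session.eval("result <- #{func}(x)")
  session
end

if __FILE__ == $PROGRAM_NAME
  bad = ["1", "2); print('injected'); (3"]   # constructed hostile input
  puts unsafe_summary(RecordingSession.new, "mean", bad).log.inspect
  puts safe_summary(RecordingSession.new, "mean", ["1", "2.5"]).log.inspect
end
```

With a real RinRuby session the same two functions work unchanged, since `R.assign` and `R.eval` take the same arguments as the stand-in.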