Ruby on Rails source code security / obfuscation

Published 2024-09-18 11:43:47

I'm just getting started with Ruby on Rails development and I have a question concerning source code "privacy".

From what I know so far (I have not done a deployment yet, only used RoR in a local development environment), when a RoR application is deployed, all the source code is "visible" on the server?

How can I protect my code, so to speak?
By protection I mean, the main purpose being that someone (such as a server administrator at a RoR provider) is not able to "sabotage" the code by easily figuring out what place in the code to "fiddle with".

How do sites like Shopify, Yellowpages etc. that use RoR ensure that their code isn't "sabotaged"?

UPDATE: What I'm really looking for is, suppose I have some code that's doing credit card transactions. I don't want some rogue employee reading the "plain text source code" and sabotaging my website, say by reading my source code and then charging every one of the signed-up users $10 as a gag. How do I prevent that sort of thing?


Comments (6)

弱骨蛰伏 2024-09-25 11:43:47

Similar to Matt Briggs's point: if you don't trust your web host, you're addressing the wrong problem. If your web host wants to steal your data, cripple your website, redirect your users, etc., nothing can stop them. Even if the code is fully compiled binary code written in assembler, your admin could still find a hack, replace resources, or replace your code altogether. Moral of the story: find a web host you trust, and don't bother obfuscating your code.
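The point above ("your admin could still find a hack ... or replace your code altogether") is easy to show concretely in Ruby. The script below is an added example, not code from this thread or from any of the sites mentioned; `Billing`, `AdminHook`, `APP_ROOT` and the hook path are all hypothetical. It injects a wrapper in front of a billing method without ever reading that method's body, then runs the kind of boot-time check that is actually worth having: verify that sensitive methods still resolve to a file under the application root and that no foreign module has been prepended in front of them. The check is a heuristic that catches dropped-in files and initializers; it does not help against someone who swaps the Ruby interpreter or a gem, which is exactly the answer's point.

```ruby
# Added example; not code from the original thread. Every name here
# (Billing, AdminHook, APP_ROOT, HOOK_PATH) is hypothetical.
require 'bigdecimal'

# Treat the directory this file lives in as the application root.
APP_ROOT = File.dirname(File.expand_path(__FILE__))

# Where an injected file would plausibly live on the server (constructed).
HOOK_PATH = '/var/tmp/admin_hook.rb'

# Stand-in for application billing code. Pretend the body is obfuscated
# or encoded: nothing below depends on being able to read it.
class Billing
  def self.charge(user_id, amount)
    { user_id: user_id, amount: BigDecimal(amount.to_s), status: :ok }
  end
end

# What someone with a shell on the server can inject without opening a
# single application file: a module prepended in front of the billing
# method. Ruby dispatches to the prepended method first, whatever the
# original looks like. (Constructed; stands in for a dropped-in file.)
ADMIN_HOOK_SOURCE = <<~'RUBY'
  module AdminHook
    def charge(user_id, amount)
      super(user_id, amount + 10) # the "$10 gag" from the question
    end
  end
  Billing.singleton_class.prepend(AdminHook)
RUBY

def install_admin_hook
  # Evaluate as if it had been loaded from HOOK_PATH (e.g. via
  # RUBYOPT=-r or a stray initializer), so source_location reports it.
  TOPLEVEL_BINDING.eval(ADMIN_HOOK_SOURCE, HOOK_PATH, 1)
end

# A boot-time check that is worth more than obfuscation: confirm each
# sensitive method still resolves to a file under the app root and that
# no foreign module sits in front of it. Returns findings; [] is clean.
def audit_method(receiver, name, app_root = APP_ROOT)
  findings = []
  meth = receiver.method(name)
  file, _line = meth.source_location
  root = File.expand_path(app_root) + File::SEPARATOR
  unless file && File.expand_path(file).start_with?(root)
    findings << "#{receiver}.#{name} defined in #{file.inspect}, outside #{app_root}"
  end
  if meth.owner != receiver.singleton_class
    findings << "#{receiver}.#{name} is intercepted by #{meth.owner}"
  end
  findings
end

# Runs the whole story once: audit, charge, inject the hook, audit again.
def demo
  before = audit_method(Billing, :charge)
  clean = Billing.charge(42, 5)
  install_admin_hook
  hooked = Billing.charge(42, 5)
  after = audit_method(Billing, :charge)
  { before: before, clean: clean, hooked: hooked, after: after }
end
```

Calling `demo` returns an empty audit and a $5 charge before the hook, then a $15 charge and two findings (method defined outside the app root, and intercepted by `AdminHook`) after it. In a real Rails app the same `audit_method` call would sit in an initializer over the handful of methods that move money.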

遗忘曾经 2024-09-25 11:43:47

At the end of the day, there is trust involved. If your admin wants to screw you, he will, and obfuscation won't do much to stop him.

好倦 2024-09-25 11:43:47

From my experience, when you sell a product that is deployed to a customer's server. I use

http://rubyencoder.com/

It works on many platforms through its loader. But like others said, Rails should be open.

笔芯 2024-09-25 11:43:47

I think that this is what you are looking for

http://rubyencoder.com/overview.html

星光不落少年眉 2024-09-25 11:43:47

I highly doubt a reputable hosting service will fiddle with your code. They are busy enough running their servers. And if they wanted to, there's not much you can do to stop them. Code obfuscation (in any language) is a silly thing to do.

Regarding your security concerns, I just hope you are not going to be storing any credit card information on your website. You must comply with PCI standards in order to do that, and that's not an easy thing to accomplish. Storing CC info without being PCI compliant is illegal.

So you will have to use a payment gateway (like PayPal or Authorize.net) for your payments, and I believe the user will be able to see what they are being charged.

蔚蓝源自深海 2024-09-25 11:43:47

A hosting company will never ever touch or investigate your code, unless you are doing things that hurt their server (like infinite loops eating up all the CPU), and even in that case they will just block that page or URL.

I can imagine that if you deploy your application to a company's intranet, and they also have their own developers, one might be afraid of losing out on maintenance and support fees because they would take over themselves.
But those are things you cover with contracts.

The people having direct access to your Ruby source code are supposed to be co-workers or partners, where there is a clear business relationship, and normally this business relationship is worth more. If you do not trust your co-workers or the people you work with or for, then I think you should reconsider your position.

I even believe that being as loose as possible with clients ("here is the source, you can edit it if you want") generally makes them trust you even more and makes them more likely to call you back.
