开发具有“级别”的 RoR 应用程序困难的

发布于 2024-10-28 01:31:37 字数 524 浏览 2 评论 0原文

我正在构建一个具有不同“难度”级别的 RoR 应用程序。该网站特意设计为可攻击的，以教导学生如何更好地保护他们的网络应用程序。

随着难度的增加，消毒/安全检查也会稍微高级一些。作为 SQL 注入的示例：

初级 - 只需插入 ' 即可中断为 RAW sql
中级 - 插入 ' 会中断为 RAW sql，但某些关键字（如 DROP、 ALTER 等）被“阻止”...
高级 - 用户名和密码密码已完全清理，但容易受到来自不同字符集等的攻击......

以 DRY 方式编码的最佳方法是什么？现在，我正在使用一种（可怕的）模式，例如：

if level == 1
  # code for beginner
elsif level == 2
  # code for intermediate
else
  # code for advanced
end

这种情况发生多次:(。实现这种模式的最佳方法是什么？

原文

I'm building a RoR application with varying levels of "difficulty." The site is intentionally designed to be hackable, to teach students how to better secure their web applications.

At each increasing level of difficulty, sanitization/security checks will be slightly more advanced. As an example for SQL injection:

Beginner - simply insert ' and you break out into the RAW sql
Intermediate - inserting ' breaks into RAW sql, but certain keywords (like DROP, ALTER, etc) are "blocked"...
Advanced - username & password are fully sanitized but vulnerable to attacks from a different charset, etc...

What's the best way to code this in a DRY manner? Right now, I'm using a (terrible) pattern like:

if level == 1
  # code for beginner
elsif level == 2
  # code for intermediate
else
  # code for advanced
end

This happens multiple times :(. What's the best way to implement this kind of pattern?

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

甜味拾荒者 2024-11-04 01:31:37

这似乎是使用 Monkeypatching 的好地方，在 lib/ 中使用模块。

假设您想要一个 Client 资源。首先将“通用”（由所有难度级别共享）功能放在默认文件上（或者，您可以将“简单”实现放在那里）

# /app/models/client.rb
class Client < ActiveRecord::Base
  def foo
    # default and/or "easy" implementation
  end
end

# /app/controllers/client_controller.rb
class ClientController < ApplicationController
  def bar
    # default and/or "easy" implementation
  end
end

client.rb 和 client_controller 的 Monkeypatches “中等”难度的 .rb 可以放置在 /lib/medium 模块内：

# /lib/medium/models/client_patch.rb
class Client
  def foo
    # medium implementation
  end
end

# /lib/medium/controllers/client_controller_patch.rb
class ClientController
  def bar
    # medium implementation
  end
end

您将需要一个包含所有这些补丁（具体取决于难度）的文件。一个简单的解决方案是一个像这样的简单文件：

# /lib/medium.rb
require 'medium/models/client_patch'
...
require 'medium/controllers/client_controller_patch'

因此您可以从初始化程序中要求它：

# /config/initializers/difficulty.rb

# require 'easy'
require 'medium'
# require 'difficult'

然后您可以启动应用程序的三个不同实例，一个是简单的，一个是中等的，一个是困难的。代码将被共享，但difficulty.rb 初始化程序除外（我假设您还需要不同的数据库配置文件、日志文件等）。

This seems like a good place to use monkeypatching, using modules inside lib/.

Say you want a Client resource. You start by putting the "common" (shared by all dificulty levels) functionality on the default files (Alternatively, you can put the "easy" implementation there)

# /app/models/client.rb
class Client < ActiveRecord::Base
  def foo
    # default and/or "easy" implementation
  end
end

# /app/controllers/client_controller.rb
class ClientController < ApplicationController
  def bar
    # default and/or "easy" implementation
  end
end

Monkeypatches for client.rb and client_controller.rb on the 'medium' difficulty could be placed inside the /lib/medium module :

# /lib/medium/models/client_patch.rb
class Client
  def foo
    # medium implementation
  end
end

# /lib/medium/controllers/client_controller_patch.rb
class ClientController
  def bar
    # medium implementation
  end
end

You will need a file that includes all those patches depending on the difficulty. A simple solution would be a simple file like this:

# /lib/medium.rb
require 'medium/models/client_patch'
...
require 'medium/controllers/client_controller_patch'

So you can require it from an initializer:

# /config/initializers/difficulty.rb

# require 'easy'
require 'medium'
# require 'difficult'

You can then launch three different instances of the application, one on easy, one on medium and one on difficult. The code will be shared, with the exception of the difficulty.rb initializer (and I'll assume that you will also need different configuration files for the database, log files etc).

回复收藏 0 原文

情深已缘浅 2024-11-04 01:31:37

使用辅助功能或为您的学生分配一些级别。

学生将有一个级别，并且在您的应用程序控制器中，您有一个

def level_of(student)

或其他东西。或者您可以使用某种身份验证协议，其中某些用户只能访问某些模块/控制器/什么：

https://github .com/stffn/declarative_authorization 或 https://github.com/plataformatec/devise

中声明式身份验证您可以将其放入您的 config/authorization_rules.rb:

authorization do

  role :beginner do
    has_permission_on [:simple_inserts], :to => :manage
  end

  role :intermediate do
    has_permission_on [:simple_inserts], :to => :manage
  end 
end

等

中。您所要做的就是告诉我们的控制器它正在使用声明式身份验证，然后它将完成其余的工作。

use a helper function or assign some levels to your students.

Student will have a level and in your application controller, you have a

def level_of(student)

or something. OR you could use some sort of authentication protocol where certain users can only access some modules/controllers/whatnot:

https://github.com/stffn/declarative_authorization or https://github.com/plataformatec/devise

in declarative auth you can put this in your config/authorization_rules.rb:

authorization do

  role :beginner do
    has_permission_on [:simple_inserts], :to => :manage
  end

  role :intermediate do
    has_permission_on [:simple_inserts], :to => :manage
  end 
end

etc etc.

All you have to do is to tell our controllers that it's using declarative auth and it will do the rest.

回复收藏 0 原文