How can Rails provide data to AJAX calls in a secure way?
In order to use some AJAX calls, we often use some input type="hidden". But these values can be easily changed. So, is there a built-in Rails feature that permits sending data to AJAX without it being usable by the user, or that can't be changed by the user?
In my current Rails apps, I'm using filters to discard all malicious actions on my controllers. I am not building a public API, so I don't really need more powerful checks.
But for example, I have an apotomo widget displaying some data, using some hidden inputs. But if you change it, you can access another data set. In my case, it's not really an issue, because all these users have the right to access these data sets anyway.
But is there some manner to give data to an AJAX call in a secure way? Or is the only security about rights management?
Comments (1)
All input that comes from the user is insecure as you do not have control over it! Users do not even need a web browser but can use some other program (like curl or wget) to send manipulated data. As you state, using a whitelist (not a blacklist, as you can never be sure of all bad, but of all good!) is a good way to start.
To make sure the hidden fields have not been changed you can use some kind of checksum that is calculated on the server side using a fixed secret. This secret must never be exposed to your visitors! When these four hidden fields (field_1..3, hash) arrive in your form you can recalculate the hash and compare it with params[:hash] in order to be sure that field_1 to field_3 have not been changed.
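One way to implement the checksum described in this answer, as an added example that is not part of the original post: the secret, field names and sample values are constructed, and params is assumed to be a plain Hash with string keys rather than Rails' ActionController::Parameters.

```ruby
require "openssl"

# Constructed secret for illustration only. In a real Rails app read it from
# credentials or the environment; it is never rendered into a view.
SECRET = "constructed-secret-never-sent-to-the-browser"
SIGNED_FIELDS = %w[field_1 field_2 field_3].freeze

# Canonical string over the signed fields: fixed order, each value prefixed
# with its byte length so that moving bytes between adjacent fields
# ("ab","c" vs "a","bc") changes the signature.
def canonical(params)
  SIGNED_FIELDS.map do |name|
    value = params.fetch(name, "").to_s
    "#{name}=#{value.bytesize}:#{value}"
  end.join("&")
end

# Server side, when rendering the form: the value for the hidden "hash" field.
def sign_fields(params, secret = SECRET)
  OpenSSL::HMAC.hexdigest("SHA256", secret, canonical(params))
end

# Constant-time string comparison so a timing side channel does not leak
# how many leading bytes of a guessed hash were correct.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side, when the form is submitted: recompute the HMAC over the
# received field_1..3 and compare it with the received params["hash"].
def fields_intact?(params, secret = SECRET)
  secure_equal?(params.fetch("hash", "").to_s, sign_fields(params, secret))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: what the view renders, then what a tampered submit looks like.
  rendered = { "field_1" => "dataset-42", "field_2" => "page", "field_3" => "2" }
  rendered["hash"] = sign_fields(rendered)
  tampered = rendered.merge("field_1" => "dataset-43")
  puts "untouched form accepted: #{fields_intact?(rendered)}"   # true
  puts "tampered form accepted:  #{fields_intact?(tampered)}"   # false
end
```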