<johnjaye>
leftylink: your impersonation of an ordinary person was flawless
doyle has joined #ruby
<doyle>
Hello! humans
ixti has quit [Remote host closed the connection]
desnudopenguino1 has joined #ruby
desnudopenguino has quit [Ping timeout: 260 seconds]
desnudopenguino1 is now known as desnudopenguino
doyle has quit [Read error: Connection reset by peer]
markong has quit [Ping timeout: 268 seconds]
ap4y has quit [Ping timeout: 246 seconds]
kenichi has quit [Server closed connection]
kenichi has joined #ruby
kenichi has quit [Changing host]
kenichi has joined #ruby
brokkoli_origin has quit [Quit: (Leaving)]
brokkoli_origin has joined #ruby
<mooff>
= :hola
<ruby-eval>
=> :hola
caedmon has joined #ruby
caedmon has quit [Ping timeout: 260 seconds]
FetidToot has joined #ruby
moldorcoder7 has quit [Read error: Connection reset by peer]
nektro has quit [Server closed connection]
nektro has joined #ruby
justache has quit [Server closed connection]
justache has joined #ruby
panella32 has joined #ruby
<panella32>
Hi
<panella32>
I have something to ask. Let me know please if you have any idea
<panella32>
Considering this erb tag: <%= image_tag @movie.cover_path %>
<panella32>
What is the recommended way to add a static directory path in front of @movie.cover_path preferably without using string interpolation?
<leftylink>
it sounds like the way to go would be to modify cover_path to return the value, including the path that should be added in front, no?
panella32 has quit [Ping timeout: 240 seconds]
caedmon has joined #ruby
panella32 has joined #ruby
<panella32>
leftylink Sorry I got disconnected. You're right, but logic aside I'd like to know what's the proper way to add a string inside an erb tag? I've heard string interpolation could be dangerous...
<leftylink>
then I think the best course of action is to seek clarification from the sources that said it could be dangerous - we would have trouble defending against a danger we do not understand
<leftylink>
we do not want to be either too cautious (and avoid a good solution because of groundless potential dangers that turn out to never surface) or too careless (and run into a problem that we should have avoided)
<leftylink>
but if instead all we know is "it's dangerous" without understanding why, we can get nowhere.
<panella32>
"if a developer writes a query manually using string concatenation or interpolation, without properly sanitizing or validating user input, it can leave the application vulnerable to SQL injection attacks."
<panella32>
So I thought I'd better avoid string interpolation specially when it comes to dealing with user input data.
<leftylink>
so now you know that the danger is coming from anywhere where a potential attacker could control the contents of the string. now we consider the question previously asked which is how to prepend a static path in front. this static path presumably cannot be controlled by an attacker (unless they have the ability to change the code that the server is running), so adding a fixed prefix to the string does not
<leftylink>
introduce any danger beyond any danger that was already present (for example, if an attacker can specify cover_path).
<panella32>
Sorry if it was ambiguous. The static part is okay and I did not count it as a user input data, but the instance variable coming from db somehow could be set by users (at least the image name as a part of image path, I'm not sure because it's not implemented yet)
<leftylink>
indeed, so that will be a problem, regardless of whether the static part is added or not
<leftylink>
so the static part seems irrelevant to this question, then
<panella32>
Why not? Considering my 'string interpolation' version of that line it indeed is relevant: <%= image_tag "some/static/path/#{@movie.cover_path}" %>
_ht has joined #ruby
<leftylink>
well, what I mean by irrelevant is that <%= image_tag "some/static/path/#{@movie.cover_path}" %> is exactly equally as dangerous as <%= image_tag @movie.cover_path %>
<leftylink>
there is no world in which one is dangerous and the other isn't. it's either both or neither
mexen has joined #ruby
<panella32>
The whole time I consider the <%= image_tag @movie.cover_path %> totally safe because I thought it would be sanitized by rails (ver7) by default even if there was any malicious data in db
<panella32>
Thanks for clarifying.
<leftylink>
@movie.cover_path is a string being passed to the function image_tag. "some/static/path/#{@movie.cover_path}" is also a string being passed to the function image_tag
<panella32>
Thanks, I am actively checking a related section of a course that I've already taken just to compare with this scenario... Should not take too long!
<leftylink>
so we see the string interpolation is the wrong place to look for the danger. instead, it's any place where an attacker-controlled string can appear in HTML, not just interpolation. so for example anywhere where image_tag is used
<leftylink>
it's possible image_tag does something to help here, but I wouldn't know since this isn't the rails channel and therefore I wouldn't know about rails
<panella32>
I think you're right overall. Even though I may be able to provide the source later, for the record I do remember an instructor once said we must avoid "string interpolation" when it comes to writing activerecord queries. Maybe I had that in mind and it's the reason I am too careful and try to avoid SI at any cost! Thanks anyway.
<panella32>
And as you said such thing (in this case: activerecord) is a #rubyonrails thing
<panella32>
"if you use a string, avoid dropping values into that string using string interpolation. This is unsafe and it may create a vulnerability to SQL injection. Instead, the safe way to do it is to use an array with a string that has a question mark in it as a placeholder and then the second element of the array is the value to insert at that placeholder. Rails will sanitize the value before it inserts it."
<leftylink>
yes from this we see that the place where user-controlled strings are used leads us to the type of vulnerability we need to look out for. if it's in a SQL query, we look out for SQL injection. and if it's in HTML we look out for cross-site scripting
<panella32>
Thanks! It was an eye-opening discussion for me :) As a beginner learned a lot through it
hightower2 has quit [Ping timeout: 246 seconds]
panella32 has quit [Ping timeout: 240 seconds]
_ht has quit [Remote host closed the connection]
roadie has joined #ruby
jprokop has joined #ruby
pavelz has quit [Server closed connection]
pavelz has joined #ruby
teclator has joined #ruby
friendlypunk has quit [Remote host closed the connection]
yassernasc has quit [Remote host closed the connection]
nmollerup has quit [Remote host closed the connection]
<wakaflaka>
hey
roadie has quit [Ping timeout: 240 seconds]
szkl has joined #ruby
<leftylink>
I used to like that song
<leftylink>
I guess I never stopped liking it so I shouldn't have used the past tense, it's just that I haven't thought about the song in a while so I didn't think to use present tense
roadie has joined #ruby
yetoo has quit [Quit: Leaving]
gasbag has joined #ruby
roadie has quit [Ping timeout: 240 seconds]
gr33n7007h has quit [Ping timeout: 260 seconds]
gr33n7007h has joined #ruby
ruby[bot] has quit [Remote host closed the connection]