Securing Ruby on Rails Applications: Part 2 (Input Validation)

Input validation is an essential part of web application security, as it ensures that data entered by users is in the expected format and doesn’t contain any malicious content. In Ruby on Rails, input validation can be implemented using various methods and libraries. In this article, we’ll explore some of these techniques and provide code examples.

1. Validating Models

One of the most common ways to validate input in Ruby on Rails is to use the built-in validation methods provided by ActiveRecord, the ORM (Object Relational Mapping) framework included in Rails. ActiveRecord provides a range of validation methods that can be used to validate model attributes before they are saved to the database.

For example, let’s say we have a User model with a name and an email attribute. We want to ensure that the name is present and the email is a valid email address. We can achieve this using the following code:

1
2
3
4
class User < ApplicationRecord
  validates :name, presence: true
  validates :email, presence: true, format: { with: URI::MailTo::EMAIL_REGEXP }
end

In this code, we’ve used the validates method to specify the validation rules for each attribute. The presence validation ensures that the attribute is not blank, while the format validation checks that the email attribute is a valid email address.

2. Sanitizing Input

Another important aspect of input validation is sanitizing input to prevent against SQL injection attacks. Rails provides a number of built-in methods to sanitize user input, such as sanitize_sql_array and sanitize_sql_for_conditions.

For example, let’s say we have a simple search function that allows users to search for articles by title. We want to ensure that the search term is sanitized before it is used in the SQL query. We can achieve this using the following code:

1
2
3
4
5
class ArticlesController < ApplicationController
  def search
    @articles = Article.where("title like ?", "%#{sanitize_sql_like(params[:q])}%")
  end
end

In this code, we’ve used the sanitize_sql_like method to sanitize the search term before it is used in the SQL query. This helps to prevent against SQL injection attacks.

3. Using Validators

In addition to the built-in validation methods provided by ActiveRecord, Rails also provides a number of third-party validation libraries that can be used to further validate user input. One such library is the validates_timeliness gem, which can be used to validate dates and times.

For example, let’s say we have a Post model with a published_at attribute that contains a date and time. We want to ensure that the published_at attribute is a valid date and time. We can achieve this using the following code:

1
2
3
class Post < ApplicationRecord
  validates_datetime :published_at
end

In this code, we’ve used the validates_datetime method provided by the validates_timeliness gem to validate the published_at attribute.

In conclusion, input validation is a critical aspect of web application security, and it’s important to implement it correctly in order to prevent against attacks such as SQL injection and cross-site scripting (XSS). In Ruby on Rails, there are many techniques and libraries available to help with input validation, including the built-in validation methods provided by ActiveRecord, sanitizing input to prevent SQL injection attacks, and using third-party validation libraries. By implementing these techniques and libraries correctly, you can help to ensure that your Rails application is secure and protected against attacks.