Never trust input
One of the most common vulnerabilities in Ruby web applications comes from trusting input given by the user. Let's say you have a Struct subclass named Fruit. This keeps track of individual pieces of fruit, such as the type of fruit, the color of the fruit, and the price of the fruit:
Fruit = Struct.new(:type, :color, :price)
You store all your Fruit instances in a hash named FRUITS, keyed by a number assigned to the fruit:
FRUITS = {}
FRUITS[1] = Fruit.new('apple', 'red', 0.70)
FRUITS[2] = Fruit.new('pear', 'green', 1.23)
FRUITS[3] = Fruit.new('banana', 'yellow', 1.40)
You have a web application where you want to allow the user to ask for either the type, the color, or the price of a specified piece of fruit. You decide to try the Roda web framework to implement this application and find it is very simple to get started with:
Roda.route do |r| r.get "fruit", Integer...
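The lookup behind that route, as an added example that is not the book's code and runs without Roda: the naive version is an assumed way such a handler is often written, and the hardened version checks the user-supplied field name against an allowlist before touching the object. The route would pass the captured id and field name into one of these methods.

```ruby
# Added example: the Fruit lookup the text describes, as plain Ruby so it
# runs without Roda. The route handler would call one of these methods with
# the id and field name captured from the request path.
Fruit = Struct.new(:type, :color, :price)

FRUITS = {
  1 => Fruit.new('apple', 'red', 0.70),
  2 => Fruit.new('pear', 'green', 1.23),
  3 => Fruit.new('banana', 'yellow', 1.40)
}.freeze

# Naive version (an assumed pattern, not the book's code): the user-supplied
# field name is forwarded straight to the Struct, so any public method on it
# can be invoked, not only the three attributes the application meant to
# expose.
def fruit_field_unsafe(id, field)
  fruit = FRUITS[id] or return nil
  fruit.public_send(field)
end

# Hardened version: the field name is compared against a fixed allowlist of
# the attributes this feature is meant to expose, and anything else is
# rejected before any method is called. Struct#[] accepts the member name as
# a string, so no dynamic method dispatch is needed at all.
FRUIT_FIELDS = %w[type color price].freeze

def fruit_field(id, field)
  fruit = FRUITS[id] or return nil
  return nil unless FRUIT_FIELDS.include?(field)
  fruit[field]
end
```

With the allowlist in place, a request for an unknown fruit id or for a field outside the three attributes returns nil instead of reaching the object.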