title |
---|
Rails4 中的 strong parameter |
-
strong parameter : https://github.com/rails/strong_parameters
-
burp: http://portswigger.net/burp/ http://portswigger.net/burp/help/suite_gettingstarted.html
-
github安全漏洞: https://github.com/blog/1068-public-key-security-vulnerability-and-mitigation
如果有 mass assignment 我们可以
attrs = {:first => "John", :last => "Doe", :email => "[email protected]"}
user = User.new(attrs)
如果没有 mass assignment
attrs = {:first => "John", :last => "Doe", :email => "[email protected]"}
user = User.new
user.first = attrs[:first]
user.last = attrs[:last]
user.email = attrs[:email]
java -jar -Xmx1024m /path/to/burp.jar
preference -> advanced setting -> proxy 127.0.0.1 8080
private
# Use callbacks to share common setup or constraints between actions.
def set_user
@user = User.find(params[:id])
end
# Never trust parameters from the scary internet, only allow the white list through.
def user_params
params.require(:user).permit(:first, :last)
end