Databases and Web Testing

This week did not cover many new techniques or concepts.

It was mostly an introduction to development tools.

Bugs and Vulnerabilities in Dependencies

  • Gemnasium : monitors your project dependencies and alerts you about updates and security vulnerabilities

Rake

  • command-line tool to run simple utility tasks

Rakefile task example:

desc 'Tests API root route'
task :api_spec do
  sh 'ruby specs/api_spec.rb'
end

Environment Variables

  • System-wide variables that running processes can access

  • Can be used to configure the environment and to hold secrets such as credentials and keys outside the code

SQLite

  • SQL database

  • stores the whole database in a file

  • Although lightweight, its maximum DB size can reach 140 terabytes

sequel

  • The Database Toolkit for Ruby

  • uses the Active Record design pattern

    • A database table or view is wrapped into a class

    • We can work with records the same way we normally work with objects

# Group is a table in sqlite
# group is the first record in the Group table
group = Group.first
# +----+-----------------+--------------------------------+
# | id | fb_id           | name                           |
# +----+-----------------+--------------------------------+
# | 1  | 150352985174571 | Web Service Development @ NTHU |
# +----+-----------------+--------------------------------+
# 1 row in set

tux

  • The Tux gem provides a REPL with your Sinatra application running

  • Lets you run and debug code inside the Sinatra environment

hirb

  • Pretty Print for Active Records

  • Makes Sequel results easier to read

Migrations

  • Database schema changes can also be made by issuing SQL statements directly

  • But using migrations puts the database changes under version control as well

Testing

  • write tests before coding!!

Security Threats

Although Gemnasium takes care of the security of dependencies,

using a database does not seem to solve last week's problems,

and because we use a SQL DB, two more threats are added:

  • Integrity: User could destroy earlier resources

    • Vulnerability: app does not check whether an :id key is being sent along with the POST request
    • Vector: send :id along with a POST request to see if the app overwrites an earlier resource
  • Integrity: Primary key id random generator could produce collisions

    • Vulnerability: random key generator produces the same keys within a given second
    • Vector: send multiple POST '/resource' requests within the same second
  • Confidentiality: Stored resources could be stolen if server is compromised

    • Vulnerability: User resources are not being encrypted
    • Vector: Attacker with access to server can read whole data store
  • Authorization, Authentication: Information about resources is not private

    • Vulnerability: App does not check if user is authorized to see resource
    • Vector: Anyone can access any data by knowing its public URL
  • (new) Integrity, Authorization, Confidentiality: Mass Assignment Vulnerability

    • Vulnerability: using column names supplied by the user
    • Vector: HTTP requests
  • (new) Integrity, Authorization, Confidentiality, Availability: SQL Injection

    • Vulnerability: user input used to form the SQL query; no validation of input
    • Vector: enter SQL fragments into an input form or URL
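The first threat (client-supplied :id overwriting a row) and the mass-assignment threat come from the same habit: passing the request params straight to the model's create call. The example below is added here and is not from the course or from Sequel; FakeModel is a stand-in for a Sequel model (its create mimics Model.create(hash)), PERMITTED_COLUMNS and permit_columns are assumed names, and the two create_* functions are the vulnerable and hardened handler bodies.

```ruby
# FakeModel stands in for a Sequel model so this runs without a database.
# It mimics one property of Model.create(hash): a caller-supplied 'id'
# key replaces the row with that primary key instead of getting a fresh one.
class FakeModel
  attr_reader :rows

  def initialize
    @rows = {}
    @next_id = 1
  end

  def create(attrs)
    attrs = attrs.transform_keys(&:to_s)
    id = (attrs['id'] || @next_id).to_i
    @next_id = [@next_id, id + 1].max
    @rows[id] = attrs.merge('id' => id)
  end
end

# Vulnerable handler body: every key the client sent becomes a column
# assignment, so 'id' (or any other column) is under the client's control.
def create_vulnerable(model, params)
  model.create(params)
end

# Hardened handler body: only a fixed whitelist of columns may come from
# the client; 'id' and anything else unexpected is rejected outright.
PERMITTED_COLUMNS = %w[fb_id name].freeze

def permit_columns(params, permitted = PERMITTED_COLUMNS)
  params = params.transform_keys(&:to_s)
  unknown = params.keys - permitted
  unless unknown.empty?
    raise ArgumentError, "unpermitted columns: #{unknown.join(', ')}"
  end
  params
end

def create_hardened(model, params)
  model.create(permit_columns(params))
end
```

With a real Sequel model the same whitelist goes in front of Group.create, and lookups use hash conditions such as Group.where(fb_id: params['fb_id']) so values are bound rather than interpolated into the SQL string.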