Default routing considered harmful
February 25, 2008 – 9:07 am
(I always wanted to write one of those “considered harmful” posts)
In case you haven’t realized it yet, if you’re writing a RESTful application in Rails 2, you should probably delete the default route at the bottom of your routes file:
map.connect ':controller/:action/:id'
The reason is that this provides a back-door into any of your RESTful actions that you’d otherwise think are protected.
Take the following resource declaration, for instance:
map.resources :puppies
To update a puppy record, you have to PUT data to /puppies/[id], right? The PUT is of course simulated with a POST, but if the body of the POST doesn’t include _method=PUT (or the request forgery protection hash), your Rails app will reject it.
Unless, that is, you still have the default route declared. If that’s the case, then you can get around the HTTP method restriction (and request forgery protection!) by just requesting /puppies/update/[id] - you could even do it via a GET request, if you wanted.
If you’re writing a RESTful Rails application, then, be sure to delete the default route. Otherwise, you’re just asking for a URL-hacker to come in and play.
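As an added illustration (not code from the original post), here is a small Ruby simulation of the route matching described above: with only the routes that `map.resources :puppies` generates, a request for `/puppies/update/1` matches nothing, but once the default route is present a plain GET reaches the update action. The route table and matcher are hypothetical stand-ins written for this example, not Rails' own router.

```ruby
# Added example: a minimal model of Rails 2 route matching, showing how the
# default route opens a second path to a RESTful action. Hypothetical code.

Route = Struct.new(:verb, :pattern, :controller, :action)

# The subset of routes `map.resources :puppies` generates that matters here.
RESOURCE_ROUTES = [
  Route.new(:get,    "/puppies",     "puppies", "index"),
  Route.new(:post,   "/puppies",     "puppies", "create"),
  Route.new(:get,    "/puppies/:id", "puppies", "show"),
  Route.new(:put,    "/puppies/:id", "puppies", "update"),
  Route.new(:delete, "/puppies/:id", "puppies", "destroy"),
].freeze

# The default route: any HTTP verb, path segments mapped straight to
# controller/action/id with no verb restriction at all.
DEFAULT_ROUTE = Route.new(:any, "/:controller/:action/:id", nil, nil)

# Returns the params hash the route would yield for (verb, path), or nil.
def match_route(route, verb, path)
  return nil unless route.verb == :any || route.verb == verb
  segs  = route.pattern.split("/").reject(&:empty?)
  parts = path.split("/").reject(&:empty?)
  return nil unless segs.length == parts.length
  params = {}
  segs.zip(parts).each do |seg, part|
    if seg.start_with?(":")
      params[seg[1..-1]] = part      # dynamic segment, capture it
    elsif seg != part
      return nil                     # literal segment mismatch
    end
  end
  { "controller" => route.controller || params["controller"],
    "action"     => route.action     || params["action"],
    "id"         => params["id"] }
end

# First matching route wins, as in a routes file read top to bottom.
def dispatch(routes, verb, path)
  routes.each do |r|
    m = match_route(r, verb, path)
    return m if m
  end
  nil
end

SAFE_ROUTES   = RESOURCE_ROUTES
UNSAFE_ROUTES = RESOURCE_ROUTES + [DEFAULT_ROUTE]   # default route left in

if __FILE__ == $0
  p dispatch(SAFE_ROUTES,   :get, "/puppies/update/1")   # nil: no back door
  p dispatch(UNSAFE_ROUTES, :get, "/puppies/update/1")   # reaches update
end
```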
(photo of a back door in London from 2create on Flickr)


4 Responses to “Default routing considered harmful”
Hear, hear! I always delete the default routes. I’m never comfortable unless I have explicit routes for all my controllers.
By josh on Feb 25, 2008
What if you put attribute accessors so nothing can be modified unless explicitly set? Usually when that’s the case it really doesn’t matter how they modify it because it’ll happen one way or another.
By Daniel Fischer on Feb 25, 2008
@Daniel: You should definitely be using attr_accessible (or its weaker cousin attr_protected) on your models, but that only prevents part of the problem here. The overarching problem is that the default routes do something that for most people is completely unexpected - they give users a back door to your actions. You may think you’ve locked down your destroy account action by requiring a DELETE request, but Google Web Accelerator sees that URL and GETs it, and your account is gone just the same.
By Ben on Feb 25, 2008
+1. I always do this for all my projects. It’d be nice if that default route was just removed from the default routes.rb.
This was at the top of my list of “my first Rails app” mistakes: http://railspikes.com/2007/10/27/my-first-rails-app
By Luke Francl on Feb 26, 2008