Ruby on Rails framework, ~20 mins

Security best practices in Ruby on Rails - Practice Problems & Coding Challenges

Challenge - 5 Problems
🧠 Conceptual (intermediate)
Understanding CSRF Protection in Rails

What is the primary purpose of the protect_from_forgery method in a Rails controller?

A. It prevents Cross-Site Request Forgery attacks by verifying authenticity tokens in non-GET requests.
B. It encrypts all user passwords before saving them to the database.
C. It automatically sanitizes all user input to prevent SQL injection.
D. It disables cookies to enhance session security.
💡 Hint

Think about how Rails protects forms and non-GET requests from unauthorized actions.

Component behavior (intermediate)
Effect of Strong Parameters on Mass Assignment

Given the following controller code snippet, what will happen if a user tries to submit a form with an extra parameter admin: true?

def user_params
  params.require(:user).permit(:name, :email, :password)
end
A. The admin parameter will be ignored and not assigned to the user model.
B. The admin parameter will be assigned, making the user an admin.
C. The application will raise a ForbiddenAttributesError exception.
D. The admin parameter will overwrite the email attribute.
💡 Hint

Consider how permit controls which parameters are allowed for mass assignment.

📝 Syntax (advanced)
Identifying Secure Session Store Configuration

Which of the following Rails session store configurations correctly enhances security by preventing session fixation and ensuring cookie confidentiality?

A. Rails.application.config.session_store :cache_store, key: '_app_session', secure: false, httponly: true
B. Rails.application.config.session_store :cookie_store, key: '_app_session', secure: false, httponly: false
C. Rails.application.config.session_store :active_record_store, key: '_app_session', secure: false, same_site: :lax
D. Rails.application.config.session_store :cookie_store, key: '_app_session', secure: true, httponly: true, same_site: :strict
💡 Hint

Look for options that enable secure cookies and restrict JavaScript access.

🔧 Debug (advanced)
Debugging SQL Injection Vulnerability

Consider the following Rails code snippet in a controller:

def search
  @users = User.where("name = '#{params[:name]}'")
end

What is the main security issue with this code?

A. It will raise a syntax error due to incorrect string interpolation.
B. It is vulnerable to SQL injection because user input is directly interpolated into the query string.
C. It prevents SQL injection by escaping user input automatically.
D. It uses parameterized queries, so there is no security issue.
💡 Hint

Think about how user input is used inside the SQL query string.

State output (expert)
Output of Content Security Policy Header Configuration

Given the following Rails configuration in config/application.rb:

config.action_dispatch.default_headers = {
  'Content-Security-Policy' => "default-src 'self'; img-src https://trusted.com; script-src 'none'"
}

What will be the effect on the browser when loading this app?

A. The browser will block all resources including images and scripts from loading.
B. The browser will allow scripts from any source but block images from external domains.
C. The browser will only load resources from the same origin, images from https://trusted.com, and block all scripts.
D. The browser will ignore the header because it is misconfigured.
💡 Hint

Review how Content Security Policy directives control resource loading.