views: 49, answers: 3

This is probably a stupid question but I'll go ahead and humble myself.

The Ruby code in my controllers and models is interpreted so that an HTML result is sent to the browser. Ok, I get that part.

But is there any way for a malicious user to somehow take a peek at the Ruby code in the controllers and models by bypassing the process that converts or interprets that code before it is sent to the browser?

The reason I'm concerned is I am planning on doing some order processing in my app and if a malicious user was able to do that, they might be able to figure out how to do all kinds of unpleasant things.

+1  A: 

Nope. Try and navigate to the file yourself in the browser, you won't be able to see it. Your biggest worry should be someone trying to fake out GETs and POSTs because they know how REST works.

Matt Grande
A: 

Assuming you have things set up correctly, then the web server in front of Rails is pointed to the /public directory. So anything in that directory may be open to direct attack. However, the web server intercepts the HTTP call based on certain criteria and redirects it to Rails for processing.

The architecture of Rails makes it impossible for model and controller code to be exposed to the public. There is a possibility that view code is viewable, but ONLY if you seriously mess up the code (I think). I have never managed to expose code to the client by accident, and I have never deliberately attempted to do so.

askegg
+1  A: 

Side tip: make sure you use html_escape or h to escape user data and prevent someone from injecting code into your site. For example, use <%= h(person.name) %> so that someone can't put javascript in the name field and have it run when people view that page.

Peter
Good tip. This will be the default behaviour for Rails 3.
askegg
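The escaping tip in Peter's answer, shown as a runnable added example that is not part of the original thread and uses plain ERB from the Ruby standard library rather than a Rails view. The `Person` struct, the two template strings and the attacker-controlled name are constructed for the demonstration; `h` is the real `ERB::Util#html_escape` alias that Rails exposes to views (and, as askegg notes, applies automatically from Rails 3 onward).

```ruby
require "erb"
include ERB::Util # makes html_escape and its alias h available to the templates below

# Constructed sample input: a record whose user-supplied name carries a script payload,
# standing in for a person.name value stored from an unvalidated form field.
Person = Struct.new(:name)
ATTACKER = Person.new(%q{<script>alert("xss")</script>})

# Hypothetical view fragment that interpolates user data without escaping.
UNSAFE_TEMPLATE = "<p>Hello, <%= person.name %></p>"

# The same fragment with the user data passed through h(), as the answer recommends.
SAFE_TEMPLATE = "<p>Hello, <%= h(person.name) %></p>"

# Render an ERB template string against a person; the template sees the local `person`.
def render(template, person)
  ERB.new(template).result(binding)
end

def render_unsafe(person)
  render(UNSAFE_TEMPLATE, person)
end

def render_safe(person)
  render(SAFE_TEMPLATE, person)
end

# Crude check used to show the difference: does the rendered HTML still contain a live tag?
def contains_script_tag?(html)
  html.include?("<script")
end

if __FILE__ == $PROGRAM_NAME
  puts "unescaped: #{render_unsafe(ATTACKER)}"
  puts "escaped:   #{render_safe(ATTACKER)}"
end
```

Running the file prints the payload intact in the first line, so the browser would execute it, and as `&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;` in the second, where it is displayed as text. Note that `h` only protects HTML body and attribute contexts; user data placed inside a `<script>` block or a URL needs context-specific escaping instead.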