๐ ๐ Database Security in TuskLang - Ruby Edition
๐ Database Security in TuskLang - Ruby Edition
"We don't bow to any king" - Securing Data with Ruby Vigilance
Database security in TuskLang provides comprehensive protection against SQL injection, unauthorized access, data breaches, and other security threats. In Ruby, this integrates seamlessly with Rails security features, provides advanced encryption, and offers robust access control mechanisms.
๐ Basic Security Features
SQL Injection Prevention
require 'tusklang'TuskLang configuration for SQL injection prevention
tsk_content = <<~TSK
[security]
# Parameterized queries for injection prevention
secure_user_query: @db.query("SELECT * FROM users WHERE id = ? AND active = ?", [
@sanitize.integer(@request.user_id),
@sanitize.boolean(@request.active)
])
.validateInput()
.escapeOutput()
# Secure search with parameter binding
secure_search: @db.query("""
SELECT * FROM products
WHERE name LIKE ?
AND category_id = ?
AND price BETWEEN ? AND ?
""", [
"%#{@sanitize.string(@request.search_term)}%",
@sanitize.integer(@request.category_id),
@sanitize.float(@request.min_price),
@sanitize.float(@request.max_price)
])
.validateInput()
.escapeOutput()
# Secure dynamic query building
secure_dynamic_query: @db.buildQuery("SELECT * FROM users")
.where("active = ?", [@sanitize.boolean(@request.active)])
.whereIf(@request.role, "role = ?", [@sanitize.string(@request.role)])
.whereIf(@request.created_after, "created_at > ?", [@sanitize.date(@request.created_after)])
.orderBy("created_at DESC")
.limit(@sanitize.integer(@request.limit, 100))
TSKRuby implementation
class SecureQueryManager
include TuskLang::Secure
def execute_secure_queries
tusk_config = Rails.application.config.tusk_config
# Execute secure queries
user = tusk_config.execute_secure_query('secure_user_query', {
user_id: 1,
active: true
})
search_results = tusk_config.execute_secure_query('secure_search', {
search_term: 'ruby',
category_id: 1,
min_price: 10.00,
max_price: 100.00
})
dynamic_results = tusk_config.execute_secure_query('secure_dynamic_query', {
active: true,
role: 'admin',
created_after: '2024-01-01',
limit: 50
})
puts "Retrieved secure user: #{user[:name]}"
puts "Found #{search_results.length} secure search results"
puts "Retrieved #{dynamic_results.length} dynamic results"
end
endInput Validation and Sanitization
TuskLang configuration with input validation
tsk_content = <<~TSK
[input_validation]
# Comprehensive input validation
validated_user_creation: @db.query("""
INSERT INTO users (name, email, password, role, created_at)
VALUES (?, ?, ?, ?, ?)
""", [
@validate.required(@sanitize.string(@request.name, {max_length: 100})),
@validate.email(@sanitize.email(@request.email)),
@encrypt(@validate.password(@request.password, {min_length: 8}), "bcrypt"),
@validate.choice(@request.role, ["user", "admin"], "user"),
@now()
])
.validateInput()
.logSecurityEvent("user_creation")
# Advanced validation with custom rules
advanced_validation: @db.query("""
UPDATE users
SET name = ?, email = ?, updated_at = ?
WHERE id = ?
""", [
@validate.custom(@request.name, (value) => {
if (value.length < 2) throw "Name too short"
if (value.length > 100) throw "Name too long"
if (!/^[a-zA-Z\s]+$/.test(value)) throw "Invalid name format"
return @sanitize.string(value)
}),
@validate.email(@sanitize.email(@request.email)),
@now(),
@validate.integer(@request.user_id)
])
.validateInput()
.requireAuthentication()
.requireAuthorization("update_user")
TSKRuby implementation with validation
class InputValidator
include TuskLang::Secure
def create_validated_user(user_data)
tusk_config = Rails.application.config.tusk_config
# Validate and create user
result = tusk_config.execute_validated_query('validated_user_creation', {
name: user_data[:name],
email: user_data[:email],
password: user_data[:password],
role: user_data[:role]
})
puts "Created validated user: #{result[:id]}"
end
def update_user_with_validation(user_id, user_data)
tusk_config = Rails.application.config.tusk_config
# Update with advanced validation
result = tusk_config.execute_validated_query('advanced_validation', {
user_id: user_id,
name: user_data[:name],
email: user_data[:email]
})
puts "Updated user with validation: #{result[:affected_rows]} rows"
end
end๐ Advanced Security Features
Encryption and Hashing
TuskLang configuration for encryption
tsk_content = <<~TSK
[encryption]
# Sensitive data encryption
encrypt_sensitive_data: @db.query("""
INSERT INTO users (name, email, password, ssn, credit_card)
VALUES (?, ?, ?, ?, ?)
""", [
@sanitize.string(@request.name),
@sanitize.email(@request.email),
@encrypt(@request.password, "bcrypt", {cost: 12}),
@encrypt(@request.ssn, "AES-256-GCM", {key: @env("ENCRYPTION_KEY")}),
@encrypt(@request.credit_card, "AES-256-GCM", {key: @env("ENCRYPTION_KEY")})
])
.validateInput()
.logSecurityEvent("sensitive_data_creation")
# Decrypt sensitive data
decrypt_sensitive_data: @db.query("""
SELECT
name,
email,
@decrypt(ssn, "AES-256-GCM", {key: @env("ENCRYPTION_KEY")}) as ssn,
@decrypt(credit_card, "AES-256-GCM", {key: @env("ENCRYPTION_KEY")}) as credit_card
FROM users
WHERE id = ?
""", [@validate.integer(@request.user_id)])
.requireAuthentication()
.requireAuthorization("view_sensitive_data")
.auditAccess()
# Hash verification
verify_password: @db.query("""
SELECT id, password
FROM users
WHERE email = ?
""", [@sanitize.email(@request.email)])
.then((user) => {
if (@verifyHash(@request.password, user.password, "bcrypt")) {
return user
} else {
throw "Invalid password"
}
})
TSKRuby implementation with encryption
class EncryptionManager
include TuskLang::Secure
def create_user_with_encryption(user_data)
tusk_config = Rails.application.config.tusk_config
# Create user with encrypted sensitive data
result = tusk_config.execute_encrypted_query('encrypt_sensitive_data', {
name: user_data[:name],
email: user_data[:email],
password: user_data[:password],
ssn: user_data[:ssn],
credit_card: user_data[:credit_card]
})
puts "Created user with encrypted data: #{result[:id]}"
end
def retrieve_sensitive_data(user_id)
tusk_config = Rails.application.config.tusk_config
# Retrieve and decrypt sensitive data
user_data = tusk_config.execute_encrypted_query('decrypt_sensitive_data', {
user_id: user_id
})
puts "Retrieved sensitive data for user: #{user_data[:name]}"
end
def verify_user_password(email, password)
tusk_config = Rails.application.config.tusk_config
# Verify password hash
user = tusk_config.execute_secure_query('verify_password', {
email: email,
password: password
})
puts "Password verified for user: #{user[:id]}"
end
endAccess Control and Authorization
TuskLang configuration for access control
tsk_content = <<~TSK
[access_control]
# Role-based access control
rbac_query: @db.query("""
SELECT * FROM users
WHERE id = ?
""", [@validate.integer(@request.user_id)])
.requireAuthentication()
.requireRole(["admin", "manager"])
.requirePermission("read_users")
.auditAccess()
# Row-level security
row_level_security: @db.query("""
SELECT * FROM posts
WHERE author_id = ? OR status = 'public'
""", [@request.current_user_id])
.requireAuthentication()
.enforceRowLevelSecurity("posts", {
user_column: "author_id",
public_columns: ["status"],
public_values: ["public"]
})
# Column-level security
column_level_security: @db.query("""
SELECT
id,
name,
email,
@if(@hasPermission("view_sensitive_data"), ssn, NULL) as ssn,
@if(@hasPermission("view_financial_data"), salary, NULL) as salary
FROM users
WHERE id = ?
""", [@validate.integer(@request.user_id)])
.requireAuthentication()
.enforceColumnLevelSecurity({
"ssn": ["view_sensitive_data"],
"salary": ["view_financial_data"]
})
TSKRuby implementation with access control
class AccessControlManager
include TuskLang::Secure
def execute_rbac_query(user_id)
tusk_config = Rails.application.config.tusk_config
# Execute role-based access control query
user = tusk_config.execute_rbac_query('rbac_query', {
user_id: user_id
})
puts "Retrieved user with RBAC: #{user[:name]}"
end
def execute_row_level_security(current_user_id)
tusk_config = Rails.application.config.tusk_config
# Execute row-level security query
posts = tusk_config.execute_row_level_security('row_level_security', {
current_user_id: current_user_id
})
puts "Retrieved posts with RLS: #{posts.length} posts"
end
def execute_column_level_security(user_id)
tusk_config = Rails.application.config.tusk_config
# Execute column-level security query
user_data = tusk_config.execute_column_level_security('column_level_security', {
user_id: user_id
})
puts "Retrieved user with CLS: #{user_data[:name]}"
end
end๐ Advanced Security Patterns
Audit Logging and Monitoring
TuskLang configuration for audit logging
tsk_content = <<~TSK
[audit_logging]
# Comprehensive audit logging
audited_query: @db.query("""
UPDATE users
SET name = ?, email = ?, updated_at = ?
WHERE id = ?
""", [
@sanitize.string(@request.name),
@sanitize.email(@request.email),
@now(),
@validate.integer(@request.user_id)
])
.audit({
action: "user_update",
user_id: @request.current_user_id,
ip_address: @request.ip_address,
user_agent: @request.user_agent,
timestamp: @now(),
changes: {
name: @request.old_name + " -> " + @request.name,
email: @request.old_email + " -> " + @request.email
}
})
.logSecurityEvent("user_modification")
# Security event monitoring
security_monitoring: @db.monitor({
track_failed_logins: true,
track_suspicious_activity: true,
track_data_access: true,
alert_on_anomalies: true,
retention_period: "90d"
})
# Real-time security alerts
security_alerts: @db.alerts({
failed_login_threshold: 5,
suspicious_query_patterns: [
"DROP TABLE",
"DELETE FROM users",
"UPDATE users SET role = 'admin'"
],
data_export_threshold: 1000,
alert_channels: ["email", "slack", "webhook"]
})
TSKRuby implementation with audit logging
class AuditLogger
include TuskLang::Secure
def update_user_with_audit(user_id, user_data, current_user)
tusk_config = Rails.application.config.tusk_config
# Update user with comprehensive audit logging
result = tusk_config.execute_audited_query('audited_query', {
user_id: user_id,
name: user_data[:name],
email: user_data[:email],
current_user_id: current_user.id,
ip_address: current_user.ip_address,
user_agent: current_user.user_agent,
old_name: user_data[:old_name],
old_email: user_data[:old_email]
})
puts "Updated user with audit: #{result[:affected_rows]} rows"
end
def start_security_monitoring
tusk_config = Rails.application.config.tusk_config
# Start security monitoring
tusk_config.start_security_monitoring('security_monitoring')
tusk_config.configure_security_alerts('security_alerts')
puts "Security monitoring started"
end
endData Masking and Anonymization
TuskLang configuration for data masking
tsk_content = <<~TSK
[data_masking]
# Data masking for sensitive fields
masked_user_query: @db.query("""
SELECT
id,
@mask(name, "partial", {start: 0, end: 2}) as name,
@mask(email, "email", {show_domain: true}) as email,
@mask(phone, "phone", {show_last: 4}) as phone,
@mask(ssn, "ssn", {show_last: 4}) as ssn
FROM users
WHERE id = ?
""", [@validate.integer(@request.user_id)])
.requireAuthentication()
.requirePermission("view_masked_data")
# Data anonymization for analytics
anonymized_analytics: @db.query("""
SELECT
@anonymize(user_id, "hash") as anonymous_user_id,
@anonymize(email, "hash") as anonymous_email,
COUNT(*) as activity_count,
DATE(created_at) as activity_date
FROM user_activities
WHERE created_at >= ?
GROUP BY anonymous_user_id, activity_date
""", [@date.subtract("30d")])
.requirePermission("view_analytics")
.anonymize({
retention_period: "1y",
hash_salt: @env("ANONYMIZATION_SALT")
})
# PII detection and masking
pii_detection: @db.query("""
SELECT
id,
@detectAndMaskPII(content, {
patterns: ["email", "phone", "ssn", "credit_card"],
mask_type: "redact"
}) as sanitized_content
FROM posts
WHERE id = ?
""", [@validate.integer(@request.post_id)])
.requireAuthentication()
TSKRuby implementation with data masking
class DataMaskingManager
include TuskLang::Secure
def retrieve_masked_user(user_id)
tusk_config = Rails.application.config.tusk_config
# Retrieve user with masked sensitive data
user = tusk_config.execute_masked_query('masked_user_query', {
user_id: user_id
})
puts "Retrieved masked user: #{user[:name]}"
end
def get_anonymized_analytics
tusk_config = Rails.application.config.tusk_config
# Get anonymized analytics data
analytics = tusk_config.execute_anonymized_query('anonymized_analytics')
puts "Retrieved anonymized analytics: #{analytics.length} records"
end
def sanitize_content_with_pii_detection(post_id)
tusk_config = Rails.application.config.tusk_config
# Sanitize content with PII detection
post = tusk_config.execute_pii_detection('pii_detection', {
post_id: post_id
})
puts "Sanitized content with PII detection: #{post[:id]}"
end
end๐ง Rails Integration
Rails Security Integration
TuskLang configuration for Rails integration
tsk_content = <<~TSK
[rails_security]
# Rails CSRF protection
csrf_protected_query: @db.query("""
INSERT INTO posts (title, content, author_id, created_at)
VALUES (?, ?, ?, ?)
""", [
@sanitize.string(@request.title),
@sanitize.text(@request.content),
@validate.integer(@request.current_user_id),
@now()
])
.requireCSRFToken(@request.csrf_token)
.validateInput()
.auditAccess()
# Rails session-based security
session_secured_query: @db.query("""
SELECT * FROM users
WHERE id = ? AND session_token = ?
""", [
@validate.integer(@request.user_id),
@validate.string(@request.session_token)
])
.validateSession(@request.session_id)
.requireValidSession()
# Rails strong parameters integration
strong_parameters_query: @db.query("""
UPDATE users
SET name = ?, email = ?, updated_at = ?
WHERE id = ?
""", [
@strongParams(@request.user, [:name]),
@strongParams(@request.user, [:email]),
@now(),
@validate.integer(@request.user_id)
])
.requireStrongParameters()
.validateInput()
TSKRuby implementation for Rails security
class RailsSecurityManager
include TuskLang::Secure
def create_post_with_csrf_protection(post_data, current_user)
tusk_config = Rails.application.config.tusk_config
# Create post with CSRF protection
result = tusk_config.execute_csrf_protected_query('csrf_protected_query', {
title: post_data[:title],
content: post_data[:content],
current_user_id: current_user.id,
csrf_token: post_data[:csrf_token]
})
puts "Created post with CSRF protection: #{result[:id]}"
end
def authenticate_user_with_session(user_id, session_token, session_id)
tusk_config = Rails.application.config.tusk_config
# Authenticate with session security
user = tusk_config.execute_session_secured_query('session_secured_query', {
user_id: user_id,
session_token: session_token,
session_id: session_id
})
puts "Authenticated user with session: #{user[:name]}"
end
endRails model with security
class User < ApplicationRecord
include TuskLang::Secure
# Secure associations
has_many :posts, dependent: :destroy
has_one :profile, dependent: :destroy
# Secure validations
validates :name, presence: true, length: { minimum: 2, maximum: 100 }
validates :email, presence: true, uniqueness: true, format: { with: URI::MailTo::EMAIL_REGEXP }
validates :password, presence: true, length: { minimum: 8 }, if: :password_required?
# Secure callbacks
before_save :encrypt_password, if: :password_changed?
after_create :log_user_creation
after_update :log_user_modification
# Secure scopes
scope :active, -> { where(active: true) }
scope :admins, -> { where(role: 'admin') }
private
def encrypt_password
self.password = TuskLang.encrypt(password, 'bcrypt')
end
def log_user_creation
TuskLang.log_security_event('user_creation', {
user_id: id,
ip_address: Current.request&.remote_ip
})
end
def log_user_modification
TuskLang.log_security_event('user_modification', {
user_id: id,
changes: saved_changes
})
end
end๐งช Testing and Validation
Security Testing
TuskLang configuration for security testing
tsk_content = <<~TSK
[security_testing]
# SQL injection tests
sql_injection_tests: {
test_1: @db.testSecurity("""
SELECT * FROM users WHERE id = '1' OR '1'='1'
""", {
expected_result: "blocked",
test_type: "sql_injection"
}),
test_2: @db.testSecurity("""
SELECT * FROM users WHERE name = 'admin'--'
""", {
expected_result: "blocked",
test_type: "sql_injection"
})
}
# Authentication tests
authentication_tests: {
test_valid_login: @db.testAuthentication({
username: "valid_user",
password: "valid_password",
expected_result: "success"
}),
test_invalid_login: @db.testAuthentication({
username: "invalid_user",
password: "invalid_password",
expected_result: "failure"
})
}
# Authorization tests
authorization_tests: {
test_authorized_access: @db.testAuthorization({
user_id: 1,
resource: "users",
action: "read",
expected_result: "allowed"
}),
test_unauthorized_access: @db.testAuthorization({
user_id: 2,
resource: "admin_panel",
action: "access",
expected_result: "denied"
})
}
TSKRuby implementation for security testing
class SecurityTester
include TuskLang::Secure
def run_security_tests
tusk_config = Rails.application.config.tusk_config
# Run SQL injection tests
injection_tests = tusk_config.execute_security_tests('sql_injection_tests')
injection_tests.each do |test_name, result|
puts "#{test_name}: #{result[:status]}"
end
# Run authentication tests
auth_tests = tusk_config.execute_authentication_tests('authentication_tests')
auth_tests.each do |test_name, result|
puts "#{test_name}: #{result[:status]}"
end
# Run authorization tests
authz_tests = tusk_config.execute_authorization_tests('authorization_tests')
authz_tests.each do |test_name, result|
puts "#{test_name}: #{result[:status]}"
end
end
endRSpec tests for security
RSpec.describe SecureQueryManager, type: :model do
let(:security_manager) { SecureQueryManager.new }
describe '#execute_secure_queries' do
it 'prevents SQL injection attacks' do
expect {
security_manager.execute_secure_queries
}.not_to raise_error
end
it 'validates input parameters' do
# Test with malicious input
malicious_input = { user_id: "1' OR '1'='1", active: true }
expect {
security_manager.execute_secure_queries(malicious_input)
}.to raise_error(TuskLang::SecurityError)
end
end
end๐ฏ Summary
TuskLang's database security system in Ruby provides:
- SQL injection prevention with parameterized queries and input validation - Advanced encryption for sensitive data with multiple algorithms - Comprehensive access control with role-based and row-level security - Audit logging and monitoring for security event tracking - Data masking and anonymization for privacy protection - Rails integration with CSRF protection and strong parameters - Security testing with automated vulnerability detection - Real-time security alerts for suspicious activity - PII detection and protection for compliance requirements
The Ruby implementation maintains TuskLang's rebellious spirit while providing enterprise-grade security capabilities that "don't bow to any king" - not even the most sophisticated security threats.
Ready to revolutionize your Ruby application's database security with TuskLang? ๐