Be Careful with GIDs in Rails
9 days ago
- #LLM
- #Rails
- #Security
- Rails Global IDs (GIDs) are string handles for referencing models in a Rails application, typically in the format `gid://app-name/ModelName/ID`.
- GIDs are primarily used in ActiveJob serialization, allowing jobs to reference models without serializing their attributes.
- GIDs can be dangerous when used with LLMs (Large Language Models) because they are not checked for authorization and can be manipulated.
- A key issue with GIDs is that they use `ActiveRecord::Base.find`, which can misinterpret non-integer IDs, leading to incorrect record lookups.
- LLMs can hallucinate GIDs, potentially causing security risks like information disclosure or unauthorized access.
- To mitigate risks, consider using a custom locator (`LLMSafeLocator`) that enforces stricter validation and authorization checks.
- Another safer alternative is using `signed_id` with a specific purpose, which is more secure than GIDs for LLM interactions.
- Always treat LLM input as untrusted user input to prevent security vulnerabilities.