|
Looking at the diffs, it seems like they constructed numbers, booleans and regexps from user input, which could be used to attacker's advantage. It's probably related to MySQL type conversions, it's often pretty lax about these things. Smol fucked around with this message at 21:50 on Jan 28, 2013 |
#
?
Jan 28, 2013 21:37
|
|
|
|
| # ? May 9, 2024 18:49 |
|
|
Smol posted:Looking at the diffs, it seems like they constructed numbers, booleans and regexps from user input, which could be used to attacker's advantage. I knew mysql was pretty lax about silent conversions and such, but it took this article to realize just how bad it was over there.
|
|
#
?
Jan 28, 2013 21:54
|
|
|
gently caress. At least I organized all of my apps by version number after the last securi-gate. I am in support hell.
|
|
#
?
Jan 28, 2013 21:59
|
|
|
Pardot posted:I knew mysql was pretty lax about silent conversions and such, but it took this article to realize just how bad it was over there. Yeah, that article is the reason why I brought up MySQL. But it seems like other databases are vulnerable as well. quote:No. SQL Server, Oracle, IBM and other NoSQL databases. Everything that runs on Rails that is not SQLite3 or PostgreSQL requires an upgrade. http://news.ycombinator.com/item?id=5129771
|
|
#
?
Jan 28, 2013 22:09
|
|
|
More Rails vulnerabilities out, this time 2.3 and 3.0 are vulnerable. Looks very similar to the previous YAML vulnerability. https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo E: There is a proof-of-concept exploit in the wild, so upgrade ASAP. It's only a matter of time before it hits metasploit et al. and you'll have people automatically searching for vulnerable apps. Smol fucked around with this message at 00:50 on Jan 29, 2013 |
|
#
?
Jan 28, 2013 23:37
|
|
|
Smol posted:More Rails vulnerabilities out, this time 2.3 and 3.0 are vulnerable. Looks very similar to the previous YAML vulnerability. Managed to get emails sent out same-day this time. Practice makes perfect I suppose. MrDoDo posted:Anyone here gonna be at Heroku's Waza next month? I'll be there.
|
|
#
?
Jan 29, 2013 04:07
|
|
|
https://github.com/rapid7/metasploit-framework/commit/c42d4a661773550909484dba64104b72a128c294
|
|
#
?
Jan 29, 2013 07:53
|
|
|
Smol posted:https://github.com/rapid7/metasploit-framework/commit/c42d4a661773550909484dba64104b72a128c294 Here's a less bloated single script POC: https://gist.github.com/4660248 And a writeup: http://ronin-ruby.github.com/blog/2013/01/28/new-rails-poc.html
|
|
#
?
Jan 29, 2013 08:01
|
|
|
UxP posted:Here's a less bloated single script POC: https://gist.github.com/4660248 Cracking up at the filename on that one code:
|
|
#
?
Jan 29, 2013 14:59
|
|
|
Can someone explain or point me towards an overview of the threading model in rails? I'm curious in particular about the performance implications of server side network requests or file reads, etc.
|
|
#
?
Jan 30, 2013 17:58
|
|
|
Lexicon posted:Can someone explain or point me towards an overview of the threading model in rails? I'm curious in particular about the performance implications of server side network requests or file reads, etc. Short answer: don't do it, unless you're on JRuby. And even then, it depends. What version of Rails are you running?
|
|
#
?
Jan 30, 2013 20:47
|
|
|
Smol posted:Short answer: don't do it, unless you're on JRuby. And even then, it depends. What version of Rails are you running? 3.2.11 How would one handle an image proxy, say, in a rails app if server side requests are not a good idea?
|
|
#
?
Jan 30, 2013 20:50
|
|
|
Security is omakase.
|
|
#
?
Jan 30, 2013 21:06
|
|
|
b0lt posted:Security is omakase. You mean this "gem" that got posted to Rubygems.org today?
|
|
#
?
Jan 30, 2013 21:21
|
|
|
It wasn't posted, it was pushed up with the psych vulnerability (that should have been patched).
|
|
#
?
Jan 30, 2013 21:24
|
|
|
Lexicon posted:3.2.11 Do it in a separate app, running on rainbows.
|
|
#
?
Jan 30, 2013 21:31
|
|
|
b0lt posted:Security is omakase. What do you mean it wasn't a good idea to write a JSON parser with essentially YAML.load(json.gsub(/awesome_regex/, "awesome_replacement"))? Lexicon posted:3.2.11 It depends. I would most likely write it with something else entirely. But if that's not the case and if you're using a streaming-capable server, you could assign something like this to response_body, or perhaps bypass the rails stack entirely and do it in a Rack middleware. Ruby code:
|
|
#
?
Jan 30, 2013 21:40
|
|
|
I'm currently working on a webapp as a sideproject that I might want to launch, and I need some advice on hosting. As a poor student, I can't afford a huge monthly hosting bill to begin, as I have no idea if this idea will take off. So ideally I'm looking for hosting that can start real cheap but scale up if need by. Project is using postgresql. I was looking at EC2 since I'm using S3 for the storage duties, but even the small instance, with EBS to store data on would cost upwards of $50 a month, without the upfront fee for a reserved instance. I was also looking at heroku as it seems to be well loved, have a great postgres system, and the 1 free dyno seemed nice. However their smallest real database plan is $50 a month. I know they don't recommend it, but is the $9 a month plan suitable for small scale production use? Is there any hosting like what I'm looking for?
|
|
#
?
Jan 31, 2013 19:32
|
|
|
mmm11105 posted:I was also looking at heroku as it seems to be well loved, have a great postgres system, and the 1 free dyno seemed nice. However their smallest real database plan is $50 a month. I know they don't recommend it, but is the $9 a month plan suitable for small scale production use? The free plan at Heroku will be good enough until it isn't, at which point your app should make enough money to pay for a bigger plan. Just Use Heroku.
|
|
#
?
Feb 1, 2013 00:43
|
|
|
I have a set of pages that calls a few expensive database queries while being generated. This page is relatively high traffic, and also fairly static. "Page cache" seems to be what I want to use, but I can't figure out how to set it to expire after a certain amount of time. Apparently you have to manually expire things in cache. Is there a way to set the page cache to expire after 5 minutes? Am I going to have to individually cache each database call and/or set up a cron job to expire all of my caches?
|
|
#
?
Feb 1, 2013 06:50
|
|
|
A cached page will be served directly by the web server (it will just save the results of the action in public/foo/bar/baz.html) so it's not really possible to expire it from rails. Take a look at caches_action or expire it with that cronjob.
|
|
#
?
Feb 1, 2013 09:16
|
|
|
how!! posted:I have a set of pages that calls a few expensive database queries while being generated. This page is relatively high traffic, and also fairly static. "Page cache" seems to be what I want to use, but I can't figure out how to set it to expire after a certain amount of time. Apparently you have to manually expire things in cache. Is there a way to set the page cache to expire after 5 minutes? Am I going to have to individually cache each database call and/or set up a cron job to expire all of my caches? You can cache the rendered page using action caching, which still gives Rails the chance to check to see if the cache is expired before serving it.
|
|
#
?
Feb 1, 2013 17:36
|
|
|
I'm trying to get chunked/resumed uploads working with the jquery uploader (https://github.com/blueimp/jQuery-File-Upload). I seem to remember reading somewhere that rails isn't really optimal for dealing with bitrange html headers (or something) and that I should use Apache for the file serving aspect. Is this true?
|
|
#
?
Feb 2, 2013 21:16
|
|
|
This guy paints a particularly dire picture of the Rails security situation right now: http://www.kalzumeus.com/2013/01/31/what-the-rails-security-issue-means-for-your-startup/ How much of this is bluster and how much should be taken seriously? Is Rails really that much worse than other environments, e.g. PHP?
|
|
#
?
Feb 3, 2013 17:09
|
|
|
Lexicon posted:This guy paints a particularly dire picture of the Rails security situation right now: It seems like the use of YAML is much more pervasive in Rails than expected. I knew about the security problems of YAML.load beforehand, but like many others, I assumed that its use in Rails was limited to loading configuration files. It's possible that more vulnerabilities like that will follow, but in the meanwhile, you can (hopefully) plug similar holes yourself by using this gem. As for the greater security situation, it's good to remember one thing: security is a process. There will be security vulnerabilities in all frameworks (unless they're written by djb) but the one of the main things you should look for is how quickly these vulnerabilities get fixed and how much of your time will applying the fixes take. This is an area where Rails has shined. Each one of these vulnerabilities has been fixed at the same time as they have been announced and Rubygems/Bundler makes upgrading Rails applications almost too easy. That said, Rails won't go down in history books as the Most Secure Web Framework Ever. Every Rails developer should take vulnerabilities like this very seriously, and additionally subscribe to the rubyonrails-security list, so that they can upgrade their apps right away if and when vulnerabilities like this are published. But you don't have to jump the ship just yet.
|
|
#
?
Feb 3, 2013 18:16
|
|
|
Thanks; that's a very well-reasoned and rational point of view. I've only been involved in rails in earnest for about 4 months - I love it unreservedly, and want to use it for some future project ideas, but this recent security flap has given me some pause.
|
|
#
?
Feb 3, 2013 18:53
|
|
|
Also, remember how much Rails does by default to protect you. Do you know what an IP spoofing attack is? Or how to use cryptographic signatures in a way that does not expose you to timing attacks? What characters do you need to escape to prevent XSS vulnerabilities? Exactly.
|
|
#
?
Feb 3, 2013 19:38
|
|
|
Is there a way around adding a gem to your project and then having to run bundle install again? Just add the one new gem without using bundler? I was at Starbucks earlier and was actually motivated but the wifi sucks and it was too slow or timing out and I kept getting errors like: code:code:
|
|
#
?
Feb 3, 2013 22:45
|
|
|
Smol posted:Also, remember how much Rails does by default to protect you. Do you know what an IP spoofing attack is? Or how to use cryptographic signatures in a way that does not expose you to timing attacks? What characters do you need to escape to prevent XSS vulnerabilities? Exactly. Very true. Today I was wondering: is the dynamic nature of ruby something that necessarily poses risks within rails (or python and django) that wouldn't occur in a statically typed language? Java, for example, is truly horrendous to work with, but I imagine its a lot harder to actually inject malicious code. Am I off base here?
|
|
#
?
Feb 4, 2013 05:44
|
|
|
Lexicon posted:Java, for example, is truly horrendous to work with, but I imagine its a lot harder to actually inject malicious code. Am I off base here? Almost the same thing happend in java struts: http://struts.apache.org/2.3.4/docs/s2-001.html
|
|
#
?
Feb 4, 2013 05:52
|
|
|
Bob Morales posted:Is there a way around adding a gem to your project and then having to run bundle install again? Just add the one new gem without using bundler? If you already have the gem installed, you should be able to just require it somewhere early on in your app.
|
|
#
?
Feb 4, 2013 06:28
|
|
|
Another security question: I'm working on an app where users are asked to enter a zip code, and this is posted to a rails route, and eventually entered into the Submission.zipcode model attribute in the database. It goes without saying that I'll be checking for valid zipcode-ness on the client side. What about on the server side, as someone could construct a malicious post if they were so inclined. I assume ActiveRecord has some degree of SQL injection protection, but what's the best practice here? It's easy to use model validation in the case of a zip code, but what about an arbitrary text field? Phrased differently, what's an appropriate level of paranoia?
|
|
#
?
Feb 6, 2013 04:02
|
|
|
Lexicon posted:Another security question: I'm working on an app where users are asked to enter a zip code, and this is posted to a rails route, and eventually entered into the Submission.zipcode model attribute in the database. ActiveRecord will handle escaping the data for you along with validating that it is a string unless you do something stupid like Model.executes("INSERT INTO `table.... It's up to you to enforce further constraints on the data that it's actually a valid ZIP code. Validating the format is easy in ActiveRecord with validations; using a combination of length and numericality gets you most of the way there. Actually verifying that it's a valid ZIP code requires an up to date list of ZIP codes.
|
|
#
?
Feb 6, 2013 04:42
|
|
|
dexter posted:ActiveRecord will handle escaping the data for you along with validating that it is a string unless you do something stupid like Model.executes("INSERT INTO `table.... It's up to you to enforce further constraints on the data that it's actually a valid ZIP code. Thanks... That confirms everything I thought. Just wanted to be sure I wasn't missing something important.
|
|
#
?
Feb 6, 2013 05:00
|
|
|
Lexicon posted:It goes without saying that I'll be checking for valid zipcode-ness on the client side. You've got it backwards. It goes without saying that you'll be checking the validity of the zipcode on the server-side. The function of client-side validations is only to enhance the user experience, they do not enhance security. Also, you can add constraints to your routes. See e.g. this, this and this for more info.
|
|
#
?
Feb 6, 2013 21:21
|
|
|
If you are using mysql, sql server, or db2 for your rails app, there is a new security announcement.
|
|
#
?
Feb 7, 2013 07:02
|
|
|
Stupid question I know, but how do I make sure my ruby/rails is up to date?
|
|
#
?
Feb 8, 2013 14:13
|
|
|
Dakha posted:Stupid question I know, but how do I make sure my ruby/rails is up to date? Check the version in your Gemfile.lock. If it's out of date, modify your Gemfile version declaration and run bundle update.
|
|
#
?
Feb 8, 2013 15:19
|
|
|
Does anyone here use carmen and carmen-rails? I am having a terrible time getting the demo app working. It looks like I cannot derive the country code from an official name, or I'm not calling it right.
|
|
#
?
Feb 8, 2013 20:22
|
|
|
|
| # ? May 9, 2024 18:49 |
|
|
Update Rack if you're using it, more security fun: http://rack.github.com/
|
|
#
?
Feb 8, 2013 22:46
|
|