Pollyanna posted:
> Ostensibly security, but in reality it doesn't matter cause the whole thing is a shitstorm anyway: https://github.com/rails/rails/issues/8832

The +1-ing on a bug report makes me want to vomit.

Jun 9, 2015 20:54

Internet Janitor posted:
> I wandered around the related issues and I'm trying to understand how nils represent a security risk. It sounds like the Rails ORM uses arbitrary JSON requests to construct SQL queries and the logic underlying that is incapable of validating input structure in certain ways such that nils can result in queries which return more rows than desired, possibly leaking sensitive information. This seems like an inherently insecure architecture which places unnecessary trust in user input. Could anyone more familiar with the issue clarify?

The ORM itself doesn't do any permissions-oriented validations; you have to use another gem or roll your own. So yes, if you blindly go `SomeModel.where(params)` or whatever, you have a huge security hole.

Jun 9, 2015 21:00

Factor Mystic posted:
> Rails is bad. People who like it are neophytes or stockholmed. However when you're doing rails apps the "bad, because webdev" and "bad, because rails" all starts to blur together and after awhile it's easier to just go with the flow and get paid ¯\_(ツ)_/¯

Rails is omakase.

Jun 9, 2015 21:20

Pollyanna posted:
> Rails by default compacts arrays when it munges incoming request parameters, which means that if you pass it a null value in an array it will silently remove it.

https://github.com/rails/rails/issues/8832#issuecomment-15076137 posted:
> Difference between #9569 and #8862:

I have to assume that `nil` isn't a legal value in a Ruby array, because otherwise I can't see how even the 9569 result would be acceptable. It gets even better later:

https://github.com/rails/rails/issues/13420#issuecomment-31023144 posted:
> The new table looks like, and should have always looked like:

Look at that final line. It's the exact same problem but with objects instead of arrays. Again, I hope Ruby just doesn't have a concept of an empty object/dict/associative array because otherwise that's absurd.

Jun 9, 2015 22:34

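As an added example (not code from the thread and not Rails' own code), a constructed Ruby model of the two points raised above: the blind `where(params)` lookup and the array compaction that turns a `[null]` into a `nil`. `deep_munge`, `where_sql` and `safe_token_condition` are simplified stand-ins written for this illustration; the request body is constructed.

```ruby
require 'json'

# Constructed, simplified stand-in for the parameter "munging" the thread
# describes: nils are dropped from arrays, and an array left empty collapses
# to nil. Not Rails' own code; it only models the behaviour the posts describe.
def deep_munge(value)
  case value
  when Array
    cleaned = value.map { |v| deep_munge(v) }.compact
    cleaned.empty? ? nil : cleaned
  when Hash
    value.each_with_object({}) { |(k, v), h| h[k] = deep_munge(v) }
  else
    value
  end
end

# Constructed stand-in for how a hash-style `where` turns values into SQL.
# nil becomes "IS NULL", which matches every row lacking a value, so a
# munged `[null]` widens the query instead of matching one token.
def where_sql(conditions)
  conditions.map do |col, val|
    case val
    when nil   then "#{col} IS NULL"
    when Array then "#{col} IN (#{val.map(&:inspect).join(', ')})"
    else            "#{col} = #{val.inspect}"
    end
  end.join(' AND ')
end

# Hardened lookup: insist on a non-empty String before the value reaches the
# query builder, so nil, arrays and hashes are rejected at the boundary.
def safe_token_condition(params)
  token = params['token']
  raise ArgumentError, 'token must be a non-empty string' unless token.is_a?(String) && !token.empty?
  where_sql('token' => token)
end

params = deep_munge(JSON.parse('{"token": [null]}')) # constructed request body
puts where_sql(params)                                 # token IS NULL
begin
  safe_token_condition(params)
rescue ArgumentError => e
  puts "rejected: #{e.message}"
end
puts safe_token_condition('token' => 'abc')           # token = "abc"
```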
Of course nil is a legal value in a Ruby array. And empty dicts, empty arrays, they're all real.

Jun 9, 2015 22:48

qntm posted:
> I have to assume that `nil` isn't a legal value in a Ruby array,

qntm posted:
> Again, I hope Ruby just doesn't have a concept of an empty object/dict/associative array because otherwise that's absurd.

And yet.

Jun 9, 2015 22:50

Factor Mystic posted:
> Rails is bad. People who like it are neophytes or stockholmed. However when you're doing rails apps the "bad, because webdev" and "bad, because rails" all starts to blur together and after awhile it's easier to just go with the flow and get paid ¯\_(ツ)_/¯

Color me curious: what should I use?

Jun 10, 2015 03:49

Pollyanna posted:
> And yet.

Literally anything else? It's not like the world is lacking for web frameworks.

Jun 10, 2015 04:15

Rest assured they are pretty much all bad. ASP.NET MVC is good but you pretty much still have to be in windows world to develop a site with it which has its disadvantages. If you just want to get started with something quick, node.js is alright but I'm skeptical of it for anything big or important. I realize the web frameworks debate is a massive can of worms so I'm sorry for my relatively uninformed opinions.

Jun 10, 2015 04:44

ExcessBLarg! posted:
> It does have that concept, and it is absurd. The provided JSON trivially translates to Ruby objects. In fact, if you just changed the colons to "=>", null to "nil", and removed the ellipses, it is syntactically correct Ruby. Which is exactly how the JSON module in Ruby's standard library parses it.

Like a straight string replace + eval?

TheBlackVegetable posted:
> It's horrors all the way down...

It does kinda help with code organization and this code has been accreting for a decade, so some architectural ugliness is bound to happen. I've dealt with worse.

Jun 10, 2015 04:49

fleshweasel posted:
> Rest assured they are pretty much all bad. ASP.NET MVC is good but you pretty much still have to be in windows world to develop a site with it which has its disadvantages.

This will be less true in ~2 months when they release ASP .NET 5 / .NET Core. I was playing with it on my Mac with Visual Studio Code a few weeks ago and it was a pretty good experience. Of course, I haven't done anything Big and Serious with it yet.

Jun 10, 2015 04:50

uncurable mlady posted:
> Literally anything else? It's not like the world is lacking for web frameworks.

I said "should", not "could". If Rails is a bad option, what is considered a good option?

fleshweasel posted:
> Rest assured they are pretty much all bad.

Actually, let's go with this.

Jun 10, 2015 05:12

Pollyanna posted:
> And yet.

Django, Flask, Dropwizard, my butt.

Jun 10, 2015 05:16

Yesod is my personal favorite.

Jun 10, 2015 05:16

Seconding .net mvc. The skills translate well to many other things, but most especially it's because Visual Studio is a pleasure to work in.

Jun 10, 2015 06:28

C# is a great language and ASP.net MVC is a ... good framework.

fleshweasel posted:
> If you just want to get started with something quick, node.js is alright but I'm skeptical of it for anything big or important.

I think node.js might be one of the only frameworks you could have picked that is actually worse than Rails. Probably your first concern when picking a framework is picking a language.

Jun 10, 2015 08:12

node.js isn't a framework, at least not in the way that Flask or Rails or ASP.NET or Play or Snap is.

Jun 10, 2015 09:05

Pollyanna posted:
> And yet.

Whiskey. Lots of it.

Jun 10, 2015 10:08

Pollyanna posted:
> And yet.

CGI + Perl

Jun 10, 2015 12:47

Most people I talk to swear by flask+sqlalchemy for any sort of webdev. Admittedly most of those people hang out together and have the same ideas about things so

Jun 10, 2015 13:45

Flask + SQLAlchemy is actually, unironically pretty good.

Jun 10, 2015 14:18

Ithaqua posted:
> This will be less true in ~2 months when they release ASP .NET 5 / .NET Core. I was playing with it on my Mac with Visual Studio Code a few weeks ago and it was a pretty good experience. Of course, I haven't done anything Big and Serious with it yet.

It's really cool until you want to use a library that's not supported yet, then it becomes a pain in the rear end. Of course, as it matures and more people port their stuff over it will get better, but for the short term it can be a pain. It is nice to just have a site run on all of those platforms though with minimal effort. EF 7 is also still kinda flaky, but has come a long way in a short time and they are quite responsive when issues arise.

Jun 10, 2015 14:20

Drastic Actions posted:
> It's really cool until you want to use a library that's not supported yet, then it becomes a pain in the rear end. Of course, as it matures and more people port their stuff over it will get better, but for the short term it can be a pain. It is nice to just have a site run on all of those platforms though with minimal effort. EF 7 is also still kinda flaky, but has come a long way in a short time and they are quite responsive when issues arise.

I hate EF anyway, I'm just hoping nHibernate is ported over soon.

Jun 10, 2015 14:25

Munkeymon posted:
> Like a straight string replace + eval?

Jun 10, 2015 15:30

Bug, assigned to me.

Jun 10, 2015 19:24

ExcessBLarg! posted:
> JSON.parse doesn't actually do a straight string replace and eval though.

That's what I was wondering about - just didn't word it well.

Jun 10, 2015 19:33

Drastic Actions posted:
> Bug, assigned to me.

People have no sense of humor, I swear.

Jun 10, 2015 20:14

Drastic Actions posted:
> Bug, assigned to me.

reply with: ☞( ゚∀゚)☞ ¯\_(ツ)_/¯ [wontfix]

Jun 10, 2015 20:28

I enjoy "expected result: unexpected xxx should not.." Thanks for the detail!

Jun 10, 2015 20:41

Clearly you should be using 😸

Jun 10, 2015 20:48

No Safe Word posted:
> reply with:

Jun 10, 2015 21:03

Drastic Actions posted:
> Bug, assigned to me.

I mean, if you're not familiar with little ascii drawings of people, that emote kinda looks like a pair of boobs, so I could see someone being bugged by it.

Jun 10, 2015 21:13

LeftistMuslimObama posted:
> I mean, if you're not familiar with little ascii drawings of people, that emote kinda looks like a pair of boobs, so I could see someone being bugged by it.

I thought it was breasts.

Jun 10, 2015 21:18

LeftistMuslimObama posted:
> I mean, if you're not familiar with little ascii drawings of people, that emote kinda looks like a pair of boobs, so I could see someone being bugged by it.

That was the issue. The QA tester had zero clue what that was. For slightly more background: When you submit a new component to the Xamarin component store and finish, this is the view you get

For updating components though, the process was basically a hacked version of the edit component screen, with some different session variables. It was a lovely experience and most users had to have their hand held to actually update their stuff. That's not a good process, so I wrote a new component update page, and an actual new landing when you finish:

I was just riffing on the :-) thing. After this bug was filed, I went to my boss and a few others to see what they thought the ascii was. Some knew it was a high five, but others were stumped. So instead of fighting, I just took it out. Not saying it won't reappear though somewhere. I thought there could be bugs written for what I wrote. Just not for this.

Jun 10, 2015 21:20

http://blog.parse.com/learn/how-we-moved-our-api-from-ruby-to-go-and-saved-our-sanity/

Kind of an interesting & apropos article

the article posted:
> The hardest part of the rewrite was dealing with all the undocumented behaviors and magical mystery bits that you get with Rails middleware. Parse exposes a REST API, and Rails HTTP processing is built on a philosophy of "be liberal in what you accept". So developers end up inadvertently sending API requests that are undocumented or even non-RFC compliant … but Rails middleware cleans them up and handles it fine.

Rails and/or webdevs ¯\_(ツ)_/¯

a commenter posted:
> Also, you want performance? Rails is not for speed, it does 10,000 things until your code kicks in, it does 10,000 things to make life of thousands of developers easier, who don't run popular APIs that need to process thousand requests per second. You want speed in ruby? Write a Rack application or use micro framework such as 'cuba.is', you will get ten times better performance than Rails. Does it mean Rails sucks? NO, Rails is $%^&$% amazing if you use it for what it makes sense. Comparing Rails vs Go, is just plain stupid.

Rails does 10,000 things before your code, and this is good, except it is slow, which also... somehow doesn't mean rails is bad. Also, why in the world would anyone compare two backend languages for a website?? ¯\_(ツ)_/¯

Factor Mystic fucked around with this message at 21:24 on Jun 10, 2015

Jun 10, 2015 21:22

Factor Mystic posted:
> http://blog.parse.com/learn/how-we-moved-our-api-from-ruby-to-go-and-saved-our-sanity/

There's nothing wrong with accepting performance tradeoffs with ease of development / hiring developers if you're not going to be affected by those performance issues. That said, obviously these guys chose the wrong tradeoffs, but most people have had to scrap a prototype when new requirements became apparent.

TheBlackVegetable fucked around with this message at 22:02 on Jun 10, 2015

Jun 10, 2015 21:53

Not everything needs to be maximally fast.

Jun 10, 2015 21:56

Factor Mystic posted:
> http://blog.parse.com/learn/how-we-moved-our-api-from-ruby-to-go-and-saved-our-sanity/

Unexpected behaviour: lots of weird symbols in the middle of this post. Expected behaviour: no unexpected symbols in the middle of this post.

Jun 10, 2015 22:41

In the HN comments the people involved say that in retrospect Rails was the correct choice to build the first version in, and all that they'd change given a time machine is migrate away a bit sooner.

Jun 10, 2015 22:45

TheBlackVegetable posted:
> That said, obviously these guys chose the wrong tradeoffs, but most people have had to scrap a prototype when new requirements became apparent

In startups, maybe. In big companies and government work, you scrap the new requirements instead.

Jun 11, 2015 01:30