Comments on Errata Security: The Ruby/GitHub hack: translated
Feed author: David Maynor

Anonymous, 2013-01-17T01:50:08-05:00:
Ruby on Rails is designed to make it simpler for Ruby on Rails developers to develop applications and websites.

Bill Leeper, 2012-03-12T11:12:49-04:00:
I keep seeing a few comments about it being the developers' problem; however, this is a relatively quiet feature, and not raising its awareness means that there are 1000s of developers unaware of the implications.

I for one have been pretty diligent in various security aspects of Rails and other languages and was unaware of the significance of this, and will be more diligent in the future thanks to this article.

Anonymous, 2012-03-09T14:09:45-05:00:
To the statement "But GitHub can't be sure that there aren't more mass assignment problems in their source code waiting to be discovered." I say brakemanscanner.org. It is not an absolute, but it is the only static code analysis tool built for Rails. The GitHub folks should be using it to scan their code. It's free. It's good.

postmodern (http://postmodern.github.com/), 2012-03-07T05:44:16-05:00:
You forgot to mention how the Rails core team and the community are responding to this issue.

Rails has changed the generators to enable whitelisting of attributes by default:
https://github.com/rails/rails/commit/06a3a8a458e70c1b6531ac53c57a302b162fd736

Yehuda Katz (of the great Rails 3 refactoring fame) also proposed a more thorough solution which sparked an interesting discussion:
https://gist.github.com/1974187

Anonymous, 2012-03-07T00:15:26-05:00:
I am just wondering: does this issue lie in the Python framework "Django" like Rails?

Stoune, 2012-03-06T17:25:58-05:00:
There are two ways to build system security:
- All denied by default, and you should explicitly enable the features which you want. This is how most OSes (any Linux distribution, FreeBSD, Windows 2008 Server) were built. This is how any serious production system should be built.
- All enabled by default. This is how Rails is developed. And it is very sad to hear that Rails developers can't understand such basics. Rails is a very good product, but with such aggressive denial of fault their developers and their community put themselves into an awkward situation.

Raymond Forbes, 2012-03-06T17:14:44-05:00:
The fix I mentioned should not break any sites at all. The generator is invoked whenever a new app is created. This would mean any new app would be more protected. Doesn't solve the problem for old apps, however.

Robert Graham, 2012-03-06T16:47:29-05:00:
Raymond Forbes: "It seems like this is a really easy fix for the Rails team"

It is really easy, fixing it just as you describe.

But they don't think it's their problem, and it would break a lot of websites -- insecure websites.

Thus, I doubt they will fix it, at least, not until the next major version (a point when people expect old code to break).

Raymond Forbes, 2012-03-06T16:15:07-05:00:
So, I am not sure it is fair to call this a blacklist problem. It is easy to whitelist fields in the model using attr_accessible. In fact, most Rails tutorials and books show the use of this method. If you add attr_accessible to the model, at that point none of the fields are available through mass assignment. Anything that needs to be assigned through a form would then need to be explicitly passed to the model.

It seems like this is a really easy fix for the Rails team, if they wanted, and that is to add attr_accessible to the model generator with no fields passed to it and require the developer to define what fields to include.

Cliff Wells, 2012-03-06T14:25:32-05:00:
I'm sure the same crowd who uses RoR specifically because it "makes things easy" is the exact same crowd who will carefully craft their code to avoid this security hole.

That makes perfect sense. After all, making it 10% easier to write a web app while making it 90% harder to secure is a good trade-off.

Robert Graham, 2012-03-06T14:23:41-05:00:
It is a Rails problem.

As I explained in my post, mass assignment makes it easy to create insecure sites, but makes it much harder to create a secure site.

I can remove all the safeties from a gun, and this will make the gun easier to shoot -- but it will also make the gun too dangerous to own.

The only sane implementation is to force the developer to declare which values can be mass assignable, rather than declaring which cannot be. Until that changes, Rails mass assignment bugs will be a constant source of hacks.

As for the first sentence, the issue isn't that we should be concerned with all possible issues, or even all of the OWASP Top 10, but you'd be a fool to ignore the OWASP Top 4. This issue is #4, and really needs to be fixed.

Marc, 2012-03-06T13:08:17-05:00:
That's like saying: OMG I'll never program anything on Android because an app had a security issue!

FYI, the issue is not Rails', it was GitHub's. Rails allows mass assignment by default in order to make things easy, but it's the developer who has to restrict which attributes the final user can modify. So if you, as a developer, allow the final user to modify the "admin" flag, it's your fault, not the framework you're using.

Don't blame Rails for that. Inform yourself. Learn some Rails before commenting on such things, please.

Thank you.
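An added example, constructed here and not code from the post, from any commenter, or from Rails itself: a tiny stand-in model (assumed class names, no ActiveRecord) that shows the whitelist Raymond Forbes and Robert Graham describe. Without attr_accessible a posted "admin" key reaches the record; with it the key is dropped, or rejected in a strict mode so the attempt is visible in tests and logs.

```ruby
# Constructed stand-in for an ActiveRecord model (no Rails needed): shows why
# a whitelist (attr_accessible) is the safe default for mass assignment.
class MassAssignmentError < StandardError; end

class Model
  # Rails-style whitelist; nil means "no whitelist declared" (the old default).
  def self.attr_accessible(*names)
    @accessible = names.map(&:to_s)
  end

  def self.accessible
    @accessible
  end

  def initialize(params = {}, strict: false)
    @attrs = { "admin" => false }
    assign_attributes(params, strict: strict)
  end

  # Mass assignment from request params. Without a whitelist every key is
  # written, admin included. With one, undeclared keys are dropped or, in
  # strict mode, raise so the attempt shows up in tests and logs.
  def assign_attributes(params, strict: false)
    allowed = self.class.accessible
    params.each do |k, v|
      k = k.to_s
      if allowed.nil? || allowed.include?(k)
        @attrs[k] = v
      elsif strict
        raise MassAssignmentError, "attribute #{k} is not accessible"
      end
    end
    self
  end

  def [](name)
    @attrs[name.to_s]
  end
end

# Insecure default: no whitelist, so any posted key reaches the record.
class OpenUser < Model; end

# Hardened model: only name and email may be mass assigned.
class SafeUser < Model
  attr_accessible :name, :email
end

# Constructed params containing a key the sign-up form never exposed.
PARAMS = { "name" => "mallory", "email" => "m@example.com", "admin" => true }

# Returns the admin flag after mass assignment for the open and safe models.
def admin_flags
  [OpenUser.new(PARAMS)["admin"], SafeUser.new(PARAMS)["admin"]]
end
```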