Recently in Ruby On Rails Category
It was the Scotland on Rails 2009 conference on Friday/Saturday of last week. A great couple of days with loads of interesting Ruby and Rails talks (I'm planning more of a recap once the videos are out).
I presented on Web Application Security (slides here), which seemed to go down reasonably well.
One of the main themes of my presentation was that, whilst Rails provides a variety of mechanisms to help developers create secure applications, it still leaves a lot to the individual to think about, and relies on developers actually applying the protection that it provides.
One major example of this is Rails' default protection mechanism against XSS, which is the h() function. This HTML-encodes the contents of the argument passed to it. This is an effective defence against XSS, but it relies on developers using it consistently on every piece of untrusted output, which can be tricky to remember.
There are a couple of potential ways of improving this situation with plugins.
The Safe ERB plugin is designed to help developers by raising an exception when information pulled from an ActiveRecord model is displayed in a view without h() being used.
The other way to approach the problem of XSS is to validate input when it's passed to the application. There are a number of Rails plugins which take this approach, including Sanitize Params and XSS Terminate.
I'm doing some research at the moment for a presentation I'm doing for the Scotland on Rails conference, later this month. As part of that I've been downloading some sample Rails applications to get an idea of common security issues that I can discuss.
Interestingly, of the popular applications that I've downloaded so far, I'm 2 for 2 on the exact same problem.
Both of them have XSS vulnerabilities that travel from the user-facing side of the site into the admin side. So the end-user pages have output encoding to restrict XSS, but the admin sections don't consistently provide the same protection.
It's also interesting that both applications seem to be relying on output encoding as a defence as opposed to input validation. In my experience the best defence is a combination of the two...
Of course that leads to some potentially nasty exploits around stealing admin credentials from the site in question. Hey looks like I'll have some stuff to talk about anyway :)
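As an added example covering both the h() output encoding from the talk above and the inconsistently protected admin views in this post (not code from the original posts, from Rails, or from the Safe ERB plugin): a stand-in h() helper applied to a constructed untrusted display name, alongside a crude static sweep in the spirit of Safe ERB that lists <%= %> output tags not wrapped in h(). The h helper and the scan heuristic are assumptions for a stand-alone demo.

```ruby
require "erb"
require "cgi"

# Stand-in for Rails' h() view helper (assumption for this stand-alone demo):
# HTML-encode untrusted text so the browser renders it as text, not markup.
def h(text)
  CGI.escapeHTML(text.to_s)
end

# Two constructed ERB views: one forgets h(), one uses it.
UNSAFE_VIEW = "<p>Welcome, <%= name %></p>"
SAFE_VIEW   = "<p>Welcome, <%= h(name) %></p>"

# Constructed untrusted input: a user-chosen display name carrying markup.
MARKUP_NAME = "<b>Bob</b>"

# Render a view with `name` bound, the way a controller hands data to a view.
def render_view(template, name)
  ERB.new(template).result(binding)
end

# Crude static check in the spirit of the Safe ERB plugin (a heuristic, not
# its implementation): list every <%= ... %> expression not wrapped in h().
# Handy for sweeping admin views that never got the same care as the
# public-facing ones.
def unescaped_outputs(template)
  template.scan(/<%=\s*(.*?)\s*%>/m).flatten.reject { |expr| expr =~ /\Ah\(/ }
end

if __FILE__ == $0
  puts render_view(UNSAFE_VIEW, MARKUP_NAME)  # markup survives into the page
  puts render_view(SAFE_VIEW, MARKUP_NAME)    # markup is encoded
  p unescaped_outputs(UNSAFE_VIEW)            # ["name"]
  p unescaped_outputs(SAFE_VIEW)              # []
end
```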
Ever gone looking for some insight into your latest rails conundrum and ended up finding answers for the wrong language that mention ruby elsewhere in the page? I know I have.
Here's an interesting new beta project from Google launched today, which allows you to create custom search engines that focus on a given topic area by customising which sites are indexed as part of the search.
I think that this could be really useful for targeted searches as it can cut out a lot of the "spam" and other less relevant sites from the search results. Also while you can get the same effect by using the site: parameter, doing that about 20 or 30 times per search doesn't really appeal.
So here's a Ruby on Rails Search. At the moment it's based on some sites which I use (list below), but if there are other ones that anyone would like to see included, just leave a comment, or volunteer to help out on the search engine front page.
edit: Looks like quite a few people in the RoR community had this idea.... so rather than have lots of different searches doing the same thing I've removed my one.
But if you're looking for a RoR search engine head over here to the Ruby Inside Search Engine
Site Listing
SimpleConsole - Building Console Apps
Interesting-looking idea. I know that a lot of the work I do tends to revolve around writing little command-line scripts, so anything that helps with that can only be a good thing.
Re: (newbie) Why doesn't this line work?
Every time I work on my app, I feel like I learn something new about every 30 minutes...
This time it was that the :confirm parameter on link_to (which pops up a confirmation box when you click a link) is an HTML option and thus needs to go in the separate html_options hash, with syntax like
<%= link_to "delete", {:action => "delete", :id => @item.id}, {:confirm => 'Are you sure?'} %>
Riding Rails: Associations aren't :dependent => true anymore
Some useful info about how :dependent works in Rails 1.1+. Handy if you've got items that are dependent on one another and want to get rid of the child objects when you delete the parent.
The other part of this post is a continuation of something I touched on before. Ruby on Rails is great, but it really moves too fast for print books. This is a good example.
In my copy of Ruby on Rails: Up and running, the bit on cascading relationships says that you specify :dependent => :true , however that doesn't work (as I found out when I tried it), cue 10 minutes of searching around for the answer which led to the post above.
Now this is probably the most recent book published about RoR and I only got my copy about 3 weeks ago, but I've found more than a couple of areas which don't match up with my rails deployment and I'm not even using Edge rails!
