LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

GitHub incidents spawns Rails security debate

GitHub incidents spawns Rails security debate

Posted Mar 10, 2012 3:59 UTC (Sat) by kjm (subscriber, #4552)
In reply to: GitHub incidents spawns Rails security debate by bronson
Parent article: GitHub incidents spawns Rails security debate

> What else are you going to do, ignore user input?

You can selectively grab the fields you are expecting (for this request and account privilege level), validate them as necessary, and assign them, one by one, to the record.

> Overall, Rails has done such an excellent job of this that lots
> of other web frameworks are basically copying everything they do.

The Rails community has historically has been hostile to people pointing out bad security design decisions. I'm skeptical this new development will change anything.

A few years ago, there were similar questions about why Rails doesn't HTML-escape by default. The response was that it would break the entire framework and that you "just" need to remember to escape everywhere. Totally naive. Fortunately the world didn't end when Merb was merged and escaping by default was added.

While white-listing is easier than HTML-escaping everywhere, it involves work (and thought). Not to mention how you deal with different account privilege levels when you white-list at the database layer.

> Most rails sites don't even use mass assignment.

If you think mass-assignment isn't rampant, just look in the PragProg Rails book, or search the internet for tutorials. The examples everywhere show using mass assignment to create and update objects. The generated templates use it. GitHub obviously did too. Typing @foo.update_attributes(params[:foo]) is too easy, and you have to dig to find any mention of the security issues with it. Well, until now that is.

(Log in to post comments)

GitHub incidents spawns Rails security debate

Posted Mar 26, 2012 22:00 UTC (Mon) by bronson (subscriber, #4806) [Link]

Back in the day, the fact that you didn't have to have acres of

foo.address = params['foo']['address']
foo.city = params['foo']['city']
foo.state = params['foo']['state']

was one of the main selling points of Rails. It's not easy to draw the line between convenience and safety; sometimes you trip up. Despite Rails getting whitelisted-by-default wrong, it's still one of the most popular web platforms and Rails sites have a reputation for security... This just doesn't seem to be that big a deal.

That PragProg book is so full of bad ideas (spaghetti helpers, unhelpful tests, etc) that it's frustrating that people take it as the canonical guide. I haven't looked at it in years but, if it STILL doesn't mention mass assignment, then I guess that's sadly not surprising. If I could wave my magic wand and make it disappear I would. (except that it might replaced by something even more bizarre and contrived...)

Most example code is also missing error handling, unit tests, and other essentials. Just because it doesn't explicitly include whitelisting, I doubt that implies that most apps don't either.

Rails was hardly the only framework to get escaped-by-default wrong, and they (unlike some) take backward compatibility quite seriously. That's why they released a gem for those who needed it in 2.x, and waited until 3.0 before forcing it on everyone. I'd say this is a success story, no?

Strange that I'm the Rails apologist here. Normally I'm the one slagging the core team for being so out of touch (especially re RJS and Prototype vs jQuery).

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds