was one of the main selling points of Rails. It's not easy to draw the line between convenience and safety; sometimes you trip up. Despite Rails getting whitelisted-by-default wrong, it's still one of the most popular web platforms and Rails sites have a reputation for security... This just doesn't seem to be that big a deal.
That PragProg book is so full of bad ideas (spaghetti helpers, unhelpful tests, etc.) that it's frustrating that people take it as the canonical guide. I haven't looked at it in years but, if it STILL doesn't mention mass assignment, then I guess that's sadly not surprising. If I could wave my magic wand and make it disappear I would. (Except that it might be replaced by something even more bizarre and contrived...)
Most example code is also missing error handling, unit tests, and other essentials. Just because it doesn't explicitly include whitelisting, I doubt that implies that most apps don't either.
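To make the mass-assignment problem the comments above are arguing about concrete, here is an added example (not code from the thread, the PragProg book, or Rails itself). It uses a plain Ruby class standing in for an ActiveRecord model; `assign_unfiltered` mimics what a bare `User.new(params[:user])` did with no `attr_accessible` whitelist, and `assign_whitelisted` mimics the whitelist. The request hash is constructed, and the `admin` attribute and `ACCESSIBLE` list are assumptions for illustration.

```ruby
require 'set'

# Minimal stand-in for an ActiveRecord model (assumption: no Rails loaded).
class User
  attr_accessor :name, :email, :admin

  # Only these may be set from client input; modelled on attr_accessible /
  # strong parameters' permit. 'admin' is deliberately absent.
  ACCESSIBLE = Set.new(%w[name email]).freeze

  def initialize
    @name = nil
    @email = nil
    @admin = false
  end

  # Vulnerable: writes every key the client sends, as long as a setter exists.
  # This is the behaviour of mass assignment with no whitelist.
  def assign_unfiltered(attrs)
    attrs.each do |key, value|
      setter = "#{key}="
      public_send(setter, value) if respond_to?(setter)
    end
    self
  end

  # Hardened: unknown or protected keys are silently dropped, never written.
  def assign_whitelisted(attrs)
    attrs.each do |key, value|
      public_send("#{key}=", value) if ACCESSIBLE.include?(key.to_s)
    end
    self
  end
end

# Constructed request body: an ordinary signup form plus a smuggled admin flag
# (the attacker just adds user[admin]=true to the POST).
TAMPERED_PARAMS = {
  'name'  => 'mallory',
  'email' => 'mallory@example.com',
  'admin' => true
}.freeze

def unfiltered_user(params = TAMPERED_PARAMS)
  User.new.assign_unfiltered(params)
end

def whitelisted_user(params = TAMPERED_PARAMS)
  User.new.assign_whitelisted(params)
end

if __FILE__ == $PROGRAM_NAME
  puts "unfiltered:  admin=#{unfiltered_user.admin}"  # true: privilege escalation
  puts "whitelisted: admin=#{whitelisted_user.admin}" # false: flag ignored
end
```

The point of the whitelist form is that the model, not the controller or the view, decides which attributes a request may touch, so a new sensitive column is protected until someone explicitly adds it to the list.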
Rails was hardly the only framework to get escaped-by-default wrong, and they (unlike some) take backward compatibility quite seriously. That's why they released a gem for those who needed it in 2.x, and waited until 3.0 before forcing it on everyone. I'd say this is a success story, no?
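As an added illustration of the escaped-by-default change mentioned above (this is not code from the thread or from Rails; it is a tiny stand-in for the view layer), the renderer below shows the two behaviours side by side: 2.x-style raw interpolation, and 3.0-style escaping of everything that has not been explicitly marked safe. The `{{name}}` template syntax, the `SafeString` class and the sample payload are all constructed for this example; the real Rails mechanism is `ActiveSupport::SafeBuffer` and `html_safe`, which this only imitates.

```ruby
require 'erb'

# Stand-in for a string the developer has vouched for (Rails: String#html_safe).
class SafeString < String; end

module View
  PLACEHOLDER = /\{\{(\w+)\}\}/

  # Marks a string as trusted HTML so the escaping renderer passes it through.
  def self.html_safe(str)
    SafeString.new(str)
  end

  # Rails 2.x behaviour: interpolated values land in the page unchanged;
  # escaping was opt-in via h() and easy to forget.
  def self.render_unescaped(template, locals)
    template.gsub(PLACEHOLDER) { locals.fetch(Regexp.last_match(1)).to_s }
  end

  # Rails 3.0 behaviour (and the rails_xss gem on 2.3): everything is escaped
  # unless it was explicitly marked safe, so forgetting h() is no longer a bug.
  def self.render_escaped(template, locals)
    template.gsub(PLACEHOLDER) do
      value = locals.fetch(Regexp.last_match(1))
      value.is_a?(SafeString) ? value.to_s : ERB::Util.html_escape(value.to_s)
    end
  end
end

# Constructed template and user-supplied comment body.
TEMPLATE = '<p>{{comment}}</p>'.freeze
PAYLOAD  = '<script>alert(1)</script>'.freeze

if __FILE__ == $PROGRAM_NAME
  puts View.render_unescaped(TEMPLATE, 'comment' => PAYLOAD)
  puts View.render_escaped(TEMPLATE, 'comment' => PAYLOAD)
  puts View.render_escaped(TEMPLATE, 'comment' => View.html_safe('<b>trusted</b>'))
end
```

The backward-compatibility cost is visible in the third call: any existing helper that built HTML by string concatenation has to be audited and marked safe, which is exactly the migration work the 2.x gem let people do ahead of 3.0.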
Strange that I'm the Rails apologist here. Normally I'm the one slagging the core team for being so out of touch (especially re RJS and Prototype vs jQuery).