
Don't blindly rely on a framework



I know there was quite some buzz about Ruby last year or so, and I wonder how many of you actually tried it. Well, even if Ruby or Rails offer some interesting things, it's ALWAYS important to understand what the framework offers and what the pitfalls are. Sadly no software is 100% secure, so it's up to us coders to ensure that we understand what we do before we get hacked... if possible.

The last news I got is: GitHub hacked... and this via one of the most common hacks with Ruby. Basically Ruby on Rails automatically defines some "interface" between the database and your objects, and if you don't specify whether some stuff is accessible or not, it will all be accessible via the web. Without any control. The sad news is that it seems most software developed with Ruby is vulnerable to this, in the sense that you could end up giving commands you should not, like

update users set role='admin'

Why? Because Ruby tries to make your life easy and gives access to all fields of your table automatically, unless you define it otherwise. And if you don't control the kind of operations like "update all", then all is allowed. So by default Ruby allows all... and you as coder have to restrict it.

Is that a failure for Ruby? No, however it shows how hard it is for developers to grab the information of what's going on and how something can be secure or not. It's exactly the same issue we have with PHP and the tons of SQL injections / XSS hacks.

I doubt any framework is 100% secure by itself, so it's our job as developers to try to understand what's going on and how we can prevent those. Yet with frameworks getting more and more complex every day, I wonder if we are not simply heading into a situation where people will simply stop understanding what they are doing... and this Ruby story seems to show exactly that.

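The behaviour the post describes is what Rails calls mass assignment: a model built from the raw request hash takes every field the client sent, including ones the form never exposed. The example below is added here to illustrate that; it is not code from the original post, from GitHub, or from Rails itself. It stands in for an ActiveRecord model with a plain Ruby class (the User class, its field list and the PARAMS request hash are all constructed for this example), so it runs without Rails. The vulnerable version assigns whatever the client posted; the hardened version applies an allow-list, which is the idea behind the attr_accessible declaration Rails offered at the time and the strong parameters that later replaced it.

```ruby
# Minimal stand-in for an ActiveRecord-style model (constructed for this
# example, not Rails code): every key in the incoming hash that matches a
# column becomes an attribute, exactly the "all fields accessible by default"
# behaviour the post describes.
class User
  ATTRIBUTES = %i[name email role].freeze
  attr_reader(*ATTRIBUTES)

  def initialize(attrs = {})
    @name = nil
    @email = nil
    @role = "user"          # the default a signup form is supposed to leave alone
    assign(attrs)
  end

  # Vulnerable: trusts every key the client sent. A 'role' key in the POST
  # body lands in the column, which is how a normal user becomes an admin.
  def assign(attrs)
    attrs.each do |key, value|
      key = key.to_sym
      next unless ATTRIBUTES.include?(key)
      instance_variable_set("@#{key}", value)
    end
    self
  end
end

# Hardened: only fields on an explicit allow-list reach the model; anything
# else is dropped and reported. Rails' attr_accessible / strong parameters
# implement the same rule inside the framework.
class SafeUser < User
  ACCESSIBLE = %i[name email].freeze

  def assign(attrs)
    permitted = attrs.select { |k, _| ACCESSIBLE.include?(k.to_sym) }
    rejected  = attrs.keys.map(&:to_sym) - ACCESSIBLE
    warn "rejected protected attributes: #{rejected.join(', ')}" unless rejected.empty?
    super(permitted)
  end
end

# Constructed request body, as a signup form or JSON post would arrive after
# the client edited it: the 'role' key was never offered by the form.
PARAMS = { "name" => "mallory", "email" => "m@example.com", "role" => "admin" }.freeze

def vulnerable_signup(params = PARAMS)
  User.new(params)
end

def hardened_signup(params = PARAMS)
  SafeUser.new(params)
end

if __FILE__ == $0
  puts "vulnerable role: #{vulnerable_signup.role}"   # admin
  puts "hardened role:   #{hardened_signup.role}"     # user
end
```

The point to take from the two classes is that the allow-list lives in the model, not in the form: a client can always add keys to a request, so the only place the restriction holds is where the attributes are written.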

Ruby has its advantages over other languages, just like it also has its downfalls.

To those who want to read about the GitHub hack, read here: http://www.extremetech.com/computing/120981-github-hacked-millions-of-projects-at-risk-of-being-modified-or-deleted

And the issue a_bertrand talked about in detail is here: https://github.com/rails/rails/issues/5228

Most mainstream languages are secure, it's just the developers that fail to implement certain features effectively.

Even a compiled language like C is threatened by attackers.

The only failure point in insecure applications is the developers themselves.

Luckily the damage to GitHub was very limited.

Good post, Alain.
