a_bertrand Posted March 6, 2012

I know there was quite some buzz about Ruby last year or so, and I wonder how many of you actually tried it. Well, even if Ruby or Rails offer some interesting things, it's ALWAYS important to understand what the framework offers and what the pitfalls are. Sadly no software is 100% secure, so it's up to us coders to ensure that we understand what we do before we get hacked... if possible.

The last news I got is: github hacked... and this via one of the most common hacks with Ruby. Basically Ruby on Rails automatically defines some "interface" between the database and your objects, and if you don't specify whether some stuff is accessible or not, it will all be accessible via the web. Without any control. The sad news is that it seems most software developed with Ruby is vulnerable to this, in the sense that you could end up giving commands you should not, like update users set role='admin'

Why? Because Ruby tries to make your life easy and gives access to all fields of your table automatically, unless you define it otherwise. And if you don't control the kind of operations like "update all", then all is allowed. So by default Ruby allows all... and you as coder have to restrict it.

Is that a failure for Ruby? No, however it shows how hard it is for developers to grab the information of what's going on and how something can be secure or not. It's exactly the same issue we have with PHP and the tons of SQL injection / XSS hacks. I doubt any framework is 100% secure by itself, so it's our job as developers to try to understand what's going on and how we can prevent those. Yet with frameworks being more and more complex every day, I wonder if we are not simply heading into a situation where people will simply stop understanding what they are doing... and this Ruby story seems to show exactly that.
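To make the "all fields accessible unless you define it otherwise" behaviour concrete, here is an added example (not from the thread, and not Rails code): a minimal plain-Ruby model that mimics mass assignment, first copying every submitted key onto the record, then restricted to an explicit whitelist the way attr_accessible (and later strong parameters) do in Rails. The attribute names and the request body are constructed for the example.

```ruby
# Added example, not Rails itself: a plain-Ruby model that mimics Rails'
# mass assignment so the pitfall the thread discusses runs without Rails.
# Assumption: the model has `name`, `email` and `role`; params come
# straight from an untrusted form body.

class User
  attr_accessor :name, :email, :role

  def initialize
    @role = "user"                # every new account starts unprivileged
  end

  # Unsafe: copies every key from params onto the object, i.e. "all
  # fields accessible unless you say otherwise". A `role` key sent with
  # the request lands on the record like any other field.
  def assign_all(params)
    params.each { |key, value| public_send("#{key}=", value) }
    self
  end

  # Fixed: an explicit whitelist. Keys outside it are dropped and
  # returned so the caller can log the rejected attempt.
  PERMITTED = %w[name email].freeze

  def assign_permitted(params)
    rejected = params.keys.map(&:to_s) - PERMITTED
    params.each do |key, value|
      next unless PERMITTED.include?(key.to_s)
      public_send("#{key}=", value)
    end
    warn "mass-assignment blocked: #{rejected.join(', ')}" unless rejected.empty?
    [self, rejected]
  end
end

# Constructed request body: a normal profile edit plus a field the form
# never sends but which any client can add to the request.
TAMPERED_PARAMS = { "name" => "alice", "email" => "a@example.com", "role" => "admin" }.freeze

def unsafe_update
  User.new.assign_all(TAMPERED_PARAMS).role      # => "admin"
end

def safe_update
  user, rejected = User.new.assign_permitted(TAMPERED_PARAMS)
  [user.role, rejected]                          # => ["user", ["role"]]
end
```

The rejected-key list is what you would want in a log or alert: a request carrying attributes the form never exposes is worth noticing even when the whitelist already blocks it.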
Spudinski Posted March 7, 2012

Ruby has its advantages over other languages, just like it also has its downfalls. To those who want to read about the Github hack, read here: http://www.extremetech.com/computing/120981-github-hacked-millions-of-projects-at-risk-of-being-modified-or-deleted And the issue a_bertrand talked about in detail is here: https://github.com/rails/rails/issues/5228

Most mainstream languages are secure, it's just the developers that fail to implement certain features effectively. Even a compiled language like C is threatened by attackers. The only failure point in an insecure application is the developers themselves. Luckily the damage to Github was very limited. Good post, Alain.