Minor Changes to the Rails Security Policy

After reviewing the feedback on the two recent security announcements we’ve made a few minor changes to the Ruby on Rails security policy.

The first change we’ve made is to include more information on what to do if you don’t receive a response from the security team. In general reports to the security address should receive a response within 24 hours, however the sheer volume of spam to the address can, and has, lead to messages being caught in spam filters. In the event you don’t receive a response there are now two direct-emails to the people currently looking after security reports. That page will be kept up to date as responsibilities are reassigned.

The second change is to more clearly outline the announcement policy for rails vulnerabilities. In short, we notify vendor-sec ahead of the public notification to allow time for people distributing rails to prepare packages for their distributions. Then when the time has come for public notification an email is sent to the security announcement list. Finally the announcement is posted to this blog.

The security announcement list is extremely low volume and you’re strongly suggested to subscribe to it. This is the place which receives the first public announcements of all vulnerabilities in Rails, and also tends to receive additional notifications about vulnerabilities in ruby itself. We’ve been using this list for several years but judging by confusion and misinformed comments following the announcement of CVE-2009-1904, not enough people were aware of its existence.

If you have any comments on the security policy, please send them via email to security@rubyonrails.org.

Community Highlights: Ruby Heroes

This week I’m happy to tell you about a new set of articles which will be appearing here on the Rails blog called “Community Highlights”. This new series will feature people/projects/sites from the Rails community that may deserve a little extra recognition.

This week, we’re going to start with a few people who received awards on stage at Railsconf 2009, this years Ruby Heroes.

Brian Helmkamp

Brian has been a contributing member of the Ruby community for 4 years now, but is most well known for his testing library Webrat. He’s a contributer to Rails, RSpec, Rubinius, and is a co-author on the recent RSpec Book. More recently he’s been helping out the Rails core team with Rack:Test, and Rack:Debug.

His Blog: http://www.brynary.com/
Twitter: brynary

Aman Gupta

Aman has taken over the maintenance, new features, and the recent releases of EventMachine, which is an invaluable tool for writing fast ruby applications. He’s also the author behind amqp & xmpp4em gems which are deployed far and wide.

Github: http://github.com/tmm1
Twitter: tmm1

Luis Lavena

Luis has done a lot for the Ruby community in Argentina, but he’s most well known in our community for the work he’s done for windows users maintaining the One-Click Ruby Installer. Recently he’s put up a Plegie to help get the windows installer a new home.

His Blog: http://blog.mmediasys.com/
Twitter: luislavena

Pat Allan

Pat is the mastermind behind Thinking Sphinx which has become a standard when it comes to full-text search in Rails. He is also the author of the excellent Thinking Sphinx PDF book and one of the founders of Railscamp, where I hear he makes some killer pancakes.

His Blog: http://freelancing-gods.com/
Twitter: Pat

Dan Kubb

Dan been tirelessly working on one of the hardest Ruby projects around, DataMapper. He became the official maintainer after Sam Smoot and since then has completely rewritten the test suite to give DataMapper better coverage, has come up with a viable path to completion, and is currently working on making sure DataMapper works great with Rails 3.

Github: http://github.com/dkubb
Twitter: dkubb

John Nunemaker

Although John Nunemaker has released several widely used open source libraries, like HTTParty and HappyMapper, his main contribution in my opinion comes from his blog Rails Tips. Over the past year he’s written an incredible number educational blog posts on many Ruby and Rails topics.

RailsTips: http://railstips.org/
Twitter: jnunemaker

Those are your six Ruby Hero’s for 2009. If you’re interested you can also watch a video of the award ceremony which talks more about the methodology about how they were chosen and see 5 of these guys receive their awards on stage at Railsconf 2009.

DoS Vulnerability in Ruby

A Denial of Service vulnerability has been found and fixed in ruby. The vulnerability is due to the BigDecimal method mishandling certain large input values and can cause the interpreter to crash. This could be used by an attacker to crash any ruby program which creates BigDecimal objects based on user input, including almost every Rails application. This vulnerability has been assigned the CVE name CVE-2009-1904.

For upgrade instructions and information on affected ruby versions please see the ruby security team’s announcement.

All users are advised to upgrade their ruby installations immediately to avoid this problem. In the event that you are unable to upgrade your ruby installation, or are using an out-of-maintenance ruby version, there is a workaround available on github. You can either install it as a gem, or simply copy the file bigdecimal-segfault-fix.rb into config/initializers of your rails application.

NOTE: this workaround breaks valid formats supported by BigDecimal, users should not rely on this fix for an extended period of time but should instead immediately begin planning a migration to a supported ruby release.

The upcoming Rails 2.3.3 release will include some minor mitigating changes to reduce some potential attack vectors for this vulnerability. However these mitigations will not close every potential method of attack and users should still upgrade their ruby installation as soon as possible.

Thanks to Jose Fernández for reporting the vulnerability to the rails security team, and to the ruby security team for confirming the nature of the bug and handling the release process.

Security Problem with authenticate_with_http_digest

A security problem has been reported with the digest authentication code in Ruby on Rails. This vulnerability can allow users to bypass your password protection. This vulnerability has been publicly disclosed on several websites, users are advised to take the mitigating steps described below immediately.

The issue comes from the handling of the block passed to authenticate_or_request_with_http_digest. This block must return the user’s password in the clear, or a sha1 hash of the user’s password. Unfortunately the documentation was unclear on this and the examples cited would return nil if the user was not found. The correct behaviour if the user doesn’t exist is to return false.

If the return value was nil, rails proceeded to verify this value against the provided password. Because of this an attacker can provide an invalid username and no password and authentication will succeed.

Fixed Versions

We have altered the behaviour of the relevant code to make nil an authentication failure. This fix has been pushed to 2-3-stable and will be present in 2.3.3 due to be released in the next few days. All versions of edge rails after commit 1ad57cfe2fbda58439e4b7f84008ad23bc68e8b0 contain the fix.

Steps to Protect your application.

Users can protect themselves without upgrading by simply ensuring that their authentication blocks never return nil. To take an example from the documentation:

authenticate_or_request_with_http_digest(REALM) do |username| USERS[username] end

Should instead be something like:

authenticate_or_request_with_http_digest(REALM) do |username| USERS[username] || false end

Disclosure Notes

Due to communication difficulties and a mis-understanding between the reporter and the security team. This vulnerability has been publicly disclosed on several websites, users are advised to update their applications immediately. Steps are being taken to ensure that the security email is more reliable in the future. We regret the nature of this disclosure and will endeavor to ensure it doesn’t happen again in the future.

Community feedback for the future of Rails

A few months ago, we announced the creation of a “forum” to discuss the future of Rails and what the community is interested in. Since then, many important suggestions/topics were addressed, many features were completed or started. My goal in this post is to give you a quick overview on the status of the uservoice forum.

rails uservoice

##Suggestions mentioned and completed:

  • Nested Model forms This is something that was actually started before we put the forum together and this feature is now available since Rails 2.3.x

  • Rails magazine Olimpiu Metiu already released two issues of his Rails Magazine. The PDF versions are available for free but you can also purchase the print version.

  • Better Wiki A lot of people have put efforts in building the new wiki and I’m sure a lot more content will be provided. We have also made the wiki available for translation.

##Accepted/started suggestions:

  • Improved performance This is something that already started in the Rails3 branch, go check the work done by Josh, Yehuda, Carl and others to make Rails perform even better.

  • Public and plugin API This is something that’s particularly important for 3rd party developers and therefore plugin users. There is still a lot of work to be done with 3rd party developers and “advanced users” before we can get a fixed API. However, once we will have this API, Rails updates and plugin compatibility should be much smoother.

  • Slices/Engine Rails 2.3 came with the ability to have engines in your plugins and if you were at RailsConf, you might have attended Yehuda and Carl’s talk on mountable apps. Thanks to some work done on the router and Action Controller, you should be able to mount a Rails app inside another one sometime in the future.

  • Easier to read code The refactoring has already started and the internal code should be cleaner and easier to read. Remember that Rails is 5 years old, such a task isn’t easy.

  • Better support for non relational databases Thanks to Action ORM and some more refactoring, non RDBMS and other data stores will be better supported.

  • Unbind Test::Unit and Prototype Agnosticism is a big theme in Rails 3. Even though, Test::Unit and prototype will be the default, Rails won’t make any assumptions about users using one framework or the other. Watch David’s keynote at RailsConf for more information.

  • Make Action Mailer consistent with regular controllers This task was started as part of the work done on Abstract Controller.

Don’t forget that you can still make your suggestions and/or pick one that is already listed and start working on it!

New code contributor index

Xavier Noria (code) and José Espinal (design) have created an awesome code contributor index for Rails core submissions. It’s being updated automatically every night and tracks the number of commits and which particular commits to individuals in the community. You can even track the commits over time, as in who’s been most active this month.

The site now lives at contributors.rubyonrails.org. Thanks to Xavier and José for putting in the work on this!

Railsconf 2009 in Review

Railsconf wrapped up last week, and I think we all survived Vegas. If you weren’t able to make the conference, there is plenty of video, slides, and blog entries to get a taste of what went on.

First up you can get a summary of the conference by checking out my Railsconf in 34 minutes video. Thanks to O’Reilly you can also watch all the keynotes, the Rails Core panel, the Women in Rails panel, and the Ruby Heroes Award Ceremony. I also put together a few videos during the conference which were played before the Keynotes (Tutorial Day, Tuesday, Wednesday, and a demo of Rubystein thanks to the guys from Phusion).

If you’re looking for written material, the slides are available online and you can find a great list of blogs here which covered the event.

Unfortunately the sessions at the conference weren’t recorded, but we’re really hoping that this is the last year that happens.

More speakers on RailsConf Vegas

RailsConf is going down next week in Vegas. I’m sure it’s going to be a great show and can’t wait to get out there. A few of the presenters have been blogging about the presentations that they’re doing.

Alexander Dymo is doing a session on Advanced Performance Optimization of Rails Applications, Jason Rudolph has one on testing JavaScript in Rails projects, Pat Maddox is talking about dealing with legacy Rails projects, and finally Sean Schofield just has five good reasons to attend the conference.

Check out the entire schedule for the conference and signup if you haven’t already. See you in Vegas!

This Week in Edge Rails

April 18, 2009 – April 24, 2009

Edge Rails has been undergoing major surgery for the past week, as the core team gets ready for a Rails 3.0 alpha release at RailsConf. We saw about 50 commits to the master branch in GitHub this week. Here’s a quick overview of the recent changes.

Rails 2.3.x Changes

Before digging into the changes on the master branch, there were a few things committed to the 2-3-stable branch. If you’re running on 2.3 edge, these are ready for you; they’re also ported to the master branch already.

  • A couple of bugs involving associations with hash conditions have been fixed, notable to make sure that :dependent => :delete will work.
  • The PostgreSQL Active Record adapter now does the right thing if you use tables in non-default schemas. You need to set the table name in your model class, of course: set_table_name 'other_schema.customers' commit
  • Also in the PostgreSQL adapter, a couple of bugs related to wrong quoting of names with capital letters are fixed.

ActionView::Path Refactoring

One major chunk of change in Rails 3 this week comes from the continued work to refactor Action Pack. This time, ActionView::Path was the target. Changes in commit include decoupling ActionView::Path from Action Controller and Action Mailer, which gives us two major benefits. First, consolidating similar code in one place makes it easier to understand and maintain. Second, by abstracting this stuff and giving it an API, we’ll make it possible for other components to participate in the controller layer, beyond mailers and traditional controllers.

There’s also some work here to set up for the future. The plan is to decouple templates from the file system, and to decouple localization from ActionView. Stay tuned!

Pluggable JSON Backends

You may recall that recently Rails went to pluggable XML support. This week, thanks to work from Rick Olson, we have pluggable JSON. This means that you can replace the default YAML-based JSON support with the JSON gem:

ActiveSupport::JSON.backend = "JSONGem"

As part of this change, Rails now uses ActiveSupport::JSON.encode() wherever it needs JSON. This replaces using #to_json, and Rails team is recommending that you do the same. If you do choose to use #to_json, you need to be aware that some libraries might override it. You can use this pattern to make sure that you’re getting Rails’ own definition of #to_json:

gem 'json'
# JSON gem loaded, which overwrites to_json
ActiveSupport::JSON.backend = "JSONGem"

class ActiveRecord::Base
  # replace the gem's to_json with Rails' own to_json
  alias to_json rails_to_json

Active Support à la carte

In Rails 2.x, require "active_support" pulls in all core extensions at once. In Rails 3, require "active_support" only makes the extensions available; you have to explicitly require those you wish to use. Many of this week’s changes were concerned with breaking up Active Support so you can take just what you need and nothing more.

The end result is that it’s easy to cherry-pick features from Active Support without feeling like you’ve invited a portly gentleman for a piggyback ride. As an added bonus, all core extension documentation is now consolidated in one place: the core class. You don’t have to go poking around every extension module to find a method.

Internally, the core extensions have been reorganized so they can be directly required without assuming all of Active Support is available. Want inflections like "car".pluralize? require "active_support/core_ext/string/inflections" and you’ve got them. Note: the implementation and organization will change as we settle on the best way to provide core extensions.

Other Edge Changes

  • The Rails extension to Pathname was dropped, since it was only used in one spot in the code. commit
  • Support for the DRb cache store has been removed. commit
  • The sqlite Adapter joins the PostgreSQL adapter in supporting microsecond resolution. commit

2009 Rails Google Summer of Code Projects

The Google Summer of Code program has announced this year’s funding winners, and Rails has four student slots. Here’s what our students will be working on this summer:

Joshua Peek will be refactoring some of the Rails internals, with the goal of finishing the work on Active Model. The idea behind this particular Rails component is to extract some of the commonalities from Active Record and Active Resource, which in turn will make it easier to maintain the higher-level components and make the more consistent.

Nelson Crespo is planning on adding some Dtrace probes into a Rack module. These probes should make it possible to see what’s going on in a Rails application (or any other Rack-based application) with much finer detail than can be easily retrieved now. When the probes are ready, he’ll be working up some visualizations.

Jose Valim is tackling a rewrite of the Rails generator code. Right now, the generators are tightly-coupled to particular architectural choices; the goal is to make it possible to select, for example, a testing library, an ORM, and a Javascript library when you choose to generate a scaffold, and have the generated code use your preferred pieces.

Emilio Tagua will be working on Active Relation. This is another refactoring of the ActiveRecord code, covering the query generation capabilities. With Active Relation as a separate component, Rails will be better positioned to move towards ORM agnosticism.

We’d like to thank all of the students and mentors who participated in the Summer of Code selection process – it was tough to get down to four projects, considering all the great proposals we had. In particular, we had six runners-up whose proposals were excellent: Carlos Kirkconnell, Florian Gross, Hector Gomez, Ian Ownbey, Luciano Panaro, and Daniel Luz. We’re looking forward to seeing what all of our students bring to Rails this summer, and hope not to lose touch with others who are also excited about the prospects for Rails 3.0.