Tuesday, January 29, 2013

Rant on Rails

This isn't going to be particularly interesting, or make a whole lot of sense, to a lot of people. Probably best to just ignore it.

Over the last couple of weeks, there have been two major vulnerabilities identified in the parameter-parsing in Ruby on Rails - first in the YAML, then in the JSON bit. I don't really understand the ins and outs of it myself, but essentially it allows a malicious user to run unapproved code by forcing the Rails app to read input as if it was an object created in the application. This has knock-on risks for the database, which obviously isn't ideal.

Upgrading recent Rails apps is pretty straightforward; you just update your Gemfile to point to the new Rails gem, then bundle install and deploy your app.

One of our sites, however, runs an ancient version of Rails on an ancient version of Ruby - so old that I can't actually get it working right on my own PC at work. And that's without even trying to update Rails.

Long story short, I spent pretty much all of today trying to get things working on my own machine, and didn't get anywhere. I attempted to use a simpler solution to the problem on the live server, but that went horribly wrong and I had to roll it back pretty quickly.

I'm still not sure how I'm going to get this problem sorted. I don't think my preferred solution is going to be acceptable given the number of our customers who would flip out if this particular offering was to disappear - but it's getting so very, very tempting.