undefined | Better HN

0 pointsboundlessdreamz14y ago0 comments

Hmm? The vulnerability is in github's code (not open source) and not in rails.

0 comments

It actually looks like the vulnerability is on Rails itself, which Github is built on...

The vulnerability is that Rails is insecure by default. That used to be the case for a lot of things, then finally people noticed how the real world works, and started fixing them. Apparently the Rails developers have actively resisted the lesson everyone else already learned.

boundlessdreamzOP14y ago

The vulnerability is still Github's. Rails provide the tools to do this right. Whether rails should provide stricter defaults is another question altogether.

I was replying to the parent, who attributed this to the power of "open source & eyeballs looking at your code" but this is not such an instance.

nknight14y ago

Lots of projects provided the tools to do lots of things right in years past, but they eventually came to recognize that if they didn't provide secure defaults, they were ultimately harming everyone out of some twisted sense of principle. Insecure defaults are thus now considered a vulnerability in the original project.

rsbrown14y ago

This was not a case of "Rails is insecure by default".

There's very popular idiom in Rails development of updating model data from a form POST/PUT in one line of code in a controller:

my_object.update_attributes(params[:object])

Because many users follow this approach, it made this hack widely exploitable. You can either assign parameters piecemeal in the controller or explicitly set the attr_accessible attributes in the model. There's nothing inherent in Rails that caused this vulnerability, rather it was programming practices by developers.

kijin14y ago

There's a fine line between (1) "insecure by default" and (2) the existence of a very popular idiom that is dangerous unless accompanied by other checks.

Many PHP apps used to rely on register_globals without proper input checking, and when those apps got hacked, it was clearly their their own fault. Just like GitHub is primarily responsible for today's exploit. But that didn't prevent people from calling PHP "insecure by default" for enabling register_globals in the first place.

j / k navigate · click thread line to collapse

0 comments

eddington14y ago

It actually looks like the vulnerability is on Rails itself, which Github is built on...

nknight14y ago

boundlessdreamzOP14y ago

The vulnerability is still Github's. Rails provide the tools to do this right. Whether rails should provide stricter defaults is another question altogether.

I was replying to the parent, who attributed this to the power of "open source & eyeballs looking at your code" but this is not such an instance.

nknight14y ago

rsbrown14y ago

This was not a case of "Rails is insecure by default".

There's very popular idiom in Rails development of updating model data from a form POST/PUT in one line of code in a controller:

my_object.update_attributes(params[:object])

kijin14y ago

There's a fine line between (1) "insecure by default" and (2) the existence of a very popular idiom that is dangerous unless accompanied by other checks.

j / k navigate · click thread line to collapse