27 comments

[ 2.7 ms ] story [ 55.9 ms ] thread
I hate myself. My first thought was being happy my version of Rails was not vulnerable to this one.
Someone explain this to be like I'm 5?
If you are running Rails 4.0.0, 4.0.1, 4.0.2 or 4.1.0.beta1, AND you use PostgreSQL AND you use Array columns therein, then you are affected. Upgrade ASAP to 4.0.3 or 4.1.0.beta2.

The exploit is does not allow arbitrary SQL to be run (aka an attacker can't start deleting things), but it does allow data to be created/modified when it shouldn't be. Not terrifying, but a vulnerability nonetheless.

If you are running Rails 3.2 or less, or if you do not use PostgreSQL, or if you do not use Array columns, you don't need to drop everything and should simply upgrade at your leisure.

You're substantially right with who isn't affected, but I would recommend prioritizing this as Immediate Remediation Required if any part of your app is affected.

You should treat "attacker gets to modify columns of their choosing" as being epsilon away from "remote code execution." There exist multiple plausible paths to getting it which are widely implemented in Rails projects.

Two of many:

1) The attacker writes arbitrarily serialized objects into your queuing system, such as Delayed::Job. They either execute attacker-chosen instructions or the deserialization of them executes attacker-chosen instructions, in a fashion similar to the January of Fun YAML issues.

2) The attacker uses this vulnerability to compromise the admin users (and/or make their user into an admin user), thereby gaining access to your admin dashboard, and either a) causes business damage via malicious use of admin-only commands, b) achieves privilege escalation from the dashboard to e.g. an admin's email account (game over almost always), or c) they attack your app's vulnerable underbelly since who worries about a company employee exploiting appsec bugs.

It is possible that your app is resilient to these and other bugs, but until you know you are, treat this CVE as a gun pointed at your face. It may not be loaded and the trigger might not eventually be pressed, but it's still a gun pointed at your face, so prudence suggests removing the gun pointing at your face ASAP.

Bad framework, with too much magic, poor security, poor performance, not good for anything beyond the five minute blog.
You are indirectly blaming a WHOLE LOTTA people with this comment. Learn to play nicely with others and maybe someone will listen to your complaints. Chances are, you don't care. <---- that's a blaming statement.
Sadly, I tend to agree. It seems anyone starting a new publicly-accessible web site with Rails are aiming for a shot at their own feet. Rails might still be usable for Intranet servers in a trusted network setting or prototyping web site ideas before transitioning to a "serious" framework. The continuing security issues and lack of focus on performance make it terrible choice for any production web site.
With respect, you don't know what the hell you are talking about. All software suffers from security issues, and Rails' performance issues are overstated.
Rails does suffer disproportionately from security issues. The framework code has become increasingly bloated and serious security vulnerabilities are being continuously discovered (see http://www.cvedetails.com/vulnerability-list/vendor_id-12043...) both on the low and high level code (the seriousness of this specific vulnerability depends on application). While I like Rails, I would not choose it as a server-side framework for my product anymore: painful to maintain (backwards-compatibility is not a priority) and slow (compared to say, Go, anyway).

Rails is nowadays easily replaced. Most of the fancy server-side bits are not really that useful, and on the front-end the zeitgeist are JavaScript frameworks, where the server acts as an API but serves static HTML/JS/CSS files.

Comparing Rails to Go doesn't make any sense.

Rails regularly has security vulnerabilities reported because it's popular, mature, deployed in a lot of places, and thus gets a lot of attention. When something like Play or whatever is equivalent in the Go world is similarly exposed I would expect to see security vulnerabilities reported there, too.

Software only _gets_ widely reported CVEs if it's popular. The lack of these reports for smaller, less popular frameworks does not indicate the lack of security flaws.

It does not suffice that a software is popular to render it insecure. OpenSSH is wildly more popular than Rails will ever be, yet it has a superior security record ( http://www.cvedetails.com/product/585/Openbsd-Openssh.html?v... ). Good strategy to avoid security issues is to use the smallest possible set of well-tested tools to achieve your task. Rails is almost the complete opposite of this: a large package of pretty much everything, of which most will ever use only a small portion.
You're comparing a web app framework to a language and then to encrypted communication software which has been around for over a decade? You're grasping at straws here and it is telling you quote the OpenSSH security record but not that of other frameworks.

Even comparing it to Go is pretty flawed, because of course Go is a language, not a framework, and it has not been tested extensively or attacked extensively, nor have the apps you have written in it. You can expect those apps to have some vulnerabilities you don't even know about as yet, unless you have had a security audit?

Like many projects, Rails is continually discovering potential security problems, though I wouldn't say it is significantly worse than other comparable frameworks/stacks, and some of the flaws they are fixing nowadays are pretty much harmless for normal use (some not, like this one, which is dangerous for the subset of users using these advanced features (probably under 5% of users)).

Pick any other widely used app framework, and you will find a similar history of security exploits discovered, though I'm sure some are better than others. It's fine to say that Rails has worse security than project x, backed up by figures, but saying anyone using Rails is shooting themselves in the foot is hyperbole.

The worst recent issue in rails I can remember is the JSON parsing incident, which also affected some python users. Just as an example comparison, in Golang if you are lazy and unmarshal into an interface or map[string]interface you might end up with similar problems of unintended data leakage, and if you unmarshal into your own struct without carefully checking what you get, you might end up with unexpected nils which only surface much later or data overwritten which was unintended. You're unlikely to get clobbered just as the Ruby JSON parser was, but you could easily introduce vulns without knowing it.

I actually prefer golang to ruby for other reasons, but the frameworks are neither mature nor battle tested, so it's not a great example to compare on security, and neither is OpenSSH.

How is it going to help anyone whose web application has been hacked to know that the problem was expected because the platform they were using was so popular/complex/whatever? From a purely practical security point of view, using Rails currently for new applications is taking an aim at your own feet, because there exists less vulnerable solutions as well.
I'm not making excuses for Rails, which is comparable to many other frameworks on security issues in my experience, I'm pointing out (as many others have done) that your argument is based on false premises. If your home-grown solution is based on golang and you've had security audits done with nothing found, congratulations, but if you haven't, it is almost certainly more vulnerable to a wide range of flaws, some in the libraries, some in your code. For example what CSRF protection do you use, what XSS protections?

I'm quite willing to believe that most of the golang web libraries are more solid than rails 1.0 ever was, because they were written by far more experienced programmers initially, but this is a complex topic, they do not cover everything you would need, and everyone makes mistakes. As an example, here is an exploit in play.golang.org:

http://codearcana.com/posts/2013/04/23/exploiting-a-go-binar...

You have provided no evidence that other options are significantly less vulnerable, unless you serve your web pages with OpenSSH?

You keep putting words to my mouth. I have not compared OpenSSH, Go or Rails as web frameworks. I compared Ruby's speed to Go and Rails' security record to OpenSSH. But I give you misrepresentation is a great way to make someone look stupid.

My personal intuition is that Rails is insecure and becoming increasingly insecure. I have cited a high number of CVEs. If you disagree, go ahead and use Rails for your app. You'll save some time, but remember to remain vigilant about security issues.

The intention wasn't to make you look stupid but to point out the absurdity of the comparison between rails and OpenSSH.

I completely agree on speed and (perhaps more importantly) memory size, minimal golang apps far surpass rails. On security, I'm not convinced a home-grown solution in plain go or any of the extant frameworks will be significantly more secure than Rails, nor that Rails is becoming more insecure. If anything I think they're putting more effort and time into security than they did previously.

> Like many projects, Rails is continually discovering potential security problems, though I wouldn't say it is significantly worse than other comparable frameworks/stacks

Compared to Django, a framework similar both in feature and popularity, Rails is definitely worse. Especially compared with the most serious flaws (code execution, SQL injections).

http://www.cvedetails.com/product/18211/Djangoproject-Django... http://www.cvedetails.com/product/22568/Rubyonrails-Ruby-On-...

Not sure about the JSON incident you mention. Maybe you thought about YAML?

Thanks for the links, which I think would lead to a more productive discussion because they are a comparison of similar frameworks. There are of course difficulties with gauging how much attention each gets (a lower CVE count is not proof of security), but overall Django looks better here.

I was thinking of the third one on this page (I suppose strictly speaking a vuln in a gem outside rails) which was pretty serious:

http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12...

but there was a related YAML bug too at the same time with serialize, which also allowed users to supply input that was then instantiated (madness!). Do lots of people use serialize? I've never explicitly used it, unless it is used behind the scenes somewhere. I remembered the fuss being over JSON because of broader impact but may have misremembered.

Ya you don't know what the hell you're talking about. For crying out loud, I would say Rails is probably the most popular framework of choice of YC startups.
Not sure how to respond. I am arguing for concrete technical points here. Something being popular does not equate it being right. Does the YC community diswelcome those making critical arguments, or what?
Critical arguments are welcome but baseless ones are always challenged. Saying Rails isn't a serious framework discredits the billions of dollars in valuations of companies using it in production today. Even Rails itself is backed by 37signals (now Basecamp), a for-profit company with serious problems that needs serious solutions for its widely popular product. Does Rails win in every technical aspect against other frameworks? Of course not, we all admit it has its flaws. But what it wins at it is developer productivity, getting shit done, and getting new developers up to speed. It does enough to enable a startup to get off the ground and become a million or even billion dollar company. That in itself makes it serious enough.
.. because those are the reasons startups fail?
It would be interesting to see an analysis of the number and severity of Rails security issues as compared to similar frameworks with similarly sized user-bases. I would be happy to be convinced by _actual and relevant data_ that Rails has an unusual problem with security.

But until then, to me, the people complaining about Rails security sound a lot like the people that complain about Windows security. When you have a product that's used by a whole lot of people, then there's going to be a lot of incentive to find security holes and a whole lot of people using the product in sometimes hard to predict ways. This does not necessarily mean that the product is inherently less secure than alternatives, it just means it's popular.

What kind of "serious" frameworks are you thinking about? Every large framework I can think of has similar issues as Rails, while minimalist frameworks avoid security holes by encouraging users to implement their own.
Very telling that you felt the need to create a new account to make these idiotic comments - you're obviously unwilling to have your real account associated with them.

So even you know you're talking shit. Knock it off, why don't you?

(comment deleted)