Update Rails or not – security issues either way
browserbite.comNo question: update Rails.
The security issues attributable to Rails upgrades are small in number and relatively minor.
The security issues attributable to not upgrading Rails, and in particular in not upgrading during upgrade cycles where the Rails community was reassuring itself that everything was fine and that normal apps wouldn't be affected by security flaws, are much larger in number and extremely significant.
If there was one lesson I'd hope people would take away from Rails Winter of Security Madness, it is be ready to patch at all times. That's a good lesson for every platform, not just Rails, but Rails teams now have specific reasons to be on top of this.
When Rails announces security flaws, patch ASAP. If you're a professional Rails team, dry-run this well in advance; know you can patch at a moments notice, don't just hope.
How do you dry-run a Rails patch? I mean I know how to do `bundle update rails`. The problems with updates tend to be patch-specific.
If the only mechanism you have to update Rails is to do a "bundle update", start by fixing that.
Huh? No, I am familiar with Ruby development and use of git and patch files. I still don't understand your point. How do you a dry-run of a patch that doesn't exist?
If you are seriously on top of Rails security, you're ready to deploy workarounds if you have to, instead of waiting for the "tested" fix to percolate into Ruby gems. So, start by making an innocuous but testable patch. Add a class to ActiveSupport or something.
Also, when you drill this stuff (I think you should do it quarterly as soon as you have customers), spend as much time drilling how you'll profile your environment as you do in ensuring that your patch deployment is flawless. I worry more about hidden stale deployments than I do about production app servers.
I think Thomas is coming at this from a different place from many folks here, so let me explain what is animating this comment: many of you may have "monorails" apps, where everything you company does is one single Rails application. Most Rails shops eventually outgrow this architecture choice. (It's cool, I used it for ~4 years, I'm on your side.)
After you break the one app barrier, you tend to break it by a lot. Many of them will not be customer facing. For example, churn.example.com might be a simple dashboard coded up by an intern which sits behind HTTP Basic auth and just shows a dashboard with customer LTV broken down by plan. The churn app is really easy to forget: no customer ever sees it, the intern is back in college, and your team might not care about it. But e.g. the January Rails bugs were Pre-auth so you could give up code execution on churn.example.com with them. And churn.example.com sits in your datacenter and talks directly to the main database... uh oh.
If I ask you how many instances of Rails apps you have running in your company, and you can't immediately get that number from somewhere (say, an up-to-date list on an internal wiki), you should be terrified.
As you said above, "Rails Winter of Security Madness, it is be ready to patch at all times" -- sounds a lot less fun than the five minute blog or scaffolded apps that drew a lot of the Rails developers into the fold in the first place, not realizing that a short while down the road they would be spending all their time patching, monkey patching and crossing-fingers each time someone lifts the hood on the framework and discovers yet another parser-in-a-parser ready to exploit.
I don't know what the heck one has to do with the other. Reliably, scalably, securely deploying production applications is never going to be part of the intro screencast for a platform.
Frankly, all your comments on this thread have shared a kind of language-war tone; I'm talking about what people should be doing to secure production Rails deployments, and you tack on a dig about a screencast from 2008. In other parts of this thread, you leave wisdom like "Rails is for posers, Python for pros". On the presumption that you are a good faith commenter writing this stuff to evangelize for what you believe to be better platforms: the tactics you're using are backfiring. Your comments are going light grey, and they're discrediting the idea of evaluating platforms based on security by giving Rails partisans an easy straw man to beat down.
Do you know how many Rails developers I've heard pissing on Flash or Java and its security vulnerabilities? Many - until recently. Now suddeningly these faults are an accepted aspect of Rails development. Really. I guess this more of a rant about how unfairly the Rails community (ie. dhh) has been on others, but now expects critics to look away while it happens in the Rails community on a weekly basis.
I'm guessing this schadenfreude must be delicious, since everyone keeps coming back for additional helpings.
Look, gloating over other people's security issues is shitty behavior, and frankly responsible developers don't do it. Am I calling DHH an irresponsible developer? Yeah. But the Rails core team has thankfully incorporated a number of smart and responsible developers over the past 4 years, and you see a whole lot less shit like that.
Even better, security issues that have languished silently since 2006 are being identified and quickly addressed.
So, no, nobody is asking anybody to look the other way. There are developers who have been in the Ruby and Rails community for a long time, who make no aspirations to being "rockstars" and are out spending their nights and weekends patching rails, and are not slagging other people off for using Java.
Think of them when you feel the inclination to rant.
(also, incidentally, most of the ranting about Flash and Java development have not focused on security issues, they've mainly focused on how awful it is to use those platforms to do development. Which is why things like JRuby are so wonderful. You get to develop in Ruby, and access the JVM's system of libraries.)
I agree with most of what you said, but you accuse me of not thinking of the RoR developer community, which is false. My issue lies with extremely critical community leaders suddenly disappearing into the shadows. If you beat others up, expect the same, is all. I don't relish the idea of picking apart the community's hard work, but I do expect some fairness in the dialog.
The security problems of Flash and Java are not comparable to those of Rails. They're different in magnitude, different in number, and different in circumstance and origin.
I strongly agree with 'knowtheory that gloating about security vulnerabilities is a bad habit. But this Rails/Java comparison is even worse. Nobody personalizes Java insecurity. The Java applet plugin is a mess, responsible for a huge number of compromised desktops, but nobody I know would assume that a developer who worked in Java or on the JVM would be security-illiterate. That's not true of the Rails drama, which is really an opportunity for people to piss on DHH and his personality cult, as you can see in this subthread with 'static_typed's comment.
Rails became worse than the frameworks and ecosystems it laughed at in it's younger days.
Remember - Rails is Omakase - meaning literally 'leave it to someeone else' - food for thought indeed.
Your point (trolling really) doesn't make any sense (and really the Omakase thing never made sense to begin with).
The core value proposition for Rails has always been it incorporates enough of all of the things you need to get a web app up and running quickly, easily, and with sufficient power that your app can continue to grow into the future.
That's what DHH's original blog post screen cast was about certainly. wycats and carllerche's contributions to Rails after the Rails/Merb merge have focused both on better code discipline and ease/simplicity of use for everyone, from beginners to advanced devs.
On top of that the Rails security team has been totally on top of these disclosures and releasing patches that address them. Prominent members of the Rails community have been extraordinarily vocal in advocating that EVERYONE needs to upgrade their apps.
So, please, tell me again how Rails leaves things to others.
P.S. if you really want á la carte, use Sinatra, or Padrino.
P.P.S. Ah, if you look at the actual meaning of omakase (http://en.wikipedia.org/wiki/Omakase ), it basically means, devs entrust the defaults to the Rails team, which is basically how things actually work w/ Rails.
I don't think I would take things so far as to say that the Rails project has been a model for how to handle security problems.
Yep, sorry if I gave that impression.
All I mean to say is that the implication that the Rails community has been particularly lax over security issues is simply false.
Is there room for improvement? Yeah, probably so.
Rails _needs_ to produce security-patch-only patch releases.
This won't be foolproof; there is no such thing as foolproof in software development. There can still be unintentional regressions in security-patch-only releases (and even new security vulnerabilities), as well as new security vulnerabilities in other releases.
Yes, nothing is foolproof. But you can work at improving your quality. Yes, there are other things Rails could do to improve quality, including trying to actually do some variation of semver.
But the most obvious thing with the highest benefit/cost that Rails team could do is always release security patches in security patch only releases, so developers can apply security patch only releases and minimize their exposure to new regressions when doing so. Git should not make this hard to do, just cherry pick the security-patch commits into a branch created off the last release, and release it as a patch release seperately from any other changes.
Am I missing something?
Well, the release policy published by the Rails team states releases like this are supposed to only have security patches, but for some reason it wasn't followed here. I'm not sure why other than the frantic "zomg there's a security hole must fix it!" fray that may have clouded their judgement.
Another option is to fork Rails and use the patch files (included with the CVE) that target only the vulnerabilities addressed in the CVE.
The problem with upgrading to mitigate security issues is that the Rails team does not release security patches. They bump the minor-minor and do a release. That release almost always includes commits that are unrelated to the security issue. This is especially true when a lot of time passes between CVEs.
Maintaining your own branch really isn't that difficult, because you can simply merge in from upstream. In most cases, you're really only interested in patching from Rails team issued security fixes, so you won't have conflicts. If you do have conflicts, you can safely overwrite anything in your fork, because you're not developing Rails, you're simply maintaining tighter control over the release that you use.
Well - that's enough work to maintain your own app. Maintainging a fork of Rails and drilling through all of the vulnerabilities - that's an extra overhead. It's simpler to regression test your own app, I suppose.
I disagree that it's simpler to regression test your own app. The recent minor-minor version upgrade passed Rails core tests, as well as test suites at high profile Rails users, yet it contained a regression that caused the disclosure of some sensitive issues at those same high profile shops.
It's easier, from my viewpoint, to stick it out at a release that you know works for you, applying patches from the files contained in the CVEs. There's still a chance that the security patch will cause a regression, but at least you're not pulling in all the interim commits.
Or don't use Rails.
No matter your stack, you are occasionally going to have to deal with security vulnerabilities. Thankfully, rails at least is quick to issue releases which address security vulnerabilities. Back when I was working on java applets, I remember security issues in Java plugins which would persist for weeks, months, or even years.
Or Linux, or MySQL.
Or Postgres.
My subtext isn't very clear: there are other projects that haven't totally mastered handling vulnerabilities, but few people will fault you for using them. Rails is different because it has a personality cult, which makes it easy to personalize an issue that is a dry inconvenience for other popular packages.
I'm not sure I'd put Postgres alongside Linux and Rails in terms of handling security issues.
^^ This is good advice. Maybe they should question their choice of platform - there are other options, some of which seem to have had a bit more forethought in their architecture and engineering.
Remember: Ruby/Rails to pose, Python for pros.
> Remember: Ruby/Rails to pose, Python for pros.
How mature.
...and whitespacephiles. :)
There is no such thing as an insurmountable security configuration. No matter what you use or how you use it, there will always be new methods to compromise your data. Hackers are creative and enjoy a challenge and will continually attack systems until the end. Whether it be Rails or another framework, you will have to upgrade and address security issues forever. Developers need be realistic and understand that any system can be compromised if one tries hard enough. I don't necessarily think that you should go from rails 2 to 3 or 3 to 4 just to address security features. Better off staying in the branch you started the project in and applying the applicable patches for said security concerns. With that said, RAILS RULES!!
I've shared my sentiment here before on why I'm not going to use Rails anymore. Imagine having your code working fine, and you update a MINOR version 3.2.x - and your ORM starts returning results that it didn't used to.
Heh.
Not worth the heartburn. I've switched to a saner, more tought out framework. Rails is gorgeous, but not safe to use for any serious systems where you're in a small team.
What did you switch to?
Probably ASP.Net MVC -> https://news.ycombinator.com/item?id=5410169
ASP.Net MVC4.
If you're willing to trade off stability for features, the Rails 2.3 line still receives security patches to this day. You can upgrade to Rails 3 when Rails 4 comes out.
If you're willing to make a slightly different trade-off, just apply the security patches as they come out and don't upgrade minor versions without integration testing.
I have heard, but can't find an official reference to it now, that Rails 2.3 will stop receiving security updates once Rails 4 is released. (I suspect that patches will still become available for serious issues even once official support is dropped.)
Rails Core will not support 2.3.X, in any fashion, after 4.X is released. It is not relevant to their interests. It is very relevant to my interests, so watch for a coming announcement on my blog, or (an alternative) switch to Gthub's fork of 2.3.X.
Maintenance policy: https://groups.google.com/forum/m/?fromgroups#!topic/rubyonr...
Right - that's what I've heard, but that email doesn't explicitly say that.
Right, so you have your migration to Rails 3 ready to go as soon as Rails 4 ships. When Rails N has shipped, consider Rails N-1 to have become the "stable" release and Rails N-2 to be deprecated.
So what was the issue from Rails, specifically?
Specifically that the security releases included changes to the way that ActiveRecord works (which were unrelated to the security issues).
As a consequence, their search queries were scoped differently than what they had intended. So their choice was roll back the security release, or modify their app to accommodate ActiveRecord's altered behavior.
Actually, ironically, the _particular_ bug that changed how ActiveRecord works... which caused security problems... was actually an unintentional regression in a _security patch_.
There were ALSO unrelated changes (quite many) in the patch release that included the latest security fixes. Which is a mess.
But, the _particular_ problem here, the OP suggests it was the same problem as github reported [here](https://github.com/blog/1440-today-s-email-incident), where they suggest they isolated the introduction of the regression to [this commit](https://github.com/rails/rails/commit/f980289fd2c1b9073a94b5...), which in fact has a commit message as the fix to CVE-2013-1854.
So, yes, a security fix unintentionally introduced a regression with _other_ security implications. Yeah, this is kind of ironic, and yeah, it means it's not so simple to say what could have been done to avoid it. (In this case, I'm surprised there wasn't an automated test already that caught the particular regression. It seems like something that should have been tested. But I haven't looked at the test source to see if it was an odd edge case or what have you.)
(But it's STILL bad practice to release security patches only in releases bundled with a bunch of other changes).
I see. Thanks for the clarification.
Give a developer a Ruby-based web framework, and they can run for a day without patching, but give them anything else - even Prolog on Punchcards - and they run for so much longer!
Stop today, and help recovering Ruby developers onto a better path!
Your attempt to drive developers to Ruby and Rails by playing the role of a typical ignorant anti-rails fundamentalist crusader will fail.
I'm not really sure I understand this sentiment. I understand that the Rails community has had a reputation in the past of being arrogant but why take joy in the growing pains of a development community? Why foster an "us vs them" sentiment in the general development community? My understanding is that we are all doing the same things, we just have chosen different ways to get there.
Enjoying your crusade?