The Hacker said on Mon Apr 07 17:52:10 +0000 2008 | permalink
Tagged: rails security relationships activerecord
ActiveRecord.update_attributes has_many :security_holes, :through => :unknown_features
Those of you Railites who have learned Rails, watched the tutorials, and generally feel comfortable with your abilities probably didn't know there is a little security hole in your app.
It involves update_attributes, has_many relationships, and a method the association makes available on the parent object.
Example:
class User < ActiveRecord::Base
  has_many :groups
end
In your view you have your pretty form with the user's name and other demographics they can enter in their profile, and a 'save' button that leads to a call to 'update_attributes'.
The problem lies in the fact that has_many creates a method on your object called
user.group_ids=
which lets you pass in an array of ids and create associations en masse. The problem is that I can come in with Firebug and add my own fields.
<!-- I'm in your HTML source adding my inputs -->
<input type="text" name="user[group_ids][]"/>
<input type="text" name="user[group_ids][]"/>
<input type="text" name="user[group_ids][]"/>
After filling in those fields and submitting, if you inspect the params hash you will notice:
"parent" => {.... "association_ids" => ["1", "2", "4"]}
And if you open script/console and check the associations, they will be there, assuming you have groups with ids of 1, 2, and 4.
The implications? If you use these groups for any kind of role-based access, a user could assume a group with root/super/power user access!
The lesson?
Protect your attributes!
attr_protected :group_ids
But a better idea is to whitelist the attributes that may be mass-assigned, so anything you forget to list is protected by default:
attr_accessible :name, :bio, :etc
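As an added example (not code from the original post), here is a plain-Ruby sketch of the two update_attributes behaviours without a Rails stack: the MassAssignable base class, its attr_accessible whitelist and the TAMPERED params hash are all assumptions standing in for ActiveRecord, the real attr_accessible, and the form params Rails would parse from the injected inputs.

```ruby
# Added example (not the original post's code): a plain-Ruby model of
# update_attributes with and without an attr_accessible whitelist.
# MassAssignable is hypothetical; it mimics the Rails 2 behaviour.
class MassAssignable
  # Whitelist: only these attribute names may be set from a params hash.
  def self.attr_accessible(*names)
    @accessible = names.map(&:to_s)
  end
  def self.accessible
    @accessible
  end

  # Unprotected: every key becomes a setter call, so an injected
  # "group_ids" key reaches the has_many-generated group_ids= method.
  def update_attributes_unprotected(attrs)
    attrs.each { |k, v| send("#{k}=", v) }
    self
  end

  # Whitelisted: keys outside attr_accessible are silently dropped.
  def update_attributes(attrs)
    allowed = self.class.accessible
    attrs.each do |k, v|
      next if allowed && !allowed.include?(k.to_s)
      send("#{k}=", v)
    end
    self
  end
end

class User < MassAssignable
  # group_ids stands in for the setter has_many :groups generates.
  attr_accessor :name, :bio, :group_ids
  attr_accessible :name, :bio   # group_ids deliberately left off the list
  def initialize
    @group_ids = []
  end
end

# Constructed params hash, as Rails would build it from a profile form
# with three extra user[group_ids][] inputs injected into it.
TAMPERED = { "name" => "eve", "bio" => "hi", "group_ids" => ["1", "2", "4"] }

def groups_without_protection
  User.new.update_attributes_unprotected(TAMPERED).group_ids
end

def groups_with_whitelist
  User.new.update_attributes(TAMPERED).group_ids
end
```

With the whitelist in place the name and bio still update, but the injected group ids never reach group_ids=.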
I hope this has helped you as much as it did me!
-TheHacker
The Hacker said on Mon Apr 07 17:16:36 +0000 2008 | permalink
Tagged: ruby rails functional testing
A Window Into Functional Tests
So like any Ruby-blooded human, I create functional tests for my Rails applications. However, things don't always go as planned: a redirect instead of a success, but where to? The assigns are right, but the flash was wrong, etc.
Sometimes you just need a way to peek at what you get back. If you enjoy gouging your eyes out you can puts @response or @response.body.
A slightly better alternative is to write the body to a file and preview it in Firefox.
# Dump the rendered response body to a file and open it in Firefox.
tmpname = 'tmp/test_page.html'
File.open(tmpname, 'w') { |tmpfile| tmpfile.puts @response.body }
`firefox #{tmpname}`
Put this after any get, post, etc., and you will get a decent HTML rendering of your view (sans stylesheets and valid links). Nothing is stopping you from writing to public/ instead, running script/server, and viewing it from there.
- If you're dealing with redirects, don't forget about follow_redirect!
- If you're crossing controllers, use integration tests =)
It's not the be-all and end-all of solutions, but it helps for a quick glimpse while fixing tests. Hope it helps!
The Hacker said on Fri Dec 14 13:41:22 +0000 2007 | permalink
Tagged: syntax highlighting javascript ruby perl rails
Syntax Highlighting for Everyone!
I recently integrated a JavaScript-based syntax highlighter into this blog. It's very easy to do and quite useful. Here is a quick rundown. I also go over some alternative methods afterwards.
The software I ended up using was SyntaxHighlighter.
Instructions can be found here: just include some files, run the JavaScript and you're golden.
Once that's in place all you have to do is invoke:
<pre name="code" class="yourlanguage"> awesome code snippet here </pre>
where 'yourlanguage' is one of ruby, perl, etc.
There is a very useful option which lets you match the line numbers to the file you may be referring to (for example, your code may begin on line 10).
<pre name="code" class="yourlanguage:firstline[10]"> awesome code snippet here </pre>
Here is an example starting at line 35 of a Rails controller (note the line numbers on the left).
def show
  # find_by_id returns nil when no such user exists, so the fallback to
  # User.find(1) actually fires; User.find would raise RecordNotFound instead.
  @owner = User.find_by_id(params[:user]) || User.find(1)
  @blogs = Blog.paginate :conditions => ["(user_id = ?) AND NOT disabled", @owner.id],
                         :order => 'updated_at DESC', :per_page => 5, :page => params[:page]
end
SyntaxHighlighter supports out of the box:
- C#
- C++
- CSS
- Delphi
- JavaScript
- Java
- PHP
- Python
- Ruby
- SQL
- Visual Basic
- XML (Which works well for xhtml files)
In addition you can grab shBrushPerl.js which adds perl support.
And that's all there is to it: syntax highlighting with client-side JavaScript.
I would also like to point out some other ways to convert code into markup.
- Coderay integrates well with ruby on rails.
- GeSHi is a PHP based generator.
- Highlight is a command line (and gtk gui) based app.
At the very least, Highlight's console output can be captured and fed into your web application no matter what language it is written in. It also has a cool 256-colour xterm output mode which is great for piping code into from grep or less.
Highlight also comes with a slew of existing colour schemes in CSS, which is nice.
There are many more highlighters out there; Google is your friend.
Enjoy the shiny colors!
The Hacker said on Fri Dec 14 11:54:02 +0000 2007 | permalink
Tagged: ruby rails gem geocoding google
Google-Geocode Gem Woes
While using the very cool google-geocode gem for ruby, I ran into a small (read: big) problem.
Do a search for “Trinidad” by itself and you get something like:
Communication error: #<REXML::ParseException: Missing end tag for 'AdministrativeAreaName' (got "AdministrativeArea")
The problem lies not in the gem but in Ruby's REXML and how it deals with the XML Google sends back. This only happens when international characters are involved.
After a little googling I found a patch for REXML, which I turned into a monkey patch for google-geocode's helper library, rc-rest.
This monkey patch will solve all your accent-mark woes.
require 'iconv'
require 'rexml/document'
require 'open-uri'
require 'rc_rest'   # the rc-rest gem; make_url, check_error, parse_response and CommunicationError come from it

# Monkey patch for RCRest#get: identical to the gem's own method except that
# the body is run through Iconv before REXML parses it.
class RCRest
  def get(method, params = {})
    url = make_url method, params
    url.open do |xml|
      body = xml.read
      # Drop any byte sequence that is not valid UTF-8 so REXML can parse it.
      res = REXML::Document.new Iconv.conv("UTF-8//Ignore", 'UTF-8', body)
      check_error res
      return parse_response(res)
    end
  rescue IOError, SystemCallError, SocketError, Timeout::Error,
         REXML::ParseException => e
    raise CommunicationError.new(e)
  rescue OpenURI::HTTPError => e
    begin
      xml = REXML::Document.new e.io.read
      check_error xml
    rescue REXML::ParseException
      # Not bound to a name, so the HTTPError in e is not overwritten below.
    end
    new_e = CommunicationError.new e
    new_e.message << "\n\nunhandled error:\n#{xml.to_s}"
    raise new_e
  end
end
The magical change is the inclusion of Iconv to make REXML happy.
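Iconv was removed from Ruby's standard library in Ruby 2.0; the added example below (not part of the original post or of rc-rest) does the same clean-up step with String#scrub and parses the result with REXML. The two sample bodies are constructed here, not real Google responses, and parse_geocode_body and administrative_area_name are hypothetical helpers.

```ruby
# Added example, not code from the original post or from rc-rest: the
# "drop bytes REXML cannot handle" step done with String#scrub (Ruby 2.1+)
# instead of Iconv, which left the standard library in Ruby 2.0.
require 'rexml/document'

# Scrub invalid UTF-8 byte sequences out of the body, then parse it.
# Valid multibyte characters (accents) survive; only malformed bytes go.
def parse_geocode_body(body)
  clean = body.dup.force_encoding('UTF-8').scrub('')
  REXML::Document.new(clean)
end

# Pull the AdministrativeAreaName text out of a response body.
def administrative_area_name(body)
  doc = parse_geocode_body(body)
  node = REXML::XPath.first(doc, '//AdministrativeAreaName')
  node && node.text
end

# Constructed sample body; a real Google response is much larger.
VALID_BODY = "<Response><AdministrativeArea>" \
             "<AdministrativeAreaName>S\u00e3o Paulo</AdministrativeAreaName>" \
             "</AdministrativeArea></Response>"

# Same document with a truncated multibyte sequence (\xC3 with no
# continuation byte), the kind of input that upsets an XML parser.
BROKEN_BODY = "<Response><AdministrativeArea>" \
              "<AdministrativeAreaName>Trinidad\xC3</AdministrativeAreaName>" \
              "</AdministrativeArea></Response>".b

if __FILE__ == $0
  puts administrative_area_name(VALID_BODY)   # São Paulo
  puts administrative_area_name(BROKEN_BODY)  # Trinidad
end
```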