Category Archives: ruby

Got a Ruby on Rails application running? Patch it NOW

A security issue has been discovered in Ruby on Rails, a popular web application framework. It is a serious one:

There are multiple weaknesses in the parameter parsing code for Ruby on Rails which allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application. This vulnerability has been assigned the CVE identifier CVE-2013-0156.
Versions Affected:  ALL versions
Not affected:       NONE
Fixed Versions:     3.2.11, 3.1.10, 3.0.19, 2.3.15

and also worth noting:

An attacker can execute any ruby code he wants including system("unix command"). This affects any rails version for the last 6 years. I’ve written POCs for Rails 3.x and Rails 2.x on Ruby 1.9.3, Ruby 1.9.2 and Ruby 1.8.7 and there is no reason to believe this wouldn’t work on any Ruby/Rails combination since when the bug has been introduced. The exploit does not depend on code the user has written and will work with a new rails application without any controllers.

You can grab patched versions here.
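As an added example (not part of the advisory or of this post), here is a small Ruby check that reads the resolved rails version out of a Gemfile.lock and compares it with the fixed versions listed above, so an inventory of applications can be triaged quickly; the lockfile fragment and the function names are constructed for illustration.

```ruby
require "rubygems" # provides Gem::Version for correct version comparison

# Fixed releases named in the CVE-2013-0156 advisory, keyed by release series.
FIXED_RAILS = {
  "3.2" => "3.2.11",
  "3.1" => "3.1.10",
  "3.0" => "3.0.19",
  "2.3" => "2.3.15",
}.freeze

# Classify a Rails version string against the fixed releases.
# Returns :patched, :vulnerable, or :unlisted (a series with no fixed
# release in the advisory table; the advisory says ALL versions are
# affected, so :unlisted still needs a manual check).
def rails_patch_status(version_string, fixed = FIXED_RAILS)
  version = Gem::Version.new(version_string)
  series = version.segments.first(2).join(".")
  fixed_version = fixed[series]
  return :unlisted unless fixed_version

  # Gem::Version compares numerically, so 3.2.11 > 3.2.8 (a plain string
  # comparison would get this wrong); a 3.2.11 pre-release sorts below 3.2.11.
  version >= Gem::Version.new(fixed_version) ? :patched : :vulnerable
end

# Pull the rails gem version out of Gemfile.lock text. Bundler writes the
# resolved version as an indented "rails (x.y.z)" line under GEM/specs;
# dependency lines such as "rails (= 3.2.8)" are deliberately not matched.
def rails_version_from_lockfile(lock_text)
  lock_text.each_line do |line|
    if (m = line.match(/\A\s+rails \((\d+(?:\.\d+)+)\)\s*\z/))
      return m[1]
    end
  end
  nil
end

# Constructed sample Gemfile.lock fragment (hypothetical, not from a real app).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (3.2.8)
        activesupport (= 3.2.8)
      rails (3.2.8)
        actionpack (= 3.2.8)
        railties (= 3.2.8)
      railties (3.2.8)
LOCK

if __FILE__ == $0
  v = rails_version_from_lockfile(SAMPLE_LOCKFILE)
  puts "rails #{v}: #{rails_patch_status(v)}" # rails 3.2.8: vulnerable
end
```

Point the script at each application's Gemfile.lock to get a first-pass list of what still needs the update; a :patched result only shows the version in the lockfile, not that the running processes have been restarted on it.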

How quickly can an organisation patch its applications? As Sourcefire security architect Adam J. O’Donnell observes, this is where strong DevOps pays dividends:

Modern web development practices have made major leaps when it comes to shortening the time from concept to deployment.  After a programmer makes a change, they run a bunch of automated tests, push the change to a code repository, where it is picked up by another framework that assures the changes play nice with every other part of the system, and is finally pushed out to the customer-facing servers.  The entire discipline of building out all of this infrastructure to support the automated testing and deployment of software is known as DevOps.

In a perfect world, everyone practices devops, and everyone’s devops workflow is working at all times.  We don’t live in a perfect world.

For many organizations changing a library or a programming framework is no small task from a testing and deployment perspective.  It needs to go through several steps between development and testing and finally deployment.  During this window the only thing that will stop an attacker is either some form of network-layer technology that understands how the vulnerability is exploited or, well, luck.

This site runs WordPress, and if I look at the logs I see constant attack attempts. In fact, I see the same attacks on sites which do not run WordPress. The bots that do this are not very smart; they try some exploit against every site they can crawl and do not care how many 404s (the error showing a page was not found) they get. Once in a while, they hit. Sometimes it is the little-used applications, the tests and prototypes, that are more of a concern than the busy sites, since they are less likely to be patched, and might provide a gateway to other sites or data that matter more, depending on how the web server is configured.

Book Review: The Book of Ruby by Huw Collingbourne

“The plain fact of the matter is that Ruby has a number of pitfalls just waiting for unwary programmers to fall into,” says author Huw Collingbourne in his introduction to this guide to the Ruby language. He should know; he is co-founder and Technology Director of SapphireSteel Software, which makes Ruby in Steel, an add-in for Visual Studio that enables Ruby development. He is also a technology journalist and writer of long standing, a specialist in explaining software development to a wide readership, and as you would expect this is a book with a clear and easy-going style.

The Book of Ruby is a language guide. It takes you blow by blow through Ruby, starting at the beginning with strings, numbers, classes and objects. Despite Collingbourne’s background, there is little or nothing on tools, user interfaces, databases, or other development essentials; the focus is firmly on the language. There are plenty of short code examples but these are snippets to illustrate a point. There is a single chapter on Rails, the popular Ruby web development framework, but you have the sense that it is included because the author felt it had to be covered; it is the briefest of introductions and you will need another book if you want to know about Rails development.

A sharp focus on the language is a good thing, but it does make this a dry read, or possibly something you are more likely to dip into than to read end to end. You may find yourself thinking, “Remind me how Ruby does threading,” and read through chapter 17 on Threads to get a quick guide to threads, mutexes and fibers.

There are 20 chapters in all, with subjects including Arrays and Hashes, Loops and Iterators, Exception Handling, Blocks, Procs and Lambdas, Modules and Mixins, YAML, Debugging and Testing, and Dynamic Programming.

Collingbourne knows his subject and if you are a software developer wanting to learn more about Ruby there is plenty of valuable material here.

That said, I have a couple of reservations.

First, I would have liked the author to tell us more about the why rather than the how of Ruby. Describing how a language works is all very well, but what are the things Ruby is particularly good for, and within Ruby, what are the techniques and features that make it a fantastic choice for certain kinds of development? What is the philosophy behind Ruby? I was expecting the author’s enthusiasm for Ruby to shine through, but it does not.

Second, the book is not long enough to be a comprehensive programming guide in the manner of David Flanagan and Yukihiro Matsumoto’s book The Ruby Programming Language (Matsumoto, or Matz, is the creator of Ruby). Nor is it suitable for a programming beginner, who is going to need more help with basic concepts than can be found here. In other words, it is not an advanced book, and it is only an introductory book in the context of someone who is already a seasoned developer, but not with Ruby. That is a narrow target.

On the other hand, I enjoyed the author’s pragmatism and direct, readable style. If you do fit the target readership, take a look; the Amazon links below include a complete list of contents and some sample pages.


No more Ruby support in NetBeans – the feature was little used, says Oracle

Oracle has announced the discontinuation of Ruby support in the NetBeans IDE. The reason? First, to free resources for JDK 7 support; but second (and more significant) – hardly anyone was using it.

There is hardly a shortage of Ruby IDEs. Ones that come to mind are the Eclipse-based Aptana, JetBrains RubyMine, the Visual Studio-based Ruby in Steel, and Embarcadero’s 3rdRail. Further, some Ruby developers prefer to work without an IDE.

I also suspect that Ruby has not quite hit the mainstream in the way it seemed that it might a few years back. Its influence has been huge, but in practice many developers still fall back to PHP, Java and C#.

Salesforce.com acquires Heroku, wants your Enterprise apps

The big news today is that Salesforce.com has agreed to acquire Heroku, a company which hosts Ruby applications using an architecture that enables seamless scalability. Heroku apps run on “dynos”, each of which is a single process running Ruby code on the Heroku “grid” – an abstraction which runs on instances of Amazon EC2 virtual machines. To scale your app, you simply add more dynos.


Why is Salesforce.com acquiring Heroku? Well, for some years an interesting question about Salesforce.com has been how it can escape its cloud CRM niche. The obvious approach is to add further applications, which it has done to some extent with FinancialForce, but it seems the strategy now is to become a platform for custom business applications. We already knew about VMForce, a partnership with VMWare currently in beta that lets you host Java applications that are integrated with Force.com, but it is with the announcements here at Dreamforce that the pieces are falling into place. Database.com for data access and storage; now Heroku for Ruby applications.

These services join several others which Salesforce.com is branding as Force.com 2:

Appforce – in effect the old Force.com, build departmental apps with visual tools and declarative code.

Siteforce – again an existing capability, build web sites on Force.com.

ISVForce – build your own multi-tenant application and sign up customers.

Salesforce.com is thoroughly corporate in its approach and its obvious competition is not so much Google AppEngine or Amazon EC2, but Microsoft Azure: too expensive for casual developers, but with strong Enterprise features.

Identity management is key to this battle. Microsoft’s identity system is Active Directory, with federation between local and cloud directories enabling single sign-on. Salesforce.com has its own user directory and developing on its platform will push you towards using it.

Today’s announcement makes sense of something that puzzled me: why we got a session on node.js at Monday’s Cloudstock event. It was a great session and I wrote it up here. Heroku has been experimenting with node.js support, with considerable success, and says it will introduce a new version next year.

Finally, the Heroku acquisition is great news for Enterprise use of Ruby. Today many potential new developers will be looking at it with interest.

Dynamic language slowdown at Microsoft?

Jimmy Schementi, until recently a Program Manager at Microsoft working on IronRuby, has posted about why he is leaving the company; and in doing so answers a question I posed a few months back, Why F# rather than IronPython in Visual Studio 2010?

When my manager asked me, “what else would you want to work on other than Ruby,” I started looking for a new job outside Microsoft …. a year ago the team shrunk by half and our agility was severely limited. I’m omitting the internal reasons for this, as they are the typical big-company middle-management issues every software developer has. In short, the team is now very limited to do anything new, which is why the Visual Studio support for IronPython took so long. IronRuby’s IDE support in Visual Studio hasn’t been released yet for the same reasons. While this is just one example, many other roadblocks have cropped up that made my job not enjoyable anymore. Overall, I see a serious lack of commitment to IronRuby, and dynamic language on .NET in general … I invite the Ruby and .NET communities to come help us figure out how to continue the IronRuby project, assuming that Microsoft will eventually stop funding it.

The dynamic language work at Microsoft is very interesting and has done a lot to persuade the world that .NET is not just a C# and Visual Basic story. Personally I’d add my voice to those encouraging the company to re-invigorate its investment in IronRuby and IronPython.

A couple of other observations though. First, Schementi is talking about efforts to continue work on IronRuby irrespective of Microsoft’s funding, and if that succeeds it could bring the project to a better place rather than a worse one.

Second, one thing I learned in talking to Don Syme, the F# man at Microsoft, is that functional programming is in high demand in financial institutions, one of Microsoft’s most important markets. IronRuby and IronPython win Microsoft plenty of kudos, but the benefits in terms of revenue are presumably harder to identify.

Whatever happens to these languages, the impact of dynamic languages on the .NET platform has been significant, and C# now also has dynamic capability.

Future of Web Apps cheers the independent Web

The Future of Web Applications conference in London is always a thought-provoking event, thanks to its diversity, independence and character. That said, it is a frustrating creature at times. The frustration on day 1 was the barely functional wi-fi, which ruined a promising interactive application called HelloApp, built with ASP.NET MVC. HelloApp would have told us who we were sitting next to, what their interests were, their twitter ID and so on. Microsoft must be disappointed since the developers, some of them more used to technologies like PHP and Ruby, said how impressed they were with the framework and Visual Studio. The poor connectivity was a shame, and a bad slip-up for a web application conference. Even the speakers had to work mostly offline – cloud devotees beware.

Ryan Carson at the Future of Web Apps London, 2009

FOWA has been at London Excel recently, but this event was back to its earlier venue of Kensington Town Hall, more crowded but a better atmosphere and easier to get to. I suspect a little downsizing, but much prefer it. Organizer Ryan Carson has his heart set on enabling start-ups, proffering business advice and uniting developers, designers and money folk, though many attendees are not in the start-up category at all. When revealing the results of a survey showing that many web app hopefuls had less than 1,000 site visitors a month he shook his head despairingly: “you’re never gonna build a business on that kind of traffic”.

Carson has excellent contacts and the day kicked off with Digg’s Kevin Rose on how to get those visitor numbers up – he should know if anyone does. Rose exceeded my expectations with tips on massaging your visitor egos, avoiding analysis paralysis, hanging round event parties to meet influencers even when you can’t afford to attend the event, and even how to hack the press.

After that the day was disappointingly low-key, at least until midday. Then we got Francisco Tolmasky from 280 North and it all changed. Tolmasky’s line is that we should use pure web technology but with the richness of desktop applications, and to enable this he’s put forward Cappuccino, a JavaScript framework inspired by Apple’s Objective-C and Cocoa – Cappuccino uses Objective-J. This now has a visual development tool (web-based of course) called Atlas, and in Tolmasky’s demo it looked superb. See here for more details.

The surprising twist is that after developers told Tolmasky that they (or their companies) were not willing to trust code to the web, 280 North came up with a desktop version of Atlas with the added ability to create desktop applications as well. I am not clear about all the runtime details, though it no doubt involves webkit, but Tolmasky’s differentiator versus alternatives like Java or Adobe AIR is that Atlas uses only web APIs.

We heard a lot at FOWA about social media, how to use it for marketing, and how to integrate it into applications. Cat Lee from Facebook gave us a breathless presentation on how simple it is to hook into Facebook Connect. It was OK but it was a sales pitch, and that never goes down well at FOWA.

The later afternoon sessions were excellent. Bruce Lawson of Opera gave us an entertaining overview of how HTML 5 would make life easier for developers. There was nothing new here, but nevertheless a revealing moment. He showed some rich media working in HTML 5 and made the comment, jabbing at Adobe Flash and Microsoft Silverlight, that the web was too important to place control in the hands of any one vendor. A loud and spontaneous cheer went up.

This was echoed later when Aza Raskin of Mozilla gave us a browser-centric view of social media, suggesting that the browser could broker our “social graph” by integrating with multiple identity providers. Raskin’s line: social media is too important to be in the hands of any one vendor.

The Guardian’s Chris Thorpe gave a bold presentation about how the Guardian wants to embed itself in the web through its open platform. Like most print media, the Guardian has many challenges around its future business model (disclaimer: I write for the Guardian from time to time); but Thorpe’s presentation shows that his newspaper is coming up with an intelligent response, promoting interaction and building out into the wider web rather than erecting paywalls. Having said that, maybe the Guardian will try other business models too; it is a journey into the unknown.

Overall a day for social media and the open web, and a good antidote to the more vendor-centric conferences at which I often find myself. Next week, for example, it is the Flash-centric Adobe MAX; and having heard very little about Flash at FOWA that will make an interesting contrast.

Programming language trends: Flash up, AJAX down?

I’m fascinated by the O’Reilly reports on the state of the computer book market in 2008, particularly the one relating to programming languages.

Notable facts and speculations:

C# is the number one language, overtaking Java (which is down 12%), and was consistently so throughout 2008. Although the .NET platform is no longer new and exciting, I’m guessing this reflects Microsoft’s success in corporate development, plus the fact that the language is changing fast enough to stimulate book purchases. Absolute growth is small though: just 1%.

Objective-C is growing massively (965%). That’s probably stimulated by iPhone app development more than anything else. It’s a perfect topic for a programming book, since the platform is important and popular, and attracting developers who were previously ignorant of Objective-C.

ActionScript is growing (33%). That’s Adobe’s success in establishing Flex and the Flash platform.

PHP is up 3%. I’m not surprised; it’s usually the P in LAMP, everyone’s favourite free and open source web platform. That said, the online documentation and community support for PHP is so good that a book is less necessary than for some other languages.

JavaScript is down 24%. I’m a little surprised, as JavaScript is still a language everyone has to grapple with to some degree. It may be a stretch; but I wonder if this is a symptom of AJAX losing developer mindshare to Flash/Flex (ActionScript) and maybe Silverlight (C#)? Another factor is that JavaScript is not changing much; last year’s JavaScript book is still good enough.

Visual Basic is down 15%. Exactly what I would expect; slow-ish decline but still popular.

Ruby is down 51%. This is a surprise; though it was well up in 2007 so you could be kind and describe this as settling. The problem with Ruby though is lack of a major sponsor; plus the migration from PHP to Ruby that seemed possible a couple of years ago just has not happened. It may be intimidating to casual developers who find PHP more approachable; plus of course, Ruby probably is not installed on your low-cost shared web hosting package.

Python is down 14%. Google sponsors Python, in that it is the language of App Engine, but apparently this has not been enough to stimulate growth in book sales. I guess App Engine is still not mainstream; or maybe there just aren’t enough good Python books out there.*

It will be interesting to see the 2009 report in a year or so. Meanwhile, I’m off to write an Objective-C tutorial (joke!).

*Update: I was reading the charts too quickly; it looks as if the percentages above are only for the last quarter; the annual figures are similar except that Python actually grew over the year as a whole.

Salesforce.com linking with Facebook, Amazon

I’m at the Dreamforce conference in San Francisco, where Marc Benioff, CEO of Salesforce.com, and co-founder Parker Harris, are presenting new features in the force.com platform.

The first is a built-in ability to publish your Force.com data as a public web site. The service is currently in “developer preview” and set for full release in 2009. Even in preview, it’s priced per page view on your site. For example, if you have the low-end Group Edition, you get 50,000 page views free; but if you exceed that limit, you pay $1000 per month for up to 1,000,000 further page views. It would be unfortunate if you had 50,001 page views one month.

The second announcement relates to Facebook integration. This is a set of tools and services that lets you use Facebook APIs within a Force.com application, and create Facebook applications that use force.com data. Sheryl Sandberg, Facebook COO, says this is “Enterprise meets social”. The problem: Facebook is consumer-focused, more play than work. Sandberg says this deal will launch Facebook into the Enterprise. This will be an interesting one to watch.

Third, there are new tools linking Force.com with Amazon’s S3 and EC2. Tools for S3 wrap Amazon’s API with Apex code (Apex is the language of Force.com) so you can easily add unlimited storage to your Force.com application. Tools for EC2 deliver pre-built Amazon virtual machines (AMIs) that have libraries for accessing Force.com data and applications. The first AMI is for PHP, and simplifies the business of building a PHP application that extends a Force.com solution.

Interesting that Salesforce.com is providing two new ways to build public web sites that link to Force.com – one on its own platform, the other using PHP and in future Ruby, Java (I presume) etc.

It’s worth noting that you could already do this by using the SOAP API for Force.com, and there are already wrappers for languages including PHP. This is mainly about simplifying what you could already do.

More information is at developer.force.com.

Future of Web Apps 2008 Day One: Web is DVD, desktop VHS

I’m at London’s dreary Excel centre for Carson’s Future of Web Apps conference, just before the opening of day two. Yesterday was a mixed bag; good when speakers talk technical; bad when they descend into marketing. The origins of the conference are as a start-up incubator; developers and entrepreneurs getting together to see what’s new and make contacts. It still has some of that flavour, but it has grown beyond that because web apps are a mainstream topic and Carson attracts generally excellent speakers. There is a good crowd here; I’m not sure if every last ticket sold, but it is pretty much packed out, though the dark economic mood is dampening spirits.

Digg’s Kevin Rose spoke briefly about his site’s new recommendation engine, which has been active since July or so. The idea is that Digg learns a user’s profile by examining clicks and votes, using it to customize what the user sees. He spoke about a forthcoming feature, where third-party sites will be able to call the Digg recommendation engine to get profile information that they can then use to customize their own sites.

An interesting idea; though it raises several questions. How does it work – would logging out of Digg be sufficient to disable it? Will users opt-out or opt-in? How much of this kind of customization do we want anyway?

This whole theme of contextualization is a big one here; it ties in closely with social networking, and Google’s OpenSocial API is getting quite a bit of attention.

Blaine Cook (ex Twitter, now Yahoo, Ruby guy and inventor of OAuth) gave a thought-provoking session on scalability along with Joe Stump from Digg (and a PHP guy). They took the line that languages don’t matter – partly a reflection on Twitter’s scaling problems and whether it was Ruby’s fault. Other factors make language efficiency unimportant, they said, such as disk I/O and network speed; and the secret of scaling is multiple and redundant cheap boxes and apps which are segmented so that no one box is a bottleneck. The case was overstated but the main points strike me as sound.

I’m wondering how many of the developers here are actually having to deal with these kinds of scalability problems. Many web apps get only light use; the problems for everyday developers are different.

I attended a session entitled "The future of Enterprise Web Apps" by Googler Kevin Marks. It turned out to be a plug for the OpenSocial API; not what I was expecting.

Francisco Tolmasky of 280slides.com evangelised his Objective-J and Cappuccino JavaScript framework, based loosely on Apple’s Cocoa framework. Hmm, bit like SproutCore.

I give Tolmasky credit for the most striking analogy of the day. The Web is DVD, he says, and the desktop VHS. Adobe’s AIR is a combo player. He is talking about transition and leaving us in no doubt about what he sees as the future of the desktop.

Best sessions of the day (that I attended) were Blaine Cook on Jabber and its XMPP protocol, and David Recordon from SixApart on the evolving Internet "open stack". In this he includes:

  • OpenID + hCard for identity
  • XRDS-Simple for discovery (http://is.gd/3M53)
  • OAuth for authentication
  • Atom and POCO (or PorC, Portable Contacts)
  • OpenSocial

I put these two sessions together because they both addressed the "Web as platform" topic that is really the heart of why we are here. Spotting which APIs and protocols will win is tricky; but if consensus is reached on some or all of these, they will impact all web developers and bring new coherence to what we are doing.

I’ll be covering today on Twitter again – see here if you want to follow.

Ruby interpreter flaws make the case for JRuby?

The official Ruby blog reports:

Multiple vulnerabilities in Ruby may lead to a denial of service (DoS) condition or allow execution of arbitrary code.

More discussion here and here. The community is fixing the problems energetically; but they do appear serious, and some are struggling with compatibility issues.

Since these seem to be bugs in the interpreter, it strikes me that this makes a good case for JRuby or in due course IronRuby, on the grounds that the Java and .NET runtimes are more mature. When I spoke to ThoughtWorks about its extensive Ruby work, I was told that JRuby is almost always used for deployment, partly because enterprises are more comfortable with it.
