Page 1 of 4 | Next »
[23:11:26] greenride: Is there any way to prevent rdoc, maruku, or RedCloth from transforming a Unicode+0022 quotation mark into a Unicode+201 quotation mark?
[03:30:35] greenride: I'm using the carrierwave gem and have an Uploader mounted on a column. For every upload, Carrierwave always writes 'file.jpeg' to the database. And, the url for all rows points to the last upload. What should carrierwave write in each row?
[03:43:55] greenride: Radar: The spec works and single file upload works. However, all subsequent collections point to the same image, and the value in the mounted column is always 'file.jpeg'.
[03:56:18] greenride: sevenseacat: Thanks. Do you know how filenames are translated into urls when using fog?
[04:01:57] greenride: When using header tokens with Devise in a Rails api, what gems are useful for managing these tokens? Users need multiple active tokens, and support for token expiration/invalidation would be helpful.
[09:25:26] greenride: What's the best way to implement push notifications & synchronization without using a 3rd party service?
[09:35:06] greenride: I'm planning to use RabbitMQ, rabbitmq_web_stomp plugin, rabbitmq-auth-backend-http plugin, and hutch. Does anyone have experience using this stack for push notifications?
[00:27:31] greenride: Can the following command be modified to skip the generation of the edit and new methods in the generated controller? 'rails g scaffold user User first_name:string'
[23:42:10] greenride: Is there a line I can add to config.application.rb to skip generation of all files with the .erb extension?
[06:50:00] greenride: Are there any Ruby frameworks that use a persistent connection to push data to a web browser from a server? Ideally, the framework would be compatible with a Postgres database.
[06:53:39] greenride: Has anyone done load tests on the maximum number of open connections this can support?
[01:39:50] greenride: I'm getting the error undefined method `protect_from_forgery' for ApplicationController:Class when using rails-api. Has that functionality been completely stripped out?
[01:12:14] greenride: Out of curiosity, are more recent versions of Ruby significantly faster than previous versions?
[01:45:02] greenride: shevy: He does. I understand that's an issue. I was interested in steady state though.
[08:34:34] greenride: hmm... yes... now that I see the answer... I realize I asked the wrong question. ... meant to ask... Are there any open source production quality CI servers written in Ruby?
[23:12:59] greenride: tubbo: Thanks for your comments on bamboo and capistrano yesterday. That helped me understand how to setup bamboo with the bamboozled-ruby-plugin and capistrano.
[19:40:36] greenride: When using the bamboozled-ruby-plugin, are capistrano and its plugins typically included in a Rail's applications Gemfile? Or, can bamboo be setup to generate a tarball and then deploy this tarball to various servers?
[19:55:17] greenride: tubbo: My understanding of build servers is that they create a tarball that is then deployed to every server.
[19:55:55] greenride: tubbo: So, I was thinking that capistrano would no longer be required since it isn't being used for the deployment.
[19:56:42] greenride: What I don't know is whether Bamboo with that plugin can handle everything that capistrano does.
[20:03:21] greenride: tubbo: Ideally, I'd like bamboo to generate a tarball with all the dependencies. Then, I'd like to push the tarball to all servers. Can Bamboo use this deployment pattern?
[00:38:44] greenride: simkessy: I was bugging people here about api security and csrf tokens a little while ago. That said, Code School has a tutorial on Rails apis. The last part number 6, has a tutorial on authentication that is pretty good. I also recommend this book http://apionrails.icalialabs.com/book
[10:25:11] greenride: http://www.amazon.com/reader/1593275277?_encoding=UTF8&query=After%20disabling%20garbage%20collection%20to%20avoid
[10:34:09] greenride: workmad3: Ruby rebalances in the case that provided values hash to the same modulo value. As a result, hash lookups are faster, but insertions could be slower.
[10:35:33] greenride: workmad3: It's surprisingly well written... not as hard to read as one might think.
[10:52:01] greenride: workmad3: I take that back about your example. It depends on the context in which it is used.
[10:52:37] greenride: workmad3: If it's used in a dynamic method definition, it's possible that it won't be garbage collected.
[01:14:54] greenride: I'm looking at Rails source. In particular, request_forgery_protection.rb. If I understand correctly, it's verification mechanism is to check whether the csrf token in the form submission matches the one in the session, which is often stored in a cookie. How does that offer any protection?
[01:15:40] greenride: The file path is gems/actionpack-4.1.1/lib/action_controller/metal/request_forgery_protection.rb
[01:18:03] greenride: Couldn't a malicious site just forge both the cookie and the authenticity_token in the form?
[01:21:27] greenride: pwnd_nsfw: If the session is stored in the cookie, can't the attacker just forge the cookie too?
[01:23:13] greenride: They don't need to obtain the cookie from the victim site. The attacker can just forge a brand new cookie and ensure it matches the authenticity_token that is also forged. Right?
[01:28:13] greenride: pwnd_nsfw: I read through that guide, but it doesn't answer my question (or, I don't understand that it's answering my question).
[01:29:56] greenride: There is no server side storage of the cookie. And, the cookie's data is included in the request made to the server. Just create an arbitrary cookie with the same data format.
[01:30:54] greenride: Then, the authenticity_token (which is generated by the malicious site) can be placed inside the cookie (that is forged) for the request.
[01:47:06] greenride: pwnd_nsfw: I sort of see what's going on. Because the malicious site doesn't have the secret, it can't create the cookie's digest signature. What confuses me now is why the request even needs to provide the authenticity_token. Why not just stop at checking the session_id and digest signature of the cookie?
[06:41:59] greenride: When creating rails JSON apis, protect_from_forgery with: null_session is typically used, and CSRF protection is provided through the Authorization header containing a token. However, CSRF protection isn't present prior to user login. What's the standard way to provide CSRF protection for the /users/sign_in POST?
[06:46:24] greenride: cleopatra: Yes. After the sign_in, the CSRF protection is provided by the `Authorization: Token token=<32 digit hex number>` header.
[06:49:19] greenride: cleopatra: Abstractly, it would be for any post, put, patch, or delete action where a user is not signed in. My main use case is the sign_in, sign_up, password reset, etc. None of these requests would have an Authorization header with a token.
[06:51:25] greenride: cleopatra: That just skips the check. Right? In theory, that would allow for a cross site attack signing in a user as someone else. Or, signing up that user for some other email address. Right?
[06:54:44] greenride: If you're using an Authorization token, you won't be leaking data. So, it would probably pass a security audit. However, this seems to be a step backwards from the level of protection provided by the authentication token in form_for.
[06:57:45] greenride: cleopatra: I saw that stackoverflow post. So far, I've just been turning off CSRF protection for json APIs, but I'm wondering if there's a better way.
[07:01:53] greenride: I've used backbone, angular, ember, and react... same issue with all frameworks... it's an api issue unrelated to the frontend framework.
[07:08:47] greenride: the method recommended there avoids the csrf problem everywhere except the sign_in, sign_up, and password_reset.
[07:12:10] greenride: Essentially, they use an Authorization header with a user token that is stored in the user model (or its own table). That header provides csrf protection even though Rail's csrf protection is turned off. That method will pass security audits.
[07:12:42] greenride: However, a rogue site can sign in a user as someone else (for whom they have the username and password).
[07:18:13] greenride: cleopatra: Here's the security problem that your site and mine currently face. http://stackoverflow.com/questions/6412813/do-login-forms-need-tokens-against-csrf-attacks
[21:20:27] greenride: What is the standard way to protect against Login CSRF attacks for a Rails JSON api?
[22:01:27] greenride: rhizome: I Googled 'rails api csrf' and read several posts. There's a variety of answers but none seem good. They suggest the following. 1. Turn off csrf for json apis. 2. Use Authentication header (with token) only after login. 3. Set CSRF token with GET before login.
[22:01:30] greenride: #1 is subject to CSRF. #2 is subject to Login CSRF. #3 was claimed to be bad practice.
[22:06:20] greenride: Radar: Are you suggesting that JSON apis should turn off csrf protection. Or, that turning of csrf tokens subjects them to csrf attacks on browsers?
[22:11:35] greenride: Radar: Code school suggests `protect_from_forgery with: :null_session` for JSON apis and then using an Authorization header with `Token token=<32 digit hex>`. This protects against most CSRF attacks but not a login CSRF attack.
[22:13:21] greenride: Code school suggests turning off as well. With the `Authorization: Token token=<32 digit hex>` this protects against all CSRF attacks except login CSRF. What can be used to protect against Login CSRF attacks?
[22:22:33] greenride: Aeyrix: It doesn't matter from Mobile apps, but it is an issue in web browsers. Right?
[22:24:20] greenride: Aeyrix: With CSRF turned off, what header is being set with the initial /users/sign_in POST request?
[22:28:27] greenride: Aeyrix: That's my whole question. With login forms, there's a CSRF token that one obtains from the GET request, which is then a posted parameter in the POST /users/sign_in. This CSRF token doesn't exist in a JSON api's /users/sign_in POST when using 'protect_from_forgery with: :null_session'.
[22:29:35] greenride: Aeyrix: On the /users/sign_in POST, there is no auth_token to set for the user.
[22:32:21] greenride: If the user doesn't notice the credentials are not his or hers, the user might use the site with the attacker's credentials and enter information such as credit cards, etc. Then, the attacker can login at a later time and obtain the information the user entered.
[22:33:31] greenride: Aeyrix: CSRF... a roguesite.com submits Post/Put/patch/delete etc. when user clicks on a link in roguesite.com. The http requests are to the victimsite.com.
[22:34:32] greenride: Aeyrix: Right. That's what CSRF is doing. And, login CSRF is forging the sign_in process without the user's consent.
[22:38:53] greenride: Radar: Attacker creates their own account on let's say amazon.com using Amazon's ordinary web interface. Then, the user exploits Login CSRF on Amazon to log the victim into amazon.com using the attacker's credentials. Then, the user (not noticing) enters PII data into amazon.com. Now, the attacker can login to their own account and retrieve that data.
[22:55:32] greenride: Radar: Nothing in the Rails Security guide talks about login CSRF attacks for JSON apis. Are you claiming that login CSRF is a stupid attack vector or that Rails JSON apis with `protect_from_forgery with: :null_session` don't need to protect against login CSRF?
[23:14:42] greenride: Aeyrix: Is your position that login csrf is a stupid attack or that rails json apis are already protected even with 'protect_from_forgery with: :null_session'?
[23:19:12] greenride: Aeyrix: This stack overflow post discusses the login csrf issue. http://stackoverflow.com/questions/6412813/do-login-forms-need-tokens-against-csrf-attacks
[23:19:52] greenride: Aeyrix: Google and Yahoo (along with some smaller sites) were hit by login csrf. Of course, I'm not Google, Yahoo, or anywhere near that scale.
[23:20:42] greenride: I agree with the position. Most security audits will point it out but still pass a site with login csrf issues.
[23:21:22] greenride: I was just wondering if there was a way to deal with the issue for JSON apis. Regular Rails login forms are protected.
[23:29:24] greenride: Aeyrix: using `Authorization: Token token=<32 digit hex number>`, one can pass credentials as a header. However, that token is not available for the /users/sign_in POST. Problem with creating a get and passing a token is that the attacker can just fetch the same token and use it for a post. SOP isn't available for protection in that case.
[23:38:21] greenride: Aeyrix: Ideally, I would like to serve the frontend from a different server/domain and get clean separation between angular and the Rails api.
[23:39:43] greenride: Aeyrix: I believe the Angular rails gem sets the CSRF token in the initial delivery of the frontend. Then, the json POST request has the CSRF token to use.
[23:43:18] greenride: Aeyrix: Ari Lerner's book (https://leanpub.com/angularjs-rails) goes over the use of a separate nodejs server and rails api. However, he ignores the CSRF issue and turns it off. I was wondering if there was a way to make his approach work with CSRF protection.
[23:47:33] greenride: That's what I meant... CORS issues = headers need to be set. But, point noted, I should have been more precise there.
[23:48:53] greenride: issues can be small or big. But, agreed. The size of the issue wasn't clear from my comment.
[21:39:11] greenride: I'm trying to understand csrf tokens. Why can't a Rogue site do both the get request to get the csrf token and the post request?
[22:15:01] greenride: FailBit: CSRF protection should also be required for json apis supporting web frontends. Right?
[22:19:42] greenride: If no one is doing csrf protection for their json posts (and puts and deletes), this means every Rails json api is subject to csrf attacks. Right?
[08:13:03] greenride: Is there a way to get a CSRF token with a json get request? (For use in a json post to /users/sign_in with devise)
[19:01:13] greenride: Is there a way to configure ActionMailer to send mail without an smtp server? This is for the purpose of sending one summary email daily to a known user.
[19:04:10] greenride: matthewd: I can send email using the command line with a command such as `mail -s "Hello World" email@example.com < /tmp/mail/txt` I want similar functionality using ActionMailer.
[19:04:58] greenride: matthewd: The mail sent by command line appears in the SPAM folder of my gmail account.
[19:07:37] greenride: matthewd: Right. The command line util does the dns lookup of the MX record at the specified domain, opens a tcp connection to the mail server and then delivers the mail. Not scaleable??? but great for delivering a few emails.
[19:09:03] greenride: matthewd: I'm asking if there's a way to configure ActionMailer to do the email sending without using an SMTP server.
[19:15:55] greenride: matthewd: Thanks. Didn't realize sendmail had command line email sending tools. I'll use that.
[04:00:57] greenride: When items are moved in a spree taxonomy, what would cause the url to be updated? Initially, the old url was maintained, but the url changed to reflect the new location.
[04:08:26] greenride: rhizome: The item is being moved manually. The unintended consequence is that the url changes to reflect the new location within the taxonomy.
[04:08:44] greenride: rhizome: Is there a rake task or some other piece of code that updates these urls?
[22:04:21] greenride: I'm using Mongoid, and I want something like Membership.where(created_at + expiration_time_in_secs < DateTime.now). created_at and expiration_time_in_secs are fields for the member object in the memberships collection. What is the syntax for this?
[22:26:16] greenride: rhizome: Memberships last variable amounts of time. The expiration time is a field in the Membership object. So, I need to use both the created_at and expiration_time_in_seconds. I also want to pull more than one record. So, I need a critera object.
[06:21:07] greenride: zenspider: The obvious way is to get the time before and after a line of code. Then, find the difference.
[06:41:37] greenride: zenspider: You asked me 'what about this line?'. Which line are you referring to?
[06:45:56] greenride: Ox0dea: I see. You are demonstrating that lines are a bad thing to benchmark since your example shows that lines are not necessarily a unit that translates into something meaningful at the token level or the ruby virtual machine level.
[06:47:30] greenride: zenspider: Thanks for pointing that out. I just wasn't sharp enough to get it back then.