XSS #2: Cross-site scripting resources, from an internal mailing list:
“I’ve gained a new appreciation for the importance of carefully thinking through security and escaping in RoR; there’s more than just h()’ing all your user-entered data.”
XSS vulnerabilities – http://ha.ckers.org/xss.html.
Very useful catalog of different XSS vectors. Includes some utilities to base64-, URL- and hex- encode attacks so you can test out your apps.
General OWASP wiki – http://www.owasp.org/index.php/Main_Page. Lots of useful information here. OWASP is a nonprofit group chartered to improve the security of webapps in general.
Security Guide for RoR – http://www.lulu.com/product/download/owasp-ruby-on-rails-security-guide/4489819. General guidelines/things to think about for securing RoR apps.
Loofah – http://github.com/flavorjones/loofah is supported by a fellow Pivot and provides fast and good sanitization built on Nokogiri, albeit slightly slower on short strings than brittle regular expressions. It’s in production at several companies.
“Loofah excels at HTML sanitization (XSS prevention). It includes some nice HTML sanitizers, which are based on HTML5lib’s whitelist, so it most likely won’t make your codes less secure.”
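The mailing-list point above (h() alone is not enough) comes down to picking the encoder for the context the data lands in. This is an added example, not code from the list or from Loofah/Rails; the module SafeOutput and its method names are hypothetical, and it only uses Ruby's stdlib.

```ruby
require 'erb'
require 'json'
require 'uri'

# Context-aware output encoding for user-supplied data (added example).
# Rails' h() is HTML entity escaping: right for text nodes and quoted
# attribute values, insufficient on its own for URL attributes and for
# string literals inside inline JavaScript.
module SafeOutput
  module_function

  # HTML text node or double-quoted attribute value: entity-escape & < > " '.
  def html_text(value)
    ERB::Util.html_escape(value.to_s)
  end

  # href/src attribute: entity escaping leaves a javascript: URL intact, so
  # allow only expected schemes (or a same-origin path) and otherwise emit "#".
  SAFE_SCHEMES = %w[http https mailto].freeze
  def href(value)
    raw = value.to_s.strip
    uri = URI.parse(raw)
    allowed = if uri.scheme.nil?
                raw.start_with?('/') && !raw.start_with?('//') # path, not protocol-relative
              else
                SAFE_SCHEMES.include?(uri.scheme.downcase)
              end
    allowed ? html_text(raw) : '#'
  rescue URI::InvalidURIError
    '#'
  end

  # String literal inside an inline <script>: JSON-encode (quotes, backslashes,
  # control characters) and also escape "</" so the value cannot close the tag.
  def js_string(value)
    JSON.generate(value.to_s).gsub('</') { '<\/' }
  end
end

if __FILE__ == $PROGRAM_NAME
  name = 'Bob <script>' # constructed sample input
  puts %(<p>#{SafeOutput.html_text(name)}</p>)
  puts %(<a href="#{SafeOutput.href('javascript:void(0)')}">profile</a>)
  puts %(<script>var n = #{SafeOutput.js_string(name)};</script>)
end
```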
Happy New Year
It’s been great building the National Lab Day website, and it’s also wonderful to have the site recognized on whitehouse.gov. This makes two sites we’ve worked on that have gotten attention in the Innovations Gallery, since Peer to Patent was similarly recognized.
The video from whitehouse.gov (below) does a better job explaining the project than I can:
And yes, the voice on the video clip is our own Mike Grafton.
pre|central.net has posted their picks for Best Apps of 2009, and they’ve picked both of the apps we developed internally as must-have apps in their categories, with Tweed at the top of the list in the Social Networking category, and Scoop being edged out by The New York Times in the News category. (We will concede that they have a little more experience in the News world than we do. ;-) The AP Mobile app also gets a shout out in the News Category, which some of you know is another app we developed, in this case on behalf of a client.
Thanks to the pre|central folks for picking our apps, and to all our users for installing those apps, and for all your feedback.
Ask for Help
“Anyone have good strategies for using S3 as a content delivery network for static files?”
Using S3 as a CDN is pretty common. S3 is certainly cheap, and fairly easy to set up. However, latency can be large – S3 isn’t built to act as a CDN, so the performance can be lacking. In addition, you need to work out your pathing in your CSS files to find background images correctly. Relative paths are a common technique here.
The performance of files in your public directory is much better. Amazon’s Cloudfront is another (expensive) option.
Note observation #4 in this blog article: link
“I can’t get ImageMagick to work on Snow Leopard. What gives?”
A brief look online shows several step-by-step instructions. It’s unclear what this particular problem is about.
“After upgrading to the latest version of Mocha, any_instance doesn’t clean up after itself. Why?”
Mocha’s any_instance stubbing is one of the few features that distinguish Mocha from other mock frameworks.
One suggestion was to update rspec as well.
“Heroku 1.5.3 isn’t letting me use heroku rake commands. What can I do?”
Upgrade to Heroku 1.5.6.
EY Cloud’s slave database functionality is broken right now. It’s supposed to be fixed this afternoon.
Amazon restricts you to 20 EBS volumes/EC2 instances per account by default. The trick here is that deleting volumes does not immediately free up space. Volumes stay in a ‘Deleting volume’ state for an indefinite amount of time before they are truly free, making it hard to allot space for them. Finding these deleting instances can be a real challenge – the AWS API can find them, but not the EY cloud GUI.
If you need to manipulate AWS credentials for EY Cloud, it’s fairly easy to go to the machine and find the appropriate file – /etc/.mysql.backups.yml
We’re starting work on Tracker badges and widgets. Our goal is to allow you to share information about your project or backlog on your website, or to promote Tracker and Agile Software in general.
Our current thinking is a few widgets that expose project summary data and stories, as well as something along the lines of “I <3 Tracker”/”I <3 Agile Development” badges for those who just want to spread the love without sharing their private project data. We imagine these being used on open source project pages, personal websites, and blogs.
So I ask you: what information would you like to share (story summaries, upcoming stories, members, etc.)? If your project is private, do you want to be able to expose some of this information anyway? If you are interested in sharing your love of Tracker and Agile Software but not your project data, what kind of badge(s) would you want?
As always, thanks for your feedback!
Happy Holidays from NYC!
- Someone noticed that rspec’s returns false when the spec passes, whereas when it passes. This has unexpected results when a used within a Webrat wait_for loop (code here) – wait_for loops until its body returns true. Fail!
- John Resig has implemented a jQuery.require method that should be in the next release. Check out the commit and the lengthy discussion here. Everyone’s a critic.
- One Pivotal project that recently switched from MySQL to Postgres noticed that PG sorts NULL values differently than MySQL. The default in PG is NULLS FIRST when ordering DESC, and NULLS LAST otherwise. You can override this behavior by using a NULLS FIRST or NULLS LAST clause in your ORDER BY.
- Someone was reminded the hard way that Ruby’s rescue, by default, only catches exceptions inherited from StandardError.
- Does anyone know of a service or library that will convert an email into a Tracker story? The use case is stakeholders who send UI/UX requirements within emails with attachments, etc.
No matter what point scale you use to estimate stories, and if you call them “points”, “gummi bears”, or “t-shirts”, people always want to know what they mean. The problem is that the keepers of the points don’t know how to relate to the users of the points.
Joe: “Oh look a new story in the icebox!”
Sam: “Let’s estimate it!”
Joe: “Sure, what’s a ‘one’ work out to be in terms of effort/complexity?”
Sam: “That’s like… half a day”
I’ve been in Joe’s shoes, and I’ve been Sam too many times. Do you see the disjoint? Hint: check the bold. Joe asked about effort/complexity because those are things he can estimate with some degree of accuracy. Sam jumped to the lowest common denominator, and converted his concept of a one point story into a unit of time.
Problem: Velocity is the conversion factor from points to time. Velocity is useful, Sam is not (no offense if your name is Sam).
A “one” is what then? It varies from team to team. How do I get Joe up to speed on point values then? Common ground, relate to Joe. We’ve all done some programming before. Maybe a one is “a batch of CSS changes”, and two points works out to “administrators should be able to edit all product fields”. Then you work your way up to “make a web-based zoo” which is wherever your point system tops out because it has a lot of unknowns and/or complexity.
Relation Points, use them to relate to your fellow developers. Use them to relate to your product owners and managers. Start speaking in terms that show you’ve got more knowledge about the development cycle than a random guy off the street. Anyone can give you the time, but what you really want… is to get to the points.
- The combination of Rspec and rack assume everything is a single domain, so you can’t check cookies for xyz.foo.com and foo.com separately. Should you encounter this, be prepared to check the header manually. You also won’t be able to delete more than one cookie at a time.
Ask for Help
- “Does anyone know why directory globbing order differs by system architecture?”
This problem bit this standup blogger yesterday. An entire directory was required, and on a Mac the order is alphabetical. On Linux it’s apparently random, most likely based on inode order. Ruby doesn’t guarantee an order, so something that may “just work” on a Mac purely by luck might not work on Linux/BSD/Windows.
- “Is anyone using unicorn on EngineYard?”
* Keep files continued – The keep file will cause the original file to be retained, so just touching the keep file is fine. No need to mess with symlinks or anything of the sort.
Ask for Help
“How do I get RubyMine to run Selenium tests?”
“sh: java command not found” – Tried setting environment variables in .bashrc. RubyMine doesn’t use bash, so it doesn’t get the bash environment. You can set the variables in launchd.conf (be careful of the syntax), start RubyMine from the shell, or set the path in RubyMine.
It was brought up that Chef could be used to maintain these changes, and make it easy to spin up new developer workstations. It’s agreed that it would be better than shell scripts, but unclear if it would be worth the effort.
- EngineYard, Chef, keep.appname.conf – appending keep will prevent chef from overwriting the file.
- BufferedLogger flushes every 1,000 lines – It’s buffered, after all. However, Rails uses BufferedLogger by default in production, so be aware of this when you switch to troubleshooting a production issue. “Just poke it 1k times” was offered as a solution, but setting sync equal to true is probably easier.
- Phusion Passenger/Facebooker/Thread Locals – All requests in Passenger run in the same thread, which means the thread locals are shared between requests. Facebooker stores the Facebook session in thread locals, which causes bad things to happen. This was difficult to debug as the team wasn’t using Passenger in development.
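A simulation of the thread-local problem in the Facebooker item, added here as an example; it is not Facebooker or Passenger code, and FbSessionStore, leaky_request and scoped_request are hypothetical names. It runs two requests on one thread, as a single-threaded Passenger process does, and shows the previous request's session surviving into the next one unless the handler clears it.

```ruby
# Thread-local "session" store in the style the post describes (added example).
module FbSessionStore
  KEY = :fb_session
  def self.current=(session)
    Thread.current[KEY] = session
  end
  def self.current
    Thread.current[KEY]
  end
end

# Handler that only sets the session when the visitor sends one: an anonymous
# request served after a logged-in one still sees the earlier user's session.
def leaky_request(session_param)
  FbSessionStore.current = session_param if session_param
  FbSessionStore.current # what the controller/view ends up acting on
end

# Fixed handler: the thread-local is assigned on every request and cleared in
# ensure, so nothing outlives the request boundary even if the body raises.
def scoped_request(session_param)
  FbSessionStore.current = session_param
  FbSessionStore.current
ensure
  FbSessionStore.current = nil
end

# Serve a logged-in request and then an anonymous one on the same thread and
# return what the second request observed. Sample session is constructed.
def second_request_sees(handler)
  send(handler, { uid: 42 }) # constructed: a logged-in user
  send(handler, nil)         # an anonymous visitor, same thread
end

if __FILE__ == $PROGRAM_NAME
  p second_request_sees(:leaky_request)  # previous user's session leaks
  p second_request_sees(:scoped_request) # nil, as it should be
end
```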
Tweet this has some peculiarities which took some Pivots a while to figure out. The URL you want is http://twitter.com/home?status=this+is+my+tweet – Using www causes a redirect, and leaving off home appears to work, but will lose the message if the user is not currently logged in to twitter and has to go through the log in dialog.
A pivot asks if anyone uses the “tweet/share/digg/blog/sharethis/email/overshare” links. Two pivots do, one thinks they’re “rarely used but requisite” and one has added them to a project recently and promises to report back in a few weeks with some log data.
Ask for Help
“Does anyone use Delayed Job with more than one worker process?”
One project is trying to use four workers, and can’t find a way to monitor their individual status. The current solution is to spin them all down and then up, which is not optimal. One suggestion is to wrap the entire thing in a rescue block, though this is probably not optimal either.
The rules for how to make parts of your HTML page translucent are kind of hard to understand — in other words, the opacity rules are pretty opaque. (Anyone who can make that into a good pun, let me know and I’ll change the title of this article accordingly.) The following represents the results of a couple of days of empirical research and as such may be incomplete or inadequate, but here goes.
In the brave new HTML5 world, with all the CSS gizmos supported by Safari and Chrome and Firefox, there are now three ways to make things translucent. And none of them works quite the way I naïvely expected.
One. Use the “opacity” CSS attribute. This attribute works pretty well… at first. It applies to an element and all its children, but according to the spec it’s meant to act as an upper bound on the opacity of all its children, and while it can technically be overridden, the overridden value is applied as a multiplier to the previous value, not as a whole separate value. So if you want some fully opaque children inside a translucent container, you can’t get there from here. The children are always going to be at least as transparent as the parent — in other words, they can’t transcend their parent’s transparency.
This is spelled out in detail in https://developer.mozilla.org/En/Useful_CSS_tips/Color_and_Background and as a solution they propose either pulling the child out of the normal hierarchy (ugh — that means you lose all the other CSS inherited styles and positioning), or …
Two. Make an alpha channel PNG and use it as the parent’s background, probably with background-repeat: repeat. This is adequate, except that there’s now another, cleaner way…
Three. For the parent, use background-color: rgba(255, 255, 255, 0.5) (where ‘0.5’ is the opacity and ‘255, 255, 255’ is the decimal RGB value) — that will work the same as an alpha PNG but without needing to go round-trip to Photoshop every time you want to change the color or level. Much better.
I have no idea what the level of support for rgba background colors is, but it seems to work in the latest Safari and Firefox so I’m happy.
annotate_models rake task? Dave Thomas wrote it many years ago and it corrects one of the flaws in ActiveRecord: it describes the schema for a table as a comment inside the Ruby model file that it maps to. Unfortunately Dave hasn’t had time to maintain it, so a couple of years ago I cleaned up some bugs and re-published it as a pastie. Then Cuong Tran made it a gem and put it on Github, and since then, there’s been a whole lotta forkin’ goin’ on!
I recently pulled a bunch of the forks into ctran’s master branch, and just pushed it to Gemcutter as version 2.4.0. Just run gem sources and make sure http://gemcutter.org is in your list — otherwise do gem source -a http://gemcutter.org — and then sudo gem install annotate, and it’ll install a binary called annotate in /usr/bin. See the README on github for more info and have fun!
One caveat: ImageMagick installs a tool called annotate too (if you’re using MacPorts it’s in /opt/local/bin/annotate). So if you see Usage: annotate imagein.jpg imageout.jpg when you run it, put /usr/bin ahead on the path and you’ll get ours instead.