Published January 31, 2013

The seemingly continual stream of Ruby and Rails security issues over the last year or so has been kind of entertaining in a bad way.

The Rails community didn't endear itself to many people early on, when a lot of its members made a lot of noise about how other languages were stupid and Ruby/Rails was the only true way forward, away from the security issues that plague(d) applications written in PHP.

The actual exploit concerned JSON parsing: the JSON parser didn't really exist as such; JSON input was instead handed to the YAML parser. Writing a JSON parser is an afternoon's work. It's also fun and, as far as parsers go, pretty easy (the JSON spec is tiny). It seems weird to me that one wouldn't exist.
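As an added example (not code from the post, nor from Rails itself), this is what the point above looks like in practice: parse JSON with Ruby's json library, which can only ever produce plain data, and where YAML really is the input format, load it through Psych's allow-list loader. The two sample documents and the post-decode check are constructed for this illustration.

```ruby
require 'json'
require 'yaml'   # loads Psych, Ruby's YAML engine

# Constructed sample inputs (not taken from the post). PLAIN_DOC is ordinary
# JSON. TAGGED_DOC is valid YAML but not JSON: YAML is (nearly) a superset of
# JSON, so a backend that feeds "JSON" to a YAML parser also accepts YAML tags,
# and a tag like !ruby/object asks the parser to build an object, not data.
PLAIN_DOC  = '{"user": "alice", "roles": ["admin"]}'
TAGGED_DOC = '{"user": !ruby/object:OpenStruct {table: {}}}'

# Mitigation 1: parse JSON with a JSON parser. JSON.parse can only ever return
# strings, numbers, true/false/nil, arrays and hashes; anything else is a
# syntax error, so the tagged document is rejected outright.
def decode_json(text)
  JSON.parse(text)
rescue JSON::ParserError
  nil
end

# Mitigation 2: where YAML genuinely is the input format, use Psych's
# allow-list loader. With an empty permitted_classes list, any tag that names
# a Ruby class raises Psych::DisallowedClass instead of instantiating it.
def decode_yaml_safely(text)
  Psych.safe_load(text, permitted_classes: [], aliases: false)
rescue Psych::Exception # DisallowedClass, BadAlias and SyntaxError derive from it
  nil
end

PLAIN_DATA = [String, Integer, Float, TrueClass, FalseClass, NilClass].freeze

# Defensive check for decoders you cannot fully audit: walk the decoded value
# and confirm it is made only of plain data, never of application objects.
def plain_data_only?(value)
  case value
  when Hash  then value.all? { |k, v| plain_data_only?(k) && plain_data_only?(v) }
  when Array then value.all? { |v| plain_data_only?(v) }
  else PLAIN_DATA.any? { |klass| value.is_a?(klass) }
  end
end

if __FILE__ == $PROGRAM_NAME
  p decode_json(PLAIN_DOC)          # {"user"=>"alice", "roles"=>["admin"]}
  p decode_json(TAGGED_DOC)         # nil: not JSON, so the parser refuses it
  p decode_yaml_safely(TAGGED_DOC)  # nil: Psych::DisallowedClass was raised
  p plain_data_only?(decode_json(PLAIN_DOC))  # true
end
```

The keyword form of `Psych.safe_load` assumes Ruby 2.6 or later; on Ruby 3.1+ plain `YAML.load` already behaves as `safe_load`, and the old behaviour is only reachable through `YAML.unsafe_load`.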

I think Ruby and Rails sort of became a victim of their own success as they allowed and encouraged people to be writing code who perhaps shouldn't have been.

This post on HN sums it up, albeit in a slightly inflammatory way:

The "everybody has bugs" response is intellectually dishonest. Yes, everybody has bugs, but most people's bugs aren't an intentional feature that a trained monkey ought to have known was a bad idea.

- Someone implemented a YAML parser that executed code. This should have been obviously wrong to them, but it wasn't.
- Thousands of ostensible developers used this parser, saw the fact that it could deserialize more than just data, and never said "Oh dear, that's a massive red flag".
- The bug in the YAML parser was reported and the author of the YAML library genuinely couldn't figure out why this mattered or how it could be bad.
- The issue was reported to RubyGems multiple times and they did nothing.

This isn't the same thing as a complex and accidental bug that even careful engineers have difficulty avoiding, after they've already taken steps to reduce the failure surface of their code through privilege separation, high-level languages/libraries, etc.

This is systemic engineering incompetence that apparently pervades an entire language community, and this is the tipping point where other people start looking for these issues.

Filed under: programming
