Rails and security

Recently, DHH posted an announcement about a mandatory upgrade for Rails users. I have been 'with Rails' for only a few months, but my impression is that Rails has had very few security issues in its history. Which is a Good Thing.

The core team provided some information (http://weblog.rubyonrails.org/2006/8/9/rails-1-1-5-mandatory-security-patch-and-other-tidbits), but no details about the vulnerability. There was a fierce discussion in the comments, as usual with such events :)) Many readers urged the core team to give details about the vulnerability. One argument given was that it would be easy for attackers to find out what the problem is by doing an svn diff and focusing on the changed areas. Would it?

At first David wrote that the vulnerable versions ranged from 0.13 up to 1.1.4. I'm pretty sure that is a lot of changes ;)) so nailing down the problematic area wouldn't be so easy. And I think David was misinforming intentionally, because in the end the vulnerable versions were 1.1.0/1/2/4.

However, I agree with the opinion that vulnerabilities should be published with much more description of how severe they are and why, not only:

For the third time: This is not like “sure, I should be flossing my teeth”. This is “yes, I will wear my helmet as I try to go 100mph on a motorcycle through downtown in rush hour”. It’s not a suggestion, it’s a prescription. So get to it!

As a Rails user I would like to know what the reason is, and whether there are some mitigating factors. I don't have any Rails application in production (not yet), but this will change someday ;-) When such an announcement is made I would like to know what I'm risking (if I am at all, since maybe in my case some mitigating factors are present) by not upgrading instantly. And maybe the upgrade involves some additional work for me, which I can do right now only at a significant cost?

This is the most important thing in the risk assessment process: to know what could happen, when, and how much it will cost me. Then I can make a rational decision: stop doing anything else and upgrade (knowing that I will probably have to spend some extra time fixing my app), or wait a day or two to have some time to run tests before upgrading.

Upgrading without preparation is not my favorite game ;-) And if the misinformation about version 1.0 being vulnerable was intentional... well, that is also part of the equation: forcing users to upgrade without need (it has costs, since at least for me the upgrade from 1.0 to 1.1.2 was not painless).

But there are clever people on the core team and I hope they will draw the right conclusions from what has happened. The first sign is positive: there is now a mailing list for security-related announcements, and I hope it won't be high traffic ;-))

I would expect that after this issue the disclosure policy for any future issues will be clearly stated. Just so we know where we stand.
