23 April 2014

The Ruby Reflector

Topic

XSS

By Rafael França of Plataformatec Blog 5 months ago.

There is an XSS vulnerability in Simple Form's label, hint and error options.

Versions affected: >= 1.1.1

Not affected: < 1.1.1

Fixed versions: 3.0.1, 2.1.1

Impact

When Simple Form creates a label, hint or error message it marks the text as being HTML safe, even though it may contain HTML tags. In applications where the text of these helpers can be provided by the users, malicious values can be provided and Simple Form will mark it as safe.

Releases

The 3.0.1 and 2.1.1 releases are available at the normal locations.

blog.plataformatec.com.br

By Tom of Heroku 5 months ago.

…property's session cookie expires, the victim is still logged in. Without the presence of an XSS or similar vuln, however, the attacker is unable to leverage this further. In the shared-browser threat model (e.g., internet cafes in developing regions), this becomes slightly more interesting. However, a plethora of more serious attacks come into play in that case, such as keystroke logging. Given that, and the lack of a useful attack, we are again OK with this risk.

We realize this …

blog.heroku.com

By Patrick of Kalzumeus Software 10 months ago.

Rails 3 made a really good decision to enable HTML escaping by default, for preventing XSS attacks. If you're coming to this from an old application, you are likely going to have to dig in and either root out or mark harmless every time your views/helpers/model objects/etc. return HTML when you expect them to. That can be an involved project.

Most Rails projects of non-trivial size will play with the Rails internals, via calling private methods or monkeypatching core …

kalzumeus.com

By Seth Falcon of Chef Blog 12 months ago.

[CVE-2013-1855] XSS vulnerability in sanitize_css in Action Pack

[CVE-2013-1856] XML Parsing Vulnerability affecting JRuby users

[CVE-2013-1857] XSS Vulnerability in the sanitize helper of Rails

This fixes the following issues:

CHEF-4059 update Rails version to 3.2.13 for security issues

PostgreSQL 9.2.4

This version fixes the following vulnerabilities:

[CVE-2013-1899] - makes it possible for a connection request containing a database name that begins …

opscode.com

By Mike Gunderloy of A Fresh Cup 1 year ago.

Flawless - Trap exceptions and send an email to the responsible developer by using git-blame to find the right person. Python, but I'm sure someone will be along with a Ruby version soon enough.

Ruby 2.0.0-rc2 is released - The final release candidate.

2.0.0.rc.2 Released - Of rubygems, with breaking changes. Probably worth testing if you're hammering on ruby 2.0.

Postcards from the post-XSS world - A run down on what an attacker can do once they get hold of an XSS vulnerability in your code.

afreshcup.com

By drbrain of Segment7 1 year ago.

Fixed an XSS exploit in darkfish.js. This could lead to cookie disclosure to third parties. See CVE-2013-0256.rdoc for full details including a patch you can apply to generated RDoc documentation.

Ensured that rd parser files are generated before checking the manifest.

RDoc 4.0.0.rc.2

Minor enhancements

Added current heading and page-top links to HTML headings.

Bug fixes

Fixed an XSS exploit in darkfish.js. This could lead to cookie disclosure to third parties. See CVE-2013-0256.rdoc…

blog.segment7.net

On Ruby News 1 year ago.

RDoc documentation generated by the rdoc bundled with ruby is vulnerable to an XSS exploit. All ruby users are recommended to update ruby to a newer version which includes the security-fixed RDoc. If you are publishing RDoc documentation generated by rdoc, you are recommended to apply a patch to the documentation or re-generate it with the security-fixed RDoc.

Impact

RDoc documentation generated by rdoc 2.3.0 through rdoc 3.12 and prereleases up to rdoc 4.0.0.preview2.1 are vulnerable …

ruby-lang.org

By Bryan McLellan of Chef Blog 1 year ago.

CHEF-2792 - XSS vulnerability in messages field on login page

CHEF-2903 - Attribute files not loaded in deterministic order

CHEF-2923 - Cookbook Upload Fails due to Syntax Error in unrelated cookbook's metadata file

CHEF-3068 - Chef resources display incorrectly in log files on windows due to splitting on :

CHEF-3376 - Chef Should Load Cookbooks In Dependency Order

CHEF-3393 - Chef Encrypted Data Bag Error due …

opscode.com

By Mike Perham of almost 2 years ago.

Yikes, it's ugly and can easily lead to XSS security holes! content_tag is your friend.

    content_tag :li, :class => 'vehicle_list' do
      link_to("#{vehicle.title.upcase} Sale", show_all_styles_path(vehicle.id, vehicle.url_title))
    end

Bonus points: start introducing helper methods that take blocks. Nested blocks are a natural fit when generating nested HTML.

4. Giant queries loading everything into memory

You need to fix some data so you'll …

mikeperham.com

By Mike Gunderloy of A Fresh Cup almost 2 years ago.

OOP to Rails Controllers - An experiment from one of the Rails core contributors that fills me with trepidation.

How to Securely Bootstrap JSON in a Rails View - Escaping, user-supplied content, and XSS concerns when you're consuming JSON directly.

Amon - Server monitoring, logging, and error tracking all in one package.

afreshcup.com