New Bug Discovered in Ruby

Deserialization issue in Ruby discovered by Elttam of Australia
12 November 2018

The problem of serialization and deserialization of objects has reached Ruby. The bug was found by experts from the Australian company Elttam.

Serialization in programming is the translation of a data structure into another format that is more convenient for storage or transmission. The inverse operation is deserialization: restoring the original data structure from that byte sequence. Ruby ships this capability natively (the Marshal module), and, as it turned out, the native mechanism itself hands attackers what they need: objects of classes the application never asked for, with their load-time hooks executed, appear simply because an untrusted byte stream named them.

Elttam researchers added a proof-of-concept exploit to their report that implements the attack. The problem is that the gadgets are built into the language and its standard library, so the chain works in Ruby versions from 2.0 to 2.5 without any third-party library. It is also assumed that the attack can be adapted to older versions. In addition, the alternative Ruby implementations JRuby and Rubinius can potentially have similar problems.

Vulnerabilities in the serialization and deserialization of objects exist in other languages as well. In 2015, FoxGlove Security published research on them in Java. In 2017, a similar problem was demonstrated in .NET libraries, and in 2018 in PHP; in the latter case it affected the WordPress engine. Such problems are usually solved by the release of patches, although the bugs are often difficult to detect. At the same time, it should be understood that deserializing data from an untrusted source is inherently risky: the byte stream, not the application, decides which classes get instantiated.
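The behaviour the article describes, shown as an added example that is not Elttam's proof of concept and not code from the original page. A constructed application class with a marshal_load hook stands in for the standard-library gadgets, so that Marshal.load of attacker-supplied bytes visibly runs code the caller never requested; the same input handled as JSON yields only plain data, and a signed-blob loader shows the pattern to use when Marshal cannot be dropped. The class name, the cache/session framing, the HMAC secret and the sample payload are all assumptions made for the example.

```ruby
require 'json'
require 'openssl'

# Hypothetical application class, constructed for this example. Any class with a
# marshal_load hook runs code inside Marshal.load, before the caller sees the
# result; real gadget chains are built from hooks like this on stdlib classes.
class CacheEntry
  class << self
    attr_accessor :hook_calls  # counts how often marshal_load ran (observable side effect)
  end
  self.hook_calls = 0

  attr_reader :key

  def initialize(key)
    @key = key
  end

  def marshal_dump
    { key: @key }
  end

  # Invoked by Marshal.load with whatever the byte stream carried for this object.
  def marshal_load(data)
    self.class.hook_calls += 1
    @key = data.fetch(:key)
  end
end

# Bytes an attacker would hand to Marshal.load (constructed sample input).
def attacker_payload
  Marshal.dump(CacheEntry.new("session:42"))
end

# Unsafe: Marshal.load instantiates the classes named in the stream and calls
# their hooks. Returns the resulting class name and whether the hook ran.
def unsafe_load(bytes)
  before = CacheEntry.hook_calls
  obj = Marshal.load(bytes)
  { class: obj.class.name, hook_ran: CacheEntry.hook_calls > before }
end

# Safer: a plain data format. JSON.parse can only yield strings, numbers,
# booleans, nil, arrays and hashes, never application objects or their hooks.
def safe_load(text)
  data = JSON.parse(text)
  { class: data.class.name, hook_ran: false }
end

# If Marshal must stay (legacy caches, sessions), never feed it bytes of
# unverified origin: authenticate the blob with an HMAC under a server-side key,
# so an attacker who cannot forge the tag cannot choose the bytes either.
SECRET_KEY = "example-only-server-secret".freeze  # constructed; load from config in practice

def sign(bytes, key = SECRET_KEY)
  OpenSSL::HMAC.hexdigest("SHA256", key, bytes) + "--" + [bytes].pack("m0")
end

# Byte-by-byte comparison that does not exit early on the first mismatch.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the deserialized object, or nil when the tag is missing or wrong.
def verified_load(signed, key = SECRET_KEY)
  tag, b64 = signed.split("--", 2)
  return nil if tag.nil? || b64.nil?
  bytes = b64.unpack1("m0")
  expected = OpenSSL::HMAC.hexdigest("SHA256", key, bytes)
  return nil unless constant_time_equal?(tag, expected)
  Marshal.load(bytes)
end

if __FILE__ == $PROGRAM_NAME
  p unsafe_load(attacker_payload)                            # hook ran although the caller never named CacheEntry
  p safe_load('{"key":"session:42"}')                        # plain Hash, no hook
  p verified_load(sign(attacker_payload)).key                # authenticated blob loads
  p verified_load("0000--" + [attacker_payload].pack("m0"))  # forged tag, nil
end
```

The signed-blob path only helps while the key stays secret: if it leaks or is a known default, every built-in gadget becomes reachable again through the very same Marshal.load call, which is why moving the data to a format like JSON (and rebuilding application objects from it explicitly) is the stronger fix.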

Ruby/RoR News Digest 21 - 27.03

Learn why and how to host a Rails app with AWS ElasticBeanstalk, how to do multi-step forms in Rails, listen to the Sorbet podcast and more
27 March 2020

Greetings! I hope your week went great! Here's the new Ruby news digest.

Learn about RuboCoping with legacy, how to secure SSH keys in use, listen to a podcast about Sidekiq and check out other interesting things in this digest.

Guides

  • Why and How to Host your Rails 6 App with AWS ElasticBeanstalk and RDS

A tutorial on using one of AWS's most mature services to deploy a Rails app onto AWS

  • RuboCoping with legacy: Bring your Ruby code up to Standard

This guide provides a "standard" approach to using RuboCop

  • How to do multi-step forms in Rails

This tutorial teaches you how to create multi-step forms gem-free

  • Securing SSH keys in use

Ruby-powered digging around in SSH keys: learn how to secure SSH keys while they are in use

Podcast

  • Sorbet: Typed Ruby with Dmitry Petrashko

Dmitry from Stripe talks about Sorbet, a type checker for Ruby

  • Rails with Jason - 037 - Server Infrastructure, systemd, and the Business Side of Sidekiq with Mike Perham

A long talk by Mike Perham of Sidekiq about the business side of Sidekiq, systemd, and server infrastructure in general

Updates

  • Webpacker 5.0 released

A major version of the hugely popular Rails solution that makes it easy to use webpack to manage application-like JavaScript in Rails; it brings a lot of changes and updates, like multiple files per entry

  • pgsync

Syncs data from one Postgres database to another

  • render_async

This gem speeds up rendering of Rails pages

  • Authlogic

A Ruby authentication solution