Ruby and Rails to Get New Updates

Six vulnerabilities in the RubyGems package manager and three in the Rails framework are now fixed
14 March 2019

Corrective releases 2.6.2 and 2.5.4 of the Ruby programming language are available; they fix six vulnerabilities in the bundled RubyGems package manager:

  • CVE-2019-8324: code execution when installing an unverified package (an attacker can place code in the gemspec, and it is executed through the eval call in ensure_loadable_spec during the verification stage, before installation);
  • CVE-2019-8320: deletion of directories through symbolic-link manipulation when unpacking tar files;
  • CVE-2019-8321: injection of terminal escape sequences through the Gem::UserInteraction#verbose handler;
  • CVE-2019-8322: injection of terminal escape sequences through the "gem owner" command;
  • CVE-2019-8323: injection of terminal escape sequences in the API response handler (Gem::GemcutterUtilities#with_response);
  • CVE-2019-8325: injection of terminal escape sequences through error handlers (Gem::CommandManager#run calls alert_error without escaping control characters).
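Two of these fixes come down to validating untrusted input before acting on it. The Ruby example below is added here for illustration and is not RubyGems' own code; it shows the two checks in a generic form. The first is an archive audit that refuses tar entries whose path or symlink target would land outside the extraction root, or whose path passes through a symlink created earlier in the same archive, which is the class of problem behind CVE-2019-8320. The second is a terminal sanitiser for strings that originate in gem metadata or API responses, the class of problem behind CVE-2019-8321 through CVE-2019-8325. The sample archive, the extraction root path and the helper names are constructed for the demonstration; only the stdlib tar reader/writer that ships with RubyGems is used, and nothing is written to disk.

```ruby
require "rubygems/package"
require "stringio"

EXTRACT_ROOT = "/tmp/extract-root" # assumed destination; nothing is written there

# Build a constructed tar archive in memory (not a real gem): a normal file,
# two symlinks that stay inside the extraction root, a file whose path passes
# through one of those symlinks, a symlink pointing above the root, and a
# "../" file name.
def build_sample_tar
  io = StringIO.new("".b)
  Gem::Package::TarWriter.new(io) do |tar|
    tar.mkdir "lib", 0o755
    tar.add_file("lib/hello.rb", 0o644) { |f| f.write "puts 'hi'\n" }
    tar.add_symlink "lib/alias.rb", "hello.rb", 0o644
    tar.add_symlink "lib/link", "../lib", 0o755
    tar.add_file("lib/link/sneaky.rb", 0o644) { |f| f.write "" }
    tar.add_symlink "etc", "../../outside", 0o755
    tar.add_file("../evil.rb", 0o644) { |f| f.write "" }
  end
  io.string
end

# Resolve +path+ (relative or absolute) against +base+ and require the result
# to be at or below +root+. Names starting with "~" are rejected outright,
# because File.expand_path would turn them into a home directory.
def inside_root?(root, path, base = root)
  return false if path.start_with?("~")
  root = File.expand_path(root)
  full = File.expand_path(path, base)
  full == root || full.start_with?(root + File::SEPARATOR)
end

# Classify every entry without touching the disk.
# Returns an array of [name, :ok | :rejected, reason].
def audit_tar(tar_bytes, root = EXTRACT_ROOT)
  results = []
  symlinks = [] # accepted symlink names seen so far in this archive
  Gem::Package::TarReader.new(StringIO.new(tar_bytes)) do |reader|
    reader.each do |entry|
      name = entry.full_name
      reason =
        if !inside_root?(root, name)
          "entry path escapes the extraction root"
        elsif symlinks.any? { |s| name == s || name.start_with?(s + "/") }
          "entry path passes through a symlink created by this archive"
        elsif entry.symlink?
          # The link target is resolved relative to the directory the link lives in.
          link_dir = File.dirname(File.join(root, name))
          inside_root?(root, entry.header.linkname, link_dir) ? nil : "symlink target escapes the extraction root"
        end
      symlinks << name if entry.symlink? && reason.nil?
      results << [name, reason ? :rejected : :ok, reason]
    end
  end
  results
end

# Neutralise ESC and the other C0/C1 control characters before text that came
# from gem metadata or an API response reaches a terminal. Newline and tab are
# kept; carriage return is replaced because it can overwrite a line.
def terminal_safe(text)
  text.gsub(/[\u0000-\u0008\u000b-\u001f\u007f-\u009f]/, ".")
end

if __FILE__ == $PROGRAM_NAME
  audit_tar(build_sample_tar).each { |name, verdict, reason| puts [verdict, name, reason].compact.join("  ") }
  puts terminal_safe("summary: \e[31mlooks fine\e[0m\r\n")
end
```

The audit deliberately tracks symlinks accepted earlier in the same archive: a path that only looks safe lexically can still escape once a previous entry has turned one of its parent directories into a link, so the check is on the archive as a sequence, not on each entry in isolation.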

In addition, updates to the Rails framework were released as versions 4.2.11.1, 5.0.7.2, 5.1.6.2, 5.2.2 and 6.0.0.beta3, fixing three vulnerabilities:

  • CVE-2019-5420 potentially allows remote code execution on the server when Rails is running in development mode: given some information about the targeted application, the automatically generated development-mode secret token can be predicted, and knowledge of it is enough to achieve code execution;
  • CVE-2019-5418 is a vulnerability in Action View that allows the contents of arbitrary files on the server's file system to be read by sending a specially crafted HTTP Accept header, if the application code uses a "render file:" call;
  • CVE-2019-5419 is a DoS vulnerability in Action View that allows 100% CPU load to be reached by manipulating the contents of the HTTP Accept header.
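For the two Action View issues, a defender's first question after patching is whether such Accept headers have already been arriving. The Ruby scanner below is an added example, not Rails code or part of the advisory: it reads web-server access log lines (an assumed nginx-style layout with the request's Accept header appended as the last quoted field) and flags requests whose Accept header carries a path-traversal sequence or is unusually large. The log lines and the size thresholds are constructed for the example and the helper names are my own.

```ruby
# Assumed log layout (not a Rails default): nginx combined format with the
# request's Accept header appended as a final quoted field.
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>\S+) (?<path>\S+) \S+" (?<status>\d{3}) \d+ "(?<accept>.*)"\z/

# Indicators. A legitimate Accept header is a short list of media ranges and
# never contains path separators, so "../" (raw or percent-encoded) is a clear
# signal. The size thresholds are assumed values; tune them to real traffic.
TRAVERSAL_IN_ACCEPT = %r{\.\.[/\\]|%2e%2e}i
MAX_ACCEPT_BYTES = 1024
MAX_MEDIA_RANGES = 32

# Returns the list of indicator names that fire for one Accept header value.
def accept_findings(accept)
  findings = []
  findings << :traversal_in_accept if accept.match?(TRAVERSAL_IN_ACCEPT)
  findings << :oversized_accept if accept.bytesize > MAX_ACCEPT_BYTES
  findings << :excessive_media_ranges if accept.split(",").size > MAX_MEDIA_RANGES
  findings
end

# Returns one hash per flagged request; lines that do not match the layout are skipped.
def scan_access_log(text)
  text.each_line.each_with_object([]) do |line, hits|
    m = LOG_LINE.match(line.chomp)
    next unless m
    findings = accept_findings(m[:accept])
    next if findings.empty?
    hits << { ip: m[:ip], path: m[:path], status: m[:status].to_i, findings: findings }
  end
end

# Constructed sample: a normal request, one with a traversal sequence in the
# Accept header, one with an absurdly long list of media ranges, a normal POST.
SAMPLE_LOG = [
  '203.0.113.5 - - [14/Mar/2019:10:00:01 +0000] "GET /reports/1 HTTP/1.1" 200 512 "text/html,application/xhtml+xml"',
  '203.0.113.9 - - [14/Mar/2019:10:00:02 +0000] "GET /reports/1 HTTP/1.1" 200 3021 "../../../../some/file"',
  '203.0.113.9 - - [14/Mar/2019:10:00:03 +0000] "GET /reports/1 HTTP/1.1" 500 120 "' + (["text/plain"] * 40).join(",") + '"',
  '198.51.100.7 - - [14/Mar/2019:10:00:04 +0000] "POST /login HTTP/1.1" 302 0 "*/*"',
].join("\n")

if __FILE__ == $PROGRAM_NAME
  scan_access_log(SAMPLE_LOG).each { |hit| puts hit.inspect }
end
```

A traversal hit with a 200 response on a route that uses "render file:" is worth treating as a possible disclosure rather than a blocked attempt; the status code is carried in each hit for exactly that triage.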

Ruby/RoR News Digest 8 - 14.02

A guide to Ruby concurrency, understanding Rails secrets/credentials, system tests in Rails with Minitest and other interesting things
14 February 2020

Greetings! I hope your week went great! Here's the new Ruby news digest.

Learn about automatic image moderation with Amazon Rekognition, an easy way of configuring Kubernetes for Ruby, how to migrate from a Rails API to Crystal and AWS Lambda, and check out more interesting stuff.

Guides

  • Opening The Ruby Concurrency Toolbox

This guide covers threads, fibers and guilds, with some practical comparisons.

  • Automatic image moderation using Amazon Rekognition

Amazon Rekognition detects inappropriate content in images, and it can be used from Ruby together with ActiveStorage.

  • Understanding Rails secrets/credentials

A basic guide to storing secrets and credentials so that they don't have to be kept in plaintext.

  • Rubynetes: Kubernetes config the easy way

Learn how to use Ruby with Kubernetes without writing YAML.

  • Getting Started With System Tests in Rails With Minitest

A beginner's tutorial on testing in Rails using a popular solution.

  • My Experience Migrating a Rails API to Crystal and AWS Lambda – Part I

A story that can also serve as a tutorial for migrating from a Rails API to Crystal and AWS Lambda.

Articles

  • Rails introduces disallowed deprecations in ActiveSupport

A news post with a detailed code example of the new ActiveSupport feature.

Updates

  • GitHub CLI is now in beta

GitHub's new command line tool is now available in beta.

  • The Twitter Ruby Gem

A Ruby interface for the Twitter API.

  • httplog

A helper for working with network code: it logs the outgoing HTTP requests made from Ruby.