
Mass vulnerability in Ruby projects

A report has been published on a widespread vulnerability pattern in Ruby projects: anchoring input-validation regular expressions with ^ at the start and $ at the end instead of \A and \z .

The problem is that in Ruby ^ and $ are line anchors: they match immediately after or immediately before any newline ( \n ) inside the string, not only at the string's ends. A value that contains a newline can therefore carry arbitrary content past a check that was meant to validate the whole string, which opens the door for injections.
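The following Ruby snippet is an added example, not code from the original post or from any of the projects it mentions. It puts a typical ^/$ URL check next to its \A/\z counterpart and runs both over constructed attacker input, and it also shows why the capital \Z is only a half-fix. The URL pattern, the input strings and the function names are illustrative assumptions.

```ruby
# Added example, not from the original post. Shows why a "whitelist" regexp
# anchored with ^ and $ can be bypassed in Ruby, and how \A / \z close the gap.
# The URL format and the attacker inputs below are constructed for illustration.

# Common mistake: ^ and $ are LINE anchors in Ruby (always, unlike Perl, Python
# or JavaScript without the m flag). They match right after or right before
# any "\n" inside the string, not only at the string's ends.
WEAK_URL = /^https?:\/\/[\w.\/-]+$/

# Hardened form: \A is the start of the string, \z is the very end of it.
STRICT_URL = /\Ahttps?:\/\/[\w.\/-]+\z/

# \Z (capital) is a half-fix: it also matches before a single trailing "\n",
# so "https://x\n" still passes. Prefer the lowercase \z.
TRAILING_NL_URL = /\Ahttps?:\/\/[\w.\/-]+\Z/

def weak_valid?(str)
  WEAK_URL.match?(str)
end

def strict_valid?(str)
  STRICT_URL.match?(str)
end

def trailing_nl_valid?(str)
  TRAILING_NL_URL.match?(str)
end

# Constructed inputs: a benign URL and attacker-controlled values where a
# well-formed URL occupies one line and a payload occupies another.
BENIGN           = "https://example.com/avatar.png"
PAYLOAD_BEFORE   = "javascript:alert(1)\nhttps://example.com/avatar.png"
PAYLOAD_AFTER    = "https://example.com/avatar.png\n<script>alert(1)</script>"
TRAILING_NEWLINE = "https://example.com/avatar.png\n"

# Runs every input through all three checks so the differences are visible.
def compare(inputs = [BENIGN, PAYLOAD_BEFORE, PAYLOAD_AFTER, TRAILING_NEWLINE])
  inputs.map do |s|
    {
      input:     s,
      weak:      weak_valid?(s),        # ^/$   : passes every input above
      strict:    strict_valid?(s),      # \A/\z : passes only BENIGN
      capital_z: trailing_nl_valid?(s)  # \A/\Z : also passes TRAILING_NEWLINE
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  compare.each { |row| puts row.inspect }
end
```

Run it with `ruby anchors.rb`: only the \A/\z pattern rejects all three hostile inputs. Note that Rails 4.0 and later refuse a `^`/`$`-anchored regexp in `validates ... format: { with: ... }` unless `multiline: true` is passed explicitly, but that guard covers only the validator, not regexps used elsewhere in application code.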



Although the official Ruby on Rails security guide warns of this danger, the mistake is still found in some 90% of Ruby projects, judging by examples from GitHub, Scribd, Tumblr and other services.
As with the earlier Rails case, one can argue about whether this is a bug or the "expected behavior" of the language. But if most developers get it wrong because of such a "feature", why not change how Ruby's regular expressions handle these anchors?

Source: https://habr.com/ru/post/144139/
