Secure coding with Ruby on Rails 6: TLS
The transmission of sensitive information in cleartext is number six on the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors. Sending data without encryption becomes a security issue when nobody but the receiver is supposed to be able to read the included information and the data is sent over an open network like the [...]
How to troubleshoot Problems in Server Setups, Rails Apps or any other Config or Code Problem
This post might be interesting for all people who are faced with strange problems like this: “Yesterday it worked. Now it’s broken” or “It works on my machine (and it does not in production)”.
I’m sure that all programmers and sysadmins have had an incident like this in their lives. I’ve had a lot of these [...]
Matching elements on complex web pages with Webrat
Writing feature, integration, or acceptance tests with Webrat is a lot easier with simple web pages than with huge pages that provide a lot of content. It can get really annoying to find the correct links or buttons to click. The same applies to matching content elements on complex pages in order to evaluate whether [...]
Writing good stories
One of the biggest problems in software development has nothing to do with coding. It is about communication, the “code monkey versus software artist problem”.
Business people tend to specify as much as possible, but often lack the necessary knowledge of the technical details. From their point of view software developers are code monkeys who are [...]
Secure coding with Ruby on Rails 5: OS command injection
OS command injection is ranked number five on the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors listing. It means extending input that is meant to be used as a parameter for a shell command with malicious shell commands. This is possible since operating systems like UNIX support the execution of several commands in one [...]
Continuous releasing with git
Agile software development can be seen as heavily influenced by the open-source world. In 1996 Eric S. Raymond described two different models of open-source-software (OSS) development in his essay The Cathedral and the Bazaar. Back then OSS was crafted like a cathedral, i.e. an exclusive group of developers was releasing source code when a [...]
Secure coding with Ruby on Rails 4: Cross-site scripting (XSS)
A Failure to Preserve Web Page Structure, which is number four on the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors, is a programming error that makes an application vulnerable to cross-site scripting (XSS). For XSS an attacker injects malicious content into the output of a web application, loading code from an external resource which [...]
Secure coding with Ruby on Rails 3: SQL injection
Number three on the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors is Improper Sanitization of Special Elements used in an SQL Command, which can lead to the possibility of SQL injection.
If an application is vulnerable to SQL injection, an attacker can add SQL commands to input values in order to manipulate the behavior of [...]
Secure coding with Ruby on Rails 2: Output escaping
While input validation prevents the malicious manipulation of an application by users, proper output data escaping prevents failures in other applications which receive the generated data, but lack input validation.
Improper encoding or escaping of output is therefore number two on the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors. A popular example for this [...]
File uploads with webrat in Ruby on Rails 2.0.2
Webrat supports file upload in web forms with the method attach_file. Due to a lack of multipart form support for integration tests in Action Pack 2.0.2, this does not work with Rails 2.0.2.
It was added in version 2.1, but for those who are still using 2.0.2, with the following code you can upgrade the [...]
