Get Hack from Github and talk about Rails Security (Mass-assignment)

The invasion of Github is currently gaining popularity in foreign development circles. It seems that there is no message in the Chinese circle. Let me report what happened. By the way, I want to introduce one of the concepts that need to be paid attention to when developing Rails code ..

 

What happened?

The Rails master is congested by a hacker. To prove that Github can be intruded.

Why will this happen (the origin of the dispute)

There is a Russian Hacker: homakov to the Github issue page of Rails, and an issue is reported.

It is claimed that many Rails developers who are "below moderate" have not provided attr_accessible protection in the model for any website development, which may cause many security problems.

Rails officials should design a mechanism to force everyone to "use" attr_accessible.

Because the write code fortress attr_accessible is considered by most developers as a "common sense 」. So this issue was quickly disabled by Rails core team. His opinion is that this is not a Rails issue, but a developer issue. (Normal people will make such a reaction)

The Hacker was angry when he thought that he was good at reporting but was ignored.

So! He Hack Github to prove this is true.

He not only used this vulnerability to plug in commit in rails/rails, but also opened the previously disabled issue in the same way.

So now we are shocked by the world !... XDDDDD

Why does this happen (profiling Rails) from the Rails Form Mechanism

Rails adheres to the spirit of Don't Repeat Yourself and combines Form Helper directly with the Model column to save a lot of time for developers to write forms. This is a clever practice.

<%= form_for @post do |f| %> <%= f.text_field :title %> <%= f.text_area :content %>  <%= f.sumbit "Submit" %> <% end %> After the form is sent out, It is compressed into a Hash like params [: post. The controller directly maps to the Model through the massive-assignment technique.

class PostController < ApplicationController  def create  @post = current_user.posts.build(params[:post])  if @post.save  # do something  else  # do another thing  end  end end This is a mechanism that has existed since the birth of Rails.

Other developers who do not know Rails criticized it as an insecure design and therefore refused to use Rails. The bar is exposed and known, making them very uncomfortable.

If the user permission is guessed to use user. is_admin as the boolean value, isn't it dangerous? When I modify the Personal Information Page, can I upgrade myself to admin by using the fake DOM?

Rails built-in security defense measures

Rails does not have to design defense measures against this issue. There are two groups of model APIs: attr_accessible and attr_protected. This is actually the design of whitelist and blacklist.

Adding attr_accessible to the model can block all the values passed in by massive assignement and only open the field you want to fill in.

class Post < ActiveRecord::Base  attr_accessible :title, :content end

The attr_protected mechanism is totally opposite. Built-in attr_accessible for well-known authentication plugins

This is also because user. is_admin is the code written by almost all lazy developers. As a result, many well-known authentication plug-ins, such as devise and restful-authentication, have evolved for a long time ..., Attr_accessible will be added to the User model (You may not be aware of it, because it may be a feature that is inserted through the include Module ).

Because it is a hidden built-in defense, many developers who are not experienced enough will be fully protected by this automatic defense. When designing and modifying the user information function, the form is usually okay, however, XDDD cannot be changed except for the password and email.

The User model automatically defends against attacks. What about other models?

Good question! This is the issue with Github. Strictly speaking, it is not a rails/rails error at all,It is the error of a developer in Github who is scolded for mid/junior level.. Hacker has no protection against other models.

Hacker also wants to prove that even Github will make such a mistake to make such an event happen.

What should I do when I see the Github event?

Please go home and read these two sets of model APIs: attr_accessible and attr_protected.

And check whether there is a similar problem in your project: Generally, the points that are easy to be attacked are related to relation. That is, check the xxxxx_id part.

Scoped Mass Assignment

This is the new feature added to Rails 3.1: scoped mass assignment, feature.

I also recommend that you read.

Current solution of Rails core team

Master Yahuda Katz (wycats) has drafted a new proposal and left it in Hacker News for discussion. It should probably be near Rails core in the near future or released in the form of plugin.

My personal feelings

In fact, I saw a bunch of people say that Github was Hacked last night, and I thought it was okay after chasing several discussion strings, because for me, it should indeed be the hacker who thinks it is necessary to remind everyone, but this is a trivial matter for most Rails developers, and it is not worth making such a fuss.

As a result, the angry Hacker attacked Github, and Github was still motivated by a developer who made a low-level mistake. But I still think there is nothing...

Xss v. S. Massive Assignment

After waking up, I found out that it was not correct. In fact, this should be used in comparison with auto escape: XSS is the most common attack to design Web applications.

The reason for XSS is that developers are allowed to open their own content and then read it out without protection. Hacker will exploit this vulnerability and write it into harmful JavaScript to attract users. The correct method should be: After the content is read, it must be filtered out using html_escape.

The problem is that html_escape cannot be filtered, and developers are not so powerful. writing any piece of code will add h (content) in self-discipline ). Finally, Rails core is hard to think about. After Rails 3.0, follow Django's design and escape is used to read content. The escape is not required unless necessary.

I think this massive assignment issue should be handled in comparison...

Additional reading:

Overseas lazy package: GitHub and Rails: You have let us all down.

The 37 Signals practice given by DHH: https://gist.github.com/1975644

Posted by xditeMar 5th, 2012