Pinned post

I'm a ruby developer that typically works with data, queues, schemas, csv and json.

Recently I got involved in projects related to SAML/SSO, encryption, security, certificates and all that jazz; that was a big leap in my career.

I've been a Rubyist for the last 4 years. For the same time I've also been a US immigrant, so if you ever need it, then se habla español.

Currently based in the San Francisco Bay Area, USA.

P.S.A: A new vulnerability has been disclosed: CVE-2022-30123: Possible shell escape sequence injection vulnerability in Rack

discuss.rubyonrails.org/t/cve-

Carefully crafted requests can cause shell escape sequences to be written to the terminal via Rack’s Lint middleware and CommonLogger middleware. These escape sequences can be leveraged to possibly execute commands in the victim’s terminal.
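The advisory above is about request-controlled fields (path, query string, user agent) reaching a terminal through a logger that writes them verbatim. As an added example, not Rack's code and not the advisory's, here is the defensive counterpart: a small sanitizer that turns every control byte into a visible escape before the line is written, plus a CommonLogger-style formatter that applies it to each request field. The names sanitize_for_terminal and format_access_line and the env hash are assumptions for the example.

```ruby
# Replace every byte outside printable ASCII (control characters such as ESC,
# which starts ANSI sequences, and raw non-ASCII bytes) with a visible escape.
# The terminal then shows "\e[31m" as text instead of acting on it.
def sanitize_for_terminal(str)
  str.to_s.b.gsub(/[^\x20-\x7e]/n) do |ch|
    case ch
    when "\e" then "\\e"
    when "\n" then "\\n"
    when "\r" then "\\r"
    when "\t" then "\\t"
    else format("\\x%02X", ch.ord)
    end
  end.force_encoding(Encoding::UTF_8)
end

# Build one access-log line from a Rack-style env hash (constructed keys only:
# REMOTE_ADDR, REQUEST_METHOD, PATH_INFO, QUERY_STRING, HTTP_USER_AGENT).
# Every request-controlled field goes through the sanitizer first.
def format_access_line(env, status, length)
  addr, meth, path, qs, ua = %w[REMOTE_ADDR REQUEST_METHOD PATH_INFO QUERY_STRING HTTP_USER_AGENT]
                             .map { |k| sanitize_for_terminal(env[k]) }
  target = qs.empty? ? path : "#{path}?#{qs}"
  %(#{addr} - "#{meth} #{target}" #{status} #{length} "#{ua}")
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request carrying an ANSI colour sequence and a CRLF in fields
  # an attacker controls; the printed line contains neither raw byte.
  env = {
    "REMOTE_ADDR" => "203.0.113.5", "REQUEST_METHOD" => "GET",
    "PATH_INFO" => "/search", "QUERY_STRING" => "q=\e[31mred",
    "HTTP_USER_AGENT" => "curl/8.0\r\nnot a new line"
  }
  puts format_access_line(env, 200, 12)
end
```

The escaping is deliberately lossy for non-ASCII bytes (a UTF-8 user agent shows up as \xC3\xA9 style escapes); that is the safe default for anything that may be read on a terminal, and a log shipper that needs the original bytes can keep a structured copy instead.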

Our relationship with Rails | Shopify Engineering

piped.mha.fi/watch?v=FUy64bt54

A video where some of the Shopify engineers talk about their relationship with Ruby and with Rails.

@Kyloma Hi Casey!

Somehow my client (or instance?) didn't notify me of your follow. That's the reason I'm only saying hi today.

Closing Keynote by Vaidehi Joshi talking about the socio-technical aspect of software development with their personal

Crystal Tia Martin is giving the greatest non-technical keynote I've seen live. About people, about drama - and how to fix it or at least have a better outcome.
You can find Crystal on the bird site: nitter.it/codermeow

It's public knowledge you can't leave this conference without taking a selfie with Evan Phoenix and publishing it on your preferred social network.
So here we are.

The T-shirt I'm wearing today at the conference. I've been told it portrays Pacific Northwest culture - Oregon in particular?

"Just because you can, doesn't mean you should"

-- every single sane person in any context. And Aaron Patterson on the closing Keynote for today

If you see me in the conference, let's talk.
- the only guy with a T-shirt with no logos.

... Xavier Noria continued for almost the whole Keynote thanking everyone who was open to helping him with Zeitwerk because at the end it was a big support for the whole ruby community - not only Rails. Here Sam Saffron, Martin Schurig & Jean Boussier

Why is Xavier's keynote better?
Simple: He insists on featuring the community effort instead of making a D*H#H show.
As proof, a few slides I was able to take where he features the work of Mattewd, Rafael França, Dylan Thacker-Smith & Richard Schneeman.

Having Xavier Noria as the Opening Keynote Speaker instead of that other guy is way, way better!

It's time for here where I'm currently with all these wonderful people.

We were still learning about the security issue for rubygems when yet another vulnerability was discovered: CVE-2022-29218

github.com/rubygems/rubygems.o

This time Maciej also got another excellent piece of impact analysis:

whitesourcesoftware.com/resour

But big Mensfeld didn't stop there; he actually created a tool (a gem in the full sense of the word) to help you figure out whether your bundle was compromised:

rubygems.org/gems/bundler-inte

Please boost this toot for visibility.

I've seen this kind of code more times than I'd like:

def create
  # ... the action's real work goes here ...
rescue => e
  Rails.logger.error(e)
  render json: { errors: e.message },
         status: :internal_server_error
end

Capture all the possible exceptions. Why? Is it really needed or convenient?

Do not report the error back to the client; it opens a big door to exploits.

Log everything? Looks like a good idea, but it might leak things like tokens, secrets(?) or PII.

If you see it in the wild, ask questions; there might have been a reason.
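The three objections in that toot (catch-all rescue, error detail echoed to the client, unfiltered logging) map onto concrete changes. The following is an added example, not the original post's code and not Rails code: a plain-Ruby stand-in for a controller action that rescues only what it can explain, returns a correlation id instead of the exception message, and redacts sensitive parameters before logging. RecordInvalid, SENSITIVE_KEYS, redact and handle_request are assumed names; the key-based redaction is a simplified version of the idea behind Rails' config.filter_parameters, not its implementation.

```ruby
require "json"
require "logger"
require "stringio"

# Constructed stand-in for an expected, client-caused failure (think
# ActiveRecord::RecordInvalid); assumed name.
class RecordInvalid < StandardError; end

# Parameter keys whose values must never reach a log line. Simplified,
# standalone version of what Rails' config.filter_parameters does.
SENSITIVE_KEYS = %w[password token secret api_key ssn].freeze

# Return a copy of params with sensitive values replaced by a marker.
def redact(params)
  params.each_with_object({}) do |(key, value), out|
    sensitive = SENSITIVE_KEYS.any? { |s| key.to_s.downcase.include?(s) }
    out[key] = sensitive ? "[FILTERED]" : value
  end
end

# Run the block (the action's real work) and translate failures into an
# HTTP status plus a JSON-able body. Returns [status, body].
def handle_request(params, logger, request_id: "req-0001")
  yield
  [200, { ok: true }]
rescue RecordInvalid => e
  # Expected and caused by the client's own input: the message is safe to
  # return and there is nothing for the server side to investigate.
  logger.info("#{request_id} validation failed: #{e.message}")
  [422, { errors: e.message }]
rescue StandardError => e
  # Unexpected: keep the detail server-side (class, message, redacted params,
  # a few frames) and hand the client only a correlation id. Driver and
  # library messages often carry hostnames, SQL fragments or file paths;
  # none of that belongs in the response.
  logger.error("#{request_id} #{e.class}: #{e.message} params=#{redact(params).inspect}")
  logger.error(Array(e.backtrace).first(5).join("\n"))
  [500, { error: "internal error", request_id: request_id }]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request: a secret in the params and an infrastructure
  # failure in the action. The client output shows neither.
  log = Logger.new($stderr)
  status, body = handle_request({ "user" => "bob", "password" => "hunter2" }, log) do
    raise "could not connect to server at db.internal:5432"
  end
  puts "#{status} #{JSON.generate(body)}"
end
```

The request id is what lets support staff find the full entry later, which is the usual reason people wanted e.message in the response in the first place. Key-based redaction still misses secrets embedded inside values (a connection string in an exception message, for instance), so treat the log itself as sensitive data with its own access controls.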

Please take a moment to review this excellent analysis related to the recent vulnerability found on rubygems.org: CVE-2022-29176

The document written by Maciej Mensfeld will give you a better understanding of what happened and a very accurate conclusion about the impact on the whole Ruby library ecosystem.

Maciej has been working for years securing the full supply chain related to rubygems and now has the support of White Source to have even better infrastructure.

whitesourcesoftware.com/resour

P.S.A: Rails has released new versions fixing some issues introduced in the last security release.

rubyonrails.org/2022/5/9/Rails

The new stable versions that have been pushed are these:

- 7.0.3
- 6.1.6
- 6.0.5
- 5.2.8

These are some of the problems I noted in my review:

ruby.social/@esparta/108211719

As usual, it's recommended to test thoughtfully on your staging environments before proceeding to deploy to production.

Esparta :ruby: boosted

JShelter 0.10 was released today! Several new protections and bug fixes can be found in this release that will help protect your privacy while browsing. u.fsf.org/3lb #JShelter #SoftwareFreedom #FreeJS

Ruby.social

A Mastodon instance for Rubyists & friends