P.S.A: A new vulnerability has been disclosed: CVE-2022-30123: Possible shell escape sequence injection vulnerability in Rack

discuss.rubyonrails.org/t/cve-

Carefully crafted requests can cause shell escape sequences to be written to the terminal via Rack’s Lint middleware and CommonLogger middleware. These escape sequences can be leveraged to possibly execute commands in the victim’s terminal.

Closing Keynote by Vaidehi Joshi talking about the socio-technical aspect of software development with their personal

Crystal Tia Martin is giving the greatest non-technical Keynote I've seen live. About people, about drama - and how to fix it or at least have a better outcome.
You can find Crystal on the bird site: nitter.it/codermeow

It's public knowledge you can't leave this conference without taking a selfie with Evan Phoenix and publishing it on your preferred social network.
So here we are.


The T-shirt I'm wearing today at the conference. I've been told it portrays Pacific Northwest culture - Oregon in particular?

"Just because you can, doesn't mean you should"

-- every single sane person in any context. And Aaron Patterson on the closing Keynote for today

If you see me in the conference, let's talk.
- the only guy with a T-shirt with no logos.

... Xavier Noria continued for almost the whole Keynote thanking everyone who was open to helping him with Zeitwerk because at the end it was a big support for the whole ruby community - not only Rails. Here Sam Saffron, Martin Schurig & Jean Boussier


Why is Xavier's keynote better?
Simple: He insists on featuring the community effort instead of making a D*H#H show.
As a proof, a few slides I was able to take where he features the work of matthewd, Rafael França, Dylan Thacker-Smith & Richard Schneeman.


I've seen this kind of code more times than I'd want to:

rescue => e
  Rails.logger.error(e)
  render json: { errors: e.message },
         status: :internal_server_error
end

Capture all the possible exceptions. Why? Is it really needed or convenient?

Do not report the error back to the client, it opens a big door to exploits.

Log everything? Looks like a good idea, but it might leak things like tokens, secrets(?) or PII.

If you see it in the wild, ask questions; there might have been a reason.
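An added example, not part of the toot, in plain Ruby standing in for a Rails controller action: the catch-all pattern above beside a hardened variant that rescues only the error classes the action expects, returns a generic body with a correlation id, and redacts token-like values before logging. RecordNotFound, the redaction regexes and the error strings are constructed for this example, not Rails' own filter_parameters machinery.

```ruby
require 'json'
require 'logger'
require 'securerandom'
require 'stringio'

# Constructed stand-in for ActiveRecord::RecordNotFound (no Rails needed to run this).
class RecordNotFound < StandardError; end

# In-memory log sink so the example is self-contained.
LOG_IO = StringIO.new
LOGGER = Logger.new(LOG_IO)

# The pattern from the toot: `rescue => e` swallows every StandardError
# (not Interrupt or NoMemoryError, which are outside StandardError),
# logs the raw message and echoes it to the client.
def leaky_action
  yield
rescue => e
  LOGGER.error(e.message)
  [500, { errors: e.message }.to_json]
end

# Redaction for log lines: key=value / key: value for token-like keys, plus Bearer tokens.
# Constructed patterns for this example; a real app would use its framework's parameter filter.
SECRET_KV = /(?<key>\b(?:token|secret|password|api_key)\w*)(?<sep>\s*[:=]\s*)(?<val>\S+)/i
BEARER    = /Bearer\s+[A-Za-z0-9._\-]+/i

def redact(text)
  text.gsub(SECRET_KV, '\k<key>\k<sep>[FILTERED]').gsub(BEARER, 'Bearer [FILTERED]')
end

# Hardened variant: rescue only what this action expects, send the client a generic
# body plus a correlation id, and log a redacted message under that same id.
def safe_action
  yield
rescue RecordNotFound
  [404, { errors: 'not found' }.to_json]
rescue StandardError => e
  error_id = SecureRandom.hex(8)
  LOGGER.error("[#{error_id}] #{e.class}: #{redact(e.message)}")
  [500, { errors: 'internal error', error_id: error_id }.to_json]
end

if $PROGRAM_NAME == __FILE__
  puts leaky_action { raise 'upstream refused token=abc123' }.inspect
  puts safe_action  { raise 'upstream refused token=abc123' }.inspect
  puts LOG_IO.string
end
```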

P.S.A: Rails has released a new version fixing some issues added in the last security release.

rubyonrails.org/2022/5/9/Rails

The new stable versions have been pushed to these

- 7.0.3
- 6.1.6
- 6.0.5
- 5.2.8

These are some of the problems I note in my review:

ruby.social/@esparta/108211719

As usual, it's recommended to test thoughtfully on your staging environments before proceeding to deploy to production.

Ruby on Rails has released v. 7.0!!

This time I had the honor & privilege to contribute with 8 commits.

I'm so grateful for maintainers and contributors who

rubyonrails.org/2021/12/15/Rai

New live coding of exercism.io with track: Matrix

This was particularly nice to do with & memoization

twitch.tv/videos/7272912

Not sure how I got into this; if you can help, it will be highly appreciated.

I'm trying to boost a toot I did on another Mastodon instance through the clients (web and @Fedilab), but I'm not seeing this toot on that profile:

fosstodon.org/@esparta/1044343

Is it related to this instance or the Fosstodon instance?

What I see is an outdated list of toots shown in the image.

Thanks!

cc @james

From time to time developers create error messages that are curious and scary.

This is from Octopi, a GUI front-end to pacman, the package manager:

[aborted]: Suspicious execution method

the explanation is buried on their website:

tintaescura.com/projects/octop

>That’s because you need to run Octopi, Octopi-Notifier and Octopi-CacheCleaner using their full path commands: “/usr/bin/octopi”, “/usr/bin/octopi-notifier” and “/usr/bin/octopi-cachecleaner”.

👻🔥💻

Ruby.social

A Mastodon instance for Rubyists & friends