Notes from RailsConf Europe 2008

Debugging & Testing the Web Tier

• Description; by Neal Ford, Slides

• Browser-related

  • You can run multiple instances of IE for testing: tredosoft
  • It’s handy to use separate Firefox profiles for testing (run with -profilemanager)

• Firefox extensions

  • Firebug
  • Web Developer
  • Venkman JS Debugger

• Firebug

  • Instead of using alert(): Log to firebug console: console.log("test")
  • Inspect elements / css
  • Change css on the fly
  • On-the-fly interpretation of JavaScript in Firebug console: Consider using JSUnit instead

• JavaScript is real code which should be tested, especially because js is hard to get right and has many pitfalls.

• jsunit:

  • JavaScript library
  • Runs in the browser, tests are written in html files: Examples
  • Test runner is html, runs in the browser
  • Cross-browser / distributed testing: JsUnit Server is a Java server program for running tests locally or remotely (even with different OS and browsers installed)

• Nice quote: “One test is worth a 1000 words.”

• Approaches to running tests faster / mocking

  • crosscheck -> mocks user, server, dom; implemented in java, js runs in rhino => test without a browser, js is emulated via profiles.
  • JSSpec modeled after RSpec, currently work in progress, incomplete

• Selenium: Browser based user acceptance tests

  • Originally created by Thoughtworks, browser robot implemented in JavaScript

  • Running modes:

    • test runner mode: selenium core (test runner) is deployed with the application, simulates user interactions with the dom
    • remote control: proxy server which adds selenium core to the site
    • Selenium IDE selenium core is added via browser plug-in, also supports recording test cases

  • test suite / test cases are saved in html format but can be exported to other languages

  • contain actions navigating through sites using locators (find elements by id, name, xpath, …), assertions

Security on Rails

• Description; Jonathan Weiss (Peritor GmbH)

• Deactivate server informationen headers

• Make sure you don’t serve .svn / .git metadata

• Cookies: Make sure the key for session cookie storage is secret - especially dangerous for open source projects, once the key is in the repository, everybody can fake sessions

• Cross-Site Scripting

  • Escape with Rails h-method <%=h @test %>, auto-escaping using safeERB or XSS shield
  • Formatting allowed: Markup languages (RedCloth, Markdown) are not secure -> filter output with Rails (since 2.0!) sanitize() helper (filters html and removes everything dangerous/hacks)
  • Tidy strictly filters (options output_xhtml, escape_cdata, hide_comments) anything not XHTML (possible hacks)

• Session Fixation: External link with given session id to spy on the then known session id -> reset_session on login/logout (user gets new session whenever authenticated)

• Cross-Site Request Forgery (<img src="http://my.bank/transfer?to=bob&amount=1000"/> in malicious site)

  • Only using POST? -> doesn’t help, can be called via js / flash
  • Since Rails 2.0: protect_from_forgergy -> hidden token field is added to forms automatically (Use GET only for safe things, forms will have an expiration date when this is used)

• SQL injection

  • Always use escaped form for SQL (:conditions => ["username = ?", params[:username]])
  • Escape other strings

• JavaScript Hijacking

  • Data loaded via JSON can be hijacked (script-Tag + by redefining Array)
  • Make JSON responses invalid javascript
  • Use unguessable URLs

• Mass Assignment

  • update_attributes on ActiveRecord objects => all attributes can be updated theoretically (think ?admin=true)
  • Use attr_protected (=attribute is not set via mass assignment) or attr_accessible (_only_ attr_accessible attributes are set via mass assignment) - more info

• Plugins might have problems

  • Monitor security-relevant changes in used plugins via blogs, changelogs
  • Review plugins for maturity, stability, security
  • Use Vendor Branch Management, like Piston or Braid

• DoS

  • Because of limited Rails instances it’s quite easy, especially when Rails is handling up-/downloads
  • Serve static files through the web server
  • Contaminate slow requests (separate clusters), redirect depending on url (apache or separate proxy), so not the whole site is affected on DoS attacks

• Common Rails Security Problems

Rails stuff

• AASM - State machines for Ruby classes
• Subdomains on Rails: SubdomainFu
• Hosting whole applications (slices) in a rails application: Rails Engines, Desert, tiny_apps
• Overwriting base class methods from mixed-in Modules in Rails: alias_method_chain

JS stuff

• tooltip.js
• Libraries for compressing web files: JSMIN, cssmin, PackR

Ruby stuff

• Library to test Java code with JRuby: Mocha
• Slides for Meta-programming Ruby for Fun & Profit: Many examples for meta-programming capabilities of Ruby
• Record / replay of methods can be done using meta programming, helps to use BlankSlate instead of Object for this (which only has send, id methods)

Schulungen

• git (07.10.2010 - 08.10.2010, Essen)
• Eclipse RCP (28.03.2011 - 01.04.2011, Dortmund)

Ruby

• Ruby Regular Expression API cheat sheet
• Testing hoe gem projects with rspec
• Ruby String helpers: indent, to_javadoc, markdown, pygmentize
• Notes from RailsConf Europe 2008