Category Archives: ruby

automated patching against SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664)

Suppose you have a server with multiple rubies, rvms, gemsets, etc…

Manually finding and patching all affected activerecord-gems would be pretty cumbersome.

The following script does the job for you:

#!/usr/bin/env ruby

SEARCH_DIR = "/" # by default search the entire filesystem
ACTIVERECORD_GEM_VERSIONS = ['2.3','3.0','3.1','3.2']
'2.3' => '',
'3.0' => '',
'3.1' => '',
'3.2' => '',

#1. Find all activerecord 2.3.x, 3.0.x, 3.1.x, 3.2.x gems on this machine
gem_paths = {}
puts "Searching for activerecord gems inside #{SEARCH_DIR} ... "
gem_paths[version] = `find #{SEARCH_DIR} -path '*/gems/activerecord*' -name 'activerecord-#{version}.*' -type d`.split("\n")
puts "Found the following activerecord gems for version #{version}:"
puts gem_paths[version]

#2. Download the 4 patches here
puts "Downloading the patches ... "
`wget -O patch-#{version}.patch --no-check-certificate #{PATCHES[version]}`
puts " ... done"

#3. Apply the patches
gem_paths[version].each do |gem|
puts "--------------------------\nApplying patch for gem #{gem}"
puts `cd '#{gem}'; patch -tN -p2 < '#{File.expand_path(File.dirname(__FILE__))+"/patch-"+version+".patch"}'` end end

This script searches for affected activerecord gems, downloads the required patches and applies them individually.

You might need to run it as root, and it could take a while searching your entire filesystem...
If you know where all your gems are located change the
SEARCH_DIR = "/yougemrepository"

Tested on linux, freebsd

romanian translation for spree_i18n

Are you using spreecommerce?

We too ๐Ÿ™‚

We just completed a romanian translation for spree, it’s available in the “official” spree_i18n-gem.
Take a look at our translation we just commited:

To use it in your rails app, simply:
1. Add the following to your Gemfile
gem 'spree_i18n', :git => 'git://'

2. Insert the following line in you config/application.rb

module Spreee
class Application < Rails::Application ... config.i18n.default_locale = :ro end end

3. bundle install - ศ™i gata ๐Ÿ™‚

simple but effective usecase – attr_accessible in rails 3.1

We have the following situation:

A rails 3.1 – project we are working on

We have a model called recipe, we want to allow access for mass assignment for a limited set of attributes for “normal users”, and for all attributes for the users with the “admin” role.

This can be done as follows:

class Recipe < ActiveRecord::Base attr_accessible :attr1, :attr2, :attr3 attr_accessible :attr1, :attr2, :attr3, :attr4, :attr5, :as => :admin

This way attr4 and attr 5 will be accessible using mass-assignment only by the admin role….

But in our case we want ALL attributes to be accessible to the admin role, we do not want to write a long and complete list of all attributes. This would save us a lot of work in case we decide to create new attributes using migrations for example.

So we found out we can use the method attribute_names and the splat operator(*) to dynamically create a list of all attribute of that class which can be passed as parameters to the attr_accessible call.

class Recipe < ActiveRecord::Base attr_accessible :attr1, :attr2, :attr3 attr_accessible *attribute_names, :as => :admin

And it works just fine ๐Ÿ™‚

Note: if you want to include also all has_many, has_one, has_and_belongs_to_many relations/associations you can use something like this

attr_accessible *(attribute_names + reflect_on_all_associations.collect(&:name)), :as => :admin

ruby Date, DateTime to Time conversion

Sometimes I needed to convert a Date or a DateTime object to it’s Time-class equivalent.

Note that Date can be converted to Time without loosing “a lot of information”.

However, in a lot of cases we do not care about these details – we just need a method that conversion.

You can paste the following snippet in your ruby-code – tested with ruby 1.8.7 (2010-08-16 patchlevel 302)

class Date
  def to_time    
    usec = self.respond_to?("sec_fraction")? (self.sec_fraction * 60 * 60 * 24 * (10**6)).to_i : nil    
    h = self.respond_to?("hour")? self.hour : nil
    m = self.respond_to?("min")? self.min : nil
    s = self.respond_to?("sec")? self.sec : nil
    Time.local(self.year, self.month,, h, m, s, usec)

This enables you to write: