RailsConf 2013

Transcript

1. None

2. -- José Valim Zoolander

3. Keynote: Ă Dev conferences, round tables, serving spaghetti with one

   chop stick on each side of each person. Boutique hotel, the doub le tree.

4. Volatile! Michael Lopp talked about volatile outlets.

5. | James Duncan Davidson talked about the world being pipes

6. DHH dropped some F-bombs

7. F- DHH dropped some F-bombs

8. Sprinkle of JS! I’m last so I have the last

   word, I can troll all the rest of the keynote speakers and there is nothing they can do. Told DHH it was good that he spoke first so I could troll him with no rebuttal. Yehuda sprinkled us with JavaScript

9. Node.JS

10. Aaron Patterson

11. @tenderlove

12. /(Ruby|Rails) Core Team/

13. enterprise gem https://github.com/tenderlove/enterprise

14. AT&T, AT&T logo and all AT&T related marks are trademarks

    of AT&T Intellectual Property and/or AT&T affiliated companies.

15. [email protected]

16. None
17. None
18. None

19. LOL NO

20. Inverse Spam Protection™

21. None

22. Job Title: Corey Haines

23. None

24. Job Title: Senior Facebook Integration Engineer Elect

25. I build bridges with software.

26. Job Title: Senior Software Architect I build bridges with software.

27. None
28. None

29. Blue Ink

30. Expense Reports

31. Concur

32. Concur PDF

33. Concur Email PDF

34. Concur Fax Email PDF

35. PDF Concur Fax Email PDF

36. PDF Concur Fax Email PDF

37. I don’t work weekends, buddy. Fax machine doesn’t work on

    weekends.

38. Concur

39. Concur PDF

40. Concur PDF Email

41. Concur PDF Email

42. Concur Email PDF Email

43. Concur Fax Email PDF Email

44. PDF Concur Fax Email PDF Email

45. PDF Concur Fax Email PDF Email

46. When I previewed the fax in the expense reporting system,

    there were tons of these at the bottom.

47. When I previewed the fax in the expense reporting system,

    there were tons of these at the bottom.

48. Rube Goldberg Expense Reporting System We actually hired Rube Goldberg

    to design the system back in the day.

49. Interfaces & Adapters It’s kind of genius because there was

    a legacy system, the fax machine, they needed to support. People want Email, so we give them the email interface, but it actually just adapts to the existing code Imagine being in the meeting where they decided to do this.

50. I <3 my job!

51. Talk about some of our services.

52. ☑Adequate Everything. Adequately. Talk about some of our services.

53. “You get what we think you paid for”

54. Disrupt Space

55. Disrupt the Space of Space Disruption

56. Disrupt the Space of Space Disruption

57. SEO Optimization To understand SEO, we must understand the search

    engine. It says Search Engine Optimization Optimization, but that is what we do.

58. First Search Engine First search engines were invented in 1547

    and were steam powered.

59. Invented in holland and came to the united states along

    with Lief Erikson (who later went on to invent cell phones). In the US they were improved to be gasoline powered with pistons. You can tell this bit of history from the names.

60. Invented in holland and came to the united states along

    with Lief Erikson (who later went on to invent cell phones). In the US they were improved to be gasoline powered with pistons. You can tell this bit of history from the names.

61. Invented in holland and came to the united states along

    with Lief Erikson (who later went on to invent cell phones). In the US they were improved to be gasoline powered with pistons. You can tell this bit of history from the names.

62. Leif Erikson

63. Leif Erikson (Later invented Cell Phones)

64. Google The number of pistons their search engine has.

65. Yahoo! The sound the exhaust system for the engine makes.

66. Bing The sound of a broken engine.

67. By shouting, we can actually improve the performance of the

    search engine. Back when shouting at machines actually did something.

68. By shouting, we can actually improve the performance of the

    search engine. Back when shouting at machines actually did something.

69. Alexander Searchkeyword This lead to search engine dowsers. They would

    use dowsing rods to find the right keywords from dictionaries and shout them at the search engine.

70. Alexander Searchkeyword This lead to search engine dowsers. They would

    use dowsing rods to find the right keywords from dictionaries and shout them at the search engine.

71. Doing Client Work. For a small fee, I will come

    to your house, read your web page, and dowse the right keywords for the search engine

72. New Stuff in Rails Security Open Source Software

73. New Stuff

74. I wanted to head West.

75. None

76. Me: 2003

77. Me: 2003

78. Caching: SOLVED

79. def halts?(code) # ... end ActiveSupport.halts?(‘your code’) AS.halts? Rails core

    is pushing the boundaries of computer science.

80. def halts?(code) # ... end ActiveSupport.halts?(‘your code’) AS.halts? SOLVED! Rails

    core is pushing the boundaries of computer science.

81. Rails.queue

82. Using the Queue job = MyJob.new Rails.queue << job

83. Consumer Thread.new { while job = Rails.queue.pop job.run end }

84. Problems.

85. None

86. “What about exceptions?”

87. “What about exceptions?” “It’s queue specific.”

88. None

89. “What about serialization?”

90. “What about serialization?” “It’s queue specific.”

91. None

92. “What about job construction?”

93. “What about job construction?” “It must be marshallable.”

94. Job Construction user = User.find 1 job = Job.new user

    Rails.queue << job

95. Job Construction user = User.find 1 job = Job.new user

    Rails.queue << job NOPE

96. Job Construction user = User.find 1 job = Job.new user.id

    Rails.queue << job

97. Job Definition class Job def initialize(user_id) @user_id = user_id end

    def run user = User.find @user_id # .... end end

98. Too Many Open Questions.

99. Rails.queue

100. None
101. None

102. F-

103. minitest/spec

104. describe "whatever" do setup do # ... end it "does

     some stuff" do 1.must_equal 1 end describe "some other stuff" do it "does some other stuff" do 'foo'.must_match /foo/ end end end This is what a minitest/ spec looks like. It looks very similar to RSpec, but it isn’t.

105. class SomeTest < ActiveSupport::TestCase setup { # ... } test

     "some thing" do # ... end end Rails Tests Here is a Rails test with some of the DSL features that Rails adds on.

106. MiniTest::Spec class SomeTest < MiniTest::Spec setup { # ... }

     it "some thing" do # ... end end If we compare this to a minitest/spec test, it looks very similar.

107. Refactor class SomeTest < MiniTest::Spec class << self alias :test

     :it end setup { # ... } test "some thing" do # ... end end We can make the appropriate change to minitest/spec and now it looks exactly the same.

108. AS::TestCase class ActiveSupport::TestCase < MiniTest::Spec class << self alias :test

     :it end end class SomeTest < ActiveSupport::TestCase setup { # ... } test "some thing" do # ... end end The cool thing is that it’s 100% backwards compatible. Works exactly the same as minitest/unit.

109. mt/spec superclass > MiniTest::Spec.ancestors => [MiniTest::Spec, MiniTest::Unit::TestCase, ... ]

110. Free goodies! describe "whatever" do it "does some stuff" do

     1.must_equal 1 end describe "some other stuff" do it "does some other stuff" do 'foo'.must_match /foo/ end end end

111. “I don’t like the aesthetic”

112. “I don’t like the aesthetic”

113. minitest/spec

114. None
115. None

116. F-

117. Someone Talked!

118. TurboLinks

119. TurboLinks I kid, I kid!

120. New Stuff Stuff that hasn’t been deleted (yet)

121. Streaming Responses

122. Example class BrowserController < ApplicationController include ActionController::Live def index 100.times

     do response.stream.write "hello!\n" end response.stream.close end end

123. Example class BrowserController < ApplicationController include ActionController::Live def index 100.times

     do response.stream.write "hello!\n" end response.stream.close end end Mix in Stream
124. None

125. Server Sent Events

126. Puma Browser FS-Events FS Events When the FS changes, it

     tells the webserver, webserver tells the browser All in the same process.

127. Puma Browser FS-Events FS Events When the FS changes, it

     tells the webserver, webserver tells the browser All in the same process.

128. Puma Browser FS-Events FS Events When the FS changes, it

     tells the webserver, webserver tells the browser All in the same process.

129. Puma Browser Console DRB DB Events When a model changes,

     a message is sent via DRB running in the Puma process. That also notifies the browser.

130. Puma Browser Console DRB DB Events Socket When a model

     changes, a message is sent via DRB running in the Puma process. That also notifies the browser.

131. PG UUID PK

132. create_table(:foos, id: :uuid) do |t| # ... end Generates a

     unique ID rather than sequential. We can easily partition based on this ID.

133. create_table(:foos, id: :uuid) do |t| t.hstore “my_stuff” end HStore too!

134. Faster Tests* *they’re not actually faster (well, they might be)

     Look at the speed improvement, then talk about how it works.

135. 3.2.x $ time rake test [snip] real 0m4.756s user 0m4.147s

     sys 0m0.582s

136. 4.0.0.beta $ time rake test [snip] real 0m1.934s user 0m1.701s

     sys 0m0.224s

137. Speed 0 1.25 2.5 3.75 5 Time 3.2 4.0

138. Where is the bottleneck?

139. Rails 3.2 (1 test) $ time ruby -I lib:test test/functional/

     line_items_controller_test.rb real 0m1.733s user 0m1.518s sys 0m0.203s

140. Rails 4.0 (1 test) $ time ruby -I lib:test test/controllers/

     line_items_controller_test.rb real 0m1.753s user 0m1.535s sys 0m0.208s

141. Environment $ time ruby -Ilib:test:. -rconfig/ environment -e ' '

     real 0m1.442s user 0m1.255s sys 0m0.179s Require the environment, and do nothing. Loads the application.

142. Sample Test Task # Rakefile Rake::TestTask.new do |t| t.libs <<

     "test" t.verbose = true t.warning = true end

143. Test Run /Users/aaron/.rbenv/versions/2.1.0-dev/bin/ruby -w -I"lib:test" -I"/Users/aaron/.rbenv/versions/2.1.0-dev/lib/ruby/ gems/2.1.0/gems/rake-10.0.4/lib" \ "/Users/aaron/.rbenv/versions/2.1.0-dev/lib/ruby/ gems/2.1.0/gems/rake-10.0.4/lib/rake/

     rake_test_loader.rb" \ "test/test*.rb"

144. Test Run /Users/aaron/.rbenv/versions/2.1.0-dev/bin/ruby -w -I"lib:test" -I"/Users/aaron/.rbenv/versions/2.1.0-dev/lib/ruby/ gems/2.1.0/gems/rake-10.0.4/lib" \ "/Users/aaron/.rbenv/versions/2.1.0-dev/lib/ruby/ gems/2.1.0/gems/rake-10.0.4/lib/rake/

     rake_test_loader.rb" \ "test/test*.rb"

145. `rake test` runs Ruby twice. How does this relate to

     Rails?

146. Rake + Rails

147. `rake test:units` Rakefile shells out ruby test/**/*_test

148. `rake test:units` Rakefile shells out ruby test/**/*_test

149. `rake test:units` Rakefile shells out ruby test/**/*_test App Load

150. `rake test:units` Rakefile shells out ruby test/**/*_test App Load

151. `rake test:units` = 2 * app load time

152. `rake test` = 4 * app load time

153. Multiple Loads

154. None

155. Just Require task :test do Dir['test/**/*_test'].each do |file| require file

     end end

156. Challenges

157. Switching Environments

158. Your app is a singleton

159. What env is `rake`?

160. Change the env before app load If it loosk like

     you’re running a test task, then change the env to the test env.

161. Migrations $ rake test You have 1 pending migrations: 20130401175825

     CreateUsers Run `rake db:migrate` to update your database then try again.

162. Real Solution: Remove Singleton R ails 4.1

163. Security * I am not a security expert

164. Security * I am not a security expert I just

     pretend :’(

165. I hate Security * I am not a security expert

     Wasted money, wasted effort. Tiny percentage of people are ruining it for everyone.

166. Ok, I don’t hate Security * I am not a

     security expert I don’t want people’s sites to be hacked.

167. “Security is a process” - Bruce Schneier Security is iterative,

     but we’ll talk about something much more pedestrian which is the actual process

168. Rails Security Process

169. Process 1. [email protected] 2. < 24hr response 3. Analyze and

     Patch 4. Obtain CVE 5. Release

170. Analyze and Patch Determine severity, figure out which versions are

     impacted, create backports and include version info for CVE.

171. Secrecy We keep issues secret until release because it takes

     time to find impacted versions, make fixes, information must be through official channels.

172. Symbol DoS

173. Symbols are not GC’d At a high level, there are

     strings coming in to the system, and Rails is converting them to symbols. I’ll show you two popular methods for getting strings converted to symbols.

174. Max Symbol Size irb(main):002:0> ("x" * 1024).to_sym; nil => nil

     irb(main):003:0> ("x" * 1000024).to_sym; nil => nil irb(main):004:0> ("x" * 10000000024).to_sym; nil ^C^C^C^CKilled: 9
175. None

176. 34%

177. 5.59GB 34%

178. Max Symbol Size irb(main):001:0> ("x" * 100000024).to_sym; nil => nil

     irb(main):002:0> ("x" * 1000000024).to_sym; nil => nil irb(main):003:0> Tried again, and this worked.

179. The sky is the limit with memory consumption.

180. 1.04GB The sky is the limit with memory consumption.

181. Foreign Entry Bugs that people reported to us.

182. XML params <root> <something type=”symbol”> This Becomes a Symbol </something>

     </root>

183. XML params <root> <something type=”symbol”> This Becomes a Symbol </something>

     </root>
184. None

185. F-

186. Active Record def index User.where(params[:foo]) end In the controller there

     is something like this. Someone posts JSON so the params are automatically converted to a hash, and the strings are converted to symbols
187. None

188. F-

189. Detection

190. assert_difference('Symbol.all_symbols.count', 0) do # some code end Symbol.all_symbols Helps if

     there is a specific place you know to check for symbols in your system.

191. ruby$target:::symbol-create { @_[copyinstr(arg1), arg2] = count(); } DTrace This will

     give you an aggregate of where the symbols are created.

192. rubygems/specification.rb 39 17 rubygems.rb 1073 22 enc/encdb.bundle 0 204 rubygems.rb

     1070 307

193. YAML RCE

194. Any Foreign Objects Are Bad Talk about YAML, but having

     any foreign objects injected to your system is incredibly bad.

195. User.where(params[:foo]) def where(hash_or_obj) if hash_or_obj.respond_to?(:xxx) # Do something dangerous else

     # escape the hash params end end

196. Fundamentals

197. A Hash > puts Psych.dump("foo" => "bar") --- foo: bar

198. A Hash Subclass > class Foo < Hash; end >

     x = Foo.new > x[:y] = "hello" > puts Psych.dump x --- !ruby/hash:Foo :y: hello

199. Creating a Hash hash = Hash.new hash[key] = value

200. Creating a Hash Subclass hash = Foo.new hash[key] = value

201. Exploitation

202. Troubled Code class Helpers def initialize @module = Module.new end

     def []=(key, value) @module.module_eval <<-END_EVAL def #{value}(*args) # ... other stuff end END_EVAL end end Have essentially this in rails where helpers are defined.

203. Exploit --- !ruby/hash:Helpers foo: |- mname; end; puts 'hello!'; def

     oops Here is the YAML we can use to exploit this. Tell the parser to load a hash with the class Helpers

204. Exploit --- !ruby/hash:Helpers foo: |- mname; end; puts 'hello!'; def

     oops Here is the YAML we can use to exploit this. Tell the parser to load a hash with the class Helpers

205. Exploit --- !ruby/hash:Helpers foo: |- mname; end; puts 'hello!'; def

     oops Here is the YAML we can use to exploit this. Tell the parser to load a hash with the class Helpers

206. Parser calls []= obj['foo'] = "mname; end; puts 'hello!'; def

     oops"

207. Eval’d code def mname; end; puts 'hello!'; def oops(*args) #

     ... other stuff end

208. Eval’d code def mname end puts 'hello!' def oops(*args) #

     ... other stuff end
209. None

210. F-

211. Foreign Entry

212. XML params <root> <something type=”yaml”> --- this is parsed </something>

     </root>

213. XML params <root> <something type=”yaml”> --- this is parsed </something>

     </root>
214. None

215. F- F- F-

216. XML params <root> <something type=”xml”> &lt;yodawg&gt; I heard you like

     XML &lt;/yodawg&gt; </something> </root>
217. None

218. I hate Security * I am not a security expert

219. No Beta Releases

220. Bearer of Bad News “Hey guys, you’re gonna laugh when

     you hear this, but someone can execute arbitrary Ruby code on your system”

221. No SemVer

222. F: interesting arel behavior change that led to our email

     debacle this morning Me: huh? Me: email debacle? F: oh boy F: interesting thing is that it happened because of an arel behavior change in one of the recent 3.x security bumps

223. 3.2.12 User.where(:id => 10) .find(100) `users`.`id` = 10 AND `users`.`id`

     = 100 User.where(:id => 10) .find_by_id(100) `users`.`id` = 10 AND `users`.`id` = 100 Empty Model User.where(:id => 10) .find(100) `users`.`id` = 10 AND `users`.`id` = 100 User.where(:id => 10) .find_by_id(100) `users`.`id` = 100 Default Scope Model

224. 3.2.12 User.where(:id => 10) .find(100) `users`.`id` = 10 AND `users`.`id`

     = 100 User.where(:id => 10) .find_by_id(100) `users`.`id` = 10 AND `users`.`id` = 100 Empty Model User.where(:id => 10) .find(100) `users`.`id` = 10 AND `users`.`id` = 100 User.where(:id => 10) .find_by_id(100) `users`.`id` = 100 Default Scope Model

225. 3.2.12 User.where(:id => 10) .find(100) `users`.`id` = 10 AND `users`.`id`

     = 100 User.where(:id => 10) .find_by_id(100) `users`.`id` = 10 AND `users`.`id` = 100 Empty Model User.where(:id => 10) .find(100) `users`.`id` = 10 AND `users`.`id` = 100 User.where(:id => 10) .find_by_id(100) `users`.`id` = 100 Default Scope Model
226. None

227. User.where(:id => 10).find(100) Stored as a symbol, other is stored

     as a string.

228. User.where(:id => 10).find(100) Stored as a symbol, other is stored

     as a string.

229. User.where(:id => 10).find(100) Stored as a symbol, other is stored

     as a string.

230. 3.2.13 User.where(:id => 10) .find(100) `users`.`id` = 10 AND `users`.`id`

     = 100 User.where(:id => 10) .find_by_id(100) `users`.`id` = 10 AND `users`.`id` = 100 Empty Model User.where(:id => 10) .find(100) `users`.`id` = 100 User.where(:id => 10) .find_by_id(100) `users`.`id` = 100 Default Scope Model

231. Secrecy XML symbol issue lead to the YAML issue. Can’t

     tell people to stop because I’ll give legitimacy. Painful to watch
232. None

233. F- F- F- F- F- F-

234. Open Source * I am not an open source expert

235. First Open Source Lingua NameCase, classmates namecasing registrants correctly.

236. Getting Serious Mechanize, buying tickets for Lord of the Rings.

     2005

237. Getting a Job Presentation to my boss about tools that

     I’ve written for my team mates.
238. None

239. Managing Burnout

240. ͜Μʹͪ͸ɺ Θ͕ͨࣾ͠௕Ͱ͢ɻ I think he only speaks Japanese.

241. None
242. None
243. None
244. None
245. None

246. Support Group

247. Wife

248. Rails Core Swear and curse but they put up with

     me.

249. Coworkers

250. Aggressively trim Negativity Remove negative people from social media.

251. FOCUS on the future Talking about the past only results

     in blaming, talking about the present divides people, separating in to groups (like this VM has a better GC, this VM is faster) Focusing on the future is what brings us together and pushes life forward.

252. Mamba Time

253. My Weight

254. Health Walk. Go to 7-11, find gummies, start buying them

     every week. One day the guy says “hey! Mamba Time!” I am the guy that buys gummy bears. I will be the best damn gummy candy buyer ever.

255. Find your Mamba Time Contributing impacts people whether or not

     you know it. You need to find that thing, and stick to that thing.

256. Be the Best Mamba Timer Once you find it, be

     the best at it you can be.

257. THANK YOU!

258. None

259. F-