Rails core - Nov 2013 - Remove :js responder

https://github.com/rails/rails/issues/12374#issuecomment-29446761

Here in discussion I proposed to deprecate JS responder because this 
technique is insecure and not pragmatic way to transfer data.
It can be exploited in this 
way http://homakov.blogspot.com/2013/05/do-not-use-rjs-like-techniques.html

i find this bug very often so i know what i''m talking about. With it 
attacker can steal user data and authenticity_token if templates with form 
were leaked too.



-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

On Thu, Nov 28, 2013 at 12:41:37AM -0800, Egor Homakov
wrote:
> https://github.com/rails/rails/issues/12374#issuecomment-29446761
> 
> Here in discussion I proposed to deprecate JS responder because this 
> technique is insecure and not pragmatic way to transfer data.
> It can be exploited in this 
> way http://homakov.blogspot.com/2013/05/do-not-use-rjs-like-techniques.html
> 
> i find this bug very often so i know what i''m talking about. With
it
> attacker can steal user data and authenticity_token if templates with form 
> were leaked too.
Removing it seems fine to me, but I suppose we should deprecate it
first.  Don''t people need to specifically say "render js:
whatever"?

I think 100% of "render js:" cases can be implemented using JSON.  But
maybe I am wrong.

-- 
Aaron Patterson
http://tenderlovemaking.com/

-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

A lot of people use the js responder with ujs, but there are often bugs
with how jQuery handles the automatic code execution of js ajax responses,
so I agree, it''s something I wouldn''t mind deprecating.

One reason people tend to use js responders is to use js.erb to embed
values from ruby into the returned js, but I think a better way to do this
is to use json and HTML data attributes to embed values when necessary.
On Nov 28, 2013 3:49 PM, "Aaron Patterson"
<tenderlove@ruby-lang.org> wrote:
> On Thu, Nov 28, 2013 at 12:41:37AM -0800, Egor Homakov wrote:
> > https://github.com/rails/rails/issues/12374#issuecomment-29446761
> >
> > Here in discussion I proposed to deprecate JS responder because this
> > technique is insecure and not pragmatic way to transfer data.
> > It can be exploited in this
> > way
> http://homakov.blogspot.com/2013/05/do-not-use-rjs-like-techniques.html
> >
> > i find this bug very often so i know what i''m talking about.
With it
> > attacker can steal user data and authenticity_token if templates with
> form
> > were leaked too.
>
> Removing it seems fine to me, but I suppose we should deprecate it
> first.  Don''t people need to specifically say "render js:
whatever"?
>
> I think 100% of "render js:" cases can be implemented using JSON.
But
> maybe I am wrong.
>
> --
> Aaron Patterson
> http://tenderlovemaking.com/
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ruby on Rails: Core" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to rubyonrails-core+unsubscribe@googlegroups.com.
> To post to this group, send email to rubyonrails-core@googlegroups.com.
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/groups/opt_out.
>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

I am not against removing this (I personally don''t have use for this
anymore), but the reason behind the removal this seems unclear to me.

If it''s just "let''s remove this because no one uses this
anymore" (and if
that''s true), or "Rails want to discourage this type of
architecture in
favour of moving these type of processing to the client", then fine. But I
am not sure if I fully understand the security angle here.

Specifically, in Egor''s blog post:


1. *"Broken concept & architecture. This feels as weird as the
client-side
sending code that is going to be evaled on the server-side... wait... Rails
programmers had similar thing for a while :/"*

But in the context of a web application, by definition you are
always sending JavaScript code from your server to be eval()-ed in the
client (browser) :) Whether the code is in /assets/javascript or in your
controller, there''s really no difference here.

So I''ll have to assume you are talking about eval()-ing code that
contains
user-supplied data that''s bad. Which is fair enough, considering
there''s
usually a safer way to do this (encoding the user-supplied data as JSON
first).

But as Andrew pointed out on the Github issue, there might be legitimate
use cases for using this to return code that does NOT contain user-supplied
data. I think those use cases needs to be understood properly (and we need
to investigate/suggest alternatives for those cases) to ensure we are not
removing a useful feature just because it''s subject to abuse.


2. *"**Escaping user content and putting it into Javascript can be more
painful and having more pitfalls then normal HTML escaping. ... **There can
be more special characters and XSS you should care about.**"*

Is this not already adequately addressed by the escaping helpers Rails
provide? If so, regardless of whether we remove the js responder, those
issues should be reported and fixed in Rails itself. I just opened
https://github.com/rails/rails/pull/13073 yesterday to patch json_escape to
make it useful again (please provide feedback), and I plan to submit
another PR to improve the docs on escape_javascript to make the intended
use cases more clear.

If it is already possible to correctly escape input for use in the JS
responder, just that it''s difficult to do it correctly, the problem
might
not lie in the JS responder pre-se and we should take this opportunity to
address them.

3. *"JSONP-like data leaking. If app accepts GET request and responds with
Javascript containing private data in it attacker can use fake JS functions
to leak data from the response."*

I assume you are talking about CSRF attacks where a page on a third-party
domain can make requests to your site on your user''s behalf. But like
you
said, this problem also exists in JSONP. In fact, it''s probably much
easier
to exploit this in JSONP (because you can control the name of the callback)
than a JS response that updates a certain part of the page. So I''m not
sure
if this is really JS responder''s fault. And like Andrew said, in his
use
case there''s nothing to leak.

Maybe I am not understanding this point correctly. If you can provide some
examples based on the apps you see in the field it will be very helpful.

4. *"UPD as pointed out on HN evaling response will mess with your global
namespace and there is no way to jump into closure you created request
in.."*

(I suppose this is not related to security.)

If you are doing a lot you should definitely architect your client-side
JavaScript properly, that I agree 100% (I mainly write full-blown single
page apps these day for my day job, so believe me when I say we are in
agreement :). But in cases where you are delivering a small, simple payload
to update a small part of the page, I don''t know if that''s
super evil and
should be strongly discouraged.

I don''t do this, so I''m not really in a good position to
defend it. Again,
maybe it''s just a case of "no one uses this anymore so
it''s not worth
supporting", and that''s fine by me. But you brought up security,
so I want
to make sure we address your concerns properly.

Godfrey



On Thu, Nov 28, 2013 at 1:02 PM, Steve Schwartz <steve@alfajango.com>
wrote:
> A lot of people use the js responder with ujs, but there are often bugs
> with how jQuery handles the automatic code execution of js ajax responses,
> so I agree, it''s something I wouldn''t mind deprecating.
>
> One reason people tend to use js responders is to use js.erb to embed
> values from ruby into the returned js, but I think a better way to do this
> is to use json and HTML data attributes to embed values when necessary.
>  On Nov 28, 2013 3:49 PM, "Aaron Patterson"
<tenderlove@ruby-lang.org>
> wrote:
>
>> On Thu, Nov 28, 2013 at 12:41:37AM -0800, Egor Homakov wrote:
>> > https://github.com/rails/rails/issues/12374#issuecomment-29446761
>> >
>> > Here in discussion I proposed to deprecate JS responder because
this
>> > technique is insecure and not pragmatic way to transfer data.
>> > It can be exploited in this
>> > way
>> http://homakov.blogspot.com/2013/05/do-not-use-rjs-like-techniques.html
>> >
>> > i find this bug very often so i know what i''m talking
about. With it
>> > attacker can steal user data and authenticity_token if templates
with
>> form
>> > were leaked too.
>>
>> Removing it seems fine to me, but I suppose we should deprecate it
>> first.  Don''t people need to specifically say "render js:
whatever"?
>>
>> I think 100% of "render js:" cases can be implemented using
JSON.  But
>> maybe I am wrong.
>>
>> --
>> Aaron Patterson
>> http://tenderlovemaking.com/
>>
>> --
>> You received this message because you are subscribed to the Google
Groups
>> "Ruby on Rails: Core" group.
>> To unsubscribe from this group and stop receiving emails from it, send
an
>> email to rubyonrails-core+unsubscribe@googlegroups.com.
>> To post to this group, send email to rubyonrails-core@googlegroups.com.
>> Visit this group at http://groups.google.com/group/rubyonrails-core.
>> For more options, visit https://groups.google.com/groups/opt_out.
>>
>  --
> You received this message because you are subscribed to the Google Groups
> "Ruby on Rails: Core" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to rubyonrails-core+unsubscribe@googlegroups.com.
> To post to this group, send email to rubyonrails-core@googlegroups.com.
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/groups/opt_out.
>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

I believe the primary use case for js responder is remote forms, where you 
are not doing the request yourself, so a js response is the simplest and 
most natural approach there.  This is not inherently insecure so should not 
be deprecated just because it does not feel good to some.

On Thursday, November 28, 2013 3:49:40 PM UTC-5, Aaron Patterson
wrote:
>
> On Thu, Nov 28, 2013 at 12:41:37AM -0800, Egor Homakov wrote: 
> > https://github.com/rails/rails/issues/12374#issuecomment-29446761 
> > 
> > Here in discussion I proposed to deprecate JS responder because this 
> > technique is insecure and not pragmatic way to transfer data. 
> > It can be exploited in this 
> > way 
> http://homakov.blogspot.com/2013/05/do-not-use-rjs-like-techniques.html 
> > 
> > i find this bug very often so i know what i''m talking about.
With it
> > attacker can steal user data and authenticity_token if templates with 
> form 
> > were leaked too. 
>
> Removing it seems fine to me, but I suppose we should deprecate it 
> first.  Don''t people need to specifically say "render js:
whatever"?
>
> I think 100% of "render js:" cases can be implemented using JSON.
But
> maybe I am wrong. 
>
> -- 
> Aaron Patterson 
> http://tenderlovemaking.com/ 
>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

A lot of the proposed issues aren''t really too bad IMO,
they''re mainly just related to one developer''s preferences and
taste over another. I personally don''t think returning JS from an ajax
call is much (if any) worse than returning HTML. It''s all just your
server rendering some markup/code for the browser to interpret.

However, from the UJS side, the main issue with using JS as the response, is
that the user has no control over the exact context of the automatic eval being
done by jQuery, or exactly when during the callback sequence the code is
eval''d. This actually caused code to break at one point due to a jQuery
update, which would cause issues if your returned JS replaced the element that
triggered the UJS remote (ajax) call. See:

https://github.com/rails/jquery-ujs/issues/223#issuecomment-2791098

That being said, I''m not necessarily in the "we should deprecate
this" camp. I''m somewhat indifferent. Deprecation means one less
thing to maintain (and would allow me to delete all of one line in UJS).

-- Steve Schwartz


On Thursday, November 28, 2013 at 4:45 PM, Alex wrote:
> I believe the primary use case for js responder is remote forms, where you
are not doing the request yourself, so a js response is the simplest and most
natural approach there.  This is not inherently insecure so should not be
deprecated just because it does not feel good to some.
> 
> On Thursday, November 28, 2013 3:49:40 PM UTC-5, Aaron Patterson wrote:
> > On Thu, Nov 28, 2013 at 12:41:37AM -0800, Egor Homakov wrote: 
> > > https://github.com/rails/rails/issues/12374#issuecomment-29446761
> > > 
> > > Here in discussion I proposed to deprecate JS responder because
this
> > > technique is insecure and not pragmatic way to transfer data. 
> > > It can be exploited in this 
> > > way
http://homakov.blogspot.com/2013/05/do-not-use-rjs-like-techniques.html
> > > 
> > > i find this bug very often so i know what i''m talking
about. With it
> > > attacker can steal user data and authenticity_token if templates
with form
> > > were leaked too. 
> > 
> > Removing it seems fine to me, but I suppose we should deprecate it 
> > first.  Don''t people need to specifically say "render
js: whatever"?
> > 
> > I think 100% of "render js:" cases can be implemented using
JSON.  But
> > maybe I am wrong. 
> > 
> > -- 
> > Aaron Patterson 
> > http://tenderlovemaking.com/ 
> -- 
> You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
> To unsubscribe from this group and stop receiving emails from it, send an
email to rubyonrails-core+unsubscribe@googlegroups.com
(mailto:rubyonrails-core+unsubscribe@googlegroups.com).
> To post to this group, send email to rubyonrails-core@googlegroups.com
(mailto:rubyonrails-core@googlegroups.com).
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/groups/opt_out.
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

About the HTML rendering use case, I would point out that it could be 
adequately solved using render_to_string, and IMHO more elegantly, since 
the related JS could be included in the assets, and so organized toghether 
with the other JS source. 

I can''t think about use cases where RJS is preferable over render
:json,
does anyone do?

Il giorno giovedì 28 novembre 2013 22:42:26 UTC+1, Godfrey Chan ha
scritto:
>
> I am not against removing this (I personally don''t have use for
this
> anymore), but the reason behind the removal this seems unclear to me.
>
> If it''s just "let''s remove this because no one uses
this anymore" (and if
> that''s true), or "Rails want to discourage this type of
architecture in
> favour of moving these type of processing to the client", then fine.
But I
> am not sure if I fully understand the security angle here.
>
> Specifically, in Egor''s blog post:
>
>
> 1. *"Broken concept & architecture. This feels as weird as the 
> client-side sending code that is going to be evaled on the server-side... 
> wait... Rails programmers had similar thing for a while :/"*
>
> But in the context of a web application, by definition you are 
> always sending JavaScript code from your server to be eval()-ed in the 
> client (browser) :) Whether the code is in /assets/javascript or in your 
> controller, there''s really no difference here.
>
> So I''ll have to assume you are talking about eval()-ing code that
contains
> user-supplied data that''s bad. Which is fair enough, considering
there''s
> usually a safer way to do this (encoding the user-supplied data as JSON 
> first).
>
> But as Andrew pointed out on the Github issue, there might be legitimate 
> use cases for using this to return code that does NOT contain user-supplied
> data. I think those use cases needs to be understood properly (and we need 
> to investigate/suggest alternatives for those cases) to ensure we are not 
> removing a useful feature just because it''s subject to abuse.
>
>
> 2. *"**Escaping user content and putting it into Javascript can be
more
> painful and having more pitfalls then normal HTML escaping. ... **There 
> can be more special characters and XSS you should care about.**"*
>
> Is this not already adequately addressed by the escaping helpers Rails 
> provide? If so, regardless of whether we remove the js responder, those 
> issues should be reported and fixed in Rails itself. I just opened 
> https://github.com/rails/rails/pull/13073 yesterday to patch json_escape 
> to make it useful again (please provide feedback), and I plan to submit 
> another PR to improve the docs on escape_javascript to make the intended 
> use cases more clear.
>
> If it is already possible to correctly escape input for use in the JS 
> responder, just that it''s difficult to do it correctly, the
problem might
> not lie in the JS responder pre-se and we should take this opportunity to 
> address them.
>
> 3. *"JSONP-like data leaking. If app accepts GET request and responds 
> with Javascript containing private data in it attacker can use fake JS 
> functions to leak data from the response."*
>
> I assume you are talking about CSRF attacks where a page on a third-party 
> domain can make requests to your site on your user''s behalf. But
like you
> said, this problem also exists in JSONP. In fact, it''s probably
much easier
> to exploit this in JSONP (because you can control the name of the callback)
> than a JS response that updates a certain part of the page. So I''m
not sure
> if this is really JS responder''s fault. And like Andrew said, in
his use
> case there''s nothing to leak.
>
> Maybe I am not understanding this point correctly. If you can provide some 
> examples based on the apps you see in the field it will be very helpful.
>
> 4. *"UPD as pointed out on HN evaling response will mess with your
global
> namespace and there is no way to jump into closure you created request 
> in.."*
>
> (I suppose this is not related to security.)
>
> If you are doing a lot you should definitely architect your client-side 
> JavaScript properly, that I agree 100% (I mainly write full-blown single 
> page apps these day for my day job, so believe me when I say we are in 
> agreement :). But in cases where you are delivering a small, simple payload
> to update a small part of the page, I don''t know if
that''s super evil and
> should be strongly discouraged.
>
> I don''t do this, so I''m not really in a good position to
defend it. Again,
> maybe it''s just a case of "no one uses this anymore so
it''s not worth
> supporting", and that''s fine by me. But you brought up
security, so I want
> to make sure we address your concerns properly.
>
> Godfrey
>
>
>
> On Thu, Nov 28, 2013 at 1:02 PM, Steve Schwartz
<st...@alfajango.com<javascript:>
> > wrote:
>
>> A lot of people use the js responder with ujs, but there are often bugs
>> with how jQuery handles the automatic code execution of js ajax
responses,
>> so I agree, it''s something I wouldn''t mind
deprecating.
>>
>> One reason people tend to use js responders is to use js.erb to embed 
>> values from ruby into the returned js, but I think a better way to do
this
>> is to use json and HTML data attributes to embed values when necessary.
>>  On Nov 28, 2013 3:49 PM, "Aaron Patterson"
<tende...@ruby-lang.org<javascript:>>
>> wrote:
>>
>>> On Thu, Nov 28, 2013 at 12:41:37AM -0800, Egor Homakov wrote:
>>> >
https://github.com/rails/rails/issues/12374#issuecomment-29446761
>>> >
>>> > Here in discussion I proposed to deprecate JS responder
because this
>>> > technique is insecure and not pragmatic way to transfer data.
>>> > It can be exploited in this
>>> > way 
>>>
http://homakov.blogspot.com/2013/05/do-not-use-rjs-like-techniques.html
>>> >
>>> > i find this bug very often so i know what i''m talking
about. With it
>>> > attacker can steal user data and authenticity_token if
templates with
>>> form
>>> > were leaked too.
>>>
>>> Removing it seems fine to me, but I suppose we should deprecate it
>>> first.  Don''t people need to specifically say "render
js: whatever"?
>>>
>>> I think 100% of "render js:" cases can be implemented
using JSON.  But
>>> maybe I am wrong.
>>>
>>> --
>>> Aaron Patterson
>>> http://tenderlovemaking.com/
>>>
>>> --
>>> You received this message because you are subscribed to the Google 
>>> Groups "Ruby on Rails: Core" group.
>>> To unsubscribe from this group and stop receiving emails from it,
send
>>> an email to rubyonrails-co...@googlegroups.com <javascript:>.
>>> To post to this group, send email to
rubyonra...@googlegroups.com<javascript:>
>>> .
>>> Visit this group at
http://groups.google.com/group/rubyonrails-core.
>>> For more options, visit https://groups.google.com/groups/opt_out.
>>>
>>  -- 
>> You received this message because you are subscribed to the Google
Groups
>> "Ruby on Rails: Core" group.
>> To unsubscribe from this group and stop receiving emails from it, send
an
>> email to rubyonrails-co...@googlegroups.com <javascript:>.
>> To post to this group, send email to
rubyonra...@googlegroups.com<javascript:>
>> .
>> Visit this group at http://groups.google.com/group/rubyonrails-core.
>> For more options, visit https://groups.google.com/groups/opt_out.
>>
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

I am -1 for deprecating the js responders

Personally I find using the js.erb templates much easier, more DRY and more
expressive then returning a HTML string as a JSON element.  Any JavaScript
in the js.erb should be specific to initializing the rendered HTML and
would exist in the event handler of the AJAX call anyways, so having it in
the assets seems of little benefit.  All the reusable code should live in
the assets either way.

It does not seem like removing it provides any benefit to the people who
would prefer to use all JSON.  So, other than forcing a preference on the
community, why deprecate it?




On Thu, Nov 28, 2013 at 7:34 PM, Maurizio De Santis <
desantis.maurizio@gmail.com> wrote:
> About the HTML rendering use case, I would point out that it could be
> adequately solved using render_to_string, and IMHO more elegantly, since
> the related JS could be included in the assets, and so organized toghether
> with the other JS source.
>
> I can''t think about use cases where RJS is preferable over render
:json,
> does anyone do?
>
> Il giorno giovedì 28 novembre 2013 22:42:26 UTC+1, Godfrey Chan ha scritto:
>>
>> I am not against removing this (I personally don''t have use
for this
>> anymore), but the reason behind the removal this seems unclear to me.
>>
>> If it''s just "let''s remove this because no one
uses this anymore" (and if
>> that''s true), or "Rails want to discourage this type of
architecture in
>> favour of moving these type of processing to the client", then
fine. But I
>> am not sure if I fully understand the security angle here.
>>
>> Specifically, in Egor''s blog post:
>>
>>
>> 1. *"Broken concept & architecture. This feels as weird as the
>> client-side sending code that is going to be evaled on the
server-side...
>> wait... Rails programmers had similar thing for a while :/"*
>>
>> But in the context of a web application, by definition you are
>> always sending JavaScript code from your server to be eval()-ed in the
>> client (browser) :) Whether the code is in /assets/javascript or in
your
>> controller, there''s really no difference here.
>>
>> So I''ll have to assume you are talking about eval()-ing code
that
>> contains user-supplied data that''s bad. Which is fair enough,
considering
>> there''s usually a safer way to do this (encoding the
user-supplied data as
>> JSON first).
>>
>> But as Andrew pointed out on the Github issue, there might be
legitimate
>> use cases for using this to return code that does NOT contain
user-supplied
>> data. I think those use cases needs to be understood properly (and we
need
>> to investigate/suggest alternatives for those cases) to ensure we are
not
>> removing a useful feature just because it''s subject to abuse.
>>
>>
>> 2. *"**Escaping user content and putting it into Javascript can be
more
>> painful and having more pitfalls then normal HTML escaping. ... **There
>> can be more special characters and XSS you should care about.**"*
>>
>> Is this not already adequately addressed by the escaping helpers Rails
>> provide? If so, regardless of whether we remove the js responder, those
>> issues should be reported and fixed in Rails itself. I just opened
>> https://github.com/rails/rails/pull/13073 yesterday to patch
json_escape
>> to make it useful again (please provide feedback), and I plan to submit
>> another PR to improve the docs on escape_javascript to make the
intended
>> use cases more clear.
>>
>> If it is already possible to correctly escape input for use in the JS
>> responder, just that it''s difficult to do it correctly, the
problem might
>> not lie in the JS responder pre-se and we should take this opportunity
to
>> address them.
>>
>> 3. *"JSONP-like data leaking. If app accepts GET request and
responds
>> with Javascript containing private data in it attacker can use fake JS
>> functions to leak data from the response."*
>>
>> I assume you are talking about CSRF attacks where a page on a
third-party
>> domain can make requests to your site on your user''s behalf.
But like you
>> said, this problem also exists in JSONP. In fact, it''s
probably much easier
>> to exploit this in JSONP (because you can control the name of the
callback)
>> than a JS response that updates a certain part of the page. So
I''m not sure
>> if this is really JS responder''s fault. And like Andrew said,
in his use
>> case there''s nothing to leak.
>>
>> Maybe I am not understanding this point correctly. If you can provide
>> some examples based on the apps you see in the field it will be very
>> helpful.
>>
>> 4. *"UPD as pointed out on HN evaling response will mess with your
>> global namespace and there is no way to jump into closure you created
>> request in.."*
>>
>> (I suppose this is not related to security.)
>>
>> If you are doing a lot you should definitely architect your client-side
>> JavaScript properly, that I agree 100% (I mainly write full-blown
single
>> page apps these day for my day job, so believe me when I say we are in
>> agreement :). But in cases where you are delivering a small, simple
payload
>> to update a small part of the page, I don''t know if
that''s super evil and
>> should be strongly discouraged.
>>
>> I don''t do this, so I''m not really in a good position
to defend it.
>> Again, maybe it''s just a case of "no one uses this
anymore so it''s not
>> worth supporting", and that''s fine by me. But you brought
up security, so I
>> want to make sure we address your concerns properly.
>>
>> Godfrey
>>
>>
>>
>> On Thu, Nov 28, 2013 at 1:02 PM, Steve Schwartz
<st...@alfajango.com>wrote:
>>
>>> A lot of people use the js responder with ujs, but there are often
bugs
>>> with how jQuery handles the automatic code execution of js ajax
responses,
>>> so I agree, it''s something I wouldn''t mind
deprecating.
>>>
>>> One reason people tend to use js responders is to use js.erb to
embed
>>> values from ruby into the returned js, but I think a better way to
do this
>>> is to use json and HTML data attributes to embed values when
necessary.
>>>  On Nov 28, 2013 3:49 PM, "Aaron Patterson"
<tende...@ruby-lang.org>
>>> wrote:
>>>
>>>> On Thu, Nov 28, 2013 at 12:41:37AM -0800, Egor Homakov wrote:
>>>> >
https://github.com/rails/rails/issues/12374#issuecomment-29446761
>>>> >
>>>> > Here in discussion I proposed to deprecate JS responder
because this
>>>> > technique is insecure and not pragmatic way to transfer
data.
>>>> > It can be exploited in this
>>>> > way
http://homakov.blogspot.com/2013/05/do-not-use-rjs-like-
>>>> techniques.html
>>>> >
>>>> > i find this bug very often so i know what i''m
talking about. With it
>>>> > attacker can steal user data and authenticity_token if
templates with
>>>> form
>>>> > were leaked too.
>>>>
>>>> Removing it seems fine to me, but I suppose we should deprecate
it
>>>> first.  Don''t people need to specifically say
"render js: whatever"?
>>>>
>>>> I think 100% of "render js:" cases can be implemented
using JSON.  But
>>>> maybe I am wrong.
>>>>
>>>> --
>>>> Aaron Patterson
>>>> http://tenderlovemaking.com/
>>>>
>>>> --
>>>> You received this message because you are subscribed to the
Google
>>>> Groups "Ruby on Rails: Core" group.
>>>> To unsubscribe from this group and stop receiving emails from
it, send
>>>> an email to rubyonrails-co...@googlegroups.com.
>>>> To post to this group, send email to
rubyonra...@googlegroups.com.
>>>>
>>>> Visit this group at
http://groups.google.com/group/rubyonrails-core.
>>>> For more options, visit
https://groups.google.com/groups/opt_out.
>>>>
>>>  --
>>> You received this message because you are subscribed to the Google
>>> Groups "Ruby on Rails: Core" group.
>>> To unsubscribe from this group and stop receiving emails from it,
send
>>> an email to rubyonrails-co...@googlegroups.com.
>>> To post to this group, send email to rubyonra...@googlegroups.com.
>>>
>>> Visit this group at
http://groups.google.com/group/rubyonrails-core.
>>> For more options, visit https://groups.google.com/groups/opt_out.
>>>
>>
>>  --
> You received this message because you are subscribed to the Google Groups
> "Ruby on Rails: Core" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to rubyonrails-core+unsubscribe@googlegroups.com.
> To post to this group, send email to rubyonrails-core@googlegroups.com.
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/groups/opt_out.
>


-- 
Scott Johnson

-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

>Maybe I am not understanding this point correctly. If you can provide some 
examples based on the apps you see in the field it will be very helpful.

I found this leaking on Redmine, Gitlab and Spree + tons of client apps i 
audit. 


On Thursday, November 28, 2013 3:41:37 PM UTC+7, Egor Homakov
wrote:
>
> https://github.com/rails/rails/issues/12374#issuecomment-29446761
>
> Here in discussion I proposed to deprecate JS responder because this 
> technique is insecure and not pragmatic way to transfer data.
> It can be exploited in this way 
> http://homakov.blogspot.com/2013/05/do-not-use-rjs-like-techniques.html
>
> i find this bug very often so i know what i''m talking about. With
it
> attacker can steal user data and authenticity_token if templates with form 
> were leaked too.
>
>
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

Focus on security concern. I repeat  - any GET accessible .js.erb IS a 
vulnerability because leaks all data it has inside. 
All "i use it because it''s fast/convenient" means nothing if
it''s a
vulnerable technique. IMO  

On Thursday, November 28, 2013 3:41:37 PM UTC+7, Egor Homakov
wrote:
>
> https://github.com/rails/rails/issues/12374#issuecomment-29446761
>
> Here in discussion I proposed to deprecate JS responder because this 
> technique is insecure and not pragmatic way to transfer data.
> It can be exploited in this way 
> http://homakov.blogspot.com/2013/05/do-not-use-rjs-like-techniques.html
>
> i find this bug very often so i know what i''m talking about. With
it
> attacker can steal user data and authenticity_token if templates with form 
> were leaked too.
>
>
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

Normally can be exploited this way:

function $(){ return {html: function(){
console.log(''LEAKED'',arguments);}}};
document.write(''<script
src="http://SITE/objects.js"></script>'')


On Thursday, November 28, 2013 3:41:37 PM UTC+7, Egor Homakov
wrote:
>
> https://github.com/rails/rails/issues/12374#issuecomment-29446761
>
> Here in discussion I proposed to deprecate JS responder because this 
> technique is insecure and not pragmatic way to transfer data.
> It can be exploited in this way 
> http://homakov.blogspot.com/2013/05/do-not-use-rjs-like-techniques.html
>
> i find this bug very often so i know what i''m talking about. With
it
> attacker can steal user data and authenticity_token if templates with form 
> were leaked too.
>
>
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

Not only are js.erb templates not deprecated, they are a great way to 
develop an application with Ajax responses where you can reuse your 
server-side templates. It''s fine to explore ways to make this more
secure
by default, but the fundamental development style of returning JS as a 
response is both architecturally sound and an integral part of Rails. So 
that''s not going anywhere.

So let''s instead explore ways of having better escaping tools,
warnings, or
defaults that''ll work with the wonders of RJS.

-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

@dhh as i mentioned above for GET request this will always be a security 
breach. So leaving it for POST only? Doesn''t make sense.
Also https://twitter.com/homakov/status/406426491937759232

On Friday, November 29, 2013 10:11:06 PM UTC+7, DHH
wrote:
>
> Not only are js.erb templates not deprecated, they are a great way to 
> develop an application with Ajax responses where you can reuse your 
> server-side templates. It''s fine to explore ways to make this more
secure
> by default, but the fundamental development style of returning JS as a 
> response is both architecturally sound and an integral part of Rails. So 
> that''s not going anywhere.
>
> So let''s instead explore ways of having better escaping tools,
warnings,
> or defaults that''ll work with the wonders of RJS.
>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

On Friday, November 29, 2013 10:27:15 PM UTC+7, Egor Homakov
wrote:
>
> @dhh as i mentioned above for GET request this will always be a security 
> breach. So leaving it for POST only? Doesn''t make sense.
> Also https://twitter.com/homakov/status/406426491937759232
>
> On Friday, November 29, 2013 10:11:06 PM UTC+7, DHH wrote:
>>
>> Not only are js.erb templates not deprecated, they are a great way to 
>> develop an application with Ajax responses where you can reuse your 
>> server-side templates. It''s fine to explore ways to make this
more secure
>> by default, but the fundamental development style of returning JS as a 
>> response is both architecturally sound and an integral part of Rails.
So
>> that''s not going anywhere.
>>
>> So let''s instead explore ways of having better escaping tools,
warnings,
>> or defaults that''ll work with the wonders of RJS.
>>
>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

Right, I agree that if used incorrectly this be a vector for CSRF attacks. But
like you said, this is also a problem for JSONP, which is by far way more
popular. So unless we also remove JSONP there problem you are complaining
is still there, no?

Maybe we should improve the documentation to point out that you should not
be using cookies to authenticate "private" JSONP/JS endpoints? Perhaps
we
can make it easier to do token-based authentication for API requests?

Because personally I don''t see JSONP going away.

Godfrey


On Fri, Nov 29, 2013 at 2:55 AM, Egor Homakov <homakov@gmail.com> wrote:
> Focus on security concern. I repeat  - any GET accessible .js.erb IS a
> vulnerability because leaks all data it has inside.
> All "i use it because it''s fast/convenient" means
nothing if it''s a
> vulnerable technique. IMO
>
>
> On Thursday, November 28, 2013 3:41:37 PM UTC+7, Egor Homakov wrote:
>
>> https://github.com/rails/rails/issues/12374#issuecomment-29446761
>>
>> Here in discussion I proposed to deprecate JS responder because this
>> technique is insecure and not pragmatic way to transfer data.
>> It can be exploited in this way http://homakov.blogspot.
>> com/2013/05/do-not-use-rjs-like-techniques.html
>>
>> i find this bug very often so i know what i''m talking about.
With it
>> attacker can steal user data and authenticity_token if templates with
form
>> were leaked too.
>>
>>
>>
>>  --
> You received this message because you are subscribed to the Google Groups
> "Ruby on Rails: Core" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to rubyonrails-core+unsubscribe@googlegroups.com.
> To post to this group, send email to rubyonrails-core@googlegroups.com.
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/groups/opt_out.
>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

On Fri, Nov 29, 2013 at 7:27 AM, Egor Homakov <homakov@gmail.com> wrote:
> @dhh as i mentioned above for GET request this will always be a security
> breach.
>
GET requests using Cookies for authentication. That returns non-public data.

-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

It''s not very proper comparison. Nobody uses JSOPN w/o *a reason*. 
Autocomplete, as maximum. And security concern of jSONP is way more known 
than RJS bug (did you see articles on this topic but mine?)
>Maybe we should improve the documentation to point out that you should not 
be using cookies to authenticate "private" JSONP/JS endpoints
IMO, it should be fixed somewhere in code, not in documentation. People 
don''t read it periodically. 
Not using cookies for JS responses breaks the idea of templating. For API 
people should use JSON(P). Why JS?


On Saturday, November 30, 2013 7:43:51 AM UTC+7, Godfrey Chan
wrote:
>
> Right, I agree that if used incorrectly this be a vector for CSRF attacks. 
> But like you said, this is also a problem for JSONP, which is by far way 
> more popular. So unless we also remove JSONP there problem you are 
> complaining is still there, no?
>
> Maybe we should improve the documentation to point out that you should not 
> be using cookies to authenticate "private" JSONP/JS endpoints?
Perhaps we
> can make it easier to do token-based authentication for API requests?
>
> Because personally I don''t see JSONP going away.
>
> Godfrey
>
>
> On Fri, Nov 29, 2013 at 2:55 AM, Egor Homakov
<hom...@gmail.com<javascript:>
> > wrote:
>
>> Focus on security concern. I repeat  - any GET accessible .js.erb IS a 
>> vulnerability because leaks all data it has inside. 
>> All "i use it because it''s fast/convenient" means
nothing if it''s a
>> vulnerable technique. IMO  
>>
>>
>> On Thursday, November 28, 2013 3:41:37 PM UTC+7, Egor Homakov wrote:
>>
>>> https://github.com/rails/rails/issues/12374#issuecomment-29446761
>>>
>>> Here in discussion I proposed to deprecate JS responder because
this
>>> technique is insecure and not pragmatic way to transfer data.
>>> It can be exploited in this way http://homakov.blogspot.
>>> com/2013/05/do-not-use-rjs-like-techniques.html
>>>
>>> i find this bug very often so i know what i''m talking
about. With it
>>> attacker can steal user data and authenticity_token if templates
with form
>>> were leaked too.
>>>
>>>
>>>
>>>  -- 
>> You received this message because you are subscribed to the Google
Groups
>> "Ruby on Rails: Core" group.
>> To unsubscribe from this group and stop receiving emails from it, send
an
>> email to rubyonrails-co...@googlegroups.com <javascript:>.
>> To post to this group, send email to
rubyonra...@googlegroups.com<javascript:>
>> .
>> Visit this group at http://groups.google.com/group/rubyonrails-core.
>> For more options, visit https://groups.google.com/groups/opt_out.
>>
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

>GET requests using Cookies for authentication. That returns non-public 
data.
most of the time this is the case. JS templates return whole forms with 
authenticity_token in it!

On Saturday, November 30, 2013 7:45:08 AM UTC+7, Godfrey Chan
wrote:
>
>
> On Fri, Nov 29, 2013 at 7:27 AM, Egor Homakov
<hom...@gmail.com<javascript:>
> > wrote:
>
>> @dhh as i mentioned above for GET request this will always be a
security
>> breach.
>>
>
> GET requests using Cookies for authentication. That returns non-public 
> data.
>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

Thanks for the explanation. I now better understand the point you made in
your original argument and the security concern you raised.
> >GET requests using Cookies for authentication. That returns non-public
data.
> most of the time this is the case. JS templates return whole forms with
authenticity_token in it!

My point here is not that "JS endpoints that uses cookie + return private
data" isn''t a common misuse, that I''m sure you are more
qualified to give
an opinion than I do, based on the apps you work on. My point is I
don''t
think that this is inherently flawed and fundamentally impossible to fix
(and hence we *must* remove it). Not using cookies for auth is one possible
way to fix, but as you pointed out...
> Not using cookies for JS responses breaks the idea of templating. For API
people should use JSON(P). Why JS?

And I think you are quite right. Having to deal with alternative
authentication scheme that does not rely (only) on cookies, on both the
client and the server side, probably cancels out a lot of the benefits of
using JS responses (simplicity etc).

However, I think there are probably something else that Rails can do to fix
the security concerns you have. For example, we can automatically wrap all
JS responses with something like...

if(<%= an_array_of_whitelisted_hosts %>.indexOf(window.location.host) >
0){
  // ... the actual response goes here ...
}

What do you think about this? It seems like this would be quite easy for
Rails to implement. We can turn this on by default with the list defaults
to request.host and provide a way to opt out. Would that address your
concerns?

Again, I personally don''t use this feature, so I don''t have a
strong
opinion on whether it should be kept in core. I''m just focusing on the
security concerns you raised and see what we can do to make Rails better.
And I suspect there are ways to make this feature more secure by default
without removing it.

Godfrey



On Fri, Nov 29, 2013 at 6:05 PM, Egor Homakov <homakov@gmail.com> wrote:
> It''s not very proper comparison. Nobody uses JSOPN w/o *a reason*.
> Autocomplete, as maximum. And security concern of jSONP is way more known
> than RJS bug (did you see articles on this topic but mine?)
>
> >Maybe we should improve the documentation to point out that you should
> not be using cookies to authenticate "private" JSONP/JS endpoints
> IMO, it should be fixed somewhere in code, not in documentation. People
> don''t read it periodically.
> Not using cookies for JS responses breaks the idea of templating. For API
> people should use JSON(P). Why JS?
>
>
> On Saturday, November 30, 2013 7:43:51 AM UTC+7, Godfrey Chan wrote:
>
>> Right, I agree that if used incorrectly this be a vector for CSRF
attacks.
>> But like you said, this is also a problem for JSONP, which is by far
way
>> more popular. So unless we also remove JSONP there problem you are
>> complaining is still there, no?
>>
>> Maybe we should improve the documentation to point out that you should
>> not be using cookies to authenticate "private" JSONP/JS
endpoints? Perhaps
>> we can make it easier to do token-based authentication for API
requests?
>>
>> Because personally I don''t see JSONP going away.
>>
>> Godfrey
>>
>>
>> On Fri, Nov 29, 2013 at 2:55 AM, Egor Homakov <hom...@gmail.com>
wrote:
>>
>>> Focus on security concern. I repeat  - any GET accessible .js.erb
IS a
>>> vulnerability because leaks all data it has inside.
>>> All "i use it because it''s fast/convenient"
means nothing if it''s a
>>> vulnerable technique. IMO
>>>
>>>
>>> On Thursday, November 28, 2013 3:41:37 PM UTC+7, Egor Homakov
wrote:
>>>
>>>>
https://github.com/rails/rails/issues/12374#issuecomment-29446761
>>>>
>>>> Here in discussion I proposed to deprecate JS responder because
this
>>>> technique is insecure and not pragmatic way to transfer data.
>>>> It can be exploited in this way http://homakov.blogspot.co
>>>> m/2013/05/do-not-use-rjs-like-techniques.html
>>>>
>>>> i find this bug very often so i know what i''m talking
about. With it
>>>> attacker can steal user data and authenticity_token if
templates with form
>>>> were leaked too.
>>>>
>>>>
>>>>
>>>>  --
>>> You received this message because you are subscribed to the Google
>>> Groups "Ruby on Rails: Core" group.
>>> To unsubscribe from this group and stop receiving emails from it,
send
>>> an email to rubyonrails-co...@googlegroups.com.
>>> To post to this group, send email to rubyonra...@googlegroups.com.
>>>
>>> Visit this group at
http://groups.google.com/group/rubyonrails-core.
>>> For more options, visit https://groups.google.com/groups/opt_out.
>>>
>>
>>  --
> You received this message because you are subscribed to the Google Groups
> "Ruby on Rails: Core" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to rubyonrails-core+unsubscribe@googlegroups.com.
> To post to this group, send email to rubyonrails-core@googlegroups.com.
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/groups/opt_out.
>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

location.__defineGetter__(''host'',function(){return
''google.com''})
undefined
location.host
"google.com"


On Saturday, November 30, 2013 9:45:38 AM UTC+7, Godfrey Chan
wrote:
>
>
> Thanks for the explanation. I now better understand the point you made in 
> your original argument and the security concern you raised.
>
> > >GET requests using Cookies for authentication. That returns
non-public
> data.
> > most of the time this is the case. JS templates return whole forms
with
> authenticity_token in it!
>
> My point here is not that "JS endpoints that uses cookie + return
private
> data" isn''t a common misuse, that I''m sure you are
more qualified to give
> an opinion than I do, based on the apps you work on. My point is I
don''t
> think that this is inherently flawed and fundamentally impossible to fix 
> (and hence we *must* remove it). Not using cookies for auth is one possible
> way to fix, but as you pointed out...
>
> > Not using cookies for JS responses breaks the idea of templating. For 
> API people should use JSON(P). Why JS?
>
> And I think you are quite right. Having to deal with alternative 
> authentication scheme that does not rely (only) on cookies, on both the 
> client and the server side, probably cancels out a lot of the benefits of 
> using JS responses (simplicity etc).
>
> However, I think there are probably something else that Rails can do to 
> fix the security concerns you have. For example, we can automatically wrap 
> all JS responses with something like... 
>
> if(<%= an_array_of_whitelisted_hosts %>.indexOf(window.location.host)
> 0){
>   // ... the actual response goes here ...
> }
>
> What do you think about this? It seems like this would be quite easy for 
> Rails to implement. We can turn this on by default with the list defaults 
> to request.host and provide a way to opt out. Would that address your 
> concerns?
>
> Again, I personally don''t use this feature, so I don''t
have a strong
> opinion on whether it should be kept in core. I''m just focusing on
the
> security concerns you raised and see what we can do to make Rails better. 
> And I suspect there are ways to make this feature more secure by default 
> without removing it.
>
> Godfrey
>
>
>
> On Fri, Nov 29, 2013 at 6:05 PM, Egor Homakov
<hom...@gmail.com<javascript:>
> > wrote:
>
>> It''s not very proper comparison. Nobody uses JSOPN w/o *a
reason*.
>> Autocomplete, as maximum. And security concern of jSONP is way more
known
>> than RJS bug (did you see articles on this topic but mine?)
>>
>> >Maybe we should improve the documentation to point out that you
should
>> not be using cookies to authenticate "private" JSONP/JS
endpoints
>> IMO, it should be fixed somewhere in code, not in documentation. People
>> don''t read it periodically. 
>> Not using cookies for JS responses breaks the idea of templating. For
API
>> people should use JSON(P). Why JS?
>>
>>
>> On Saturday, November 30, 2013 7:43:51 AM UTC+7, Godfrey Chan wrote:
>>
>>> Right, I agree that if used incorrectly this be a vector for CSRF
attacks.
>>> But like you said, this is also a problem for JSONP, which is by
far
>>> way more popular. So unless we also remove JSONP there problem you
are
>>> complaining is still there, no?
>>>
>>> Maybe we should improve the documentation to point out that you
should
>>> not be using cookies to authenticate "private" JSONP/JS
endpoints? Perhaps
>>> we can make it easier to do token-based authentication for API
requests?
>>>
>>> Because personally I don''t see JSONP going away.
>>>
>>> Godfrey
>>>
>>>
>>> On Fri, Nov 29, 2013 at 2:55 AM, Egor Homakov
<hom...@gmail.com> wrote:
>>>
>>>> Focus on security concern. I repeat  - any GET accessible
.js.erb IS a
>>>> vulnerability because leaks all data it has inside. 
>>>> All "i use it because it''s fast/convenient"
means nothing if it''s a
>>>> vulnerable technique. IMO  
>>>>
>>>>
>>>> On Thursday, November 28, 2013 3:41:37 PM UTC+7, Egor Homakov
wrote:
>>>>
>>>>>
https://github.com/rails/rails/issues/12374#issuecomment-29446761
>>>>>
>>>>> Here in discussion I proposed to deprecate JS responder
because this
>>>>> technique is insecure and not pragmatic way to transfer
data.
>>>>> It can be exploited in this way http://homakov.blogspot.co
>>>>> m/2013/05/do-not-use-rjs-like-techniques.html
>>>>>
>>>>> i find this bug very often so i know what i''m
talking about. With it
>>>>> attacker can steal user data and authenticity_token if
templates with form
>>>>> were leaked too.
>>>>>
>>>>>
>>>>>
>>>>>  -- 
>>>> You received this message because you are subscribed to the
Google
>>>> Groups "Ruby on Rails: Core" group.
>>>> To unsubscribe from this group and stop receiving emails from
it, send
>>>> an email to rubyonrails-co...@googlegroups.com.
>>>> To post to this group, send email to
rubyonra...@googlegroups.com.
>>>>
>>>> Visit this group at
http://groups.google.com/group/rubyonrails-core.
>>>> For more options, visit
https://groups.google.com/groups/opt_out.
>>>>
>>>
>>>  -- 
>> You received this message because you are subscribed to the Google
Groups
>> "Ruby on Rails: Core" group.
>> To unsubscribe from this group and stop receiving emails from it, send
an
>> email to rubyonrails-co...@googlegroups.com <javascript:>.
>> To post to this group, send email to
rubyonra...@googlegroups.com<javascript:>
>> .
>> Visit this group at http://groups.google.com/group/rubyonrails-core.
>> For more options, visit https://groups.google.com/groups/opt_out.
>>
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

Since POSTs already require a csrf token, the rjs calls should do the same
thing. Make them require the auth token in the url, or even better, have
rails generate a hash of the auth token and the url and compare on the
server. Thus you can''t call any rjs without using rails helpers to
generate
the correct url and matching token, and the new token would not be leaking
the original csrf token via url or referer. It''s effectively using
methods
similar to how we build APIs with hmac signing of the request, but in a
lightweight form and only in the background for RJS (or whatever else you
want to protect, I suppose). This seems a little out of the scope of the
core rails project, though?

-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

Homakov,

What Godfrey suggest may be implemented on the server side instead of 
client side without being hacked so easily?

We may raise an exception by default when the host is not allowed, assuming 
that request.host is trustable.

On Saturday, November 30, 2013 7:49:42 AM UTC-2, Courtenay Gasking
wrote:
>
> Since POSTs already require a csrf token, the rjs calls should do the same 
> thing. Make them require the auth token in the url, or even better, have 
> rails generate a hash of the auth token and the url and compare on the 
> server. Thus you can''t call any rjs without using rails helpers to
generate
> the correct url and matching token, and the new token would not be leaking 
> the original csrf token via url or referer. It''s effectively using
methods
> similar to how we build APIs with hmac signing of the request, but in a 
> lightweight form and only in the background for RJS (or whatever else you 
> want to protect, I suppose). This seems a little out of the scope of the 
> core rails project, though?
>  
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

Not that would require to configure the application host manually like:

Rails.application.config.host = ''example.com''

Rails.application.config.hosts = %w(example.com example.com.br)


On Saturday, November 30, 2013 12:32:30 PM UTC-2, Gabriel Sobrinho
wrote:
>
> Homakov,
>
> What Godfrey suggest may be implemented on the server side instead of 
> client side without being hacked so easily?
>
> We may raise an exception by default when the host is not allowed, 
> assuming that request.host is trustable.
>
> On Saturday, November 30, 2013 7:49:42 AM UTC-2, Courtenay Gasking wrote:
>>
>> Since POSTs already require a csrf token, the rjs calls should do the 
>> same thing. Make them require the auth token in the url, or even
better,
>> have rails generate a hash of the auth token and the url and compare on
the
>> server. Thus you can''t call any rjs without using rails
helpers to generate
>> the correct url and matching token, and the new token would not be
leaking
>> the original csrf token via url or referer. It''s effectively
using methods
>> similar to how we build APIs with hmac signing of the request, but in a
>> lightweight form and only in the background for RJS (or whatever else
you
>> want to protect, I suppose). This seems a little out of the scope of
the
>> core rails project, though?
>>  
>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

Nevermind, it is not safe since the information about who is requesting is 
a header that can be changed.

On Saturday, November 30, 2013 12:33:26 PM UTC-2, Gabriel Sobrinho
wrote:
>
> Not that would require to configure the application host manually like:
>
> Rails.application.config.host = ''example.com''
>
> Rails.application.config.hosts = %w(example.com example.com.br)
>
>
> On Saturday, November 30, 2013 12:32:30 PM UTC-2, Gabriel Sobrinho wrote:
>>
>> Homakov,
>>
>> What Godfrey suggest may be implemented on the server side instead of 
>> client side without being hacked so easily?
>>
>> We may raise an exception by default when the host is not allowed, 
>> assuming that request.host is trustable.
>>
>> On Saturday, November 30, 2013 7:49:42 AM UTC-2, Courtenay Gasking
wrote:
>>>
>>> Since POSTs already require a csrf token, the rjs calls should do
the
>>> same thing. Make them require the auth token in the url, or even
better,
>>> have rails generate a hash of the auth token and the url and
compare on the
>>> server. Thus you can''t call any rjs without using rails
helpers to generate
>>> the correct url and matching token, and the new token would not be
leaking
>>> the original csrf token via url or referer. It''s
effectively using methods
>>> similar to how we build APIs with hmac signing of the request, but
in a
>>> lightweight form and only in the background for RJS (or whatever
else you
>>> want to protect, I suppose). This seems a little out of the scope
of the
>>> core rails project, though?
>>>  
>>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

What about prefixing while(1) on the beginning of js responses with rack
middleware, and then stripping them out client side?

http://stackoverflow.com/questions/2669690/why-does-google-prepend-while1-to-their-json-responses

This is the solution used by Facebook and Google.

http://blag.7tonlnu.pl/blog/2012/09/27/json-hijacking-in-rails/

-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

This might work out, but damnit, isn''t everyone agreed here that
"returning
JS" is 2008 style?

 Rails should move on, to API-like servers and single page apps, not 
necessarily breaking old school tools, but such a dinosaur should be 
considered as a bad & insecure practise. Why patch it then at all?
 

On Sunday, December 1, 2013 2:19:09 AM UTC+7, Brian D. Armstrong
wrote:
>
> What about prefixing while(1) on the beginning of js responses with rack 
> middleware, and then stripping them out client side? 
>
>
>
http://stackoverflow.com/questions/2669690/why-does-google-prepend-while1-to-their-json-responses
>
> This is the solution used by Facebook and Google.
>
> http://blag.7tonlnu.pl/blog/2012/09/27/json-hijacking-in-rails/
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

http://homakov.blogspot.com/2013/11/rjs-leaking-vulnerability-in-multiple.html

Related post

On Thursday, November 28, 2013 3:41:37 PM UTC+7, Egor Homakov
wrote:
>
> https://github.com/rails/rails/issues/12374#issuecomment-29446761
>
> Here in discussion I proposed to deprecate JS responder because this 
> technique is insecure and not pragmatic way to transfer data.
> It can be exploited in this way 
> http://homakov.blogspot.com/2013/05/do-not-use-rjs-like-techniques.html
>
> i find this bug very often so i know what i''m talking about. With
it
> attacker can steal user data and authenticity_token if templates with form 
> were leaked too.
>
>
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

>
> Rails should move on, to API-like servers and single page apps, not 
> necessarily breaking old school tools, but such a dinosaur should be 
> considered as a bad & insecure practise. Why patch it then at all?
Single page apps are not everyone''s cup of tea. Maybe I am old school
but I
like to keep on the server side everything I can because I have more 
control there. 

On Sunday, December 1, 2013 5:27:21 AM UTC+1, Egor Homakov
wrote:
>
> This might work out, but damnit, isn''t everyone agreed here that 
> "returning JS" is 2008 style?
>
>  Rails should move on, to API-like servers and single page apps, not 
> necessarily breaking old school tools, but such a dinosaur should be 
> considered as a bad & insecure practise. Why patch it then at all?
>  
>
> On Sunday, December 1, 2013 2:19:09 AM UTC+7, Brian D. Armstrong wrote:
>>
>> What about prefixing while(1) on the beginning of js responses with
rack
>> middleware, and then stripping them out client side? 
>>
>>
>>
http://stackoverflow.com/questions/2669690/why-does-google-prepend-while1-to-their-json-responses
>>
>> This is the solution used by Facebook and Google.
>>
>> http://blag.7tonlnu.pl/blog/2012/09/27/json-hijacking-in-rails/
>>
>>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

Would a solution be to prevent rails apps from serving "non static" JS
from
GET requests. Assets served from the asset pipeline would be allowed. JS
returned via controllers/views would need explicitly defined permission to
be served via a GET request.


On Sun, Dec 1, 2013 at 11:28 PM, Greg Molnar <molnargerg@gmail.com> wrote:
> Rails should move on, to API-like servers and single page apps, not
>> necessarily breaking old school tools, but such a dinosaur should be
>> considered as a bad & insecure practise. Why patch it then at all?
>
> Single page apps are not everyone''s cup of tea. Maybe I am old
school but
> I like to keep on the server side everything I can because I have more
> control there.
>
> On Sunday, December 1, 2013 5:27:21 AM UTC+1, Egor Homakov wrote:
>>
>> This might work out, but damnit, isn''t everyone agreed here
that
>> "returning JS" is 2008 style?
>>
>>  Rails should move on, to API-like servers and single page apps, not
>> necessarily breaking old school tools, but such a dinosaur should be
>> considered as a bad & insecure practise. Why patch it then at all?
>>
>>
>> On Sunday, December 1, 2013 2:19:09 AM UTC+7, Brian D. Armstrong wrote:
>>>
>>> What about prefixing while(1) on the beginning of js responses with
rack
>>> middleware, and then stripping them out client side?
>>>
>>> http://stackoverflow.com/questions/2669690/why-does-
>>> google-prepend-while1-to-their-json-responses
>>>
>>> This is the solution used by Facebook and Google.
>>>
>>> http://blag.7tonlnu.pl/blog/2012/09/27/json-hijacking-in-rails/
>>>
>>>  --
> You received this message because you are subscribed to the Google Groups
> "Ruby on Rails: Core" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to rubyonrails-core+unsubscribe@googlegroups.com.
> To post to this group, send email to rubyonrails-core@googlegroups.com.
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/groups/opt_out.
>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

That''s still OK if it''s public data.  (Obviously anything with
a CSRF token in it isn''t.)

It''d be nice if it was more explicit though, as the vulnerable cases
are not obvious.


On 2/12/2013, at 13:59 , Anthony Richardson <richo990@gmail.com> wrote:
> Would a solution be to prevent rails apps from serving "non
static" JS from GET requests. Assets served from the asset pipeline would
be allowed. JS returned via controllers/views would need explicitly defined
permission to be served via a GET request.
> 
> 
> On Sun, Dec 1, 2013 at 11:28 PM, Greg Molnar <molnargerg@gmail.com>
wrote:
> Rails should move on, to API-like servers and single page apps, not
necessarily breaking old school tools, but such a dinosaur should be considered
as a bad & insecure practise. Why patch it then at all?
> Single page apps are not everyone''s cup of tea. Maybe I am old
school but I like to keep on the server side everything I can because I have
more control there.
> 
> On Sunday, December 1, 2013 5:27:21 AM UTC+1, Egor Homakov wrote:
> This might work out, but damnit, isn''t everyone agreed here that
"returning JS" is 2008 style?
> 
>  Rails should move on, to API-like servers and single page apps, not
necessarily breaking old school tools, but such a dinosaur should be considered
as a bad & insecure practise. Why patch it then at all?
>  
> 
> On Sunday, December 1, 2013 2:19:09 AM UTC+7, Brian D. Armstrong wrote:
> What about prefixing while(1) on the beginning of js responses with rack
middleware, and then stripping them out client side?
>
http://stackoverflow.com/questions/2669690/why-does-google-prepend-while1-to-their-json-responses
> 
> This is the solution used by Facebook and Google.
> 
> http://blag.7tonlnu.pl/blog/2012/09/27/json-hijacking-in-rails/
> 
> 
> 
> 
> -- 
> You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
> To unsubscribe from this group and stop receiving emails from it, send an
email to rubyonrails-core+unsubscribe@googlegroups.com.
> To post to this group, send email to rubyonrails-core@googlegroups.com.
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/groups/opt_out.
> 
> 
> -- 
> You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
> To unsubscribe from this group and stop receiving emails from it, send an
email to rubyonrails-core+unsubscribe@googlegroups.com.
> To post to this group, send email to rubyonrails-core@googlegroups.com.
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/groups/opt_out.
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

On one hand if you explain/reach people with security concern of JS 
templates they will most likely rewrite it to JSON-style.
On the other hand if they blindly update their rails/don''t read news -
the
only way to reach them is Deprecation warning. Or maybe just WARNING? 

What I actually want is to make people understand and check if they have 
this problem. Deprecation is on of the means to do it.

On Monday, December 2, 2013 8:40:52 AM UTC+7, will.bryant
wrote:
>
> That''s still OK if it''s public data.  (Obviously anything
with a CSRF
> token in it isn''t.)
>
> It''d be nice if it was more explicit though, as the vulnerable
cases are
> not obvious.
>
>
> On 2/12/2013, at 13:59 , Anthony Richardson
<rich...@gmail.com<javascript:>>
> wrote:
>
> Would a solution be to prevent rails apps from serving "non
static" JS
> from GET requests. Assets served from the asset pipeline would be allowed. 
> JS returned via controllers/views would need explicitly defined permission 
> to be served via a GET request.
>
>
> On Sun, Dec 1, 2013 at 11:28 PM, Greg Molnar
<molna...@gmail.com<javascript:>
> > wrote:
>
>> Rails should move on, to API-like servers and single page apps, not 
>>> necessarily breaking old school tools, but such a dinosaur should
be
>>> considered as a bad & insecure practise. Why patch it then at
all?
>>
>> Single page apps are not everyone''s cup of tea. Maybe I am old
school but
>> I like to keep on the server side everything I can because I have more 
>> control there. 
>>
>> On Sunday, December 1, 2013 5:27:21 AM UTC+1, Egor Homakov wrote:
>>>
>>> This might work out, but damnit, isn''t everyone agreed
here that
>>> "returning JS" is 2008 style?
>>>
>>>  Rails should move on, to API-like servers and single page apps,
not
>>> necessarily breaking old school tools, but such a dinosaur should
be
>>> considered as a bad & insecure practise. Why patch it then at
all?
>>>  
>>>
>>> On Sunday, December 1, 2013 2:19:09 AM UTC+7, Brian D. Armstrong
wrote:
>>>>
>>>> What about prefixing while(1) on the beginning of js responses
with
>>>> rack middleware, and then stripping them out client side? 
>>>>
>>>> http://stackoverflow.com/questions/2669690/why-does-
>>>> google-prepend-while1-to-their-json-responses
>>>>
>>>> This is the solution used by Facebook and Google.
>>>>
>>>> http://blag.7tonlnu.pl/blog/2012/09/27/json-hijacking-in-rails/
>>>>
>>>>
>>>>
>> -- 
>> You received this message because you are subscribed to the Google
Groups
>> "Ruby on Rails: Core" group.
>> To unsubscribe from this group and stop receiving emails from it, send
an
>> email to rubyonrails-co...@googlegroups.com <javascript:>.
>> To post to this group, send email to
rubyonra...@googlegroups.com<javascript:>
>> .
>> Visit this group at http://groups.google.com/group/rubyonrails-core.
>> For more options, visit https://groups.google.com/groups/opt_out.
>>
>
>
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Ruby on Rails: Core" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to rubyonrails-co...@googlegroups.com <javascript:>.
> To post to this group, send email to
rubyonra...@googlegroups.com<javascript:>
> .
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

On 2 Dec 2013, at 03:42, Egor Homakov <homakov@gmail.com> wrote:
> What I actually want is to make people understand and check if they have
this problem. Deprecation is on of the means to do it.
No, it isn''t. Deprecation means we intend to remove that feature in the
next major release, which we don''t want to do. Single-page apps maybe
the latest hotness but that doesn''t invalidate the previous two decades
of web development. We didn''t remove forms when CSRF attacks were
developed, we developed protections against them. This is exactly the same
scenario - we need to develop useful, easy to use protections that we can enable
by default.

Egor, can you clarify one point for me - you mention that JS templates allow
stealing of the CRSF token if they return a form, but surely that would true
even for HTML templates?


Andrew

-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

The mechanics of the vulnerability, which Egor''s blog does not really 
communicate effectively, are, as I understand them:

an evil site includes a <script> tag referencing a GETable .js.erb url
from
a good site.  If the user is logged into the good site via cookies and has 
3rd party cookies enabled, the request will succeed and return js possibly 
containing html with data indented to be private between the user and the 
good site.  This js will execute in the js environment under the control of 
the evil site (it can override any function, method), handing the evil site 
the intended to be private html.

This attack is not possible with non js content loaded by XHR or iframes, 
as the browser enforces cross-domain restrictions for both, and evil site 
will not be able to get at good site''s content. 

On Monday, December 2, 2013 3:41:07 AM UTC-5, Andy White
wrote:
>
>
> On 2 Dec 2013, at 03:42, Egor Homakov <hom...@gmail.com
<javascript:>>
> wrote: 
>
> > What I actually want is to make people understand and check if they
have
> this problem. Deprecation is on of the means to do it. 
>
> No, it isn''t. Deprecation means we intend to remove that feature
in the
> next major release, which we don''t want to do. Single-page apps
maybe the
> latest hotness but that doesn''t invalidate the previous two
decades of web
> development. We didn''t remove forms when CSRF attacks were
developed, we
> developed protections against them. This is exactly the same scenario - we 
> need to develop useful, easy to use protections that we can enable by 
> default. 
>
> Egor, can you clarify one point for me - you mention that JS templates 
> allow stealing of the CRSF token if they return a form, but surely that 
> would true even for HTML templates? 
>
>
> Andrew 
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

On 2 December 2013 09:09, Alex <alxtskrnk@gmail.com> wrote:
> This attack is not possible with non js content loaded by XHR or iframes,
> as the browser enforces cross-domain restrictions for both, and evil site
> will not be able to get at good site''s content.
>
If the operators of EvilSite have gone to such lengths to contrive forms
and overridden JS methods to potentially steal a tiny bit of possibly
private HTML and data, could they not take the next small step and use a
browser that *does not* enforce cross-domain restrictions on XHR? (or
frankly, write their hacks with wget or curl)

-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

> On 2 Dec 2013, at 09:32, Michael Pavling <pavling@gmail.com> wrote:
> 
>> On 2 December 2013 09:09, Alex <alxtskrnk@gmail.com> wrote:
>> This attack is not possible with non js content loaded by XHR or
iframes, as the browser enforces cross-domain restrictions for both, and evil
site will not be able to get at good site''s content.
> 
> If the operators of EvilSite have gone to such lengths to contrive forms
and overridden JS methods to potentially steal a tiny bit of possibly private
HTML and data, could they not take the next small step and use a browser that
*does not* enforce cross-domain restrictions on XHR? (or frankly, write their
hacks with wget or curl)
The idea is not that the evil site operators will access their own site
themselves, but that they will get legitimate users of your site to visit their
evil site (and thereby steal the legitimate users'' private data). So,
for their ploy to be successful, it needs to work in standard browsers that
ordinary users will be using.

Chris

-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

If the security concern is only about CSRF, what about not rendering CSRF token
in templates at all?

I mean, UJS may solve this problem appending the CRSF token from meta tag.


If that’s not elegant since it will require javascript, even for static forms,
we may do that only for .js.erb views.

Basically, if a form is rendered through a js view, do not render the CSRF
token.


Homakov, that would fix the security concern without removing the .js.erb views?

Cheers,

Gabriel Sobrinho
gabrielsobrinho.com

On Dec 2, 2013, at 7:37 AM, Chris Mear <chrismear@gmail.com> wrote:
>> On 2 Dec 2013, at 09:32, Michael Pavling <pavling@gmail.com>
wrote:
> 
> 
>> On 2 December 2013 09:09, Alex <alxtskrnk@gmail.com> wrote:
>> This attack is not possible with non js content loaded by XHR or
iframes, as the browser enforces cross-domain restrictions for both, and evil
site will not be able to get at good site''s content.
>> 
>> If the operators of EvilSite have gone to such lengths to contrive
forms and overridden JS methods to potentially steal a tiny bit of possibly
private HTML and data, could they not take the next small step and use a browser
that *does not* enforce cross-domain restrictions on XHR? (or frankly, write
their hacks with wget or curl)
> 
> The idea is not that the evil site operators will access their own site
themselves, but that they will get legitimate users of your site to visit their
evil site (and thereby steal the legitimate users'' private data). So,
for their ploy to be successful, it needs to work in standard browsers that
ordinary users will be using.
> 
> Chris
> 
>> 
> 
> 
> -- 
> You received this message because you are subscribed to a topic in the
Google Groups "Ruby on Rails: Core" group.
> To unsubscribe from this topic, visit
https://groups.google.com/d/topic/rubyonrails-core/rwzM8MKJbKU/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
rubyonrails-core+unsubscribe@googlegroups.com.
> To post to this group, send email to rubyonrails-core@googlegroups.com.
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/groups/opt_out.
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

I''m afraid the CSRF token is not the only private data that could be 
sent in the template.

I''m actually surprised so many applications seem to use RJS, including 
some applications I do use, like Redmine or GitLab.

Maybe I should create the habit of using an anonymous session for 
regular browsing to avoid getting my private data stolen from 
applications using RJS in Rails... :(

I really think RJS should be moved to a gem and not included by default 
in Rails and stop promoting its usage...

Rodrigo.

Em 02-12-2013 11:27, Gabriel Sobrinho escreveu:
> If the security concern is only about CSRF, what about not rendering 
> CSRF token in templates at all?
>
> I mean, UJS may solve this problem appending the CRSF token from meta tag.
>
>
> If that’s not elegant since it will require javascript, even for 
> static forms, we may do that only for .js.erb views.
>
> Basically, if a form is rendered through a js view, do not render the 
> CSRF token.
>
>
> Homakov, that would fix the security concern without removing the 
> .js.erb views?
>
> Cheers,
>
> Gabriel Sobrinho
> gabrielsobrinho.com <http://gabrielsobrinho.com>
>
> On Dec 2, 2013, at 7:37 AM, Chris Mear <chrismear@gmail.com 
> <mailto:chrismear@gmail.com>> wrote:
>
>>> On 2 Dec 2013, at 09:32, Michael Pavling <pavling@gmail.com 
>>> <mailto:pavling@gmail.com>> wrote:
>>
>>> On 2 December 2013 09:09, Alex <alxtskrnk@gmail.com 
>>> <mailto:alxtskrnk@gmail.com>> wrote:
>>>
>>>     This attack is not possible with non js content loaded by XHR
or
>>>     iframes, as the browser enforces cross-domain restrictions for
>>>     both, and evil site will not be able to get at good
site''s content.
>>>
>>>
>>> If the operators of EvilSite have gone to such lengths to contrive 
>>> forms and overridden JS methods to potentially steal a tiny bit of 
>>> possibly private HTML and data, could they not take the next small 
>>> step and use a browser that *does not* enforce cross-domain 
>>> restrictions on XHR? (or frankly, write their hacks with wget or
curl)
>>
>> The idea is not that the evil site operators will access their own 
>> site themselves, but that they will get legitimate users of your site 
>> to visit their evil site (and thereby steal the legitimate
users''
>> private data). So, for their ploy to be successful, it needs to work 
>> in standard browsers that ordinary users will be using.
>>
>> Chris
>>
>>>
>>
>> -- 
>> You received this message because you are subscribed to a topic in 
>> the Google Groups "Ruby on Rails: Core" group.
>> To unsubscribe from this topic, visit 
>>
https://groups.google.com/d/topic/rubyonrails-core/rwzM8MKJbKU/unsubscribe.
>> To unsubscribe from this group and all its topics, send an email to 
>> rubyonrails-core+unsubscribe@googlegroups.com 
>> <mailto:rubyonrails-core+unsubscribe@googlegroups.com>.
>> To post to this group, send email to 
>> rubyonrails-core@googlegroups.com 
>> <mailto:rubyonrails-core@googlegroups.com>.
>> Visit this group at http://groups.google.com/group/rubyonrails-core.
>> For more options, visit https://groups.google.com/groups/opt_out.
>
> -- 
> You received this message because you are subscribed to the Google 
> Groups "Ruby on Rails: Core" group.
> To unsubscribe from this group and stop receiving emails from it, send 
> an email to rubyonrails-core+unsubscribe@googlegroups.com.
> To post to this group, send email to rubyonrails-core@googlegroups.com.
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/groups/opt_out.
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

> The mechanics of the vulnerability, which Egor''s blog does not
really
communicate effectively
what''s not effective in my post? As I said attack works as JSONP
hijacking.
So everything is totally obvious, isn''t it.

On Monday, December 2, 2013 4:09:02 PM UTC+7, Alex
wrote:
>
> The mechanics of the vulnerability, which Egor''s blog does not
really
> communicate effectively, are, as I understand them:
>
> an evil site includes a <script> tag referencing a GETable .js.erb
url
> from a good site.  If the user is logged into the good site via cookies and
> has 3rd party cookies enabled, the request will succeed and return js 
> possibly containing html with data indented to be private between the user 
> and the good site.  This js will execute in the js environment under the 
> control of the evil site (it can override any function, method), handing 
> the evil site the intended to be private html.
>
> This attack is not possible with non js content loaded by XHR or iframes, 
> as the browser enforces cross-domain restrictions for both, and evil site 
> will not be able to get at good site''s content. 
>
> On Monday, December 2, 2013 3:41:07 AM UTC-5, Andy White wrote:
>>
>>
>> On 2 Dec 2013, at 03:42, Egor Homakov <hom...@gmail.com> wrote: 
>>
>> > What I actually want is to make people understand and check if
they
>> have this problem. Deprecation is on of the means to do it. 
>>
>> No, it isn''t. Deprecation means we intend to remove that
feature in the
>> next major release, which we don''t want to do. Single-page
apps maybe the
>> latest hotness but that doesn''t invalidate the previous two
decades of web
>> development. We didn''t remove forms when CSRF attacks were
developed, we
>> developed protections against them. This is exactly the same scenario -
we
>> need to develop useful, easy to use protections that we can enable by 
>> default. 
>>
>> Egor, can you clarify one point for me - you mention that JS templates 
>> allow stealing of the CRSF token if they return a form, but surely that
>> would true even for HTML templates? 
>>
>>
>> Andrew 
>>
>>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

Apparently many readers have no clue how this attack works, and people keep 
asking the same questions. Thanks to people who clarified it in more 
details than i did.

All we can do is to add is-.xhr? protection or Warning (not necessarily 
Deprecation). There are no other sane way to mitigate it.



On Thursday, November 28, 2013 3:41:37 PM UTC+7, Egor Homakov
wrote:
>
> https://github.com/rails/rails/issues/12374#issuecomment-29446761
>
> Here in discussion I proposed to deprecate JS responder because this 
> technique is insecure and not pragmatic way to transfer data.
> It can be exploited in this way 
> http://homakov.blogspot.com/2013/05/do-not-use-rjs-like-techniques.html
>
> i find this bug very often so i know what i''m talking about. With
it
> attacker can steal user data and authenticity_token if templates with form 
> were leaked too.
>
>
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

I see, extracting it as a gem fix the problem, at least for the rails itself,
which is what we want.

The extracted gem must explicitly explain the security concerns on the top of
README, regardless of people usually don’t read it.


Rails already did that for other features, for other reasons but the same idea
applies, deprecate the usage on rails itself but allow who explicitly
wants/needs to use.

Time to pull request?

Cheers,

Gabriel Sobrinho
gabrielsobrinho.com

On Dec 2, 2013, at 12:19 PM, Egor Homakov <homakov@gmail.com> wrote:
> Apparently many readers have no clue how this attack works, and people keep
asking the same questions. Thanks to people who clarified it in more details
than i did.
> 
> All we can do is to add is-.xhr? protection or Warning (not necessarily
Deprecation). There are no other sane way to mitigate it.
> 
> 
> 
> On Thursday, November 28, 2013 3:41:37 PM UTC+7, Egor Homakov wrote:
> https://github.com/rails/rails/issues/12374#issuecomment-29446761
> 
> Here in discussion I proposed to deprecate JS responder because this
technique is insecure and not pragmatic way to transfer data.
> It can be exploited in this way
http://homakov.blogspot.com/2013/05/do-not-use-rjs-like-techniques.html
> 
> i find this bug very often so i know what i''m talking about. With
it attacker can steal user data and authenticity_token if templates with form
were leaked too.
> 
> 
> 
> 
> -- 
> You received this message because you are subscribed to a topic in the
Google Groups "Ruby on Rails: Core" group.
> To unsubscribe from this topic, visit
https://groups.google.com/d/topic/rubyonrails-core/rwzM8MKJbKU/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
rubyonrails-core+unsubscribe@googlegroups.com.
> To post to this group, send email to rubyonrails-core@googlegroups.com.
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/groups/opt_out.
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

I think we should rather try to find a way to make this secure. What would 
be a sane default? Only respond to js format is the request is xhr? 
To be honest I read Egor''s post but still not sure how this exploit
would
work. I will look at his examples when I got some free time and hopefully 
that will help to understand it more. 

On Monday, December 2, 2013 3:52:53 PM UTC+1, Gabriel Sobrinho
wrote:
>
> I see, extracting it as a gem fix the problem, at least for the rails 
> itself, which is what we want.
>
> The extracted gem must explicitly explain the security concerns on the top 
> of README, regardless of people usually don’t read it.
>
>
> Rails already did that for other features, for other reasons but the same 
> idea applies, deprecate the usage on rails itself but allow who explicitly 
> wants/needs to use.
>
> Time to pull request?
>
> Cheers,
>
> Gabriel Sobrinho
> gabrielsobrinho.com
>  
> On Dec 2, 2013, at 12:19 PM, Egor Homakov <hom...@gmail.com
<javascript:>>
> wrote:
>
> Apparently many readers have no clue how this attack works, and people 
> keep asking the same questions. Thanks to people who clarified it in more 
> details than i did.
>
> All we can do is to add is-.xhr? protection or Warning (not necessarily 
> Deprecation). There are no other sane way to mitigate it.
>
>
>
> On Thursday, November 28, 2013 3:41:37 PM UTC+7, Egor Homakov wrote:
>>
>> https://github.com/rails/rails/issues/12374#issuecomment-29446761
>>
>> Here in discussion I proposed to deprecate JS responder because this 
>> technique is insecure and not pragmatic way to transfer data.
>> It can be exploited in this way 
>> http://homakov.blogspot.com/2013/05/do-not-use-rjs-like-techniques.html
>>
>> i find this bug very often so i know what i''m talking about.
With it
>> attacker can steal user data and authenticity_token if templates with
form
>> were leaked too.
>>
>>
>>
>>
> -- 
> You received this message because you are subscribed to a topic in the 
> Google Groups "Ruby on Rails: Core" group.
> To unsubscribe from this topic, visit 
> https://groups.google.com/d/topic/rubyonrails-core/rwzM8MKJbKU/unsubscribe
> .
> To unsubscribe from this group and all its topics, send an email to 
> rubyonrails-co...@googlegroups.com <javascript:>.
> To post to this group, send email to
rubyonra...@googlegroups.com<javascript:>
> .
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

I believe the reason why it''s hard for us to understand how the exploit
works is because it''s pretty hard to find the documentation for RJS 
itself and specially how it works...

I''m assuming, it works like JSONP, since Egor must know what he is 
talking about.

In this case, it won''t require a XHR request and won''t send
any nonce
(like the XSRF token) for GET requests, and will work with a regular 
inline script tag.

In that case, the trick of prepending a "while(1)" would probably fix 
this particular issue because it wouldn''t allow the code to be 
evaluated, no matter whether you have changed the JS global context or not.

Another way of fixing it if I understood correctly would be to require 
all RJS requests to happen with XHR since they are subject to 
same-origin browser''s policy.

Yet another way to fix it would be to always require a nonce even for 
GET requests to XHR templates requests.

Am I missing something?

Best,
Rodrigo.

Em 02-12-2013 12:57, Greg Molnar escreveu:
> I think we should rather try to find a way to make this secure. What 
> would be a sane default? Only respond to js format is the request is xhr?
> To be honest I read Egor''s post but still not sure how this
exploit
> would work. I will look at his examples when I got some free time and 
> hopefully that will help to understand it more.
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

-1 for while(true). Let''s consider all use cases

1) JS templates are used with AJAX, thus the X-Requested_with header is 
sent and .xhr? is enough protection
2) JS templates are also used with inline <script> tags. Thus while(true) 
will both break on origin website and on attacker''s website. Not an
option
3) Since we can send additional header why bother with prepending 
while(true);
So .xhr? is most elegant way that covers most of attack vectors. 
I really don''t understand why JSON-hijacking wasn''t solved the
same way.
while(true) is uglyish

On Monday, December 2, 2013 10:24:30 PM UTC+7, Rodrigo Rosenfeld Rosas 
wrote:
>
> I believe the reason why it''s hard for us to understand how the
exploit
> works is because it''s pretty hard to find the documentation for
RJS
> itself and specially how it works... 
>
> I''m assuming, it works like JSONP, since Egor must know what he is
> talking about. 
>
> In this case, it won''t require a XHR request and won''t
send any nonce
> (like the XSRF token) for GET requests, and will work with a regular 
> inline script tag. 
>
> In that case, the trick of prepending a "while(1)" would probably
fix
> this particular issue because it wouldn''t allow the code to be 
> evaluated, no matter whether you have changed the JS global context or 
> not. 
>
> Another way of fixing it if I understood correctly would be to require 
> all RJS requests to happen with XHR since they are subject to 
> same-origin browser''s policy. 
>
> Yet another way to fix it would be to always require a nonce even for 
> GET requests to XHR templates requests. 
>
> Am I missing something? 
>
> Best, 
> Rodrigo. 
>
> Em 02-12-2013 12:57, Greg Molnar escreveu: 
> > I think we should rather try to find a way to make this secure. What 
> > would be a sane default? Only respond to js format is the request is 
> xhr? 
> > To be honest I read Egor''s post but still not sure how this
exploit
> > would work. I will look at his examples when I got some free time and 
> > hopefully that will help to understand it more. 
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

Yes, it makes sense, because you''re forced to use XHR anyway when you 
include a "while(1);" otherwise you won''t be able to strip it
out.

Maybe the reason was to protect against old browsers that didn''t 
implement proper same-origin policy?

Em 02-12-2013 13:30, Egor Homakov escreveu:
> -1 for while(true). Let''s consider all use cases
>
> 1) JS templates are used with AJAX, thus the X-Requested_with header 
> is sent and .xhr? is enough protection
> 2) JS templates are also used with inline <script> tags. Thus 
> while(true) will both break on origin website and on attacker''s 
> website. Not an option
> 3) Since we can send additional header why bother with prepending 
> while(true);
> So .xhr? is most elegant way that covers most of attack vectors.
> I really don''t understand why JSON-hijacking wasn''t
solved the same
> way. while(true) is uglyish
>
> On Monday, December 2, 2013 10:24:30 PM UTC+7, Rodrigo Rosenfeld Rosas 
> wrote:
>
>     I believe the reason why it''s hard for us to understand how
the
>     exploit
>     works is because it''s pretty hard to find the documentation
for RJS
>     itself and specially how it works...
>
>     I''m assuming, it works like JSONP, since Egor must know what
he is
>     talking about.
>
>     In this case, it won''t require a XHR request and
won''t send any nonce
>     (like the XSRF token) for GET requests, and will work with a regular
>     inline script tag.
>
>     In that case, the trick of prepending a "while(1)" would
probably fix
>     this particular issue because it wouldn''t allow the code to be
>     evaluated, no matter whether you have changed the JS global
>     context or not.
>
>     Another way of fixing it if I understood correctly would be to
>     require
>     all RJS requests to happen with XHR since they are subject to
>     same-origin browser''s policy.
>
>     Yet another way to fix it would be to always require a nonce even for
>     GET requests to XHR templates requests.
>
>     Am I missing something?
>
>     Best,
>     Rodrigo.
>
>     Em 02-12-2013 12:57, Greg Molnar escreveu:
>     > I think we should rather try to find a way to make this secure.
>     What
>     > would be a sane default? Only respond to js format is the
>     request is xhr?
>     > To be honest I read Egor''s post but still not sure how
this exploit
>     > would work. I will look at his examples when I got some free
>     time and
>     > hopefully that will help to understand it more.
>
> -- 
> You received this message because you are subscribed to the Google 
> Groups "Ruby on Rails: Core" group.
> To unsubscribe from this group and stop receiving emails from it, send 
> an email to rubyonrails-core+unsubscribe@googlegroups.com.
> To post to this group, send email to rubyonrails-core@googlegroups.com.
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/groups/opt_out.
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

What do you mean? Hijacking issue was just same, browsers were same, and I 
recall XHR could add additional headers.. so while(1) sounds like weird 
idea 

On Monday, December 2, 2013 10:35:16 PM UTC+7, Rodrigo Rosenfeld Rosas 
wrote:
>
>  Yes, it makes sense, because you''re forced to use XHR anyway when
you
> include a "while(1);" otherwise you won''t be able to
strip it out.
>
> Maybe the reason was to protect against old browsers that didn''t
implement
> proper same-origin policy?
>
> Em 02-12-2013 13:30, Egor Homakov escreveu:
>  
> -1 for while(true). Let''s consider all use cases 
>
>  1) JS templates are used with AJAX, thus the X-Requested_with header is 
> sent and .xhr? is enough protection
> 2) JS templates are also used with inline <script> tags. Thus
while(true)
> will both break on origin website and on attacker''s website. Not
an option
> 3) Since we can send additional header why bother with prepending 
> while(true);
> So .xhr? is most elegant way that covers most of attack vectors. 
> I really don''t understand why JSON-hijacking wasn''t
solved the same way.
> while(true) is uglyish
>
> On Monday, December 2, 2013 10:24:30 PM UTC+7, Rodrigo Rosenfeld Rosas 
> wrote: 
>>
>> I believe the reason why it''s hard for us to understand how
the exploit
>> works is because it''s pretty hard to find the documentation
for RJS
>> itself and specially how it works... 
>>
>> I''m assuming, it works like JSONP, since Egor must know what
he is
>> talking about. 
>>
>> In this case, it won''t require a XHR request and
won''t send any nonce
>> (like the XSRF token) for GET requests, and will work with a regular 
>> inline script tag. 
>>
>> In that case, the trick of prepending a "while(1)" would
probably fix
>> this particular issue because it wouldn''t allow the code to be
>> evaluated, no matter whether you have changed the JS global context or 
>> not. 
>>
>> Another way of fixing it if I understood correctly would be to require 
>> all RJS requests to happen with XHR since they are subject to 
>> same-origin browser''s policy. 
>>
>> Yet another way to fix it would be to always require a nonce even for 
>> GET requests to XHR templates requests. 
>>
>> Am I missing something? 
>>
>> Best, 
>> Rodrigo. 
>>
>> Em 02-12-2013 12:57, Greg Molnar escreveu: 
>> > I think we should rather try to find a way to make this secure.
What
>> > would be a sane default? Only respond to js format is the request
is
>> xhr? 
>> > To be honest I read Egor''s post but still not sure how
this exploit
>> > would work. I will look at his examples when I got some free time
and
>> > hopefully that will help to understand it more. 
>>
>>   -- 
> You received this message because you are subscribed to the Google Groups 
> "Ruby on Rails: Core" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to rubyonrails-co...@googlegroups.com <javascript:>.
> To post to this group, send email to
rubyonra...@googlegroups.com<javascript:>
> .
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
>  
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

So you say Egor if rails would raise an error when the request for a js 
format is not xhr? it would solve the security issue?

On Monday, December 2, 2013 4:41:58 PM UTC+1, Egor Homakov
wrote:
>
> What do you mean? Hijacking issue was just same, browsers were same, and I 
> recall XHR could add additional headers.. so while(1) sounds like weird 
> idea 
>
> On Monday, December 2, 2013 10:35:16 PM UTC+7, Rodrigo Rosenfeld Rosas 
> wrote:
>>
>>  Yes, it makes sense, because you''re forced to use XHR anyway
when you
>> include a "while(1);" otherwise you won''t be able to
strip it out.
>>
>> Maybe the reason was to protect against old browsers that
didn''t
>> implement proper same-origin policy?
>>
>> Em 02-12-2013 13:30, Egor Homakov escreveu:
>>  
>> -1 for while(true). Let''s consider all use cases 
>>
>>  1) JS templates are used with AJAX, thus the X-Requested_with header
is
>> sent and .xhr? is enough protection
>> 2) JS templates are also used with inline <script> tags. Thus
while(true)
>> will both break on origin website and on attacker''s website.
Not an option
>> 3) Since we can send additional header why bother with prepending 
>> while(true);
>> So .xhr? is most elegant way that covers most of attack vectors. 
>> I really don''t understand why JSON-hijacking wasn''t
solved the same way.
>> while(true) is uglyish
>>
>> On Monday, December 2, 2013 10:24:30 PM UTC+7, Rodrigo Rosenfeld Rosas 
>> wrote: 
>>>
>>> I believe the reason why it''s hard for us to understand
how the exploit
>>> works is because it''s pretty hard to find the
documentation for RJS
>>> itself and specially how it works... 
>>>
>>> I''m assuming, it works like JSONP, since Egor must know
what he is
>>> talking about. 
>>>
>>> In this case, it won''t require a XHR request and
won''t send any nonce
>>> (like the XSRF token) for GET requests, and will work with a
regular
>>> inline script tag. 
>>>
>>> In that case, the trick of prepending a "while(1)" would
probably fix
>>> this particular issue because it wouldn''t allow the code
to be
>>> evaluated, no matter whether you have changed the JS global context
or
>>> not. 
>>>
>>> Another way of fixing it if I understood correctly would be to
require
>>> all RJS requests to happen with XHR since they are subject to 
>>> same-origin browser''s policy. 
>>>
>>> Yet another way to fix it would be to always require a nonce even
for
>>> GET requests to XHR templates requests. 
>>>
>>> Am I missing something? 
>>>
>>> Best, 
>>> Rodrigo. 
>>>
>>> Em 02-12-2013 12:57, Greg Molnar escreveu: 
>>> > I think we should rather try to find a way to make this
secure. What
>>> > would be a sane default? Only respond to js format is the
request is
>>> xhr? 
>>> > To be honest I read Egor''s post but still not sure
how this exploit
>>> > would work. I will look at his examples when I got some free
time and
>>> > hopefully that will help to understand it more. 
>>>
>>>   -- 
>> You received this message because you are subscribed to the Google
Groups
>> "Ruby on Rails: Core" group.
>> To unsubscribe from this group and stop receiving emails from it, send
an
>> email to rubyonrails-co...@googlegroups.com.
>> To post to this group, send email to rubyonra...@googlegroups.com.
>> Visit this group at http://groups.google.com/group/rubyonrails-core.
>> For more options, visit https://groups.google.com/groups/opt_out.
>>
>>
>>  
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

Please stop conflating the discovery of a security issue with the 
philosophical waxing about architecture. It''s not helping the case. As 
stated previously, responding with JS is not only a wonderful architectural 
pattern, it''s also not going anywhere. Not in a gem, not in a
deprecation,
not anywhere. We''ll fix the security issue, and Rails will continue to 
proudly champion the use of this great pattern.

Guess what, it won''t be the last security issue Rails ever has. Just
like
it won''t be the last security issue any piece of software ever has. But
we
need to level up as a community in our handling of these issues.

Frankly, I''m surprised that people are willing to hire Homakov for any
work
in the area given his reputation for irresponsible disclosure. Finding a 
legit security issues is a great services, but disregarding all security 
issue management protocols in their publication is doing a disservice to 
all who would otherwise benefit from the work.

Rails has had a codified security process for many years now. It''s 
available for all to read on http://rubyonrails.org/security. Making a blog 
post on your personal site isn''t one of the channels listed as a 
responsible way of disclosing discoveries. Posting specific 0-day attack 
vectors against affected sites is not one either.

Making a public report over a holiday weekend, and then, when the response 
to the report doesn''t immediately follow the proposed solution (remove
the
feature), go off the reservation with specific attacks is just plain 
irresponsible. No two ways about it. It also goes to undermine any other 
recommendations or suggestions coming from said reporter.

So. Damage is already done for this issue. But lest it encourages others to 
act as irresponsibly as Homakov has done of this issue, I hope others take 
a broader approach for future issues. Report systemic or framework issues 
per the reporting instructions on http://rubyonrails.org/security. Report 
specific application issues directly to application developers responsibly 
per their reporting instructions 
(see https://37signals.com/security-response for the one we use at 
37signals).

Presumably we''re all in the same boat here: Make Rails better and more 
secure. Let''s row like we mean that. The Rails security team (Michael 
Koziarski, Jeremy Kemper, and Aaron Patterson) has worked hard in the past 
to provide us with a good process, they''ve followed that process, and
they
deserve our thanks and support.

-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

David, first I must say I admire both you and Homakov and I''d certainly
hire him if I could afford it.

I believe what led him to create that post was exactly your reponse to 
his e-mail.

I agree he shouldn''t have created this discussion publicly but you 
shouldn''t have replied the way you did either. You should instead try
to
understand the problem first before saying it would go nowhere.

I believe this is what caused Homakov reaction.

Sincerely,
Rodrigo.

Em 02-12-2013 13:47, DHH escreveu:
> Please stop conflating the discovery of a security issue with the 
> philosophical waxing about architecture. It''s not helping the
case. As
> stated previously, responding with JS is not only a wonderful 
> architectural pattern, it''s also not going anywhere. Not in a gem,
not
> in a deprecation, not anywhere. We''ll fix the security issue, and 
> Rails will continue to proudly champion the use of this great pattern.
>
> Guess what, it won''t be the last security issue Rails ever has.
Just
> like it won''t be the last security issue any piece of software
ever
> has. But we need to level up as a community in our handling of these 
> issues.
>
> Frankly, I''m surprised that people are willing to hire Homakov for
any
> work in the area given his reputation for irresponsible disclosure. 
> Finding a legit security issues is a great services, but disregarding 
> all security issue management protocols in their publication is doing 
> a disservice to all who would otherwise benefit from the work.
>
> Rails has had a codified security process for many years now. It''s
> available for all to read on http://rubyonrails.org/security. Making a 
> blog post on your personal site isn''t one of the channels listed
as a
> responsible way of disclosing discoveries. Posting specific 0-day 
> attack vectors against affected sites is not one either.
>
> Making a public report over a holiday weekend, and then, when the 
> response to the report doesn''t immediately follow the proposed 
> solution (remove the feature), go off the reservation with specific 
> attacks is just plain irresponsible. No two ways about it. It also 
> goes to undermine any other recommendations or suggestions coming from 
> said reporter.
>
> So. Damage is already done for this issue. But lest it encourages 
> others to act as irresponsibly as Homakov has done of this issue, I 
> hope others take a broader approach for future issues. Report systemic 
> or framework issues per the reporting instructions 
> on http://rubyonrails.org/security. Report specific application issues 
> directly to application developers responsibly per their reporting 
> instructions (see https://37signals.com/security-response for the one 
> we use at 37signals).
>
> Presumably we''re all in the same boat here: Make Rails better and
more
> secure. Let''s row like we mean that. The Rails security team
(Michael
> Koziarski, Jeremy Kemper, and Aaron Patterson) has worked hard in the 
> past to provide us with a good process, they''ve followed that
process,
> and they deserve our thanks and support.
> -- 
> You received this message because you are subscribed to the Google 
> Groups "Ruby on Rails: Core" group.
> To unsubscribe from this group and stop receiving emails from it, send 
> an email to rubyonrails-core+unsubscribe@googlegroups.com.
> To post to this group, send email to rubyonrails-core@googlegroups.com.
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/groups/opt_out.
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

Rodrigo, many great things around the word can be dangerous if used in the 
wrong way but there are great people who try to make the usage of tools 
secure so humanity can profit from them. 
I am not the fun of don''t use this or that because it can be dangerous.
Let''s find a way to make it secure. That''s harder but better
in the long
run I think.



On Monday, December 2, 2013 4:52:04 PM UTC+1, Rodrigo Rosenfeld Rosas
wrote:
>
> David, first I must say I admire both you and Homakov and I''d
certainly
> hire him if I could afford it. 
>
> I believe what led him to create that post was exactly your reponse to 
> his e-mail. 
>
> I agree he shouldn''t have created this discussion publicly but you
> shouldn''t have replied the way you did either. You should instead
try to
> understand the problem first before saying it would go nowhere. 
>
> I believe this is what caused Homakov reaction. 
>
> Sincerely, 
> Rodrigo. 
>
> Em 02-12-2013 13:47, DHH escreveu: 
> > Please stop conflating the discovery of a security issue with the 
> > philosophical waxing about architecture. It''s not helping the
case. As
> > stated previously, responding with JS is not only a wonderful 
> > architectural pattern, it''s also not going anywhere. Not in a
gem, not
> > in a deprecation, not anywhere. We''ll fix the security issue,
and
> > Rails will continue to proudly champion the use of this great pattern.
> > 
> > Guess what, it won''t be the last security issue Rails ever
has. Just
> > like it won''t be the last security issue any piece of
software ever
> > has. But we need to level up as a community in our handling of these 
> > issues. 
> > 
> > Frankly, I''m surprised that people are willing to hire
Homakov for any
> > work in the area given his reputation for irresponsible disclosure. 
> > Finding a legit security issues is a great services, but disregarding 
> > all security issue management protocols in their publication is doing 
> > a disservice to all who would otherwise benefit from the work. 
> > 
> > Rails has had a codified security process for many years now.
It''s
> > available for all to read on http://rubyonrails.org/security. Making a
> > blog post on your personal site isn''t one of the channels
listed as a
> > responsible way of disclosing discoveries. Posting specific 0-day 
> > attack vectors against affected sites is not one either. 
> > 
> > Making a public report over a holiday weekend, and then, when the 
> > response to the report doesn''t immediately follow the
proposed
> > solution (remove the feature), go off the reservation with specific 
> > attacks is just plain irresponsible. No two ways about it. It also 
> > goes to undermine any other recommendations or suggestions coming from
> > said reporter. 
> > 
> > So. Damage is already done for this issue. But lest it encourages 
> > others to act as irresponsibly as Homakov has done of this issue, I 
> > hope others take a broader approach for future issues. Report systemic
> > or framework issues per the reporting instructions 
> > on http://rubyonrails.org/security. Report specific application issues
> > directly to application developers responsibly per their reporting 
> > instructions (see https://37signals.com/security-response for the one 
> > we use at 37signals). 
> > 
> > Presumably we''re all in the same boat here: Make Rails better
and more
> > secure. Let''s row like we mean that. The Rails security team
(Michael
> > Koziarski, Jeremy Kemper, and Aaron Patterson) has worked hard in the 
> > past to provide us with a good process, they''ve followed that
process,
> > and they deserve our thanks and support. 
> > -- 
> > You received this message because you are subscribed to the Google 
> > Groups "Ruby on Rails: Core" group. 
> > To unsubscribe from this group and stop receiving emails from it, send
> > an email to rubyonrails-co...@googlegroups.com <javascript:>. 
> > To post to this group, send email to
rubyonra...@googlegroups.com<javascript:>.
>
> > Visit this group at http://groups.google.com/group/rubyonrails-core. 
> > For more options, visit https://groups.google.com/groups/opt_out. 
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

What email is that? I replied to Homakov on Twitter thanking him for the
discovery and stating a clear intent to get the issue resolved. What I rejected
outright was the knee-jerk reaction to remove the possibility of generating JS
responses from Rails. This rejection was confirmed when it got clear that the
motivation behind that specific mitigation strategy was also motivated by
architectural opinions on what''s dinosaur and what''s not.

But again, even having this discussion here or on Twitter simply isn''t
the proper forum to discuss 0-day exploits. It''s the reason we have a
standardized security reporting and response protocol. It''s why we go
to great lengths to coordinate proper fixes across multiple versions of Rails,
following the CVE process, and other responsible steps in the process.

To sidestep all that doesn''t help anyone but Homakov in the short-term
to build a reputation as a take-no-prisoners grey hatter. I question the
business strategy of that long-term (imagine having a business dispute with
Homakov after giving him access to your system -- yikes!).

Again, my opinion of the process is removed from the value of finding security
holes. Of course finding and responsibly disclosing security holes is a good
thing. I just wish that Homakov, and others who might be inspired by his
tactics, would realize that there''s plenty of gain to be had personally
by subscribing to these time-tested practices.


On Dec 2, 2013, at 7:52 AM, Rodrigo Rosenfeld Rosas <rr.rosas@gmail.com>
wrote:
> David, first I must say I admire both you and Homakov and I''d
certainly hire him if I could afford it.
> 
> I believe what led him to create that post was exactly your reponse to his
e-mail.
> 
> I agree he shouldn''t have created this discussion publicly but you
shouldn''t have replied the way you did either. You should instead try
to understand the problem first before saying it would go nowhere.
> 
> I believe this is what caused Homakov reaction.
> 
> Sincerely,
> Rodrigo.
> 
> Em 02-12-2013 13:47, DHH escreveu:
>> Please stop conflating the discovery of a security issue with the
philosophical waxing about architecture. It''s not helping the case. As
stated previously, responding with JS is not only a wonderful architectural
pattern, it''s also not going anywhere. Not in a gem, not in a
deprecation, not anywhere. We''ll fix the security issue, and Rails will
continue to proudly champion the use of this great pattern.
>> 
>> Guess what, it won''t be the last security issue Rails ever
has. Just like it won''t be the last security issue any piece of
software ever has. But we need to level up as a community in our handling of
these issues.
>> 
>> Frankly, I''m surprised that people are willing to hire Homakov
for any work in the area given his reputation for irresponsible disclosure.
Finding a legit security issues is a great services, but disregarding all
security issue management protocols in their publication is doing a disservice
to all who would otherwise benefit from the work.
>> 
>> Rails has had a codified security process for many years now.
It''s available for all to read on http://rubyonrails.org/security.
Making a blog post on your personal site isn''t one of the channels
listed as a responsible way of disclosing discoveries. Posting specific 0-day
attack vectors against affected sites is not one either.
>> 
>> Making a public report over a holiday weekend, and then, when the
response to the report doesn''t immediately follow the proposed solution
(remove the feature), go off the reservation with specific attacks is just plain
irresponsible. No two ways about it. It also goes to undermine any other
recommendations or suggestions coming from said reporter.
>> 
>> So. Damage is already done for this issue. But lest it encourages
others to act as irresponsibly as Homakov has done of this issue, I hope others
take a broader approach for future issues. Report systemic or framework issues
per the reporting instructions on http://rubyonrails.org/security. Report
specific application issues directly to application developers responsibly per
their reporting instructions (see https://37signals.com/security-response for
the one we use at 37signals).
>> 
>> Presumably we''re all in the same boat here: Make Rails better
and more secure. Let''s row like we mean that. The Rails security team
(Michael Koziarski, Jeremy Kemper, and Aaron Patterson) has worked hard in the
past to provide us with a good process, they''ve followed that process,
and they deserve our thanks and support.
>> -- 
>> You received this message because you are subscribed to the Google
Groups "Ruby on Rails: Core" group.
>> To unsubscribe from this group and stop receiving emails from it, send
an email to rubyonrails-core+unsubscribe@googlegroups.com.
>> To post to this group, send email to rubyonrails-core@googlegroups.com.
>> Visit this group at http://groups.google.com/group/rubyonrails-core.
>> For more options, visit https://groups.google.com/groups/opt_out.
> 
> -- 
> You received this message because you are subscribed to a topic in the
Google Groups "Ruby on Rails: Core" group.
> To unsubscribe from this topic, visit
https://groups.google.com/d/topic/rubyonrails-core/rwzM8MKJbKU/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
rubyonrails-core+unsubscribe@googlegroups.com.
> To post to this group, send email to rubyonrails-core@googlegroups.com.
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/groups/opt_out.
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

As many have already mentioned, enforcing request.xhr? for js requests 
provides adequate protection. You can''t set custom headers when making
a
cross-domain request with a <script> tag so checking for one ensures the 
request is local. That''s what request.xhr? does.

Here''s the solution we''re using:
https://gist.github.com/javan/7725255

I could see wrapping that up into something convenient like 
protect_from_forgery and making it a default in Rails.

-Javan
37signals

On Thursday, November 28, 2013 3:41:37 AM UTC-5, Egor Homakov
wrote:
>
> https://github.com/rails/rails/issues/12374#issuecomment-29446761
>
> Here in discussion I proposed to deprecate JS responder because this 
> technique is insecure and not pragmatic way to transfer data.
> It can be exploited in this way 
> http://homakov.blogspot.com/2013/05/do-not-use-rjs-like-techniques.html
>
> i find this bug very often so i know what i''m talking about. With
it
> attacker can steal user data and authenticity_token if templates with form 
> were leaked too.
>
>
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

Your first message in this thread. He even quoted the relevant part in 
his article:

"Not only are js.erb templates not deprecated, they are a great way to 
develop an application with Ajax responses where you can reuse your 
server-side templates. It''s fine to explore ways to make this more 
secure by default, but the fundamental development style of returning JS 
as a response is both architecturally sound and an integral part of 
Rails. So that''s not going anywhere.

So let''s instead explore ways of having better escaping tools,
warnings,
or defaults that''ll work with the wonders of RJS."

I understand you had the best of the intentions, but I wouldn''t have 
started the discussion by ending it. By this time you were not yet aware 
on how applications were affected and if there was a sane way to fix 
this issue. If I were you, I''d first *ask* if there''s an
alternative way
instead of deprecating its usage *before* deciding it wouldn''t go
anywhere.

I guess that was what pissed him off...

I agree with you that this is not the "correct" way of dealing with
the
situation, from an ethics perspective, but let''s be honest: Homakov 
wouldn''t probably be a known name if he hadn''t put the attack
to GitHub
into practice. I''m not defending this approach to self marketing, but 
you can''t tell us it isn''t effective ;)

Best,
Rodrigo.


Em 02-12-2013 14:01, David Heinemeier Hansson escreveu:
> What email is that? I replied to Homakov on Twitter thanking him for the
discovery and stating a clear intent to get the issue resolved. What I rejected
outright was the knee-jerk reaction to remove the possibility of generating JS
responses from Rails. This rejection was confirmed when it got clear that the
motivation behind that specific mitigation strategy was also motivated by
architectural opinions on what''s dinosaur and what''s not.
>
> But again, even having this discussion here or on Twitter simply
isn''t the proper forum to discuss 0-day exploits. It''s the
reason we have a standardized security reporting and response protocol.
It''s why we go to great lengths to coordinate proper fixes across
multiple versions of Rails, following the CVE process, and other responsible
steps in the process.
>
> To sidestep all that doesn''t help anyone but Homakov in the
short-term to build a reputation as a take-no-prisoners grey hatter. I question
the business strategy of that long-term (imagine having a business dispute with
Homakov after giving him access to your system -- yikes!).
>
> Again, my opinion of the process is removed from the value of finding
security holes. Of course finding and responsibly disclosing security holes is a
good thing. I just wish that Homakov, and others who might be inspired by his
tactics, would realize that there''s plenty of gain to be had personally
by subscribing to these time-tested practices.
>
>
> On Dec 2, 2013, at 7:52 AM, Rodrigo Rosenfeld Rosas
<rr.rosas@gmail.com> wrote:
>
>> David, first I must say I admire both you and Homakov and I''d
certainly hire him if I could afford it.
>>
>> I believe what led him to create that post was exactly your reponse to
his e-mail.
>>
>> I agree he shouldn''t have created this discussion publicly but
you shouldn''t have replied the way you did either. You should instead
try to understand the problem first before saying it would go nowhere.
>>
>> I believe this is what caused Homakov reaction.
>>
>> Sincerely,
>> Rodrigo.
>>
>> Em 02-12-2013 13:47, DHH escreveu:
>>> Please stop conflating the discovery of a security issue with the
philosophical waxing about architecture. It''s not helping the case. As
stated previously, responding with JS is not only a wonderful architectural
pattern, it''s also not going anywhere. Not in a gem, not in a
deprecation, not anywhere. We''ll fix the security issue, and Rails will
continue to proudly champion the use of this great pattern.
>>>
>>> Guess what, it won''t be the last security issue Rails ever
has. Just like it won''t be the last security issue any piece of
software ever has. But we need to level up as a community in our handling of
these issues.
>>>
>>> Frankly, I''m surprised that people are willing to hire
Homakov for any work in the area given his reputation for irresponsible
disclosure. Finding a legit security issues is a great services, but
disregarding all security issue management protocols in their publication is
doing a disservice to all who would otherwise benefit from the work.
>>>
>>> Rails has had a codified security process for many years now.
It''s available for all to read on http://rubyonrails.org/security.
Making a blog post on your personal site isn''t one of the channels
listed as a responsible way of disclosing discoveries. Posting specific 0-day
attack vectors against affected sites is not one either.
>>>
>>> Making a public report over a holiday weekend, and then, when the
response to the report doesn''t immediately follow the proposed solution
(remove the feature), go off the reservation with specific attacks is just plain
irresponsible. No two ways about it. It also goes to undermine any other
recommendations or suggestions coming from said reporter.
>>>
>>> So. Damage is already done for this issue. But lest it encourages
others to act as irresponsibly as Homakov has done of this issue, I hope others
take a broader approach for future issues. Report systemic or framework issues
per the reporting instructions on http://rubyonrails.org/security. Report
specific application issues directly to application developers responsibly per
their reporting instructions (see https://37signals.com/security-response for
the one we use at 37signals).
>>>
>>> Presumably we''re all in the same boat here: Make Rails
better and more secure. Let''s row like we mean that. The Rails security
team (Michael Koziarski, Jeremy Kemper, and Aaron Patterson) has worked hard in
the past to provide us with a good process, they''ve followed that
process, and they deserve our thanks and support.
>>> -- 
>>> You received this message because you are subscribed to the Google
Groups "Ruby on Rails: Core" group.
>>> To unsubscribe from this group and stop receiving emails from it,
send an email to rubyonrails-core+unsubscribe@googlegroups.com.
>>> To post to this group, send email to
rubyonrails-core@googlegroups.com.
>>> Visit this group at
http://groups.google.com/group/rubyonrails-core.
>>> For more options, visit https://groups.google.com/groups/opt_out.
>> -- 
>> You received this message because you are subscribed to a topic in the
Google Groups "Ruby on Rails: Core" group.
>> To unsubscribe from this topic, visit
https://groups.google.com/d/topic/rubyonrails-core/rwzM8MKJbKU/unsubscribe.
>> To unsubscribe from this group and all its topics, send an email to
rubyonrails-core+unsubscribe@googlegroups.com.
>> To post to this group, send email to rubyonrails-core@googlegroups.com.
>> Visit this group at http://groups.google.com/group/rubyonrails-core.
>> For more options, visit https://groups.google.com/groups/opt_out.
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

This fix seems great.

Homakov, what do you think? May fix the problem?

Cheers,

Gabriel Sobrinho
gabrielsobrinho.com

On Dec 2, 2013, at 2:09 PM, Javan Makhmali <javanm@gmail.com> wrote:
> As many have already mentioned, enforcing request.xhr? for js requests
provides adequate protection. You can''t set custom headers when making
a cross-domain request with a <script> tag so checking for one ensures the
request is local. That''s what request.xhr? does.
> 
> Here''s the solution we''re using:
https://gist.github.com/javan/7725255
> 
> I could see wrapping that up into something convenient like
protect_from_forgery and making it a default in Rails.
> 
> -Javan
> 37signals
> 
> On Thursday, November 28, 2013 3:41:37 AM UTC-5, Egor Homakov wrote:
> https://github.com/rails/rails/issues/12374#issuecomment-29446761
> 
> Here in discussion I proposed to deprecate JS responder because this
technique is insecure and not pragmatic way to transfer data.
> It can be exploited in this way
http://homakov.blogspot.com/2013/05/do-not-use-rjs-like-techniques.html
> 
> i find this bug very often so i know what i''m talking about. With
it attacker can steal user data and authenticity_token if templates with form
were leaked too.
> 
> 
> 
> 
> -- 
> You received this message because you are subscribed to a topic in the
Google Groups "Ruby on Rails: Core" group.
> To unsubscribe from this topic, visit
https://groups.google.com/d/topic/rubyonrails-core/rwzM8MKJbKU/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
rubyonrails-core+unsubscribe@googlegroups.com.
> To post to this group, send email to rubyonrails-core@googlegroups.com.
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/groups/opt_out.
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

There''s a precise reason why I did so called "full
disclosure"

I started writing an email to security@37singals, then i checked out the 
previous conversation we had, where i was asked about my link for Hall of 
Fame. I gave the link and after a month it wasn''t added. No, i
don''t really
care, but given some other details (it was the second RJS bug in basecamp, 
"RJS bug" overall wasn''t 0 day at all, your ultimate
rejection of RJS
removal) i somehow ended up writing a post with full disclosure. 

I *mostly* follow responsible disclosure policies. But this is not my duty. 
Especially when i have couple of reasons to follow other policy.



On Monday, December 2, 2013 11:01:21 PM UTC+7, DHH
wrote:
>
> What email is that? I replied to Homakov on Twitter thanking him for the 
> discovery and stating a clear intent to get the issue resolved. What I 
> rejected outright was the knee-jerk reaction to remove the possibility of 
> generating JS responses from Rails. This rejection was confirmed when it 
> got clear that the motivation behind that specific mitigation strategy was 
> also motivated by architectural opinions on what''s dinosaur and
what''s not.
>
> But again, even having this discussion here or on Twitter simply
isn''t the
> proper forum to discuss 0-day exploits. It''s the reason we have a 
> standardized security reporting and response protocol. It''s why we
go to
> great lengths to coordinate proper fixes across multiple versions of Rails,
> following the CVE process, and other responsible steps in the process. 
>
> To sidestep all that doesn''t help anyone but Homakov in the
short-term to
> build a reputation as a take-no-prisoners grey hatter. I question the 
> business strategy of that long-term (imagine having a business dispute with
> Homakov after giving him access to your system -- yikes!). 
>
> Again, my opinion of the process is removed from the value of finding 
> security holes. Of course finding and responsibly disclosing security holes
> is a good thing. I just wish that Homakov, and others who might be inspired
> by his tactics, would realize that there''s plenty of gain to be
had
> personally by subscribing to these time-tested practices. 
>
>
> On Dec 2, 2013, at 7:52 AM, Rodrigo Rosenfeld Rosas
<rr.r...@gmail.com<javascript:>>
> wrote: 
>
> > David, first I must say I admire both you and Homakov and I''d
certainly
> hire him if I could afford it. 
> > 
> > I believe what led him to create that post was exactly your reponse to
> his e-mail. 
> > 
> > I agree he shouldn''t have created this discussion publicly
but you
> shouldn''t have replied the way you did either. You should instead
try to
> understand the problem first before saying it would go nowhere. 
> > 
> > I believe this is what caused Homakov reaction. 
> > 
> > Sincerely, 
> > Rodrigo. 
> > 
> > Em 02-12-2013 13:47, DHH escreveu: 
> >> Please stop conflating the discovery of a security issue with the 
> philosophical waxing about architecture. It''s not helping the
case. As
> stated previously, responding with JS is not only a wonderful architectural
> pattern, it''s also not going anywhere. Not in a gem, not in a
deprecation,
> not anywhere. We''ll fix the security issue, and Rails will
continue to
> proudly champion the use of this great pattern. 
> >> 
> >> Guess what, it won''t be the last security issue Rails
ever has. Just
> like it won''t be the last security issue any piece of software
ever has.
> But we need to level up as a community in our handling of these issues. 
> >> 
> >> Frankly, I''m surprised that people are willing to hire
Homakov for any
> work in the area given his reputation for irresponsible disclosure. Finding
> a legit security issues is a great services, but disregarding all security 
> issue management protocols in their publication is doing a disservice to 
> all who would otherwise benefit from the work. 
> >> 
> >> Rails has had a codified security process for many years now.
It''s
> available for all to read on http://rubyonrails.org/security. Making a 
> blog post on your personal site isn''t one of the channels listed
as a
> responsible way of disclosing discoveries. Posting specific 0-day attack 
> vectors against affected sites is not one either. 
> >> 
> >> Making a public report over a holiday weekend, and then, when the 
> response to the report doesn''t immediately follow the proposed
solution
> (remove the feature), go off the reservation with specific attacks is just 
> plain irresponsible. No two ways about it. It also goes to undermine any 
> other recommendations or suggestions coming from said reporter. 
> >> 
> >> So. Damage is already done for this issue. But lest it encourages 
> others to act as irresponsibly as Homakov has done of this issue, I hope 
> others take a broader approach for future issues. Report systemic or 
> framework issues per the reporting instructions on 
> http://rubyonrails.org/security. Report specific application issues 
> directly to application developers responsibly per their reporting 
> instructions (see https://37signals.com/security-response for the one we 
> use at 37signals). 
> >> 
> >> Presumably we''re all in the same boat here: Make Rails
better and more
> secure. Let''s row like we mean that. The Rails security team
(Michael
> Koziarski, Jeremy Kemper, and Aaron Patterson) has worked hard in the past 
> to provide us with a good process, they''ve followed that process,
and they
> deserve our thanks and support. 
> >> -- 
> >> You received this message because you are subscribed to the Google
> Groups "Ruby on Rails: Core" group. 
> >> To unsubscribe from this group and stop receiving emails from it,
send
> an email to rubyonrails-co...@googlegroups.com <javascript:>. 
> >> To post to this group, send email to
rubyonra...@googlegroups.com<javascript:>.
>
> >> Visit this group at
http://groups.google.com/group/rubyonrails-core.
> >> For more options, visit https://groups.google.com/groups/opt_out. 
> > 
> > -- 
> > You received this message because you are subscribed to a topic in the
> Google Groups "Ruby on Rails: Core" group. 
> > To unsubscribe from this topic, visit 
> https://groups.google.com/d/topic/rubyonrails-core/rwzM8MKJbKU/unsubscribe.
>
> > To unsubscribe from this group and all its topics, send an email to 
> rubyonrails-co...@googlegroups.com <javascript:>. 
> > To post to this group, send email to
rubyonra...@googlegroups.com<javascript:>.
>
> > Visit this group at http://groups.google.com/group/rubyonrails-core. 
> > For more options, visit https://groups.google.com/groups/opt_out. 
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

I feel entirely comfortable with shooting down REMOVE THE FEATURE as the first
response to any security reporting. Our response should be, as it was here -- as
it always is, let''s fix the issue. This is doubly so when security
reportings are conflated with other architectural agendas, like "dinosaur
feature removal quests".

As it turns out, there is a very reasonable proposal for fixing this as well:
Check js requests for xhr? and add the xhr header to all js requests through the
framework, so it''ll work for GET as well. We''ll get this
proposal vetted, of course, but if that pans out, it would be an entirely
invisible fix that requires zero adjustment of the architectural style. Just
like I mentioned it would, and as Homakov rejected outright initially as a
possibility.

Yes, there are many ways to make a buck, if you don''t care about how
you do it. I don''t find that worthy of celebration.

On Dec 2, 2013, at 8:13 AM, Rodrigo Rosenfeld Rosas <rr.rosas@gmail.com>
wrote:
> Your first message in this thread. He even quoted the relevant part in his
article:
> 
> "Not only are js.erb templates not deprecated, they are a great way to
develop an application with Ajax responses where you can reuse your server-side
templates. It''s fine to explore ways to make this more secure by
default, but the fundamental development style of returning JS as a response is
both architecturally sound and an integral part of Rails. So that''s not
going anywhere.
> 
> So let''s instead explore ways of having better escaping tools,
warnings, or defaults that''ll work with the wonders of RJS."
> 
> I understand you had the best of the intentions, but I wouldn''t
have started the discussion by ending it. By this time you were not yet aware on
how applications were affected and if there was a sane way to fix this issue. If
I were you, I''d first *ask* if there''s an alternative way
instead of deprecating its usage *before* deciding it wouldn''t go
anywhere.
> 
> I guess that was what pissed him off...
> 
> I agree with you that this is not the "correct" way of dealing
with the situation, from an ethics perspective, but let''s be honest:
Homakov wouldn''t probably be a known name if he hadn''t put the
attack to GitHub into practice. I''m not defending this approach to self
marketing, but you can''t tell us it isn''t effective ;)
> 
> Best,
> Rodrigo.
> 
> 
> Em 02-12-2013 14:01, David Heinemeier Hansson escreveu:
>> What email is that? I replied to Homakov on Twitter thanking him for
the discovery and stating a clear intent to get the issue resolved. What I
rejected outright was the knee-jerk reaction to remove the possibility of
generating JS responses from Rails. This rejection was confirmed when it got
clear that the motivation behind that specific mitigation strategy was also
motivated by architectural opinions on what''s dinosaur and
what''s not.
>> 
>> But again, even having this discussion here or on Twitter simply
isn''t the proper forum to discuss 0-day exploits. It''s the
reason we have a standardized security reporting and response protocol.
It''s why we go to great lengths to coordinate proper fixes across
multiple versions of Rails, following the CVE process, and other responsible
steps in the process.
>> 
>> To sidestep all that doesn''t help anyone but Homakov in the
short-term to build a reputation as a take-no-prisoners grey hatter. I question
the business strategy of that long-term (imagine having a business dispute with
Homakov after giving him access to your system -- yikes!).
>> 
>> Again, my opinion of the process is removed from the value of finding
security holes. Of course finding and responsibly disclosing security holes is a
good thing. I just wish that Homakov, and others who might be inspired by his
tactics, would realize that there''s plenty of gain to be had personally
by subscribing to these time-tested practices.
>> 
>> 
>> On Dec 2, 2013, at 7:52 AM, Rodrigo Rosenfeld Rosas
<rr.rosas@gmail.com> wrote:
>> 
>>> David, first I must say I admire both you and Homakov and
I''d certainly hire him if I could afford it.
>>> 
>>> I believe what led him to create that post was exactly your reponse
to his e-mail.
>>> 
>>> I agree he shouldn''t have created this discussion publicly
but you shouldn''t have replied the way you did either. You should
instead try to understand the problem first before saying it would go nowhere.
>>> 
>>> I believe this is what caused Homakov reaction.
>>> 
>>> Sincerely,
>>> Rodrigo.
>>> 
>>> Em 02-12-2013 13:47, DHH escreveu:
>>>> Please stop conflating the discovery of a security issue with
the philosophical waxing about architecture. It''s not helping the case.
As stated previously, responding with JS is not only a wonderful architectural
pattern, it''s also not going anywhere. Not in a gem, not in a
deprecation, not anywhere. We''ll fix the security issue, and Rails will
continue to proudly champion the use of this great pattern.
>>>> 
>>>> Guess what, it won''t be the last security issue Rails
ever has. Just like it won''t be the last security issue any piece of
software ever has. But we need to level up as a community in our handling of
these issues.
>>>> 
>>>> Frankly, I''m surprised that people are willing to hire
Homakov for any work in the area given his reputation for irresponsible
disclosure. Finding a legit security issues is a great services, but
disregarding all security issue management protocols in their publication is
doing a disservice to all who would otherwise benefit from the work.
>>>> 
>>>> Rails has had a codified security process for many years now.
It''s available for all to read on http://rubyonrails.org/security.
Making a blog post on your personal site isn''t one of the channels
listed as a responsible way of disclosing discoveries. Posting specific 0-day
attack vectors against affected sites is not one either.
>>>> 
>>>> Making a public report over a holiday weekend, and then, when
the response to the report doesn''t immediately follow the proposed
solution (remove the feature), go off the reservation with specific attacks is
just plain irresponsible. No two ways about it. It also goes to undermine any
other recommendations or suggestions coming from said reporter.
>>>> 
>>>> So. Damage is already done for this issue. But lest it
encourages others to act as irresponsibly as Homakov has done of this issue, I
hope others take a broader approach for future issues. Report systemic or
framework issues per the reporting instructions on
http://rubyonrails.org/security. Report specific application issues directly to
application developers responsibly per their reporting instructions (see
https://37signals.com/security-response for the one we use at 37signals).
>>>> 
>>>> Presumably we''re all in the same boat here: Make Rails
better and more secure. Let''s row like we mean that. The Rails security
team (Michael Koziarski, Jeremy Kemper, and Aaron Patterson) has worked hard in
the past to provide us with a good process, they''ve followed that
process, and they deserve our thanks and support.
>>>> -- 
>>>> You received this message because you are subscribed to the
Google Groups "Ruby on Rails: Core" group.
>>>> To unsubscribe from this group and stop receiving emails from
it, send an email to rubyonrails-core+unsubscribe@googlegroups.com.
>>>> To post to this group, send email to
rubyonrails-core@googlegroups.com.
>>>> Visit this group at
http://groups.google.com/group/rubyonrails-core.
>>>> For more options, visit
https://groups.google.com/groups/opt_out.
>>> -- 
>>> You received this message because you are subscribed to a topic in
the Google Groups "Ruby on Rails: Core" group.
>>> To unsubscribe from this topic, visit
https://groups.google.com/d/topic/rubyonrails-core/rwzM8MKJbKU/unsubscribe.
>>> To unsubscribe from this group and all its topics, send an email to
rubyonrails-core+unsubscribe@googlegroups.com.
>>> To post to this group, send email to
rubyonrails-core@googlegroups.com.
>>> Visit this group at
http://groups.google.com/group/rubyonrails-core.
>>> For more options, visit https://groups.google.com/groups/opt_out.
> 
> -- 
> You received this message because you are subscribed to a topic in the
Google Groups "Ruby on Rails: Core" group.
> To unsubscribe from this topic, visit
https://groups.google.com/d/topic/rubyonrails-core/rwzM8MKJbKU/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
rubyonrails-core+unsubscribe@googlegroups.com.
> To post to this group, send email to rubyonrails-core@googlegroups.com.
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/groups/opt_out.
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

I''m sorry that you weren''t added to the hall of fame in a
timely manner, and I''ll check into what happened, but that hardly
justifies this shotgun approach to disclosure. Had you also contacted the other
application makers for which you provided 0-day attacks? Did they also slight
you in some way that justified this treatment?

I''m just trying to figure out what the thought process is here, so we
can calibrate our response for next time. If you get a response that a certain
architectural style isn''t going to be changed as you first suggest,
should the community expect that you''ll blast random applications with
specific attack vectors on a 0-day basis?

And if the reasons you describe are enough to, in your mind, warrant the 0-day
option, should potential clients expect that similar minor disputes or
grievances might result in 0-day public releases from the code bases you have
examined?

You''re obviously skilled at finding security issues. That''s a
great skill to have, and it''s valuable to the community when wielded
with care. But you''re not wielding it with care.


On Dec 2, 2013, at 8:18 AM, Egor Homakov <homakov@gmail.com> wrote:
> There''s a precise reason why I did so called "full
disclosure"
> 
> I started writing an email to security@37singals, then i checked out the
previous conversation we had, where i was asked about my link for Hall of Fame.
I gave the link and after a month it wasn''t added. No, i don''t
really care, but given some other details (it was the second RJS bug in
basecamp, "RJS bug" overall wasn''t 0 day at all, your
ultimate rejection of RJS removal) i somehow ended up writing a post with full
disclosure.
> 
> I *mostly* follow responsible disclosure policies. But this is not my duty.
Especially when i have couple of reasons to follow other policy.
> 
> 
> 
> On Monday, December 2, 2013 11:01:21 PM UTC+7, DHH wrote:
> What email is that? I replied to Homakov on Twitter thanking him for the
discovery and stating a clear intent to get the issue resolved. What I rejected
outright was the knee-jerk reaction to remove the possibility of generating JS
responses from Rails. This rejection was confirmed when it got clear that the
motivation behind that specific mitigation strategy was also motivated by
architectural opinions on what''s dinosaur and what''s not.
> 
> But again, even having this discussion here or on Twitter simply
isn''t the proper forum to discuss 0-day exploits. It''s the
reason we have a standardized security reporting and response protocol.
It''s why we go to great lengths to coordinate proper fixes across
multiple versions of Rails, following the CVE process, and other responsible
steps in the process.
> 
> To sidestep all that doesn''t help anyone but Homakov in the
short-term to build a reputation as a take-no-prisoners grey hatter. I question
the business strategy of that long-term (imagine having a business dispute with
Homakov after giving him access to your system -- yikes!).
> 
> Again, my opinion of the process is removed from the value of finding
security holes. Of course finding and responsibly disclosing security holes is a
good thing. I just wish that Homakov, and others who might be inspired by his
tactics, would realize that there''s plenty of gain to be had personally
by subscribing to these time-tested practices.
> 
> 
> On Dec 2, 2013, at 7:52 AM, Rodrigo Rosenfeld Rosas
<rr.r...@gmail.com> wrote:
> 
> > David, first I must say I admire both you and Homakov and I''d
certainly hire him if I could afford it.
> > 
> > I believe what led him to create that post was exactly your reponse to
his e-mail.
> > 
> > I agree he shouldn''t have created this discussion publicly
but you shouldn''t have replied the way you did either. You should
instead try to understand the problem first before saying it would go nowhere.
> > 
> > I believe this is what caused Homakov reaction. 
> > 
> > Sincerely, 
> > Rodrigo. 
> > 
> > Em 02-12-2013 13:47, DHH escreveu: 
> >> Please stop conflating the discovery of a security issue with the
philosophical waxing about architecture. It''s not helping the case. As
stated previously, responding with JS is not only a wonderful architectural
pattern, it''s also not going anywhere. Not in a gem, not in a
deprecation, not anywhere. We''ll fix the security issue, and Rails will
continue to proudly champion the use of this great pattern.
> >> 
> >> Guess what, it won''t be the last security issue Rails
ever has. Just like it won''t be the last security issue any piece of
software ever has. But we need to level up as a community in our handling of
these issues.
> >> 
> >> Frankly, I''m surprised that people are willing to hire
Homakov for any work in the area given his reputation for irresponsible
disclosure. Finding a legit security issues is a great services, but
disregarding all security issue management protocols in their publication is
doing a disservice to all who would otherwise benefit from the work.
> >> 
> >> Rails has had a codified security process for many years now.
It''s available for all to read on http://rubyonrails.org/security.
Making a blog post on your personal site isn''t one of the channels
listed as a responsible way of disclosing discoveries. Posting specific 0-day
attack vectors against affected sites is not one either.
> >> 
> >> Making a public report over a holiday weekend, and then, when the
response to the report doesn''t immediately follow the proposed solution
(remove the feature), go off the reservation with specific attacks is just plain
irresponsible. No two ways about it. It also goes to undermine any other
recommendations or suggestions coming from said reporter.
> >> 
> >> So. Damage is already done for this issue. But lest it encourages
others to act as irresponsibly as Homakov has done of this issue, I hope others
take a broader approach for future issues. Report systemic or framework issues
per the reporting instructions on http://rubyonrails.org/security. Report
specific application issues directly to application developers responsibly per
their reporting instructions (see https://37signals.com/security-response for
the one we use at 37signals).
> >> 
> >> Presumably we''re all in the same boat here: Make Rails
better and more secure. Let''s row like we mean that. The Rails security
team (Michael Koziarski, Jeremy Kemper, and Aaron Patterson) has worked hard in
the past to provide us with a good process, they''ve followed that
process, and they deserve our thanks and support.
> >> -- 
> >> You received this message because you are subscribed to the Google
Groups "Ruby on Rails: Core" group.
> >> To unsubscribe from this group and stop receiving emails from it,
send an email to rubyonrails-co...@googlegroups.com.
> >> To post to this group, send email to rubyonra...@googlegroups.com.
> >> Visit this group at
http://groups.google.com/group/rubyonrails-core.
> >> For more options, visit https://groups.google.com/groups/opt_out. 
> > 
> > -- 
> > You received this message because you are subscribed to a topic in the
Google Groups "Ruby on Rails: Core" group.
> > To unsubscribe from this topic, visit
https://groups.google.com/d/topic/rubyonrails-core/rwzM8MKJbKU/unsubscribe.
> > To unsubscribe from this group and all its topics, send an email to
rubyonrails-co...@googlegroups.com.
> > To post to this group, send email to rubyonra...@googlegroups.com. 
> > Visit this group at http://groups.google.com/group/rubyonrails-core. 
> > For more options, visit https://groups.google.com/groups/opt_out. 
> 
> 
> -- 
> You received this message because you are subscribed to a topic in the
Google Groups "Ruby on Rails: Core" group.
> To unsubscribe from this topic, visit
https://groups.google.com/d/topic/rubyonrails-core/rwzM8MKJbKU/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
rubyonrails-core+unsubscribe@googlegroups.com.
> To post to this group, send email to rubyonrails-core@googlegroups.com.
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/groups/opt_out.
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

> Homakov rejected outright initially as a possibility
https://twitter.com/homakov/status/406466616897986560
Sorry for using "REMOVE THE FEATURE" wordings, now I see how it
sounded.
All i wanted is to fix security bug itself, throwing the feature away 
wasn''t my goal. 
 

On Monday, December 2, 2013 11:18:59 PM UTC+7, DHH
wrote:
>
> I feel entirely comfortable with shooting down REMOVE THE FEATURE as the 
> first response to any security reporting. Our response should be, as it was
> here -- as it always is, let''s fix the issue. This is doubly so
when
> security reportings are conflated with other architectural agendas, like 
> "dinosaur feature removal quests". 
>
> As it turns out, there is a very reasonable proposal for fixing this as 
> well: Check js requests for xhr? and add the xhr header to all js requests 
> through the framework, so it''ll work for GET as well.
We''ll get this
> proposal vetted, of course, but if that pans out, it would be an entirely 
> invisible fix that requires zero adjustment of the architectural style. 
> Just like I mentioned it would, and as Homakov rejected outright initially 
> as a possibility. 
>
> Yes, there are many ways to make a buck, if you don''t care about
how you
> do it. I don''t find that worthy of celebration. 
>
> On Dec 2, 2013, at 8:13 AM, Rodrigo Rosenfeld Rosas
<rr.r...@gmail.com<javascript:>>
> wrote: 
>
> > Your first message in this thread. He even quoted the relevant part in
> his article: 
> > 
> > "Not only are js.erb templates not deprecated, they are a great
way to
> develop an application with Ajax responses where you can reuse your 
> server-side templates. It''s fine to explore ways to make this more
secure
> by default, but the fundamental development style of returning JS as a 
> response is both architecturally sound and an integral part of Rails. So 
> that''s not going anywhere. 
> > 
> > So let''s instead explore ways of having better escaping
tools, warnings,
> or defaults that''ll work with the wonders of RJS." 
> > 
> > I understand you had the best of the intentions, but I
wouldn''t have
> started the discussion by ending it. By this time you were not yet aware on
> how applications were affected and if there was a sane way to fix this 
> issue. If I were you, I''d first *ask* if there''s an
alternative way instead
> of deprecating its usage *before* deciding it wouldn''t go
anywhere.
> > 
> > I guess that was what pissed him off... 
> > 
> > I agree with you that this is not the "correct" way of
dealing with the
> situation, from an ethics perspective, but let''s be honest:
Homakov
> wouldn''t probably be a known name if he hadn''t put the
attack to GitHub
> into practice. I''m not defending this approach to self marketing,
but you
> can''t tell us it isn''t effective ;) 
> > 
> > Best, 
> > Rodrigo. 
> > 
> > 
> > Em 02-12-2013 14:01, David Heinemeier Hansson escreveu: 
> >> What email is that? I replied to Homakov on Twitter thanking him
for
> the discovery and stating a clear intent to get the issue resolved. What I 
> rejected outright was the knee-jerk reaction to remove the possibility of 
> generating JS responses from Rails. This rejection was confirmed when it 
> got clear that the motivation behind that specific mitigation strategy was 
> also motivated by architectural opinions on what''s dinosaur and
what''s not.
> >> 
> >> But again, even having this discussion here or on Twitter simply
isn''t
> the proper forum to discuss 0-day exploits. It''s the reason we
have a
> standardized security reporting and response protocol. It''s why we
go to
> great lengths to coordinate proper fixes across multiple versions of Rails,
> following the CVE process, and other responsible steps in the process. 
> >> 
> >> To sidestep all that doesn''t help anyone but Homakov in
the short-term
> to build a reputation as a take-no-prisoners grey hatter. I question the 
> business strategy of that long-term (imagine having a business dispute with
> Homakov after giving him access to your system -- yikes!). 
> >> 
> >> Again, my opinion of the process is removed from the value of
finding
> security holes. Of course finding and responsibly disclosing security holes
> is a good thing. I just wish that Homakov, and others who might be inspired
> by his tactics, would realize that there''s plenty of gain to be
had
> personally by subscribing to these time-tested practices. 
> >> 
> >> 
> >> On Dec 2, 2013, at 7:52 AM, Rodrigo Rosenfeld Rosas
<rr.r...@gmail.com<javascript:>>
> wrote: 
> >> 
> >>> David, first I must say I admire both you and Homakov and
I''d
> certainly hire him if I could afford it. 
> >>> 
> >>> I believe what led him to create that post was exactly your
reponse to
> his e-mail. 
> >>> 
> >>> I agree he shouldn''t have created this discussion
publicly but you
> shouldn''t have replied the way you did either. You should instead
try to
> understand the problem first before saying it would go nowhere. 
> >>> 
> >>> I believe this is what caused Homakov reaction. 
> >>> 
> >>> Sincerely, 
> >>> Rodrigo. 
> >>> 
> >>> Em 02-12-2013 13:47, DHH escreveu: 
> >>>> Please stop conflating the discovery of a security issue
with the
> philosophical waxing about architecture. It''s not helping the
case. As
> stated previously, responding with JS is not only a wonderful architectural
> pattern, it''s also not going anywhere. Not in a gem, not in a
deprecation,
> not anywhere. We''ll fix the security issue, and Rails will
continue to
> proudly champion the use of this great pattern. 
> >>>> 
> >>>> Guess what, it won''t be the last security issue
Rails ever has. Just
> like it won''t be the last security issue any piece of software
ever has.
> But we need to level up as a community in our handling of these issues. 
> >>>> 
> >>>> Frankly, I''m surprised that people are willing to
hire Homakov for
> any work in the area given his reputation for irresponsible disclosure. 
> Finding a legit security issues is a great services, but disregarding all 
> security issue management protocols in their publication is doing a 
> disservice to all who would otherwise benefit from the work. 
> >>>> 
> >>>> Rails has had a codified security process for many years
now. It''s
> available for all to read on http://rubyonrails.org/security. Making a 
> blog post on your personal site isn''t one of the channels listed
as a
> responsible way of disclosing discoveries. Posting specific 0-day attack 
> vectors against affected sites is not one either. 
> >>>> 
> >>>> Making a public report over a holiday weekend, and then,
when the
> response to the report doesn''t immediately follow the proposed
solution
> (remove the feature), go off the reservation with specific attacks is just 
> plain irresponsible. No two ways about it. It also goes to undermine any 
> other recommendations or suggestions coming from said reporter. 
> >>>> 
> >>>> So. Damage is already done for this issue. But lest it
encourages
> others to act as irresponsibly as Homakov has done of this issue, I hope 
> others take a broader approach for future issues. Report systemic or 
> framework issues per the reporting instructions on 
> http://rubyonrails.org/security. Report specific application issues 
> directly to application developers responsibly per their reporting 
> instructions (see https://37signals.com/security-response for the one we 
> use at 37signals). 
> >>>> 
> >>>> Presumably we''re all in the same boat here: Make
Rails better and
> more secure. Let''s row like we mean that. The Rails security team
(Michael
> Koziarski, Jeremy Kemper, and Aaron Patterson) has worked hard in the past 
> to provide us with a good process, they''ve followed that process,
and they
> deserve our thanks and support. 
> >>>> -- 
> >>>> You received this message because you are subscribed to
the Google
> Groups "Ruby on Rails: Core" group. 
> >>>> To unsubscribe from this group and stop receiving emails
from it,
> send an email to rubyonrails-co...@googlegroups.com <javascript:>. 
> >>>> To post to this group, send email to
rubyonra...@googlegroups.com<javascript:>.
>
> >>>> Visit this group at
http://groups.google.com/group/rubyonrails-core.
> >>>> For more options, visit
https://groups.google.com/groups/opt_out.
> >>> -- 
> >>> You received this message because you are subscribed to a
topic in the
> Google Groups "Ruby on Rails: Core" group. 
> >>> To unsubscribe from this topic, visit 
> https://groups.google.com/d/topic/rubyonrails-core/rwzM8MKJbKU/unsubscribe.
>
> >>> To unsubscribe from this group and all its topics, send an
email to
> rubyonrails-co...@googlegroups.com <javascript:>. 
> >>> To post to this group, send email to
rubyonra...@googlegroups.com<javascript:>.
>
> >>> Visit this group at
http://groups.google.com/group/rubyonrails-core.
> >>> For more options, visit
https://groups.google.com/groups/opt_out.
> > 
> > -- 
> > You received this message because you are subscribed to a topic in the
> Google Groups "Ruby on Rails: Core" group. 
> > To unsubscribe from this topic, visit 
> https://groups.google.com/d/topic/rubyonrails-core/rwzM8MKJbKU/unsubscribe.
>
> > To unsubscribe from this group and all its topics, send an email to 
> rubyonrails-co...@googlegroups.com <javascript:>. 
> > To post to this group, send email to
rubyonra...@googlegroups.com<javascript:>.
>
> > Visit this group at http://groups.google.com/group/rubyonrails-core. 
> > For more options, visit https://groups.google.com/groups/opt_out. 
>
>  
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

Homakov, what we all want is to fix security bugs. There isn''t any
justification for thinking that we aren''t all in the same boat on that.
Things get muddy when you hinge the reporting of a security issue to your
personal assessment of what a good architectural pattern is, though.

So please. I implore you to change your ways. You can be a great part of this
community and you can build a reputable security consulting business without
resorting to these irresponsible tactics.

We will get this specific issue fixed shortly (as soon as the GET .js solution
by adding xhr headers has been vetted), I''m not in the least concerned
about that. I''m concerned that we''ll be right back at square
one next time you find an issue and you arm the internets with 0-day exploits
against a random selection of applications before giving the makers a reasonable
timeframe to defend themselves (one holiday weekend isn''t it).

On Dec 2, 2013, at 8:30 AM, Egor Homakov <homakov@gmail.com> wrote:
> > Homakov rejected outright initially as a possibility
> https://twitter.com/homakov/status/406466616897986560
> Sorry for using "REMOVE THE FEATURE" wordings, now I see how it
sounded. All i wanted is to fix security bug itself, throwing the feature away
wasn''t my goal.
>  
> 
> On Monday, December 2, 2013 11:18:59 PM UTC+7, DHH wrote:
> I feel entirely comfortable with shooting down REMOVE THE FEATURE as the
first response to any security reporting. Our response should be, as it was here
-- as it always is, let''s fix the issue. This is doubly so when
security reportings are conflated with other architectural agendas, like
"dinosaur feature removal quests".
> 
> As it turns out, there is a very reasonable proposal for fixing this as
well: Check js requests for xhr? and add the xhr header to all js requests
through the framework, so it''ll work for GET as well. We''ll
get this proposal vetted, of course, but if that pans out, it would be an
entirely invisible fix that requires zero adjustment of the architectural style.
Just like I mentioned it would, and as Homakov rejected outright initially as a
possibility.
> 
> Yes, there are many ways to make a buck, if you don''t care about
how you do it. I don''t find that worthy of celebration.
> 
> On Dec 2, 2013, at 8:13 AM, Rodrigo Rosenfeld Rosas
<rr.r...@gmail.com> wrote:
> 
> > Your first message in this thread. He even quoted the relevant part in
his article:
> > 
> > "Not only are js.erb templates not deprecated, they are a great
way to develop an application with Ajax responses where you can reuse your
server-side templates. It''s fine to explore ways to make this more
secure by default, but the fundamental development style of returning JS as a
response is both architecturally sound and an integral part of Rails. So
that''s not going anywhere.
> > 
> > So let''s instead explore ways of having better escaping
tools, warnings, or defaults that''ll work with the wonders of
RJS."
> > 
> > I understand you had the best of the intentions, but I
wouldn''t have started the discussion by ending it. By this time you
were not yet aware on how applications were affected and if there was a sane way
to fix this issue. If I were you, I''d first *ask* if there''s
an alternative way instead of deprecating its usage *before* deciding it
wouldn''t go anywhere.
> > 
> > I guess that was what pissed him off... 
> > 
> > I agree with you that this is not the "correct" way of
dealing with the situation, from an ethics perspective, but let''s be
honest: Homakov wouldn''t probably be a known name if he hadn''t
put the attack to GitHub into practice. I''m not defending this approach
to self marketing, but you can''t tell us it isn''t effective ;)
> > 
> > Best, 
> > Rodrigo. 
> > 
> > 
> > Em 02-12-2013 14:01, David Heinemeier Hansson escreveu: 
> >> What email is that? I replied to Homakov on Twitter thanking him
for the discovery and stating a clear intent to get the issue resolved. What I
rejected outright was the knee-jerk reaction to remove the possibility of
generating JS responses from Rails. This rejection was confirmed when it got
clear that the motivation behind that specific mitigation strategy was also
motivated by architectural opinions on what''s dinosaur and
what''s not.
> >> 
> >> But again, even having this discussion here or on Twitter simply
isn''t the proper forum to discuss 0-day exploits. It''s the
reason we have a standardized security reporting and response protocol.
It''s why we go to great lengths to coordinate proper fixes across
multiple versions of Rails, following the CVE process, and other responsible
steps in the process.
> >> 
> >> To sidestep all that doesn''t help anyone but Homakov in
the short-term to build a reputation as a take-no-prisoners grey hatter. I
question the business strategy of that long-term (imagine having a business
dispute with Homakov after giving him access to your system -- yikes!).
> >> 
> >> Again, my opinion of the process is removed from the value of
finding security holes. Of course finding and responsibly disclosing security
holes is a good thing. I just wish that Homakov, and others who might be
inspired by his tactics, would realize that there''s plenty of gain to
be had personally by subscribing to these time-tested practices.
> >> 
> >> 
> >> On Dec 2, 2013, at 7:52 AM, Rodrigo Rosenfeld Rosas
<rr.r...@gmail.com> wrote:
> >> 
> >>> David, first I must say I admire both you and Homakov and
I''d certainly hire him if I could afford it.
> >>> 
> >>> I believe what led him to create that post was exactly your
reponse to his e-mail.
> >>> 
> >>> I agree he shouldn''t have created this discussion
publicly but you shouldn''t have replied the way you did either. You
should instead try to understand the problem first before saying it would go
nowhere.
> >>> 
> >>> I believe this is what caused Homakov reaction. 
> >>> 
> >>> Sincerely, 
> >>> Rodrigo. 
> >>> 
> >>> Em 02-12-2013 13:47, DHH escreveu: 
> >>>> Please stop conflating the discovery of a security issue
with the philosophical waxing about architecture. It''s not helping the
case. As stated previously, responding with JS is not only a wonderful
architectural pattern, it''s also not going anywhere. Not in a gem, not
in a deprecation, not anywhere. We''ll fix the security issue, and Rails
will continue to proudly champion the use of this great pattern.
> >>>> 
> >>>> Guess what, it won''t be the last security issue
Rails ever has. Just like it won''t be the last security issue any piece
of software ever has. But we need to level up as a community in our handling of
these issues.
> >>>> 
> >>>> Frankly, I''m surprised that people are willing to
hire Homakov for any work in the area given his reputation for irresponsible
disclosure. Finding a legit security issues is a great services, but
disregarding all security issue management protocols in their publication is
doing a disservice to all who would otherwise benefit from the work.
> >>>> 
> >>>> Rails has had a codified security process for many years
now. It''s available for all to read on http://rubyonrails.org/security.
Making a blog post on your personal site isn''t one of the channels
listed as a responsible way of disclosing discoveries. Posting specific 0-day
attack vectors against affected sites is not one either.
> >>>> 
> >>>> Making a public report over a holiday weekend, and then,
when the response to the report doesn''t immediately follow the proposed
solution (remove the feature), go off the reservation with specific attacks is
just plain irresponsible. No two ways about it. It also goes to undermine any
other recommendations or suggestions coming from said reporter.
> >>>> 
> >>>> So. Damage is already done for this issue. But lest it
encourages others to act as irresponsibly as Homakov has done of this issue, I
hope others take a broader approach for future issues. Report systemic or
framework issues per the reporting instructions on
http://rubyonrails.org/security. Report specific application issues directly to
application developers responsibly per their reporting instructions (see
https://37signals.com/security-response for the one we use at 37signals).
> >>>> 
> >>>> Presumably we''re all in the same boat here: Make
Rails better and more secure. Let''s row like we mean that. The Rails
security team (Michael Koziarski, Jeremy Kemper, and Aaron Patterson) has worked
hard in the past to provide us with a good process, they''ve followed
that process, and they deserve our thanks and support.
> >>>> -- 
> >>>> You received this message because you are subscribed to
the Google Groups "Ruby on Rails: Core" group.
> >>>> To unsubscribe from this group and stop receiving emails
from it, send an email to rubyonrails-co...@googlegroups.com.
> >>>> To post to this group, send email to
rubyonra...@googlegroups.com.
> >>>> Visit this group at
http://groups.google.com/group/rubyonrails-core.
> >>>> For more options, visit
https://groups.google.com/groups/opt_out.
> >>> -- 
> >>> You received this message because you are subscribed to a
topic in the Google Groups "Ruby on Rails: Core" group.
> >>> To unsubscribe from this topic, visit
https://groups.google.com/d/topic/rubyonrails-core/rwzM8MKJbKU/unsubscribe.
> >>> To unsubscribe from this group and all its topics, send an
email to rubyonrails-co...@googlegroups.com.
> >>> To post to this group, send email to
rubyonra...@googlegroups.com.
> >>> Visit this group at
http://groups.google.com/group/rubyonrails-core.
> >>> For more options, visit
https://groups.google.com/groups/opt_out.
> > 
> > -- 
> > You received this message because you are subscribed to a topic in the
Google Groups "Ruby on Rails: Core" group.
> > To unsubscribe from this topic, visit
https://groups.google.com/d/topic/rubyonrails-core/rwzM8MKJbKU/unsubscribe.
> > To unsubscribe from this group and all its topics, send an email to
rubyonrails-co...@googlegroups.com.
> > To post to this group, send email to rubyonra...@googlegroups.com. 
> > Visit this group at http://groups.google.com/group/rubyonrails-core. 
> > For more options, visit https://groups.google.com/groups/opt_out. 
> 
>  
> 
> -- 
> You received this message because you are subscribed to a topic in the
Google Groups "Ruby on Rails: Core" group.
> To unsubscribe from this topic, visit
https://groups.google.com/d/topic/rubyonrails-core/rwzM8MKJbKU/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
rubyonrails-core+unsubscribe@googlegroups.com.
> To post to this group, send email to rubyonrails-core@googlegroups.com.
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/groups/opt_out.
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

I think i may have a solution, if i am wrong please don''t shoot me ;)

https://github.com/artellectual/transponder/blob/develop/RAILS_UJS_VULNERABILITY_FIX.md

On Monday, December 2, 2013 11:37:04 PM UTC+7, DHH
wrote:
>
> Homakov, what we all want is to fix security bugs. There isn''t any
> justification for thinking that we aren''t all in the same boat on
that.
> Things get muddy when you hinge the reporting of a security issue to your 
> personal assessment of what a good architectural pattern is, though. 
>
> So please. I implore you to change your ways. You can be a great part of 
> this community and you can build a reputable security consulting business 
> without resorting to these irresponsible tactics. 
>
> We will get this specific issue fixed shortly (as soon as the GET .js 
> solution by adding xhr headers has been vetted), I''m not in the
least
> concerned about that. I''m concerned that we''ll be right
back at square one
> next time you find an issue and you arm the internets with 0-day exploits 
> against a random selection of applications before giving the makers a 
> reasonable timeframe to defend themselves (one holiday weekend
isn''t it).
>
> On Dec 2, 2013, at 8:30 AM, Egor Homakov <hom...@gmail.com
<javascript:>>
> wrote: 
>
> > > Homakov rejected outright initially as a possibility 
> > https://twitter.com/homakov/status/406466616897986560 
> > Sorry for using "REMOVE THE FEATURE" wordings, now I see how
it sounded.
> All i wanted is to fix security bug itself, throwing the feature away 
> wasn''t my goal. 
> >   
> > 
> > On Monday, December 2, 2013 11:18:59 PM UTC+7, DHH wrote: 
> > I feel entirely comfortable with shooting down REMOVE THE FEATURE as
the
> first response to any security reporting. Our response should be, as it was
> here -- as it always is, let''s fix the issue. This is doubly so
when
> security reportings are conflated with other architectural agendas, like 
> "dinosaur feature removal quests". 
> > 
> > As it turns out, there is a very reasonable proposal for fixing this
as
> well: Check js requests for xhr? and add the xhr header to all js requests 
> through the framework, so it''ll work for GET as well.
We''ll get this
> proposal vetted, of course, but if that pans out, it would be an entirely 
> invisible fix that requires zero adjustment of the architectural style. 
> Just like I mentioned it would, and as Homakov rejected outright initially 
> as a possibility. 
> > 
> > Yes, there are many ways to make a buck, if you don''t care
about how you
> do it. I don''t find that worthy of celebration. 
> > 
> > On Dec 2, 2013, at 8:13 AM, Rodrigo Rosenfeld Rosas
<rr.r...@gmail.com>
> wrote: 
> > 
> > > Your first message in this thread. He even quoted the relevant
part in
> his article: 
> > > 
> > > "Not only are js.erb templates not deprecated, they are a
great way to
> develop an application with Ajax responses where you can reuse your 
> server-side templates. It''s fine to explore ways to make this more
secure
> by default, but the fundamental development style of returning JS as a 
> response is both architecturally sound and an integral part of Rails. So 
> that''s not going anywhere. 
> > > 
> > > So let''s instead explore ways of having better escaping
tools,
> warnings, or defaults that''ll work with the wonders of RJS." 
> > > 
> > > I understand you had the best of the intentions, but I
wouldn''t have
> started the discussion by ending it. By this time you were not yet aware on
> how applications were affected and if there was a sane way to fix this 
> issue. If I were you, I''d first *ask* if there''s an
alternative way instead
> of deprecating its usage *before* deciding it wouldn''t go
anywhere.
> > > 
> > > I guess that was what pissed him off... 
> > > 
> > > I agree with you that this is not the "correct" way of
dealing with
> the situation, from an ethics perspective, but let''s be honest:
Homakov
> wouldn''t probably be a known name if he hadn''t put the
attack to GitHub
> into practice. I''m not defending this approach to self marketing,
but you
> can''t tell us it isn''t effective ;) 
> > > 
> > > Best, 
> > > Rodrigo. 
> > > 
> > > 
> > > Em 02-12-2013 14:01, David Heinemeier Hansson escreveu: 
> > >> What email is that? I replied to Homakov on Twitter thanking
him for
> the discovery and stating a clear intent to get the issue resolved. What I 
> rejected outright was the knee-jerk reaction to remove the possibility of 
> generating JS responses from Rails. This rejection was confirmed when it 
> got clear that the motivation behind that specific mitigation strategy was 
> also motivated by architectural opinions on what''s dinosaur and
what''s not.
> > >> 
> > >> But again, even having this discussion here or on Twitter
simply
> isn''t the proper forum to discuss 0-day exploits. It''s
the reason we have a
> standardized security reporting and response protocol. It''s why we
go to
> great lengths to coordinate proper fixes across multiple versions of Rails,
> following the CVE process, and other responsible steps in the process. 
> > >> 
> > >> To sidestep all that doesn''t help anyone but Homakov
in the
> short-term to build a reputation as a take-no-prisoners grey hatter. I 
> question the business strategy of that long-term (imagine having a business
> dispute with Homakov after giving him access to your system -- yikes!). 
> > >> 
> > >> Again, my opinion of the process is removed from the value of
finding
> security holes. Of course finding and responsibly disclosing security holes
> is a good thing. I just wish that Homakov, and others who might be inspired
> by his tactics, would realize that there''s plenty of gain to be
had
> personally by subscribing to these time-tested practices. 
> > >> 
> > >> 
> > >> On Dec 2, 2013, at 7:52 AM, Rodrigo Rosenfeld Rosas <
> rr.r...@gmail.com> wrote: 
> > >> 
> > >>> David, first I must say I admire both you and Homakov and
I''d
> certainly hire him if I could afford it. 
> > >>> 
> > >>> I believe what led him to create that post was exactly
your reponse
> to his e-mail. 
> > >>> 
> > >>> I agree he shouldn''t have created this
discussion publicly but you
> shouldn''t have replied the way you did either. You should instead
try to
> understand the problem first before saying it would go nowhere. 
> > >>> 
> > >>> I believe this is what caused Homakov reaction. 
> > >>> 
> > >>> Sincerely, 
> > >>> Rodrigo. 
> > >>> 
> > >>> Em 02-12-2013 13:47, DHH escreveu: 
> > >>>> Please stop conflating the discovery of a security
issue with the
> philosophical waxing about architecture. It''s not helping the
case. As
> stated previously, responding with JS is not only a wonderful architectural
> pattern, it''s also not going anywhere. Not in a gem, not in a
deprecation,
> not anywhere. We''ll fix the security issue, and Rails will
continue to
> proudly champion the use of this great pattern. 
> > >>>> 
> > >>>> Guess what, it won''t be the last security
issue Rails ever has.
> Just like it won''t be the last security issue any piece of
software ever
> has. But we need to level up as a community in our handling of these 
> issues. 
> > >>>> 
> > >>>> Frankly, I''m surprised that people are
willing to hire Homakov for
> any work in the area given his reputation for irresponsible disclosure. 
> Finding a legit security issues is a great services, but disregarding all 
> security issue management protocols in their publication is doing a 
> disservice to all who would otherwise benefit from the work. 
> > >>>> 
> > >>>> Rails has had a codified security process for many
years now. It''s
> available for all to read on http://rubyonrails.org/security. Making a 
> blog post on your personal site isn''t one of the channels listed
as a
> responsible way of disclosing discoveries. Posting specific 0-day attack 
> vectors against affected sites is not one either. 
> > >>>> 
> > >>>> Making a public report over a holiday weekend, and
then, when the
> response to the report doesn''t immediately follow the proposed
solution
> (remove the feature), go off the reservation with specific attacks is just 
> plain irresponsible. No two ways about it. It also goes to undermine any 
> other recommendations or suggestions coming from said reporter. 
> > >>>> 
> > >>>> So. Damage is already done for this issue. But lest
it encourages
> others to act as irresponsibly as Homakov has done of this issue, I hope 
> others take a broader approach for future issues. Report systemic or 
> framework issues per the reporting instructions on 
> http://rubyonrails.org/security. Report specific application issues 
> directly to application developers responsibly per their reporting 
> instructions (see https://37signals.com/security-response for the one we 
> use at 37signals). 
> > >>>> 
> > >>>> Presumably we''re all in the same boat here:
Make Rails better and
> more secure. Let''s row like we mean that. The Rails security team
(Michael
> Koziarski, Jeremy Kemper, and Aaron Patterson) has worked hard in the past 
> to provide us with a good process, they''ve followed that process,
and they
> deserve our thanks and support. 
> > >>>> -- 
> > >>>> You received this message because you are subscribed
to the Google
> Groups "Ruby on Rails: Core" group. 
> > >>>> To unsubscribe from this group and stop receiving
emails from it,
> send an email to rubyonrails-co...@googlegroups.com. 
> > >>>> To post to this group, send email to
rubyonra...@googlegroups.com.
> > >>>> Visit this group at
http://groups.google.com/group/rubyonrails-core.
>
> > >>>> For more options, visit
https://groups.google.com/groups/opt_out.
> > >>> -- 
> > >>> You received this message because you are subscribed to a
topic in
> the Google Groups "Ruby on Rails: Core" group. 
> > >>> To unsubscribe from this topic, visit 
> https://groups.google.com/d/topic/rubyonrails-core/rwzM8MKJbKU/unsubscribe.
>
> > >>> To unsubscribe from this group and all its topics, send
an email to
> rubyonrails-co...@googlegroups.com. 
> > >>> To post to this group, send email to
rubyonra...@googlegroups.com.
> > >>> Visit this group at
http://groups.google.com/group/rubyonrails-core.
>
> > >>> For more options, visit
https://groups.google.com/groups/opt_out.
> > > 
> > > -- 
> > > You received this message because you are subscribed to a topic
in the
> Google Groups "Ruby on Rails: Core" group. 
> > > To unsubscribe from this topic, visit 
> https://groups.google.com/d/topic/rubyonrails-core/rwzM8MKJbKU/unsubscribe.
>
> > > To unsubscribe from this group and all its topics, send an email
to
> rubyonrails-co...@googlegroups.com. 
> > > To post to this group, send email to
rubyonra...@googlegroups.com.
> > > Visit this group at
http://groups.google.com/group/rubyonrails-core.
> > > For more options, visit https://groups.google.com/groups/opt_out.
> > 
> >   
> > 
> > -- 
> > You received this message because you are subscribed to a topic in the
> Google Groups "Ruby on Rails: Core" group. 
> > To unsubscribe from this topic, visit 
> https://groups.google.com/d/topic/rubyonrails-core/rwzM8MKJbKU/unsubscribe.
>
> > To unsubscribe from this group and all its topics, send an email to 
> rubyonrails-co...@googlegroups.com <javascript:>. 
> > To post to this group, send email to
rubyonra...@googlegroups.com<javascript:>.
>
> > Visit this group at http://groups.google.com/group/rubyonrails-core. 
> > For more options, visit https://groups.google.com/groups/opt_out. 
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

I may have a possible solution, check it out (sorry if i double posted not 
sure if my previous post went through, as I have shitty internet)

Kontax on Heroku <http://kontax.herokuapp.com>

Kontax on Github <http://github.com/xpdr/kontax>

https://github.com/artellectual/transponder/blob/develop/RAILS_UJS_VULNERABILITY_FIX.md

On Thursday, November 28, 2013 3:41:37 PM UTC+7, Egor Homakov
wrote:
>
> https://github.com/rails/rails/issues/12374#issuecomment-29446761
>
> Here in discussion I proposed to deprecate JS responder because this 
> technique is insecure and not pragmatic way to transfer data.
> It can be exploited in this way 
> http://homakov.blogspot.com/2013/05/do-not-use-rjs-like-techniques.html
>
> i find this bug very often so i know what i''m talking about. With
it
> attacker can steal user data and authenticity_token if templates with form 
> were leaked too.
>
>
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

In this thread it has been repeated several times that .js endpoints via
GET are a security breach. And that people should stick to JSON.

Let me make clear for the archives that is not generally the case. There
are valid use cases for dynamically generated public JavaScript, for
example when your application exposes a widget 3rd party clients request to
have their DOM modified with content. Think Disqus. I have implemented
centralized rating systems for hotel providers that work that way.

The potential problem happens when your JavaScript GET endpoint exposes
sensitive/private data.

Now, since the former is a rare use-case compared to the latter, the XHR
protection should probably be enabled by default, but you need still to be
able to opt-out.

-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

Xavier, absolutely. Javan has suggested we have something like
protect_from_forgery, which can be opt-out of on a per action/controller basis.

On Dec 2, 2013, at 10:12 AM, Xavier Noria <fxn@hashref.com> wrote:
> In this thread it has been repeated several times that .js endpoints via
GET are a security breach. And that people should stick to JSON.
> 
> Let me make clear for the archives that is not generally the case. There
are valid use cases for dynamically generated public JavaScript, for example
when your application exposes a widget 3rd party clients request to have their
DOM modified with content. Think Disqus. I have implemented centralized rating
systems for hotel providers that work that way.
> 
> The potential problem happens when your JavaScript GET endpoint exposes
sensitive/private data.
> 
> Now, since the former is a rare use-case compared to the latter, the XHR
protection should probably be enabled by default, but you need still to be able
to opt-out.
> 
> 
> 
> -- 
> You received this message because you are subscribed to a topic in the
Google Groups "Ruby on Rails: Core" group.
> To unsubscribe from this topic, visit
https://groups.google.com/d/topic/rubyonrails-core/rwzM8MKJbKU/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
rubyonrails-core+unsubscribe@googlegroups.com.
> To post to this group, send email to rubyonrails-core@googlegroups.com.
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/groups/opt_out.
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

I much appreciate RoR, its community Homakov included. I never saw RoR 
security team at least one time to appreciate Homakov''s findings.
Perhaps
you should take it closer by first recognize his security work over RoR. 
I''m quite sure that Homakov would have comply to your rules in the end.

On Monday, December 2, 2013 5:47:07 PM UTC+2, DHH wrote:
>
> Please stop conflating the discovery of a security issue with the 
> philosophical waxing about architecture. It''s not helping the
case. As
> stated previously, responding with JS is not only a wonderful architectural
> pattern, it''s also not going anywhere. Not in a gem, not in a
deprecation,
> not anywhere. We''ll fix the security issue, and Rails will
continue to
> proudly champion the use of this great pattern.
>
> Guess what, it won''t be the last security issue Rails ever has.
Just like
> it won''t be the last security issue any piece of software ever
has. But we
> need to level up as a community in our handling of these issues.
>
> Frankly, I''m surprised that people are willing to hire Homakov for
any
> work in the area given his reputation for irresponsible disclosure. Finding
> a legit security issues is a great services, but disregarding all security 
> issue management protocols in their publication is doing a disservice to 
> all who would otherwise benefit from the work.
>
> Rails has had a codified security process for many years now. It''s
> available for all to read on http://rubyonrails.org/security. Making a 
> blog post on your personal site isn''t one of the channels listed
as a
> responsible way of disclosing discoveries. Posting specific 0-day attack 
> vectors against affected sites is not one either.
>
> Making a public report over a holiday weekend, and then, when the response 
> to the report doesn''t immediately follow the proposed solution
(remove the
> feature), go off the reservation with specific attacks is just plain 
> irresponsible. No two ways about it. It also goes to undermine any other 
> recommendations or suggestions coming from said reporter.
>
> So. Damage is already done for this issue. But lest it encourages others 
> to act as irresponsibly as Homakov has done of this issue, I hope others 
> take a broader approach for future issues. Report systemic or framework 
> issues per the reporting instructions on http://rubyonrails.org/security. 
> Report specific application issues directly to application developers 
> responsibly per their reporting instructions (see 
> https://37signals.com/security-response for the one we use at 37signals).
>
> Presumably we''re all in the same boat here: Make Rails better and
more
> secure. Let''s row like we mean that. The Rails security team
(Michael
> Koziarski, Jeremy Kemper, and Aaron Patterson) has worked hard in the past 
> to provide us with a good process, they''ve followed that process,
and they
> deserve our thanks and support.
>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

I am trying to imagine "dynamically generated public JavaScript" but 
nothing comes to my mind. Any small bit of information, even the fact that 
user is logged in, or blocked, is somewhat sensitive IMO.
Opt-out is must-have indeed. E.g. in development env it might be convenient 
to reach .json endpoints directly.

On Tuesday, December 3, 2013 1:12:14 AM UTC+7, Xavier Noria
wrote:
>
> In this thread it has been repeated several times that .js endpoints via 
> GET are a security breach. And that people should stick to JSON.
>
> Let me make clear for the archives that is not generally the case. There 
> are valid use cases for dynamically generated public JavaScript, for 
> example when your application exposes a widget 3rd party clients request to
> have their DOM modified with content. Think Disqus. I have implemented 
> centralized rating systems for hotel providers that work that way.
>
> The potential problem happens when your JavaScript GET endpoint exposes 
> sensitive/private data.
>
> Now, since the former is a rare use-case compared to the latter, the XHR 
> protection should probably be enabled by default, but you need still to be 
> able to opt-out.
>
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

On Mon, Dec 2, 2013 at 7:43 PM, Egor Homakov <homakov@gmail.com> wrote:

I am trying to imagine "dynamically generated public JavaScript"
but
> nothing comes to my mind.
>
This is an old trick.

Your service provides a small JavaScript snippet for hosting sites to
embed. The snippet generates a SCRIPT tag in the hosting DOM whose creation
triggers a (GET) request to fetch JavaScript from the central service, in
the provider''s domain. That as you know is not subjected to the
same-origin
policy, hence the technique.

See for example the snippet of Disqus:

    http://disqus.com/admin/universalcode/

The response contains JavaScript, whose evaluation injects content in the
host page.

The user browsing the hosting website is not a user of the service
provider, users may not even realize there is a centralized service
providing that section of the page.

-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

Embeddable gists are another example: <script 
src="https://gist.github.com/javan/7725255.js"></script>

On Monday, December 2, 2013 2:11:24 PM UTC-5, Xavier Noria
wrote:
>
> On Mon, Dec 2, 2013 at 7:43 PM, Egor Homakov
<hom...@gmail.com<javascript:>
> > wrote:
>
> I am trying to imagine "dynamically generated public JavaScript"
but
>> nothing comes to my mind.
>>
>
> This is an old trick.
>
> Your service provides a small JavaScript snippet for hosting sites to 
> embed. The snippet generates a SCRIPT tag in the hosting DOM whose creation
> triggers a (GET) request to fetch JavaScript from the central service, in 
> the provider''s domain. That as you know is not subjected to the
same-origin
> policy, hence the technique.
>
> See for example the snippet of Disqus:
>
>     http://disqus.com/admin/universalcode/
>
> The response contains JavaScript, whose evaluation injects content in the 
> host page.
>
> The user browsing the hosting website is not a user of the service 
> provider, users may not even realize there is a centralized service 
> providing that section of the page.
>
>
>  
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

I''ve been using RJS for quite a while and I think it''s a
wonderful way to
render server-side template and form errors. I agree with everyone that 
this issue is important as my ticket shows 
(https://github.com/rails/rails/issues/11509).

I''ve had a somewhat crazy idea a few months back and I''m sorry
if I side
track the issue at hand. I am currently thinking about using a websocket 
for this kind of query (I have a very rough alpha working). The gist would 
be to have a websocket open on DOMContentReady (there wouldn''t be any 
reconnection due to the nature of turbolinks). From there, every ajax 
request would be made through the websocket instead of the normal HTTP 
procedure. This, as far as I understand, would have the advantage of making 
XSS impossible (Websockets follows the same-origin policy).

Right now, this idea would be somewhat of a hack for different reason: A 
Javascript client script would have to take every click event on 
a[data-remote=true] and take the URL and pass it to the websocket which 
would then use Journey as normal to dispatch the request to the right 
controller. The response would then be sent through the websocket (The 
headers could be entirely drop).

I think this idea could possibly fix this issue altogether while being 
completely transparent to developers. 

Do I make sense? Is it a stupid idea?

On Thursday, November 28, 2013 3:41:37 AM UTC-5, Egor Homakov
wrote:
>
> https://github.com/rails/rails/issues/12374#issuecomment-29446761
>
> Here in discussion I proposed to deprecate JS responder because this 
> technique is insecure and not pragmatic way to transfer data.
> It can be exploited in this way 
> http://homakov.blogspot.com/2013/05/do-not-use-rjs-like-techniques.html
>
> i find this bug very often so i know what i''m talking about. With
it
> attacker can steal user data and authenticity_token if templates with form 
> were leaked too.
>
>
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

Marius, your solution is not much different from responding a render :json
: you send only the data, and the processing code is already on client
side; transponder.js seems to me that it adds an abstraction level in order
to manage the data, but it is different from RJS, which sends the execution
code too, that is necessary for running the examples made before, like
Disqus, or single page apps.

transponder.js a good solution if you don''t want / need to send the
execution code, as render :json , but I think I got that RJS is necessary
for other contexts.

--

Maurizio De Santis


2013/12/2 Marius Corîci <marius.corci4@gmail.com>
> I much appreciate RoR, its community Homakov included. I never saw RoR
> security team at least one time to appreciate Homakov''s findings.
Perhaps
> you should take it closer by first recognize his security work over RoR.
> I''m quite sure that Homakov would have comply to your rules in the
end.
>
>
> On Monday, December 2, 2013 5:47:07 PM UTC+2, DHH wrote:
>>
>> Please stop conflating the discovery of a security issue with the
>> philosophical waxing about architecture. It''s not helping the
case. As
>> stated previously, responding with JS is not only a wonderful
architectural
>> pattern, it''s also not going anywhere. Not in a gem, not in a
deprecation,
>> not anywhere. We''ll fix the security issue, and Rails will
continue to
>> proudly champion the use of this great pattern.
>>
>> Guess what, it won''t be the last security issue Rails ever
has. Just like
>> it won''t be the last security issue any piece of software ever
has. But we
>> need to level up as a community in our handling of these issues.
>>
>> Frankly, I''m surprised that people are willing to hire Homakov
for any
>> work in the area given his reputation for irresponsible disclosure.
Finding
>> a legit security issues is a great services, but disregarding all
security
>> issue management protocols in their publication is doing a disservice
to
>> all who would otherwise benefit from the work.
>>
>> Rails has had a codified security process for many years now.
It''s
>> available for all to read on http://rubyonrails.org/security. Making a
>> blog post on your personal site isn''t one of the channels
listed as a
>> responsible way of disclosing discoveries. Posting specific 0-day
attack
>> vectors against affected sites is not one either.
>>
>> Making a public report over a holiday weekend, and then, when the
>> response to the report doesn''t immediately follow the proposed
solution
>> (remove the feature), go off the reservation with specific attacks is
just
>> plain irresponsible. No two ways about it. It also goes to undermine
any
>> other recommendations or suggestions coming from said reporter.
>>
>> So. Damage is already done for this issue. But lest it encourages
others
>> to act as irresponsibly as Homakov has done of this issue, I hope
others
>> take a broader approach for future issues. Report systemic or framework
>> issues per the reporting instructions on
http://rubyonrails.org/security.
>> Report specific application issues directly to application developers
>> responsibly per their reporting instructions (see
https://37signals.com/
>> security-response for the one we use at 37signals).
>>
>> Presumably we''re all in the same boat here: Make Rails better
and more
>> secure. Let''s row like we mean that. The Rails security team
(Michael
>> Koziarski, Jeremy Kemper, and Aaron Patterson) has worked hard in the
past
>> to provide us with a good process, they''ve followed that
process, and they
>> deserve our thanks and support.
>>
>  --
> You received this message because you are subscribed to a topic in the
> Google Groups "Ruby on Rails: Core" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/rubyonrails-core/rwzM8MKJbKU/unsubscribe
> .
> To unsubscribe from this group and all its topics, send an email to
> rubyonrails-core+unsubscribe@googlegroups.com.
> To post to this group, send email to rubyonrails-core@googlegroups.com.
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/groups/opt_out.
>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

Sorry, I meant Zack.

--

Maurizio De Santis


2013/12/3 Maurizio De Santis <desantis.maurizio@gmail.com>
> Marius, your solution is not much different from responding a render :json
> : you send only the data, and the processing code is already on client
> side; transponder.js seems to me that it adds an abstraction level in order
> to manage the data, but it is different from RJS, which sends the execution
> code too, that is necessary for running the examples made before, like
> Disqus, or single page apps.
>
> transponder.js a good solution if you don''t want / need to send
the
> execution code, as render :json , but I think I got that RJS is necessary
> for other contexts.
>
> --
>
> Maurizio De Santis
>
>
> 2013/12/2 Marius Corîci <marius.corci4@gmail.com>
>
>> I much appreciate RoR, its community Homakov included. I never saw RoR
>> security team at least one time to appreciate Homakov''s
findings. Perhaps
>> you should take it closer by first recognize his security work over
RoR.
>> I''m quite sure that Homakov would have comply to your rules in
the end.
>>
>>
>> On Monday, December 2, 2013 5:47:07 PM UTC+2, DHH wrote:
>>>
>>> Please stop conflating the discovery of a security issue with the
>>> philosophical waxing about architecture. It''s not helping
the case. As
>>> stated previously, responding with JS is not only a wonderful
architectural
>>> pattern, it''s also not going anywhere. Not in a gem, not
in a deprecation,
>>> not anywhere. We''ll fix the security issue, and Rails will
continue to
>>> proudly champion the use of this great pattern.
>>>
>>> Guess what, it won''t be the last security issue Rails ever
has. Just
>>> like it won''t be the last security issue any piece of
software ever has.
>>> But we need to level up as a community in our handling of these
issues.
>>>
>>> Frankly, I''m surprised that people are willing to hire
Homakov for any
>>> work in the area given his reputation for irresponsible disclosure.
Finding
>>> a legit security issues is a great services, but disregarding all
security
>>> issue management protocols in their publication is doing a
disservice to
>>> all who would otherwise benefit from the work.
>>>
>>> Rails has had a codified security process for many years now.
It''s
>>> available for all to read on http://rubyonrails.org/security.
Making a
>>> blog post on your personal site isn''t one of the channels
listed as a
>>> responsible way of disclosing discoveries. Posting specific 0-day
attack
>>> vectors against affected sites is not one either.
>>>
>>> Making a public report over a holiday weekend, and then, when the
>>> response to the report doesn''t immediately follow the
proposed solution
>>> (remove the feature), go off the reservation with specific attacks
is just
>>> plain irresponsible. No two ways about it. It also goes to
undermine any
>>> other recommendations or suggestions coming from said reporter.
>>>
>>> So. Damage is already done for this issue. But lest it encourages
others
>>> to act as irresponsibly as Homakov has done of this issue, I hope
others
>>> take a broader approach for future issues. Report systemic or
framework
>>> issues per the reporting instructions on
http://rubyonrails.org/security.
>>> Report specific application issues directly to application
developers
>>> responsibly per their reporting instructions (see
https://37signals.com/
>>> security-response for the one we use at 37signals).
>>>
>>> Presumably we''re all in the same boat here: Make Rails
better and more
>>> secure. Let''s row like we mean that. The Rails security
team (Michael
>>> Koziarski, Jeremy Kemper, and Aaron Patterson) has worked hard in
the past
>>> to provide us with a good process, they''ve followed that
process, and they
>>> deserve our thanks and support.
>>>
>>  --
>> You received this message because you are subscribed to a topic in the
>> Google Groups "Ruby on Rails: Core" group.
>> To unsubscribe from this topic, visit
>>
https://groups.google.com/d/topic/rubyonrails-core/rwzM8MKJbKU/unsubscribe
>> .
>> To unsubscribe from this group and all its topics, send an email to
>> rubyonrails-core+unsubscribe@googlegroups.com.
>> To post to this group, send email to rubyonrails-core@googlegroups.com.
>> Visit this group at http://groups.google.com/group/rubyonrails-core.
>> For more options, visit https://groups.google.com/groups/opt_out.
>>
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

so if/when this will make it to master?

On Thursday, November 28, 2013 3:41:37 PM UTC+7, Egor Homakov
wrote:
>
> https://github.com/rails/rails/issues/12374#issuecomment-29446761
>
> Here in discussion I proposed to deprecate JS responder because this 
> technique is insecure and not pragmatic way to transfer data.
> It can be exploited in this way 
> http://homakov.blogspot.com/2013/05/do-not-use-rjs-like-techniques.html
>
> i find this bug very often so i know what i''m talking about. With
it
> attacker can steal user data and authenticity_token if templates with form 
> were leaked too.
>
>
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

Jeremy Kemper is assigned to this. We will get this in shortly. 
> On Dec 8, 2013, at 20:19, Egor Homakov <homakov@gmail.com> wrote:
> 
> so if/when this will make it to master?
> 
>> On Thursday, November 28, 2013 3:41:37 PM UTC+7, Egor Homakov wrote:
>> https://github.com/rails/rails/issues/12374#issuecomment-29446761
>> 
>> Here in discussion I proposed to deprecate JS responder because this
technique is insecure and not pragmatic way to transfer data.
>> It can be exploited in this way
http://homakov.blogspot.com/2013/05/do-not-use-rjs-like-techniques.html
>> 
>> i find this bug very often so i know what i''m talking about.
With it attacker can steal user data and authenticity_token if templates with
form were leaked too.
> 
> -- 
> You received this message because you are subscribed to a topic in the
Google Groups "Ruby on Rails: Core" group.
> To unsubscribe from this topic, visit
https://groups.google.com/d/topic/rubyonrails-core/rwzM8MKJbKU/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
rubyonrails-core+unsubscribe@googlegroups.com.
> To post to this group, send email to rubyonrails-core@googlegroups.com.
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/groups/opt_out.
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

Just add a small flash about this issue. JSON has a similar issue where it 
prepend ''for (;;);'' before the JSON payload. Wouldn''t
it be an idea to
prepend any js.erb template with ''for (;;);'' and use
String.substr(9) to
remove that infinite loop before injecting the payload in the <script>. 
This way, JS would be safe without need to do extra verification on the 
server side.

On Monday, December 9, 2013 12:51:41 AM UTC-5, DHH
wrote:
>
> Jeremy Kemper is assigned to this. We will get this in shortly. 
>
> On Dec 8, 2013, at 20:19, Egor Homakov <hom...@gmail.com
<javascript:>>
> wrote:
>
> so if/when this will make it to master?
>
> On Thursday, November 28, 2013 3:41:37 PM UTC+7, Egor Homakov wrote:
>>
>> https://github.com/rails/rails/issues/12374#issuecomment-29446761
>>
>> Here in discussion I proposed to deprecate JS responder because this 
>> technique is insecure and not pragmatic way to transfer data.
>> It can be exploited in this way 
>> http://homakov.blogspot.com/2013/05/do-not-use-rjs-like-techniques.html
>>
>> i find this bug very often so i know what i''m talking about.
With it
>> attacker can steal user data and authenticity_token if templates with
form
>> were leaked too.
>>
>>
>>
>>  -- 
> You received this message because you are subscribed to a topic in the 
> Google Groups "Ruby on Rails: Core" group.
> To unsubscribe from this topic, visit 
> https://groups.google.com/d/topic/rubyonrails-core/rwzM8MKJbKU/unsubscribe
> .
> To unsubscribe from this group and all its topics, send an email to 
> rubyonrails-co...@googlegroups.com <javascript:>.
> To post to this group, send email to
rubyonra...@googlegroups.com<javascript:>
> .
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

Just had a flash about this issue.

JSON has a similar issue and it solved it by prepending ''for
(;;);'' before
the JSON payload. 

Wouldn''t it be an idea to prepend any js.erb template with
''for (;;);'' and
use String.substr(9) (9 being the size of the for loop) to remove that loop 
before injecting the payload in the <script>. This way, JS would be safe 
without need to do extra verification on the server side.

On Monday, December 9, 2013 12:51:41 AM UTC-5, DHH
wrote:
>
> Jeremy Kemper is assigned to this. We will get this in shortly. 
>
> On Dec 8, 2013, at 20:19, Egor Homakov <hom...@gmail.com
<javascript:>>
> wrote:
>
> so if/when this will make it to master?
>
> On Thursday, November 28, 2013 3:41:37 PM UTC+7, Egor Homakov wrote:
>>
>> https://github.com/rails/rails/issues/12374#issuecomment-29446761
>>
>> Here in discussion I proposed to deprecate JS responder because this 
>> technique is insecure and not pragmatic way to transfer data.
>> It can be exploited in this way 
>> http://homakov.blogspot.com/2013/05/do-not-use-rjs-like-techniques.html
>>
>> i find this bug very often so i know what i''m talking about.
With it
>> attacker can steal user data and authenticity_token if templates with
form
>> were leaked too.
>>
>>
>>
>>  -- 
> You received this message because you are subscribed to a topic in the 
> Google Groups "Ruby on Rails: Core" group.
> To unsubscribe from this topic, visit 
> https://groups.google.com/d/topic/rubyonrails-core/rwzM8MKJbKU/unsubscribe
> .
> To unsubscribe from this group and all its topics, send an email to 
> rubyonrails-co...@googlegroups.com <javascript:>.
> To post to this group, send email to
rubyonra...@googlegroups.com<javascript:>
> .
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

that solution is ugly. for(;;) means code on server side to add it and code 
on client side to slice. While .xhr? check is one line in 
ApplicationController.

On Saturday, December 14, 2013 7:11:03 AM UTC+7, Pier-Olivier Thibault 
wrote:
>
> Just had a flash about this issue.
>
> JSON has a similar issue and it solved it by prepending ''for
(;;);'' before
> the JSON payload. 
>
> Wouldn''t it be an idea to prepend any js.erb template with
''for (;;);'' and
> use String.substr(9) (9 being the size of the for loop) to remove that loop
> before injecting the payload in the <script>. This way, JS would be
safe
> without need to do extra verification on the server side.
>
> On Monday, December 9, 2013 12:51:41 AM UTC-5, DHH wrote:
>>
>> Jeremy Kemper is assigned to this. We will get this in shortly. 
>>
>> On Dec 8, 2013, at 20:19, Egor Homakov <hom...@gmail.com> wrote:
>>
>> so if/when this will make it to master?
>>
>> On Thursday, November 28, 2013 3:41:37 PM UTC+7, Egor Homakov wrote:
>>>
>>> https://github.com/rails/rails/issues/12374#issuecomment-29446761
>>>
>>> Here in discussion I proposed to deprecate JS responder because
this
>>> technique is insecure and not pragmatic way to transfer data.
>>> It can be exploited in this way 
>>>
http://homakov.blogspot.com/2013/05/do-not-use-rjs-like-techniques.html
>>>
>>> i find this bug very often so i know what i''m talking
about. With it
>>> attacker can steal user data and authenticity_token if templates
with form
>>> were leaked too.
>>>
>>>
>>>
>>>  -- 
>> You received this message because you are subscribed to a topic in the 
>> Google Groups "Ruby on Rails: Core" group.
>> To unsubscribe from this topic, visit 
>>
https://groups.google.com/d/topic/rubyonrails-core/rwzM8MKJbKU/unsubscribe
>> .
>> To unsubscribe from this group and all its topics, send an email to 
>> rubyonrails-co...@googlegroups.com.
>> To post to this group, send email to rubyonra...@googlegroups.com.
>> Visit this group at http://groups.google.com/group/rubyonrails-core.
>> For more options, visit https://groups.google.com/groups/opt_out.
>>
>>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.

For Rails 4.1: https://github.com/rails/rails/pull/13345

Since we don''t know the response format until rendering, it''s
simplest
to use an after_action to verify that we aren''t serving JS to a
non-XHR GET request.

This piggybacks on the same `protect_from_forgery` declarations that
apps already use, so they''ll transparently get protection without
changing anything.

Apps that intentionally expose JavaScript responses (like third-party
widgets, per-customer API embeds, etc) will need to exclude those
actions using existing `protect_from_forgery` API.

Thanks everyone for the (long) discussion and thanks to Egor for the
initial report - months ago now! - and this reminder.

On Sun, Dec 8, 2013 at 10:51 PM, David Heinemeier Hansson
<david@loudthinking.com> wrote:
> Jeremy Kemper is assigned to this. We will get this in shortly.
>
> On Dec 8, 2013, at 20:19, Egor Homakov <homakov@gmail.com> wrote:
>
> so if/when this will make it to master?
>
> On Thursday, November 28, 2013 3:41:37 PM UTC+7, Egor Homakov wrote:
>>
>> https://github.com/rails/rails/issues/12374#issuecomment-29446761
>>
>> Here in discussion I proposed to deprecate JS responder because this
>> technique is insecure and not pragmatic way to transfer data.
>> It can be exploited in this way
>> http://homakov.blogspot.com/2013/05/do-not-use-rjs-like-techniques.html
>>
>> i find this bug very often so i know what i''m talking about.
With it
>> attacker can steal user data and authenticity_token if templates with
form
>> were leaked too.
>>
>>
>>
> --
> You received this message because you are subscribed to a topic in the
> Google Groups "Ruby on Rails: Core" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/rubyonrails-core/rwzM8MKJbKU/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> rubyonrails-core+unsubscribe@googlegroups.com.
>
> To post to this group, send email to rubyonrails-core@googlegroups.com.
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/groups/opt_out.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ruby on Rails: Core" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to rubyonrails-core+unsubscribe@googlegroups.com.
> To post to this group, send email to rubyonrails-core@googlegroups.com.
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/groups/opt_out.
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.