wbooze has quit [Read error: Connection reset by peer]
wbooze has joined #ruby
wbooze is now known as inline
inline_ has joined #ruby
inline is now known as wbooze
inline_ is now known as inline
oznek has quit [Remote host closed the connection]
<ih8u>
havenwood, o0x1eef: db is postgres
<ih8u>
i rolled my own hash serialization/deserialization and just stored the hash as text in the db
<ih8u>
it's kind of funny that there's no way to parse a hash from a string in ruby, but rather one must use a roundabout route through json
<ih8u>
or else one could use `eval`, i guess, but that feels too volatile
<ih8u>
too*
<ih8u>
my approach now is basically `hash.inspect` into the db, then `JSON.parse` on the extracted string after a few gsubs, and then re-symbolizing the keys
<ih8u>
it feels weird, but i guess that's how it goes
<ih8u>
i'm not sure `eval` is actually a threat worth avoiding in this particular case, but even still it feels like using an anti-aircraft gun for duck hunting
<mange>
Yeah, jumping to eval for this seems insane, even if it's "safe".
Vonter has quit [Ping timeout: 252 seconds]
<testone>
if the source is safe, I would use eval, tbh :)
livoreno has quit [Quit: Connection closed for inactivity]
dviola has quit [Ping timeout: 276 seconds]
<o0x1eef>
ih8u: jsonb column is the way to go imo, that way you can even query the hash at the db level
schne1der has joined #ruby
<mange>
Oh yeah, I can vouch for jsonb as being great, as long as you're happy with the round trip through JSON.
diego has joined #ruby
diego is now known as Guest760
<ih8u>
i think i might just go with `eval` after all
<ih8u>
anything malicious gets put in my database i already got bigger problems
<ih8u>
mm, actually, i don't know
<mange>
It's a big jump from "I can corrupt a database" to "I can execute arbitrary code". I don't know your use case, but I'd want to be *very* confident before knowingly allowing that transition.
<o0x1eef>
eval sounds like a terrible idea
Guest760 has quit [Ping timeout: 272 seconds]
<testone>
I remember a big use of eval in early days of ruby
<testone>
e.g.: you generate code with a piece of code and then evaluate it
<o0x1eef>
Don't get me wrong, eval is awesome, it powers repls and ruby repls are some of the coolest. But for this, it's just not a good idea.
<testone>
I liked this way of 'meta programming'
<testone>
its security entirely depends upon 'safety' of input data, but only ih8u can (or should :) know
<mange>
The key thing is to only eval things that you "trust", and to define that trust very well.
reset has joined #ruby
<ih8u>
yeah, i don't mind playing fast and loose with my own stuff
<mange>
What are you making?
<ih8u>
but an abundance of caution is warranted when you're messing with something that pays the bills
<ih8u>
i'm adding a feature for users to generate certain kinds of printable content
<ih8u>
the content is rendered on-demand from the results of the genesis, stored as a hash of primitive types inside the database
<ih8u>
because we don't pay for cpu load, but we do pay for disk usage
<ih8u>
so i'm deciding on the best way to pull the detail-containing hash for the rasterizer
<ih8u>
honestly, what i've got now works a treat
<ih8u>
but i like getting other perspectives
<mange>
Can the user provide a hash directly? Or does your backend always construct them from known values? Can a user inject an arbitrary string?
<testone>
my first thought: the pricing policy of the provider is making them pay more
<testone>
you could make a little 'sanity' check before writing in db
<testone>
like a regex or so
chair1 has joined #ruby
<mange>
If you're using eval you should do the sanity check before the eval, not before writing to the db (although you could do both).
<ih8u>
the hash is always constructed on the back end, but it is created from user-supplied values
<ih8u>
as long as i verify everything and sanitize the content, it should all be fine
<testone>
if db is compromised, I think last problem is eval in ruby script :D
<ih8u>
it just makes me nervous giving any kind of free rein to user-defined content
<ih8u>
no matter how many sanitization steps are in the middle
<testone>
obviously: lower privilege level for the ruby script
<mange>
People keep saying that db compromise is worse than code injection, but it totally depends on the application.
<ih8u>
code injection is way worse
<testone>
if you had the possibility to change db at will, you will already know a lot of the system and probably control it too
<mange>
Earlier you said "anything malicious gets put in my database i already got bigger problems". :P
<ih8u>
yeah i did
<ih8u>
i was wrong
<ih8u>
i was trying to justify using `eval` to myself
<ih8u>
db access alone ain't gonna result in any wiped disks
<ih8u>
or completely hijacked servers
<ih8u>
though in this case the db could only be compromised by someone who'd have that power anyway
<ih8u>
ugh, my head hurts
<ih8u>
i'm just going to play it safe and keep doing this weird thing i'm currently doing
<testone>
unless the programs writing the db have vulnerabilities that only let you write to the db, I would be much more concerned about random stuff in the db than the possibility of eval inside a low-privilege ruby script
<testone>
you can run ruby scripts inside a docker or so too
<testone>
if you don't pay for CPU, make it heavy :D
<mange>
Hopefully we can agree, though, that in either case compromising the database shouldn't *also* give you code execution powers.
<ih8u>
definitely
<testone>
yes
<testone>
but executing code as root isn't executing code as... nobody :)
<testone>
or as root inside a VM
<testone>
[where you only execute that ruby script]
<ih8u>
well i actually did have the foresight to have this app running as an unprivileged user
<ih8u>
and i do have root-owned backups of everything, so an attacker could wipe everything they had access to and still not bring the whole thing down
<ih8u>
and they wouldn't have access to passwords or payment information, though they would have access to other personal details
dviola has joined #ruby
<ih8u>
but still, i'm just going to play it safe and let the provider eat the extra cycles of the hash->string->json-hash trip
<testone>
I like to be paranoid in theory
<testone>
but in practice... "they" was "no one" all my life :D
<mange>
I expect going through JSON will actually be faster than eval.
<ih8u>
that's fortunate
<ih8u>
we're just big enough to get an uncomfortable amount of attention from bad actors
<mange>
But it will approximate your Ruby types into JSON types.
<testone>
I always managed small projects, but if you are big, better to be safer
<ih8u>
as long as we're talking about bools, strings, floats, ints, nil, and arrays of the above, what's the difference?
<mange>
Well, earlier you also had keys as symbols. That's probably the main one, although I think dates/times come back as strings as well.
<ih8u>
`JSON.parse(string.gsub(/:([a-zA-Z_]\w*)/, '"\\1"').gsub('=>', ': ').gsub(/\bnil\b/, 'null')).transform_keys(&:to_sym)`
<ih8u>
`string` is the text pulled from the db, which is just `hash.inspect`
<ih8u>
i hadn't tested time values
<mange>
Why not just JSON.unparse instead of .inspect and the gsub dance?
<ih8u>
i don't need them in my hash (i have the luxury of being able to store those in dedicated columns), but now i'm curious
<ih8u>
because i don't like json
<ih8u>
i don't want to store json-formatted text in my db
<ih8u>
in case i ever need to manually read over it, i want it to look like a ruby hash
<mange>
Okie doke. It sounds like you're avoiding the right tool for the job, that your database natively supports in jsonb, because you don't want to maybe have to look at it one day.
<mange>
If you do end up with a date/time object in your hash then your gsub solution will break, because you'll create invalid JSON.
<ih8u>
indeed
<ih8u>
in that case, though, i just do `.to_s` on the Time object to be back where i would be with json anyway
<ih8u>
i already expect to only be able to use primitive types
<mange>
Yes, absolutely. If you want more complex stuff you can use Marshal (https://ruby-doc.org/3.4.1/Marshal.html), but it has a warning saying "don't use this on untrusted stuff - if you want to do that use JSON or whatever".
<mange>
Marshal isn't intended to be read by a human, though, so that doesn't meet your criteria.
<ih8u>
that's really cool
<ih8u>
going to save that for future reference
<ih8u>
definitely not necessary in this case
<ih8u>
and i've already accounted for the Time objects in my serialize/deserialize methods
<ih8u>
despite not needing them at all
<ih8u>
shame on you for nerd-sniping me like that
<ih8u>
lol
<chair1>
"hello.rb:3:in 'IO.read': No such file or directory @ rb_sysopen..." is this an exception? can you give me a link tutorial for common ways to handle exceptions?
<chair1>
I never programmed in Ruby before
<chair1>
top results on Google all seem SEO-optimized BS :(
<chair1>
my friend who is Ruby-addicted claims that it is full of sugar to simplify stuff. I wish to know about them
<testone>
chair1: you are trying to read a non-existent file
<testone>
what you are giving to IO.read?
<chair1>
yes. then I want to create this file if it doesn't exist
<chair1>
`File.read('private_key.pem')`
<testone>
ah, there are some methods like .exists? in a library, IIRC
<mange>
You want to create the file if it doesn't exist... when reading it?
<mange>
That would make sense when writing it, but reading? That's odd.
<chair1>
yes. sorry. my background is C. in C you never check if a file exists. you just read it, and if reading fails, then you create it
<chair1>
is this `.exists?` the way to go in Ruby?
<testone>
or FileUtils.touch
<mange>
In C wouldn't you usually open it with O_CREAT to automatically create it when you want to write it?
<testone>
[but FileUtils.touch will also change times of file if it exists]
<chair1>
sorry mange I just stick to f-family functions like fopen fread fwrite which are buffered and blocking
<chair1>
time doesn't matter tho
<mange>
Right, so then you'd use a mode with 'a' or 'w' usually, right? These work the same with File.open in Ruby.
<testone>
anyway, sorry for having given you a deprecated name, it's File.exist? from some time, without "s"
<mange>
Obviously this isn't "create the file when you try to read it", but I still think that's a weird thing to want to do. :)
<mange>
s/move/mode/
<testone>
chair1: another thing, File.exist? should give you true even if it is a directory, so you should check with Dir.exist? if it's a dir and not a file
<chair1>
I used this thing `begin..rescure..end`
<chair1>
I got it working. I will now proceed to more machinations
<testone>
this isn't .py, there are many ways to do anything :D
<chair1>
I'm an adept of XGH, so there is only one way.
<testone>
jargon file would call it a "fascistic" language :D
<chair1>
haha nice
<testone>
anyway, after reading the doc I should have read before, the correct method to use would have been File.file? that returns true if file exists and it's a regular file or a symlink referring to a regular file
<chair1>
my friend shared some code on LinkedIn using |>
infinityfye has joined #ruby
<chair1>
how do I read a newline from terminal? like, I want to wait the user to type an empty line, like pressing ENTER from keyboard
<chair1>
my Google-fu is really weak tonight
<testone>
chair1: look for ruby gets
<chair1>
thanks, it worked!
<chair1>
I have advanced too much now... thanks for all the help guys
<testone>
of nothing
SpaciousCoder78 has joined #ruby
<SpaciousCoder78>
hi
<SpaciousCoder78>
im having issues with running an older version of rails and ruby
<SpaciousCoder78>
im using ruby 2.6.2 and rails 5.2.x. I'm running an already built web app but there's this gem called redis which gives me timeout errors when i do any POST
<SpaciousCoder78>
turns out i needed to install and launch redis server
gr33n7007h has quit [Ping timeout: 276 seconds]
R2 has joined #ruby
R2robot has quit [Ping timeout: 260 seconds]
gr33n7007h has joined #ruby
gr33n7007h has quit [Ping timeout: 245 seconds]
gr33n7007h has joined #ruby
gr33n7007h has quit [Ping timeout: 265 seconds]
blacknova has quit [Quit: Connection closed for inactivity]
gr33n7007h has joined #ruby
pookie has quit [Ping timeout: 252 seconds]
gr33n7007h has quit [Ping timeout: 252 seconds]
olspookishmagus has joined #ruby
gr33n7007h has joined #ruby
msv has quit [Remote host closed the connection]
msv has joined #ruby
GreenResponse has joined #ruby
andy-turner has joined #ruby
andy-turner has quit [Quit: Leaving]
chair1 has quit [Quit: Client closed]
pages has quit [Ping timeout: 260 seconds]
pastelowl has quit [Quit: WeeChat 4.6.3]
pastelowl has joined #ruby
blacknova has joined #ruby
user71 has joined #ruby
TomyWork has joined #ruby
Albarello has joined #ruby
victori- has joined #ruby
victori has quit [Ping timeout: 244 seconds]
Pixi` has quit [Quit: Leaving]
mange has quit [Quit: Zzz...]
joako_ has quit [Quit: quit]
Pixi has joined #ruby
joako has joined #ruby
Albarello has quit [Ping timeout: 252 seconds]
Albarello has joined #ruby
Albarello has quit [Ping timeout: 248 seconds]
fantazo has quit [Quit: Lost terminal]
inline has quit [Quit: Leaving]
cappy has joined #ruby
schne1der has quit [Ping timeout: 248 seconds]
donofrio3 has joined #ruby
svm has joined #ruby
ih8u2 has joined #ruby
nakilon_ has joined #ruby
user71 has quit [Quit: Leaving]
joako_ has joined #ruby
victori has joined #ruby
smp_ has joined #ruby
brokkoli_originl has joined #ruby
finstern1s has joined #ruby
cappy has quit [*.net *.split]
joako has quit [*.net *.split]
victori- has quit [*.net *.split]
GreenResponse has quit [*.net *.split]
msv has quit [*.net *.split]
brokkoli_origin has quit [*.net *.split]
szkl has quit [*.net *.split]
donofrio2 has quit [*.net *.split]
Rounin has quit [*.net *.split]
Furai has quit [*.net *.split]
ih8u has quit [*.net *.split]
nakilon has quit [*.net *.split]
smp has quit [*.net *.split]
matoro has quit [*.net *.split]
finsternis has quit [*.net *.split]
nakilon_ is now known as nakilon
smp_ is now known as smp
finstern1s is now known as finsternis
ih8u2 is now known as ih8u
GreenResponse has joined #ruby
TomyWork has quit [Quit: Leaving]
cappy has joined #ruby
Albarello has joined #ruby
szkl has joined #ruby
Furai has joined #ruby
Rounin has joined #ruby
matoro has joined #ruby
matoro has quit [Max SendQ exceeded]
Furai has quit [Max SendQ exceeded]
matoro has joined #ruby
Furai has joined #ruby
szkl has quit [Ping timeout: 260 seconds]
Albarello has quit [Ping timeout: 260 seconds]
szkl has joined #ruby
levitating_ has joined #ruby
Albarello has joined #ruby
pastelowl has quit [Quit: WeeChat 4.6.3]
levitating_ has quit [Client Quit]
schne1der has joined #ruby
Rounin has quit [*.net *.split]
R2 is now known as R2robot
Rounin has joined #ruby
Rounin has quit [Changing host]
Rounin has joined #ruby
Albarello has quit [Ping timeout: 268 seconds]
cappy has quit [Quit: Leaving]
svm is now known as msv
schne1der has quit [Ping timeout: 272 seconds]
msv has quit [Remote host closed the connection]
msv has joined #ruby
msv has quit [Remote host closed the connection]
msv has joined #ruby
reset has quit [Quit: reset]
andy-turner has joined #ruby
infinityfye has quit [Read error: Connection reset by peer]
andy-turner has quit [Quit: Leaving]
GreenResponse has quit [Quit: Leaving]
ruby[bot] has quit [Remote host closed the connection]
ruby[bot] has joined #ruby
jmcantrell has joined #ruby
Albarello has joined #ruby
jmcantrell has quit [Ping timeout: 245 seconds]
Albarello has quit [Remote host closed the connection]
hansolo has quit [Ping timeout: 244 seconds]
hansolo has joined #ruby
hansolo has quit [Ping timeout: 248 seconds]
<The_Camel_>
does anyone happen to know if there's a way to refactor multiple possible params in a controller?
<The_Camel_>
i got a giant switch statement which checks if each of the 6 possible queryparams is going to be available.