The Dev Blog

Putting Family Management on Rails!

AjaxScaffold, Security and Deployment Problems in Rails

Posted by Guy Naor Wed, 17 Jan 2007 23:05:28 GMT

AjaxScaffold was already mentioned in my previous post, so no need to sing its praise again...

While deploying the Famundo help to my staging server, it stopped working, not even leaving a single clue in the logs. For me this is always a sign that something isn't initializing correctly. So it was time for a small investigation.

After playing a bit with the code, I realized the problem is caused by init.rb in AjaxScaffold trying to copy its files into the application's main directories. This is a problem because I want the system to be as secure as possible, and part of that is not giving the user the application runs as write access to the application directory: that user has only read access to the application directories, so a bug or break-in cannot write into them, which limits the damage that can be caused.

Time to fix AjaxScaffold. First, I don't think those files need to be copied over in production mode: the copy is done in development mode, and the files are then already there for production. I do think it's a nice thing in development mode, as it allows an easy upgrade to a new AjaxScaffold version. Second, an error like that shouldn't kill the application with no explanation.

So my fix just adds an if around the copy to skip it in production mode, and also surrounds it with begin/rescue/end, logging the error if one happens.

I also opened a ticket in the AjaxScaffold bug database, and I'll try to find who to email this to. For now, just take this file and replace your init.rb with it, or just copy the changes.

NOTE: The edge code of AjaxScaffold plugin moved the file copy to install.rb, so you'll have to change that file instead.

# Include hook code here
require 'fileutils'
require 'ajax_scaffold_plugin'

ActionController::Base.send(:include, AjaxScaffold)
ActionView::Base.send(:include, AjaxScaffold::Helper)

# Copy all the files over to the main Rails app; the '*.*' glob skips .svn
# Do not copy in production mode!!! (the application user has no write
# access to the application tree there) And catch errors and log them
if ENV['RAILS_ENV'] != 'production'
  begin
    # `directory` is the plugin's own root, provided by Rails when init.rb is evaluated
    source = File.join(directory, 'app/views/ajax_scaffold')
    dest = File.join(RAILS_ROOT, 'app/views/ajax_scaffold')
    FileUtils.mkdir(dest) unless File.exist?(dest)
    FileUtils.cp_r(Dir.glob(source + '/*.*'), dest)

    source = File.join(directory, 'public')
    dest = File.join(RAILS_ROOT, 'public')
    FileUtils.cp_r(Dir.glob(source + '/*.*'), dest)

    source = File.join(directory, 'public/stylesheets')
    dest = File.join(RAILS_ROOT, 'public/stylesheets')
    FileUtils.cp_r(Dir.glob(source + '/*.*'), dest)

    source = File.join(directory, 'public/javascripts')
    dest = File.join(RAILS_ROOT, 'public/javascripts')
    FileUtils.cp_r(Dir.glob(source + '/*.*'), dest)

    source = File.join(directory, 'public/images')
    dest = File.join(RAILS_ROOT, 'public/images')
    FileUtils.cp_r(Dir.glob(source + '/*.*'), dest)
  rescue Exception => ex
    # Log the failure instead of aborting the boot with no explanation
    RAILS_DEFAULT_LOGGER.error "AjaxScaffold error while copying the AjaxScaffold files to the application directory. (#{ex.to_s})"
  end
end
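The same rule as a reusable function, added here as an example and not code from this post or from the AjaxScaffold plugin: outside production it copies the plugin's assets and logs a failed copy instead of dying; in production, where the application user cannot write to the tree, it verifies the assets are already present and reports any that are missing. The function name, the argument order and the directory list are assumptions made for the example.

```ruby
require 'fileutils'
require 'tmpdir'

# Added example, not code from the post or the AjaxScaffold plugin.
# Models the rule in the post: copy plugin assets into the app tree only
# outside production, log rather than abort when a copy fails, and in
# production verify the assets are already in place (the app user has no
# write access there, so a missing file must be reported, not copied).
# Directory list and function name are assumptions for the example.
ASSET_DIRS = [
  'app/views/ajax_scaffold',
  'public/stylesheets',
  'public/javascripts',
  'public/images'
].freeze

# Returns the list of asset paths missing under rails_root (always empty
# outside production, where the files are copied instead). `log` is any
# object responding to <<, e.g. an Array or a Logger-like collector.
def sync_plugin_assets(plugin_root, rails_root, env, log)
  missing = []
  ASSET_DIRS.each do |rel|
    source = File.join(plugin_root, rel)
    dest   = File.join(rails_root, rel)
    # '*.*' matches only regular asset files; dot-entries like .svn are skipped
    Dir.glob(File.join(source, '*.*')).each do |file|
      target = File.join(dest, File.basename(file))
      if env == 'production'
        missing << target unless File.exist?(target)
      else
        begin
          FileUtils.mkdir_p(dest)
          FileUtils.cp(file, target)
        rescue SystemCallError => ex
          # EACCES on a read-only tree, EEXIST when a file blocks dest, ...
          log << "AjaxScaffold: could not copy #{file} to #{dest} (#{ex.message})"
        end
      end
    end
  end
  unless missing.empty?
    log << "AjaxScaffold: #{missing.size} asset(s) missing from #{rails_root}; run the copy in development and redeploy"
  end
  missing
end
```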
