The Dev Blog: AjaxScasffold, Security and Deployment Problems in Rails http://devblog.famundo.com/articles/2007/01/17/ajaxscasffold-security-and-deployment-problems-in-rails en-us 40 Putting Family Management on Rails! AjaxScasffold, Security and Deployment Problems in Rails <p><a href="http://www.ajaxscaffold.com/">AjaxScaffold</a> was already mentioned in my <a href="http://devblog.famundo.com/articles/2007/01/12/ruby-duck-typing-goodness">previous post</a>, so no need to sing it's praise again...</p> <p>While deploying the <a href="http://help.famundo.com">Famundo help</a> to my staging server, it stopped working, not even leaving a single clue in the logs. For me this is always a sign that something isn't initializing correctly. So it was time for a small investigation.</p> <p>After playing a bit with the code, I realized the problem is caused by init.rb in AjaxScaffold trying to copy it's files into the application main directories. The reason this is a problem is my desire to make the system as secure as possible. Part of that is not letting the user the application runs as, write access into the application directory. This prevents a bug or breakin from writing into the application directories, reducing the damage that can be caused. The user running the application has only read access to the application directories.</p> <p>Time to fix AjaxScaffold. First of all, I don't think that in production mode those files need to be copied over. It's done in development mode, and then are there for production mode. I do think it's a nice thing for development mode as it allows easy upgrade to a new AjaxScaffold version. Second, an error like that shouldn't kill the application with no explanation.</p> <p>So my fix just adds an if around the copy and skip it in production mode, and also surounds it with begin/rescue/end, logging the error if one happens.</p> <p>I also opened a ticket in the AjaxScaffold bug database, and I'll try to find who to email this to. For now, just take this file and replace your init.rb with it, or just copy the changes.</p> <p><em>NOTE</em>: The edge code of AjaxScaffold plugin moved the file copy to install.rb, so you'll have to change that file instead.</p> <div class="typocode"><pre><code class="typocode_ruby "><span class="comment"># Include hook code here</span> <span class="ident">require</span> <span class="punct">'</span><span class="string">ajax_scaffold_plugin</span><span class="punct">'</span> <span class="constant">ActionController</span><span class="punct">::</span><span class="constant">Base</span><span class="punct">.</span><span class="ident">send</span><span class="punct">(</span><span class="symbol">:include</span><span class="punct">,</span> <span class="constant">AjaxScaffold</span><span class="punct">)</span> <span class="constant">ActionView</span><span class="punct">::</span><span class="constant">Base</span><span class="punct">.</span><span class="ident">send</span><span class="punct">(</span><span class="symbol">:include</span><span class="punct">,</span> <span class="constant">AjaxScaffold</span><span class="punct">::</span><span class="constant">Helper</span><span class="punct">)</span> <span class="comment"># copy all the files over to the main rails app, want to avoid .svn</span> <span class="comment"># Do not copy in production mode!!! And catch errors and log them</span> <span class="keyword">if</span> <span class="constant">ENV</span><span class="punct">['</span><span class="string">RAILS_ENV</span><span class="punct">']</span> <span class="punct">!=</span> <span class="punct">'</span><span class="string">production</span><span class="punct">'</span> <span class="keyword">begin</span> <span class="ident">source</span> <span class="punct">=</span> <span class="constant">File</span><span class="punct">.</span><span class="ident">join</span><span class="punct">(</span><span class="ident">directory</span><span class="punct">,'</span><span class="string">/app/views/ajax_scaffold</span><span class="punct">')</span> <span class="ident">dest</span> <span class="punct">=</span> <span class="constant">File</span><span class="punct">.</span><span class="ident">join</span><span class="punct">(</span><span class="constant">RAILS_ROOT</span><span class="punct">,</span> <span class="punct">'</span><span class="string">/app/views/ajax_scaffold</span><span class="punct">')</span> <span class="constant">FileUtils</span><span class="punct">.</span><span class="ident">mkdir</span><span class="punct">(</span><span class="ident">dest</span><span class="punct">)</span> <span class="keyword">unless</span> <span class="constant">File</span><span class="punct">.</span><span class="ident">exist?</span><span class="punct">(</span><span class="ident">dest</span><span class="punct">)</span> <span class="constant">FileUtils</span><span class="punct">.</span><span class="ident">cp_r</span><span class="punct">(</span><span class="constant">Dir</span><span class="punct">.</span><span class="ident">glob</span><span class="punct">(</span><span class="ident">source</span><span class="punct">+'</span><span class="string">/*.*</span><span class="punct">'),</span> <span class="ident">dest</span><span class="punct">)</span> <span class="ident">source</span> <span class="punct">=</span> <span class="constant">File</span><span class="punct">.</span><span class="ident">join</span><span class="punct">(</span><span class="ident">directory</span><span class="punct">,'</span><span class="string">/public</span><span class="punct">')</span> <span class="ident">dest</span> <span class="punct">=</span> <span class="constant">RAILS_ROOT</span> <span class="punct">+</span> <span class="punct">'</span><span class="string">/public</span><span class="punct">'</span> <span class="constant">FileUtils</span><span class="punct">.</span><span class="ident">cp_r</span><span class="punct">(</span><span class="constant">Dir</span><span class="punct">.</span><span class="ident">glob</span><span class="punct">(</span><span class="ident">source</span><span class="punct">+'</span><span class="string">/*.*</span><span class="punct">'),</span> <span class="ident">dest</span><span class="punct">)</span> <span class="ident">source</span> <span class="punct">=</span> <span class="constant">File</span><span class="punct">.</span><span class="ident">join</span><span class="punct">(</span><span class="ident">directory</span><span class="punct">,'</span><span class="string">/public/stylesheets</span><span class="punct">')</span> <span class="ident">dest</span> <span class="punct">=</span> <span class="constant">RAILS_ROOT</span> <span class="punct">+</span> <span class="punct">'</span><span class="string">/public/stylesheets</span><span class="punct">'</span> <span class="constant">FileUtils</span><span class="punct">.</span><span class="ident">cp_r</span><span class="punct">(</span><span class="constant">Dir</span><span class="punct">.</span><span class="ident">glob</span><span class="punct">(</span><span class="ident">source</span><span class="punct">+'</span><span class="string">/*.*</span><span class="punct">'),</span> <span class="ident">dest</span><span class="punct">)</span> <span class="ident">source</span> <span class="punct">=</span> <span class="constant">File</span><span class="punct">.</span><span class="ident">join</span><span class="punct">(</span><span class="ident">directory</span><span class="punct">,'</span><span class="string">/public/javascripts</span><span class="punct">')</span> <span class="ident">dest</span> <span class="punct">=</span> <span class="constant">RAILS_ROOT</span> <span class="punct">+</span> <span class="punct">'</span><span class="string">/public/javascripts</span><span class="punct">'</span> <span class="constant">FileUtils</span><span class="punct">.</span><span class="ident">cp_r</span><span class="punct">(</span><span class="constant">Dir</span><span class="punct">.</span><span class="ident">glob</span><span class="punct">(</span><span class="ident">source</span><span class="punct">+'</span><span class="string">/*.*</span><span class="punct">'),</span> <span class="ident">dest</span><span class="punct">)</span> <span class="ident">source</span> <span class="punct">=</span> <span class="constant">File</span><span class="punct">.</span><span class="ident">join</span><span class="punct">(</span><span class="ident">directory</span><span class="punct">,'</span><span class="string">/public/images</span><span class="punct">')</span> <span class="ident">dest</span> <span class="punct">=</span> <span class="constant">RAILS_ROOT</span> <span class="punct">+</span> <span class="punct">'</span><span class="string">/public/images</span><span class="punct">'</span> <span class="constant">FileUtils</span><span class="punct">.</span><span class="ident">cp_r</span><span class="punct">(</span><span class="constant">Dir</span><span class="punct">.</span><span class="ident">glob</span><span class="punct">(</span><span class="ident">source</span><span class="punct">+'</span><span class="string">/*.*</span><span class="punct">'),</span> <span class="ident">dest</span><span class="punct">)</span> <span class="keyword">rescue</span> <span class="constant">Exception</span> <span class="punct">=&gt;</span> <span class="ident">ex</span> <span class="constant">RAILS_DEFAULT_LOGGER</span><span class="punct">.</span><span class="ident">error</span> <span class="punct">&quot;</span><span class="string">AjaxScaffold error while copying the AjaxScaffold files to the application directory. (<span class="expr">#{ex.t_s}</span>)</span><span class="punct">&quot;</span> <span class="keyword">end</span> <span class="keyword">end</span></code></pre></div> Wed, 17 Jan 2007 18:05:28 -0500 urn:uuid:098c7ac2-acb5-4a80-8b09-8439c7e6af3f guy.naor@famundo.com (Guy Naor) http://devblog.famundo.com/articles/2007/01/17/ajaxscasffold-security-and-deployment-problems-in-rails Rails Ruby Linux