Imagine a development environment where you can't use CI, you need to do code archaeology for an unknown number of revisions. Patches, repros, tests, announcements must all be done in secret. Then, if you did it right, the absolute best outcome you can hope for is that everyone upgrades and they notice no changes. It's extremely high risk (no CI, done in secret), low reward (nobody is stoked they have to upgrade bc security).

3
Aaron Patterson ✅

Investigation is a huge pain, and the scope of the problems sometimes makes the process cumbersome and demoralizing. Let's take an example: discuss.rubyonrails.org/t/poss

For your app to be vulnerable to this, you have to

* call `translate` from a controller
* use a translation key that ends in "_html"
* use a translation default where the default translation text is untrusted text
* be missing the specific translation
* trick a victim into seeing this

1
9mo
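To make those five conditions concrete, here is an added Ruby model of the behaviour (not Rails' own implementation and not code from this thread): an `_html` key marks whatever text resolves as HTML-safe, so when the translation is missing, a caller-supplied default built from untrusted input is emitted unescaped. `SafeString`, `translate_vulnerable`, `translate_hardened`, `render`, the translation catalogue and the untrusted input are all constructed assumptions for illustration.

```ruby
require "erb"

# Stand-in for ActiveSupport::SafeBuffer: a String declared safe for HTML output (assumption).
class SafeString < String; end

# Constructed sample translation catalogue.
TRANSLATIONS = { "greeting_html" => "<b>Hello</b>, friend" }.freeze

def escape_html(text)
  ERB::Util.html_escape(text)
end

# Vulnerable model: an _html key marks the *resolved* text safe, even when that text
# is the caller's default rather than a string from the catalogue.
def translate_vulnerable(key, default: nil)
  text = TRANSLATIONS.fetch(key, default)
  return nil if text.nil?
  key.end_with?("_html") ? SafeString.new(text) : text
end

# Hardened model: only catalogue text is trusted. A default for an _html key is escaped
# before being marked safe unless the caller already declared it safe.
def translate_hardened(key, default: nil)
  if TRANSLATIONS.key?(key)
    text = TRANSLATIONS[key]
    return key.end_with?("_html") ? SafeString.new(text) : text
  end
  return nil if default.nil?
  return default unless key.end_with?("_html")
  default.is_a?(SafeString) ? default : SafeString.new(escape_html(default))
end

# What the response would emit: safe strings pass through, everything else is escaped.
def render(value)
  value.is_a?(SafeString) ? value.to_s : escape_html(value.to_s)
end

# Constructed attacker-influenced input, e.g. taken from a request parameter.
UNTRUSTED = "<script>alert(1)</script>"

if __FILE__ == $0
  puts render(translate_vulnerable("missing_html", default: UNTRUSTED)) # markup passes through
  puts render(translate_hardened("missing_html", default: UNTRUSTED))   # markup is escaped
end
```

Change the key to one without the `_html` suffix, or add the missing translation to the catalogue, and the vulnerable path no longer emits the untrusted text unescaped, which is exactly why all five conditions have to line up.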
noxy_key

@tenderlove My heart goes out to you.

Doing any kind of forensic analysis of undocumented code is probably the most expensive thing you can do in programming.

0
9mo
Renaud Chaput

@tenderlove for Mastodon we started using security advisories to get a private fork and it improved things a little bit. At least we get a branch per version, and CI runs on them.

0
9mo