giant robots smashing into other giant robots

Written by thoughtbot

dancroak

Faster tests: sign in through the back door

One way to make tests faster is to avoid loading and submitting the sign-in form during test setup.

This back door inserts Rack middleware into a Rails app that uses Clearance:

# config/environments/test.rb
# Defined and mounted only here, so the back door is never loaded in
# development or production.
class ClearanceBackDoor
  def initialize(app)
    @app = app
  end

  def call(env)
    @env = env
    sign_in_through_the_back_door
    @app.call(@env)
  end

  private

  # If the request carries ?as=<user id>, sign that user in via Clearance's
  # session object before the request reaches Rails.
  def sign_in_through_the_back_door
    if user_id = params['as']
      user = User.find(user_id)
      @env[:clearance].sign_in(user)
    end
  end

  def params
    Rack::Utils.parse_query(@env['QUERY_STRING'])
  end
end

MyRailsApp::Application.configure do
  # ...
  config.middleware.use ClearanceBackDoor
  # ...
end

Then pass the user in an as parameter in integration tests:

visit root_path(as: user)

It works for any URL:

visit new_feedback_path(as: giver)

This is similar to Mislav’s approach except the Rack middleware works with Rails routing constraints.

On one project using this technique, the total test suite time was reduced 23%.
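The same pattern as a stand-alone Rack middleware, added here as an example (not the post's code, and it needs neither Rails nor Clearance): a constructed user table stands in for User.find and a session hash for Clearance's sign_in, and two checks are added that the snippet above leaves to the file's location, namely refusing to mount outside the test environment and raising on an unknown user id.

```ruby
require 'uri'

class BackDoorOutsideTest < StandardError; end

# Rack middleware with the same shape as the post's ClearanceBackDoor, with
# two defensive additions: it refuses to be mounted outside the test
# environment, and an unknown user id raises instead of silently passing.
class TestOnlyBackDoor
  USERS = { 1 => 'alice', 2 => 'bob' }.freeze   # constructed stand-in for User.find

  def initialize(app, environment: ENV['RACK_ENV'])
    unless environment == 'test'
      raise BackDoorOutsideTest, "refusing to mount the back door in #{environment.inspect}"
    end
    @app = app
  end

  def call(env)
    if (user_id = query_params(env)['as'])
      name = USERS.fetch(Integer(user_id))              # KeyError for an unknown id
      (env['rack.session'] ||= {})['user_name'] = name  # stands in for Clearance's sign_in
    end
    @app.call(env)
  end

  private

  def query_params(env)
    URI.decode_www_form(env['QUERY_STRING'].to_s).to_h
  end
end

# Minimal downstream app: reports who the session says is signed in.
WHOAMI = lambda do |env|
  name = (env['rack.session'] || {})['user_name'] || 'anonymous'
  [200, { 'Content-Type' => 'text/plain' }, [name]]
end

# Drive one request through the stack and return [status, body].
def request_through_back_door(query, environment: 'test')
  app = TestOnlyBackDoor.new(WHOAMI, environment: environment)
  status, _headers, body = app.call('QUERY_STRING' => query)
  [status, body.join]
end
```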


drapergeek

This week in open source

factory_girl

Version 3.6.0 of factory_girl is hot and ready (919543e).

Joshua Clayton (joshuaclayton) added memoization to the names of attributes, which gives a 33% speed increase on factories with overrides (acb2636). He also removed the unnecessary dependency on bluecloth (8d2b352) and added a respond_to_missing on NullObjects to make the release more compatible with Ruby 1.9 (e038bf8). Alex P (ifesdjeen) also added JRuby support; see the GETTING_STARTED page for setup information.

dotfiles

The space bar is now working as the leader key in our dotfiles thanks to sjas (sjas). Dan Croak (croaky) also changed the prompt to only list your current working directory instead of the full path (4208970).

paperclip

paperclip saw release 3.1.4 (70f0f1f) with an awesome commit message from Prem Sichanugrist (sikachu).

Matthew Schulkind (mschulkindi) added the ability to specify the format of the file and override the built-in content-type detection (3103da5). Nick DeSteffen (nick-desteffen) and Yasith Fernando (thekindofme) found and fixed a few typos (ef4725f) (786a13f). Sergio Cambra (scambra) fixed a syntax issue affecting users on Ruby 1.8.7 (f7b76cd).

Thanks to Aditya Sanghi (asanghi), paperclip now features a URI adapter (5d06ad8).

trail-map

If you haven’t checked it out already, the trail-map is a great resource for anyone interested in improving their programming or design skills. This week Darren Woodley (manvsmachine) updated our unix map to include I/O redirection (a9279f8e).

Clearance

Our beloved Clearance had a 1.0.0.rc1 release this week (26860a1) and we would be thrilled to get feedback on it via GitHub issues or support@thoughtbot.com. This release features a multitude of changes, including enforcing database constraints (fd6fbc0), removing unnecessary flash messages (7184e7d) and a change from SHA1 to BCrypt for password hashing (be37c35) for improved security.

lolconomy

Clearance 0.16.3 fixes a password reset vulnerability

The new release of Clearance works around the latest Rails SQL injection. Upgrade to Clearance 0.16.3 for the security fix.


gem 'clearance', '~> 0.16.3'

Background

In Clearance we generate a confirmation_token when you forget your password, and clear it when you successfully reset your password. In the controller we find the user like this:


@user = User.find_by_id_and_confirmation_token(params[:user_id], params[:token])

This roughly translates to this Arel query:


User.where(:id => params[:user_id], :confirmation_token => params[:token])

Normally this generates perfectly safe SQL:


SELECT users.*
FROM users
WHERE users.id = 1
AND users.confirmation_token = 'hello'
LIMIT 1

Exploit

If params[:token] is a list with one nil element, the generated SQL is closer to this:


SELECT users.*
FROM users
WHERE users.id = 1
AND users.confirmation_token IS NULL
LIMIT 1

That is, if you can get params[:token] to produce [nil] then you can become any user without a confirmation_token.

Prior to Rails 3.2.5, this URL would generate [nil]:

/users/1/password/edit?token[]

We catch this in Clearance now.

Fix

Upgrade to Clearance 0.16.3. If you are using Rails 3.2.5 or above then you do not need to upgrade Clearance to get this fix.
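To make the Background, Exploit and Fix sections concrete, here is an added example (not Clearance's or Rails' code) that models the three pieces in plain Ruby: a constructed stand-in for the pre-3.2.5 query parser that turns token[] into [nil], a simplified model of how hash conditions become SQL (an array containing nil becomes IS NULL), and the shape of the guard that rejects anything but a non-empty String token. The guard is an assumption about the fix, not Clearance's exact check.

```ruby
require 'uri'

# Stand-in for the pre-3.2.5 Rails nested query parser (constructed, not
# Rails' code): `key[]` with no `=` yields [nil]; `key=x` yields "x".
def parse_nested_query(query_string)
  query_string.split('&').each_with_object({}) do |pair, params|
    key, value = pair.split('=', 2).map { |s| URI.decode_www_form_component(s) }
    if key.end_with?('[]')
      (params[key[0...-2]] ||= []) << value
    else
      params[key] = value
    end
  end
end

def quote(v)
  v.is_a?(Integer) ? v.to_s : "'#{v.to_s.gsub("'", "''")}'"
end

# Simplified model of Rails 3.2 hash conditions: scalar -> `=`, nil -> IS NULL,
# array -> IN (...), and an array containing nil adds (or, for [nil], becomes)
# IS NULL. That last case is what the `token[]` request reaches.
def condition(column, value)
  case value
  when nil then "#{column} IS NULL"
  when Array
    present = value.compact
    in_sql = "#{column} IN (#{present.empty? ? 'NULL' : present.map { |v| quote(v) }.join(', ')})"
    return in_sql unless value.include?(nil)
    present.empty? ? "#{column} IS NULL" : "(#{in_sql} OR #{column} IS NULL)"
  else "#{column} = #{quote(value)}"
  end
end

def find_by_id_and_token_sql(user_id, token)
  "SELECT users.* FROM users WHERE #{condition('users.id', user_id)} " \
    "AND #{condition('users.confirmation_token', token)} LIMIT 1"
end

# The shape of the fix (assumed, not Clearance's exact code): refuse anything
# but a non-empty String token before it gets anywhere near the query.
def valid_token?(token)
  token.is_a?(String) && !token.strip.empty?
end

def password_reset_lookup_sql(params)
  raise ArgumentError, 'invalid confirmation token' unless valid_token?(params['token'])
  find_by_id_and_token_sql(Integer(params['user_id']), params['token'])
end
```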

Acknowledgements

Thank you to Ben Murphy for bringing this to our attention in a professional manner, and to the Rails team for fixing it quickly.

gabebw

This Week in Open Source

clearance

Gabe Berke-Williams (gabebw - that’s me!) cleaned up the clearance Rakefile a bit (4f016db).

factory_girl

Joshua Clayton (joshuaclayton) released version 3.1.0 of factory_girl (f1d3018). For the full list of changes, see the NEWS file. Josh updated a few dependencies too (20becc9, 29157d6). Kristian Mandrup (kristianmandrup) added the ability to alias sequences, just like you can alias factories (f387e38, 178a7ab). To see how to use it, see the documentation (f013335) he added for it. I love documentation pull requests.

factory_girl_rails

Joshua Clayton (joshuaclayton) bumped factory_girl_rails to version 3.1.0 (4259e4c) to match factory_girl’s new version.

paperclip

Prem Sichanugrist (sikachu) released version 3.0.2 (240147e) of paperclip. Unfortunately, the NEWS file hasn’t been updated for 3.0.2 yet. Prem removed an obsolete generator, then added a test for it (a2a4c7a, 03700c8). Preston Guillory (pguillory) fixed a typo (853595a). Typo fixes are always welcome! Michael Galero (mikong) pluralized the table name in the migration generator to follow Rails convention (28e2d1b). And Rafael Mendonça França (rafaelfranca) removed init.rb, since plugins will be deprecated in Rails 4.0 (ae7b7c5).

shoulda-matchers

Gabe Berke-Williams (gabebw - me again!) finally released a new version of shoulda-matchers! Version 1.1.0 has a bunch of changes that you can see in the NEWS file. One of the noteworthy changes is that shoulda-matchers now depends on ActiveSupport >= 3.0.0 (c65e43a), meaning it's Rails 3-only. We have only been testing against Rails 3 for a while, so this just makes it official. Gabe made a couple of documentation fixes (9203275, 8fcc3d2, a4edff0) and also cleaned up the code (5873502, 41088bc, 3039cc6, 820f216, 2e73b35, 457be62). Brendan Loudermilk (bloudermilk) added an accept_nested_attributes_for matcher (ee74222).

this-week-in-open-source

Finally, Gabe Berke-Williams (gabebw) fixed a little bug in this-week-in-open-source (which I used to generate this post!) to print missing directories before doing anything else (564c7c9).

lolconomy

This week in open source

laptop

I was reminded that I've been missing out on our sweet laptop script, which is a program we maintain to get a Rails environment set up on OS X as quickly as possible. So over the past week, Antonio Salazar Cardozo (Shadowfiend) fixed our capitalization of Qt (b667280), Prem Sichanugrist (sikachu) fixed our capitalization of JavaScript (87fe88f), and Dan Croak (croaky) removed the deprecated Heroku Labs plugin (842cd0d) and gave instructions on installing the command-line Xcode tools (a177cca).

suspenders

The suspenders gem, which has helped many people start a Rails app, now shows that the build is broken. Gabe Berke-Williams (gabebw) added that (76e42eb).

shoulda-matchers

The shoulda-matchers gem is a collection of RSpec matchers for various Rails things. Gabe Berke-Williams (gabebw) went to town on it this week, cleaning everything up in an effort to make it more pleasant to hack on (2b98e49, 09544fa, 7b3d6d0, 96df0b1, 36006d8, 4ff1344, 3b3181b, 4574f51, 1c517d2, bd52483, e70e1bf, 41bccc8). Having done that, he added a :primary option to the have_db_column matcher (68e65b2). Matthew Daubert (MDaubs) fixed a JRuby failure and also added support for Rails 3.0 (d85503f).

bourne

Due to my complaining last week, the bourne gem now has a NEWS file (8dfb077), thanks to Gabe Berke-Williams (gabebw).

paperclip

So we have this gem named paperclip. You might have heard of it. This week, Tony Brewerio (tony-brewerio) fixed the :content_type validator (c4c22f8).

Prem Sichanugrist (sikachu) released version 3.0.1, which breaks backward compatibility (d61ddd5, 51bb0f9, 7088f5b, e1951ed, 9ea4a9b, 36d1289, 8390516, b3f9690, 8e80310, ee4107a, b3a63ed, 8a758c2, 84d2d08, fe706c6, b54904e, d3a7427, da5d716, ee42b19, e83f88f, 03f777f, 5232b19, 19aedbc).

Jon Yurek (jyurek) merged in something he has been working on: adapters for different types of I/O (6c5fe19, e10edcd, f4b6d48, 78cfebd, 89c8d11). Adding new file-like things is now easier, including URLs that act like files. Yeah, that’s right.

Jon is so going to write a blog post about this with more explanations, after he updates the README.

factory_girl

A bunch of fun commits to factory_girl this week. Chris Griego (cgriego) used pull requests as a forum to promote his ActiveAttr gem (81c9f2c and 4e2a672). Joshua Clayton (joshuaclayton) added a before_create callback (24d417d).

Vasiliy Ermolovich (nashby) used ActiveSupport for deprecation warnings (bca13f1 and 28e3c25) and also made use of the singleton_class method in Ruby 1.9 (08d01c1).

Mike Subelsky (subelsky) fixed a typo in the docs around the name FactoryGirl::Syntax::Methods (266b1d6), Dan Croak (croaky) mentioned the supported Ruby versions in the README (bed50ec), Josh renamed Changelog to NEWS because that’s exactly what it is (4f5b775) and also renamed *rb files to *erb to handle yardoc better (a6ccbcb).

capybara-webkit

I totally dropped the ball on releasing a new version of capybara-webkit this week. Sorry about that! Joe Ferris (jferris), however, refactored some of the C++, which is very welcome (c2a2bd0 and 4531f65).

appraisal

Some news in our appraisal gem this week: Gabe Berke-Williams (gabebw) added a contribution guideline (fd05fdf), then osheroff fixed appraisal to handle weird filenames (1d4fa93, b21220a, and 75a4970).