Rails 3.2.11 upgrade (lorra lorra security issues…)

There have been quite a few Rails issues over the last few weeks… so I better upgrade mine too :( Note I use rvm with gemsets to separate gem versions – probably could stop using gemsets given the latest bundler, but havent got on that bandwagon yet.

Bingo Caller!

link Not currently live on a public site, but good basic example to test the upgrade. This is currently rails 3.2.8 (rails 1.9.3/sqlite), which is not too far behind the latest, 3.2.11 – so it should be easy… First step, rvm implode and re-install – I have lots of rvm/gemset cruft and now seems like a good time to tidy that up.  Then run bundle to get the gems that should currently work. Then realised that rvm wasnt loaded properly and so the gem installs did not go into my gemset – so re-started the terminal session and ran bundle again (probably could have source’d rvm, but probably better this way). Make sure the db is up to date (rake db:migrate). Then try running the app (rails server) [yup – no tests…].  Seems to be working fine – thought for a moment I was done, but then realised I have not upgraded rails yet – doh! bundle update Now I am on rails 3.2.11.  Lets try again – rake db:migrate; rails server. And seems to be working ok. Checked the log files – one error about binary data in a string field (encrypted_password) – but then we had that previously. Also used the rails_admin gem for a quick built in db-viewer – thats working ok too. Time to see if it works on Heroku too…

  1. Install the Heroku Toolbelt
  2. (re-) create the app – heroku create –app bingo-caller
  3. push the code – git push heroku master
  4. Which failed :( – something about sqlite3 – but that shouldn’t be in prod mode…
  5. Gemfile did not specify ‘pg’ for Postgres – so amended it to say sqlite3 for dev/test and pg for prod (group :production do … end)
  6. This deployed, but then got an error when trying the app ( http://bingo-caller.herokuapp.com )
  7. Maybe it needs the db setup (heroku rake db:migrate) – that also failed “undefined method `database_authenticatable’ for #<ActiveRecord::ConnectionAdapters::PostgreSQLAdapter::TableDefinition:0x00000004a16f68>”.  Looks like some Devise related issue.
  8. Mmm – lets try re-creating the sqlite db – does that work? Nope – same error.
  9. This was a Devise 2.1.2 to 2.2.1 upgrade… a quick google highlights that the schema layout has changed. Re-organised as per that link and now its deploying/working ok.

Humming Now

link Largely a javascript based site – but does use Devise, so that upgrade might make it problematic. Rails 3.2.1 (ruby 1.9.2/sqlite/postgres)

  1. Decided to make sure gcc was good (surprised I didnt get issues above…)
  2. Installed brew.
  3. Install brew gcc etc utils, see here and here.
  4. Install 1.9.2 (seemed to be more reliable for this app, ssl related issues – although that could be an issue with my mac config)
  5. Now we can get to the app, run bundle to install the current gem versions.
  6. but that failed to find one gem version – “Could not find jquery-rails-2.0.0 in any of the sources” – strange, has it been removed? (shows as ‘yanked’ here – http://rubygems.org/gems/jquery-rails/versions )
  7. So, trying to get the latest version, via ‘bundle update jquery-rails’
  8. But then found another missing one – “Could not find twitter-2.0.2 in any of the sources”
  9. So maybe I will just update them all :) ‘bundle update’ – phew, that seems to have worked.
  10. Moved aside the sqlite db and tried ‘rake db:migrate’, which got the devise/db auth error as above.
  11. So followed the above fix, re-did the schema and that worked.
  12. Tried rails console and that seems ok
  13. Then tried rails server, got a warning from Devise – “Devise.use_salt_as_remember_token is deprecated and has no effect. Please remove it”
  14. The home page seems to load, but there is a javascript error behind the scenes, looks like its not escaping the json stuff ” … Router({&#x27;url_root&#x …”
  15. Looks like ruby/erb is encoding the model json stuff – noticing that I have <%== (double equals) in the other js parameter, which is working – so I tried that in the first one and it worked.  Cant seem to find it defined anywhere, but presumably its to not escape the value.
  16. Tried running rails console – but got [BUG] Segmentation fault.  Then ran rake db:migrate and tried rails c again and it worked (also changed directory elsewhere and back…)
  17. The Twitter gem used has moved on from 2.0.2 which is currently used – latest is 4.4.4, in particular, Twitter has removed the public timeline, which this site uses.
  18. Tried to remove public timeline, but getting issues with current_user not being defined.
  19. Tweetstream gem allows access to public timeline via the streaming API – thats worked :) , but entities/link urls are coming through strangely…  :(
  20. Getting some issues around the user/session.  It seems to let me login (via Twitter) and the user home page comes up.  But any subsequent requests are failing – it finds no current user. Its like the session is losing the user or its being re-created.
  21. I then reverted those changes and tried to just get the current app running and I am still getting the same issue.  I had to update some gems which had been yanked, but then that led to other gems getting updated… But have fixed the Rails/devise/rack/omniauth gems at their original versions.
  22. I would think that devise/rails looks after the user in the session – so that would be the place to look – but now I have pinned those to the current live version, that doesnt seem likely…
  23. Time to try a different approach – just patching the current Rails version – see if that can be done on Heroku…
  24. As a couple of the gems have been ‘yanked’, I amended the Gemfile to use github versions, like so
  25. gem ‘twitter’, :git => ‘https://github.com/sferik/twitter.git‘, :tag => ‘v1.6.0’

  26. And it worked – well, now I have a running app, time to patch it!
  27. Best link I found is this Engine Yard one.
  28. Before/after I tried this exploit tester – but it seemed like it was ok before/after.
  29. From the above work trying the big bang update, I re-applied the changes to get the public timeline working via tweetstream.  Oops – just noticed search does not work… something for later.
  30. And then pushed it to production, next!

Quoter

Largely a backend site, but has a few public urls with stats on.  Use Mechanize and Savon, will probably need to update these too.

  1. Following the steps above, via rvm/bundler – get all the required gems in place.
  2. First, lets try the exploit tester… says its not vulnerable (at least without logging in)- but better safe than sorry…
  3. Ok, lets try a full update of Rails – currently on 3.2.3… change the Gemfile and run ‘bundle update rails’
  4. But that didnt work – seems some old gem is causing issues, getting error “NoMethodError: undefined method `field_changed?'”
  5. so lets try ‘big bang’ – ‘bundle update’ …
  6. It seemed to work, but needs more testing ….
  7. So, went for the patch option from the Engine Yard link above.  Did some testing, seems ok.
  8. And then pushed to prod :)

Image Site

Not deployed, so perhaps leave… last version used  – 3.0.9 …

Other useful links:

  • http://railsapps.github.com/updating-rails.html
  • https://groups.google.com/forum/?fromgroups=#!msg/rubyonrails-security/61bkgvnSGTQ/nehwjA8tQ8EJ