Brakeman is a static analysis tool for Ruby on Rails that looks for security vulnerabilities. The cool thing about Brakeman is that pretty much all you need is your code: there is no need to set up a database or a web server or anything of that sort. The code doesn’t even need to be working completely.

Brakeman has been working pretty well for Rails 2.x code, but no one really cares about that any more. Rails 3.x is the new hotness. So I have been working on getting Brakeman to work with Rails 3. The latest gems will attempt to detect Rails 3 automatically (otherwise, there is the `-3` options). There are some known issues to be fixed, but I think it’s past the “catastrophic crash and burn” stage. I would encourage people to try it out.

Also, I have released a Jenkins/Hudson plugin for Brakeman With a minimal amount of setup, you can have Jenkins run Brakeman automatically. It uses another nice plugin to make pretty graphs and tracks the vulnerabilities found so you can see right away when things go wrong.

From Tom Sawyer:

...Work consists of whatever a body is obliged to do, and that Play consists of whatever a body is not obliged to do.

It is common in the open source world to hear that someone wrote some software to “scratch their own itch.” The implication is usually that they wrote the code to meet some need (or annoyance?) they had, and it may, by mere coincidence, be useful to others as well. Sometimes this phrase also used to excuse the software or lack of support for it. It may also be used to provide guidance for those wanting to write software: do something useful for yourself.

I think there is a considerable amount of wisdom in this approach. Nothing motivates a person like a genuine interest in a project. The best learning (in my non-scientific opinion) occurs when a person is driven by their own interest. Outside pressures can only do so much.

I often see Project Euler or some kind of “programming koans” offered up as suggestions to improve one’s programming skills. I find these to be unhelpful for me, as I cannot make myself be interested in them. In fact, I should not need to force myself to be interested at all: that pushes the activity into the “work” category and the exercise has already failed.

For programmers, we should be writing code which we want to write, solving problems we want to solve, and producing something we want to make.

Along the way, we may accidentally learn all kinds of new things, but only because those things are on the path of building our project. It is not about making something useful, or good, or desirable. It is about the joy of creation.

That does not mean it is all bunnies and sunshine, though. I have hit my head against the wall more times over software I was writing for fun than any homework problem. Why? Because they were problems I intensely desired to overcome – for myself.

The point, in case I have not beaten it to death already, is that you should write code for you. It doesn’t matter if it isn’t perfect or won’t compile on anyone else’s machine. It doesn’t matter if twenty other programs exist that do the same thing. All that matters is that you write it. Learning is merely a side effect.

There are a few examples around the ‘net of chat servers in Ruby, which seem to me to be unnecessarily complex or else too simplistic.

This is a simple version, too, as it is intended to meet the requirements over at RosettaCode. However, I think I’ve covered most of the common failure points.

Caution

If connecting with a client like PuTTY, use “raw” mode to avoid telnet negotiation.

I spent this summer doing an internship at ATTi, during which I developed a static analysis tool called brakeman for finding security vulnerabilities in Ruby on Rails applications.

What it is

Brakeman uses Ryan Davis’ Ruby Parser to parse the code of your RoR application, mangles it a bit, extracts some information, and then runs various checks on the result. It then uses Ruport to generate a report.

The HTML reports look like this.

Because brakeman analyzes the source code, there is no need to wait until the application is deployed to start testing it. Brakeman can be run at any point in the development process.

What it can do

Right now, brakeman can find these kinds of problems:

• Cross site scripting vulnerabilities
• SQL injection
• Command injection
• Unsafe redirects
• Unrestricted mass assignments
• Insufficient validation regexes
• Default routes
• Dynamic render paths

It can also check configuration settings, such as cross site request forgery protection and session secret length.

Unfortunately, it is not (yet?) compatible with Rails 3.0. Hopefully it will still be of use to a lot of people, though.

Installation

Brakeman can be installed as a gem (and, in fact, that is how I would recommend doing it):

gem install brakeman

(may require sudo).

Documentation

brakeman -h provides information on the options available. I’ve also been working on fleshing out the wiki with more detailed info.

Problems?

I really want this to be a useful tool, so if it does not work for you or there are any problems, please file an issue or even just leave a comment on this post. I’ll do my best to get everything fixed up.

As a result of a Ruby bounty, I wrote a patch for RubyGems which provides suggestions when you try to install a gem and you get the name a little wrong. You can see all the details here.

Now that RubyGems 1.3.7 is out, I’m going to go ahead and provide a patched version for those who frequently forget, mistype, or misspell gem names (this includes myself).

Download .tar.gz

Download .zip

After decompressing, I recommend installing it with

ruby setup.rb --no-rdoc --no-ri

(and probably sudo).

Here are some examples of what this adds to your RubyGems experience:

$ gem install Blah
ERROR:  Could not find a valid gem 'Blah' (>= 0) in any repository
        Possible alternatives: blahblahblah

$ gem install Nkojiri
ERROR:  Could not find a valid gem 'Nkojiri' (>= 0) in any repository
        Possible alternatives: nokogiri

$ gem install blue
ERROR:  Could not find a valid gem 'blue' (>= 0) in any repository
        Possible alternatives: bluecloth, BlueCloth, bluefeather,
         blue_light_special, blue_light_special_heroku_fork, glue, bluepill,
         blueprintr, blueprints, bluepay, ...

$ gem install sinatar-capcha
ERROR:  Could not find a valid gem 'sinatar-capcha' (>= 0) in any repository
        Possible alternatives: sinatra-captcha, sinatra-cache, sinatra-cas, sinatra-auth,
         sinatra, sinatra-any, sinatra_app_gen, sinatra-flash, sinatra-dm, sinatra-dm-auth,
         sinatra-doc, sinatra-erb, sinatra-compass, ...

I’m putting that first for people who don’t need a story.

To be honest, I cannot believe it took me so long to find this out. It seems like such a simple thing. You have a git repo. You’ve made changes to a few different files, when you realize you just want to start over on one of them. You could do git reset --hard, but then you lose all of your changes. You could commit all the other changed files, then do a git reset, but what if you aren’t done with editing the other files?

In Subversion you can svn revert a single file. Since that is what I fairly frequently wish to do, I searched high and low for a way to do this seemingly simple operation.

Then, one day glorious day, I found it. And now so have you.

Recently, the main Ruby Gems hosting has moved from RubyForge to Gemcutter. This is pretty cool, and I was excited to publish my first gem there (the JRuby gdbm library I’ve mentioned before).

I get excited imagining that people actual use my stuff, so I’ve been tracking the downloads reported by Gemcutter. I seem to recall there being a problem a little while ago with numbers being off, but I thought that had been solved. In any case, I was surprised by the number of downloads (up to 137 now). It’s not very high for most things, I guess, but for a library for a specific dbm for a specific Ruby implementation, it seems suspicious.

My current theory is that people are installing it on accident, perhaps thinking that they need it to use gdbm in the main Ruby implementation (or perhaps others?). Fortunately, I’ve checked it out, and it appears that even if you install it this way, it will not interfere with the gdbm library in Ruby’s standard library. This is likely because the gem paths are later in the search path. Of course, if Ruby’s standard gdbm is not working for you, then my gem probably won’t either, unless you are using it with JRuby, as intended.

In retrospect, perhaps I should have named the gem a little bit better, to avoid confusion…

Here’s some links to interesting Ruby information. I intend to update it periodically.

Ruby Doc – Best site for looking up the core Ruby API and the standard libraries.

AllGems – Documentation for most Ruby gems.

Ruby Forum – Mirrors of the main Ruby mailing lists. Some are read-only.

Gemcutter – The new gem hosting site.

RubyForge – The old Ruby project hosting site. It is slowly being phased out.

Try Ruby – The new Try Ruby page, where you can go through an interactive tutorial directly in your browser.

Ruby Inside – Popular Ruby blog, with frequent articles.

Ruby Flow – Community-submitted Ruby links.

Ruby Trends – View and vote for trends in Ruby software, books, and more.

Ruby Pulse – Screencasts of Ruby software and libraries.

Ruby Subreddit – Reddit site for Ruby. Not incredibly active.

Ruby Stack Overflow – Ruby questions on Stack Overlow.

Confreaks – Not strictly Ruby, but videos from many Ruby events are available for streaming.

I am just so excited right now. I was watching Dave Thomas’ (not the Wendy’s guy) keynote talk from RubyConf 2008, in which he proposes several “forks” of Ruby. At about 40 minutes in, he discusses having a fork of Ruby that has real closures instead of blocks. I thought to myself, “Self, that sounds a lot like Brat.” Five seconds later, he mentioned the problem with passing in multiple closure literals to a function: the comma is ugly.

some_method { do_stuff }, { 1 + 2 }

I agree! I think this is an ugly issue in Brat right now.

But then he proposed an awesome solution: if two closures are next to each other in the argument list, you don’t need a comma! Now you can do this:

some_method { do_stuff } { 1 + 2 }

This took approximately 2 minutes to implement for Brat.

Now instead of

while { x < 1 },
    { 
        p x
        x = x + 1 
    }

You can do

while { x < 1 } { 
        p x
        x = x + 1 
    }

I think this is awesome and makes Brat a lot more attractive.

In fact, I went totally crazy so now you can do

x = 101
true? x > 100
      { p "> 100!" }
      { p "<= 100!" }

Just be careful when using bare variables:

true? a { p "truth!" } { p "lies!" }

This is parsed into:

true?(a({ p "truth!" }, { p "lies!" }))

This is so cool…now to update all of Brat’s docs with this syntax. :)

Motivation

(Warning: boring story ahead. Skip to next section if you want.)

Quite a while ago, I thought it would be kind of nice if my Ruby MUD server would run on JRuby, since JRuby might be better at dealing with long-running server processes. Unfortunately, at the time, EventMachine did not have a Java version, so I decided to wait for that to work.

A while later, there was some kind of Java release for EventMachine. I tried it out, but then ran into another problem: gdbm is provided as a C extension for the standard Ruby distribution. So, I gave up again.

Then, along came Ruby FFI and I thought, “Hm…wonder if I could use that…” and then I gave up because I am not very good at C, even just trying to read it.

THEN, I saw this blog post about the next version of JRuby (1.4) and decided maybe I should do something about it, after all. So I did.

ffi-gdbm

The result is a gdbm library which should be fully compatible with the standard C extension distributed with Ruby, including reading and writing gdbm files which can be read/written by either implementation.

Requirements

Although I had hoped to make this library compatible with any Ruby FFI implementation, unfortunately it only works with JRuby, and it needs at least version 1.4. Perhaps this will change as the other Ruby FFI implementations get fancier.

Installation

You can checkout ffi-gdbm on GitHub. All you actually need is the gdbm.rb file.

Alternatively, you can install it as a gem:

Make sure you require "rubygems" if you do use the gem version.

Usage

You can use this library just as you would the standard library that comes with Ruby. See here for documentation.

Aftermath

Unfortunately, the Java version of EventMachine is still incomplete, so it’s a bit of letdown, although kams does work at least nominally using it. Hopefully, EventMachine will one day be completely stable under JRuby.

Lately, there has been a particular activity which I consistently look forward to with excitement. That is writing libraries for my own programming language. Even if it is just wrapping existing libraries, there is something really cool about enabling a language to do “real world” type things, such as communicating with other processes or generating HTML or making a full-blown GUI.

Since I have started working on my own little programming language, I have repeatedly made attempts to take a look around at other little languages that people may be working on. However, either my Google-fu is weak or it is just difficult to find these little guys.

Part of the difficulty is that most people do not want to see your little half-finished, half-working language. A recent discussion on Reddit showed that people can be very reactionary to such languages. Now, there is Esolang, but that site is more focused on languages that are purposefully unusable.

Thus, I have created a new site to be the home of fledgling languages, appropriately entitled The Fledgling Languages List. Anyone is welcome to submit their own language or languages they know about for listing. Each language has its own little page with a description and people can leave comments or feedback for each language.

I am very open to suggestions or feedback concerning the site, especially if something is broken.

Previously, I had pretty much avoided implementing any kind of operator precedence for Brat and covered up my reluctance by saying that was just how it was. So binary operations were strictly left-to-right affairs. But that makes things like 1 + 3 * 4 very disappointing. Since I keep feeling like Brat should at least pretend to be a real language, I decided I really needed to do something about this.

What is so hard about it? It doesn’t seem difficult at first. It seems like there ought to be a nice recursive solution to the problem. And there probably is, but if you are using a typical recursive descent parser, this recursion will not be possible.

There are a few ways to go at this issue, but I wanted the simplest and easiest to deal with. A while ago, I had been thinking about this and ran across a reference to the shunting yard algorithm. At the time, I couldn’t really see how it was related. This time around, I looked at it a bit more closely.

The purpose of the algorithm is basically to convert equations which use infix notation (typical math notation with operators in between their arguments) into Reverse Polish Notation. Why would you want to do that? Well, because RPN is explicit about which order operations are evaluated in. It is also pretty straight-forward to implement (which is the important part, really.)

Let’s take a look at the two main parsing rules, written in Treetop, which deal with binary operations. I have elided the related code:

  rule binary_operation
        lhs:binary_operation_chain rhs:expression { ... }
  end

  rule binary_operation_chain
        (lhs:binary_lhs_expression ~space op:operator ~space)+  { ... }
   end

The first rule will match any binary operations. The second rule is a helper, which matches a list of binary operations, all except for the far right expression. There may have been some explicit reason why I separated these before, but it remains convenient in the code to do so.

The second rule will essentially return a list of alternating values and operators, just what the shunting yard algorithm needs.(Well, actually it’s simpler than the algorithm needs.) This list will be fed into the algorithm, which will spit out a new list of values and operators, now in the proper RPN form.

The parser then “evaluates” the RPN expression. It essentially runs through the algorithm for evaluating RPN, outputting code to evaluate expressions and using temporary values. In other words, the RPN algorithm is not explicitly emitted in the code, but the intent is in the order that things are evaluated.

The whole thing ends up being about 50 lines of code, which is far less than I thought I would be looking at for this.

Anyhow, just wanted to share. I’m pretty excited that Brat has this feature now, especially since it can be implemented in such a flexible way. Operator precedence is stored in a hash table which just associates operators with an integer representing its precedence level, so it is quite simple to add more operators (operators not in the table are just given the lowest precedence, though, so arbitrary operators are still completely supported).

When I started with kams, it was just going to be my own little MUD server that I puttered around with. So I set up a little Subversion repository and went at it. That repository slowly turned into my main server for the game. That way, I could do version control and keep a backup copy of everything. That worked pretty well for quite a while, until the decision was made to release some code. To do so, I created a branch, stripped out all of the stuff I didn’t want publicly released, and then released that code. Well, that is the way it was supposed to work. Actually, I had to fix things along the way as I was preparing the release code. This meant copying/merging back and forth between the branch and the trunk versions of the code.

This became annoying.

Now that I have been using Git for a while, I was hoping to do something so that I can continue my current path (keeping my private stuff private, but in the Subversion repository), but also maintaining an on-going public code repository.

To compound the issue, I (very foolishly?) do most of the development work on the live server. (Keep in mind, no one is actually using the live server, so this really does not matter.)

This is what I came up with. First, I created a GitHub repository for the public code. Then I copied my latest branch into the Git repository, committed it. Next, I created a new branch, deleted all the files, and then did an svn checkout to the new branch, and finally committed the private files to that Git branch.

Now what I can do is make code updates on my trunk code (kept in Subversion), then do an svn update on the private Git branch, then do a Git commit of the specific changes I want put in the public repository, then do a git cherry-pick of that commit into my master branch. Finally, a git push puts it all up on Github.

This works in reverse, as well. Changes made in the Git repository can be propagated to the private branch, from there to the Subversion repository of the trunk.

Works fairly well, actually, and it will make it considerably easier to create future releases. Yay.

As I mentioned before, there is no real reason or goal behind developing Brat, I just saw potion and decided I wanted to be cool, too.

What that means is that features in Brat are sort of based on two things: 1) How easy is it to implement in Neko and 2) Is it something I expect to have because I am spoiled by Ruby.

For example, closures/functions in Brat started off being identical to Neko’s, because obviously that was the easiest thing to do. And I hadn’t planned on taking the ‘prototyping’ approach, but it was easy and is likely the brattiest way to go.

Anyhow, when I was doing stuff for array objects, I was thinking I should really copy Ruby’s approach, which is to have an enumerable module and then mix it in to array and hash and so on. But, of course, that would mean implementing mixins somehow. I knew I didn’t want to add in any new things (like modules) and it’s all about the lowest resistance, so I created squish-ins.

I have no idea if this concept has been used before (probably), but essentially you can take an object and copy all the methods of another object into it.

a = new
b = new
a.something = { p "do something" }
b.squish a
b.something  #prints "do something" 

Note that I said it “copies” the methods from the other object. This is and isn’t true. Squishing in another object’s methods does not create copies of them, only references. However, it is a reference to the object’s actual methods at the time of the squishing. In other words, this is a copying action rather than an inheritance or subclassing action. If the squished-in object’s methods change, the…squisher(?) will still reference the old methods.

a = new
b = new
a.something = { p "do something" }
b.squish a
b.something
a.something = { p "now do something else" }
b.something   #still prints "do something" 

So we get the code-sharing of mixins but not the inheritance properties. For now, I’m fine with that. Of course, it is actually not that difficult to do both:

a = new
b = new
a.something = { p "do something" }
b.something = { a.something }
a.something = { p "now do something else" }
b.something   #prints "now do something else" 

I am not sure which is preferable.