Code Retreat

Posted in Developers, Jul 28, 2011

In December last year, Corey Haines ran a Code Retreat here in Melbourne. I was lucky enough to attend, and I have never improved my craft as a software developer so much in a single day.

Now I’m running one at Envato’s shiny new offices on Saturday, August 27th.

What on Earth is a Code Retreat?

It’s a day of deliberate practice, a chance to focus on software development techniques without the distraction of having to deliver real software.

When you have to deliver a product, you always cut corners. You don’t follow all the principles of good design, you don’t have 100% test coverage, you don’t do TDD rigorously. And that’s fine; you’re working within constraints.

But to get really good at any of those things you have to practice them without those constraints. You have to take them too far and see what happens.

A Code Retreat is a chance to do this, and share what you learn with others that are doing the same.

You can read more about Code Retreats here.

The Format of the Day

The day starts at 8:30 AM and goes to around 5:00 PM. It’s free, and Envato is putting on breakfast and lunch.

You’ll be working on a particular problem throughout the day (Conway’s Game of Life), in sessions of about 45 minutes. You’ll pair with somebody different in each session, and it’s up to each pair to decide what language they want to use.

Here’s the important bit: at the end of each session, you’ll delete your code. The only thing that you’ll take away from the session is what you’ve learnt. There’s no pressure to deliver a working product.

We’ll probably get through 5 or 6 sessions, but it depends on how people are feeling.

Registering

We’re opening 20 spots to start with, and we may add a few more later.

Registrations open at 10:00 AM on Tuesday, August 2nd, and it will be first come, best dressed.

Go here to register.

(If you miss out, fear not. There will be more Code Retreats in future!)

I hope to see you there!

SafeShell

Posted in Developers, Jan 11, 2011

Need to call out to shell commands to process user-submitted files from your Rails app? You should be using our safe_shell gem.

The Problem

Let’s say a friendly user has uploaded a file called “avatar.jpg”, and you’re using ImageMagick to find out about it. In your app you do:

info = `identify #{filename}`  # filename holds the uploaded file's name (variable name assumed; the original interpolation was lost in extraction)

That’ll expand to:

info = `identify avatar.jpg`

All good, right?

Then a malicious user comes along and uploads a file called “;rm -rf .”, and your command expands to:

info = `identify;rm -rf .`

Uh oh. Because the backtick operator forks a shell, and the shell parses the command, this will happily do exactly what you don’t want it to. Bye bye anything in your Rails app that can be deleted.

So what’s the answer?
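The gem's fix isn't shown on this page, so here is an added example (not safe_shell's own code) of the backtick problem beside the two standard Ruby remedies: pass the program and its arguments as separate argv entries so no shell is involved, or escape each argument with Shellwords if a single command string is unavoidable. It assumes a POSIX shell and coreutils printf, which stands in for ImageMagick's identify, and the hostile filename carries a harmless echo in place of rm.

```ruby
require 'open3'
require 'shellwords'

# Constructed stand-in for the post's hostile upload name: ";" is a shell
# command separator, so the shell sees two commands. The payload is a harmless echo.
HOSTILE_NAME = ';echo INJECTED'

# The post's pattern: one interpolated string handed to /bin/sh, which parses it.
# (Same thing the backtick operator does.) printf replaces identify here.
def describe_via_shell(filename)
  out, _status = Open3.capture2("printf '%s\\n' #{filename}")
  out
end

# Fix 1: program and each argument passed separately. Ruby execs printf directly,
# so the filename arrives as a single argv entry no matter what it contains.
def describe_via_argv(filename)
  out, _status = Open3.capture2('printf', '%s\n', filename)
  out
end

# Fix 2: if you must build a command line string, escape every argument first.
def describe_via_escaped_shell(filename)
  out, _status = Open3.capture2("printf '%s\\n' #{Shellwords.escape(filename)}")
  out
end

# True when the injected command produced its own output line.
def injected?(output)
  output.lines.map(&:chomp).include?('INJECTED')
end

if __FILE__ == $PROGRAM_NAME
  puts "shell:   #{describe_via_shell(HOSTILE_NAME).inspect}"          # => "\nINJECTED\n"
  puts "argv:    #{describe_via_argv(HOSTILE_NAME).inspect}"           # => ";echo INJECTED\n"
  puts "escaped: #{describe_via_escaped_shell(HOSTILE_NAME).inspect}"  # => ";echo INJECTED\n"
end
```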
