Security issues with hash conditions in Rails 2 and Rails 3

Find conditions for scopes can be given either as an array (:conditions => ['state = ?', 'draft']) or a hash (:conditions => { 'state' => 'draft' }). The latter is nicer to read, but has horrible security implications in some versions of Ruby on Rails.

Affected versions

Version  Affected?  Remedy
2.3.18   yes        Use chain_safely workaround
3.0.20   no         ...

Where to find .desktop files on Ubuntu

.desktop files define launchers for applications installed on your machine. They specify the command that will be executed when launched, icons, titles, etc. There are two directories in which these files are stored:

# basic installation

# installed via snap

What's so hard about PDF text extraction?

There is a common view that extracting text from a PDF document should not be too difficult. After all, the text is right there in front of our eyes and humans consume PDF content all the time with great success. Why would it be difficult to automatically extract the text data?

Turns out, much as working with human names is difficult due to numerous edge cases and incorrect assumptions, working with PDFs is difficult due to the extreme flexibility given by the PDF format.

QueryDiet 0.7.0 released

We released a new version of our gem QueryDiet.

0.7.0 2020-09-24

Compatible changes

  • Added: CSP support for query diet widget (#23)
  • Added the CHANGELOG file.

You can pass whether to use a nonce for style and script tags.
Note that the key must be a symbol like in the example below, otherwise it defaults to false.

<%= query_diet_widget(nonce: true) if Rails.env.development? %>

In your content security policy initializer of...

Cucumber Factory 2.3.0 and 2.3.1 released

Versions 2.3.0 and 2.3.1 of our gem Cucumber Factory have been released.


  • Added a step to add file objects to a model:
    Given there is a user with the avatar file:"path/to/avatar.jpg"
    Both single and double quotes are supported.


  • Lowered the priority of all steps in this gem to avoid issues with overlapping steps.

How to implement simple queue limiting/throttling for Sidekiq

The sidekiq-rate-limiter gem allows rate-limiting Sidekiq jobs and works like a charm. However, it needs to be integrated on a per-worker basis.

If you want to limit a whole queue instead, and if your requirements are simple enough, you can do it via a Sidekiq middleware yourself.

Here is an example that limits concurrency of the "mailers" queue to 1. It uses a database mutex via the [with_advisory_lock](https://github.com/ClosureTree/wit...

Generated face images for UI mockups

Generated Photos produces AI-generated face images.

This is useful for UI mockups where you don't want to show real people or copyrighted stock photography.

VCR and the webdrivers gem

If you're using the webdrivers gem and VCR together, depending on your configuration, VCR will yell at you regularly.
The webdrivers gem tries to update the webdrivers on your local machine. To do so, it checks the internet for newer versions, firing an HTTP request to e.g. https://chromedriver.storage.googleapis.com

You can "fix" this in multiple ways:

  1. Update your drivers on your machine with
    RAILS_ENV=test rake webdrivers:chromedriver:update

  2. Ignore the driver update-URL in your ...

Rails: How to list all validations on a model or an attribute

If a model inherits from others or uses many concerns / traits, it might be hard to see in the code which validators it has.
But fortunately there's a method for that:

irb(main):002:0> pp UserGroup.validators
  @delimiter=[true, false],
  @options={:in=>[true, false], :allow_nil=>false}>,
  @delimiter=[true, false],
  @options={:in=>[true, false], ...

Simple form examples with bootstrap

A good reference on how to build Bootstrap forms with simple_form.


Always, always declare your associations with symbols

Never ever declare your associations with a string, especially when doing metaprogramming. A common mistake is something like

class Page < ActiveRecord::Base
  %w[main sub].each do |type|
    belongs_to "#{type}_title" # wrong: the association name is a String
  end
end

class Page < ActiveRecord::Base
  %w[main sub].each do |type|
    belongs_to :"#{type}_title" # right: the association name is a Symbol
  end
end

Always convert to a symbol, otherwise you'll have [all](/makandra/4177-bugfix-rails-does-not-find-an-association-when-it-is-named-w...


Don't assign time values to date attributes

Do not pass times to date attributes. Always convert times to dates when your application uses time zones.


A time-zoned Time attribute on a Rails record is converted to UTC using to_s(:db) to be stored, and converted back into the correct time zone when the record is loaded from the database. So when you are not on UTC, time objects will be converted as follows.

>> Time.current
=> Fri, 15 Mar 2013 11:56:03 CET +01:00
>> Time.current.to_s(:db)
=> "2013-03-15 10:56:03" # This is now UTC


That will...


What edge_rider offers you

edge_rider offers power tools for ActiveRecord relations (scopes). Please note that some of the functions edge_rider provides have native implementations in newer Rails versions.

Useful in applications


Edge Rider gives your relations a method #traverse_association which returns a new relation by "pivoting" around a named association. You can traverse multiple associations in a single call. E.g. to turn a relation of posts into a relation of all posts o...

How to include Sidekiq job IDs in Rails logs

When logging in Rails, you can use the log_tags configuration option to add extra information to each line, like :request_id or :subdomain. However, those are only valid inside a request context and have no effect when your application is logging from inside a Sidekiq process.
This includes custom as well as any framework logs, like query logging from ActiveRecord.

Since Sidekiq Workers run inside threads of a single process, running multiple jobs in...


Pagy is a gem for pagination.
They make some bold claims:

Pagy is the ultimate pagination gem that outperforms the others in each and every benchmark and comparison.

Maybe this is worth trying out.

How to generate GIDs from an ActiveRecord scope

ActiveRecord provides the ids method to pluck ids from a scope, but what if you need to pluck Global IDs?

While you could just call map(&:to_global_id) on your scope, this approach would instantiate each record just to do that. When you have many records, this will at the very least be slow.

Here is a method that does it for you efficiently. It respects Single Table Inheritance (STI).
Put it in your project's ApplicationRecord to make it available on all models.

class ApplicationRecord

Ruby: How to determine the absolute path relative to a file

If you want to get the path of a file relative to another, you can use the expand_path method with either the constant __FILE__ or the method __dir__. Read this card for more information about __FILE__ and __dir__.



├── bin
│   ├── format_changelog


#!/usr/bin/env ruby

# Absolute path to ../CHANGELOG.md, independent of the working dir of the caller:
# __dir__ is the directory of this script, so expand_path resolves relative to bin/
changelog_path = File.expand_path('../CHANGELOG.md', __dir__)
changelog = File.read(changelog_path)

# ... further actions h...

Chrome: Using browser notifications


Google Chrome disables Notifications for insecure origins (i.e. those using HTTP). Only http://localhost is considered secure.

If you need to use browser notifications on other origins, you can set a flag: chrome://flags/#unsafely-treat-insecure-origin-as-secure. Enable the flag and add your origins. Remember that "origin" refers to the combination of protocol+hostname+port, e.g. "http://example.com:8088".
