As I am learning Ruby on Rails, I am finding interesting tidbits in relation to it’s history. This one was brought up in a recent HackerNews thread about GitHub updating to Rails 5.2:
So back in 2012 rails had a default behavior where you could mass assign values from a POST to a user and there wasn’t any scrubbing of that, by default. Egor Homakov realized this was a Bad Thing and issued a pull request that would have fixed it. Instead of accepting the pull request, the Rails repository admins said something along the lines of ‘competent programmers would not leave that setting in place’ and rejected the pull request.
Homakov thought about this and tried it against GitHub, which was known to run on Rails. The code worked! In theory, he could have manipulated the permissions on GitHub to get access to the Rails repository where he would then be able to reopen and accept his own pull request.
Instead, he just chose to push a simple commit to GitHub’s master branch in order to prove his point.
GitHub temporarily suspended his account while they launched an investigation, but after finding Homakov to be in the right, had it reinstated.
Some links related to this:
- link 1 – Detailed explanation about how Homakov’s hack worked.
- link 2 – GitHub’s official response to the hack
- link 3 – HackerNews thread after the hack took place