beerkg commented on Show HN: Shale – a Ruby object mapper and serializer for JSON, YAML and XML   shalerb.org/... · Posted by u/beerkg
sam0x17 · 4 years ago
Hey this is a very cool project! When you were developing it, I'm curious if you took any special security precautions in your design of this project, seeing how XML/JSON/YAML serialization and de-serialization are the topic of many high profile CVEs, particularly in the Ruby community?
beerkg · 4 years ago
Shale uses Ruby's standard library parsers out of the box, so if you keep your Ruby up to date with security updates you will be good. Also, others in this thread suggested setting a minimum version on dependencies, so I'll probably do that in a future version.
alipitch · 4 years ago
When using the shale gem, how would you avoid the mass assignment problem? Is there a configuration, or a way of using the shale gem to avoid it?

CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes <https://cwe.mitre.org/data/definitions/915.html> (Ruby on Rails Mass assignment bug)

beerkg · 4 years ago
If you don't define attributes explicitly on the model, Shale will ignore them.

Regarding attributes that you defined but still don't want to be assigned, you should probably filter them before passing them to Shale, or alternatively filter them with Shale before passing them further down the stack (e.g. to ActiveRecord).
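The allow-list behaviour beerkg describes, as an added example that is not Shale's code and not part of the thread: a minimal JSON-to-object mapper in which only declared attributes are ever assigned (undeclared keys such as a client-supplied `role` are dropped), plus a `to_h(except:)` step that strips a declared-but-privileged attribute before the object is handed further down the stack. `AllowListMapper`, `Person`, and the JSON input are all constructed for this example.

```ruby
require "json"

# Minimal mapper (constructed for this example, not Shale's API): attributes
# must be declared explicitly, and only declared ones are assigned from input.
class AllowListMapper
  def self.attributes
    @attributes ||= {}
  end

  # Declare an attribute and the coercion used for it.
  def self.attribute(name, type)
    attributes[name.to_s] = type
    attr_accessor name
  end

  # Build an instance from a JSON document; keys that were never declared are
  # ignored, which is the CWE-915 mitigation discussed above.
  def self.from_json(json)
    data = JSON.parse(json)
    raise ArgumentError, "expected a JSON object" unless data.is_a?(Hash)
    obj = new
    attributes.each do |name, type|
      next unless data.key?(name)
      obj.public_send("#{name}=", coerce(data[name], type))
    end
    obj
  end

  # Strict coercion: reject values that do not match the declared type rather
  # than silently accepting whatever the client sent.
  def self.coerce(value, type)
    return nil if value.nil?
    case type
    when :string  then String(value)
    when :integer then Integer(value)
    when :boolean
      return value if value == true || value == false
      raise TypeError, "expected boolean, got #{value.inspect}"
    else
      raise ArgumentError, "unknown type #{type.inspect}"
    end
  end

  # Declared attributes as a hash, minus the ones the caller does not want to
  # let through to the next layer (an ORM, for instance).
  def to_h(except: [])
    skip = except.map(&:to_s)
    self.class.attributes.keys.reject { |k| skip.include?(k) }
        .to_h { |k| [k, public_send(k)] }
  end
end

class Person < AllowListMapper
  attribute :first_name, :string
  attribute :email, :string
  attribute :age, :integer
  attribute :admin, :boolean   # exists on the model, but must never come from a request
end

# Constructed input: the client tries to grant itself admin rights and to set
# a field the model never declared.
UNTRUSTED_JSON = '{"first_name":"John","email":"john@example.com","age":30,' \
                 '"admin":true,"role":"superuser"}'

def person_from_untrusted(json = UNTRUSTED_JSON)
  Person.from_json(json)
end

# What may reach the persistence layer: declared attributes minus the ones the
# request is not allowed to control.
def safe_params(json = UNTRUSTED_JSON)
  person_from_untrusted(json).to_h(except: [:admin])
end

if __FILE__ == $PROGRAM_NAME
  p safe_params   # {"first_name"=>"John", "email"=>"john@example.com", "age"=>30}
end
```

Note that `admin` is still assigned on the mapped object because it was declared; declaring an attribute is what makes it assignable, so the second filter (`except:`) is what keeps a declared-but-privileged field from propagating.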

danychok · 4 years ago
Just noticed when sharing the site link - the summary reads: Vue-powered Static Site Generator. A bit misleading.

<meta name="description" content="Vue-powered Static Site Generator">

Kudos for choosing Vue tho =)

beerkg · 4 years ago
Documentation site was based on https://vuepress.vuejs.org/ but it evolved so much I dropped Vue altogether and went with plain HTML instead. I must have left that meta tag from the early days.

Regarding Vue I use it daily at my job, great library :)

Spone · 4 years ago
Nice library with a very approachable documentation, congrats!

I'll probably give it a go to replace my current implementation using nokogiri-happymapper (https://github.com/mvz/happymapper)

beerkg · 4 years ago
HappyMapper was actually an inspiration for Shale. If it had support for JSON, Shale probably wouldn't be created :)
codesnik · 4 years ago
You don't have to sacrifice that simplicity, actually. (And I insist on that simplicity being a wrong type, it'll bite users of your library basically right away, when they try to use it for anything apart from storage/serialisation)

But you can just give an upgrade path! Consider something like this:

  class Address
    attr_accessor :street, :city
  end

  class Person
    attr_accessor :address
  end

  class AddressMapper < Shale::Mapper
    mapped_class Address
    attribute :street, Shale::Type::String
    attribute :city, Shale::Type::String
  end

  class PersonMapper < Shale::Mapper
    mapped_class Person
    attribute :address, AddressMapper
  end

  # use like this
  PersonMapper.from_xml("...."); PersonMapper.to_xml(person)
and then, for _dead_ simplicity, you can add another method generate_mapped_class "Person"

which will define that PORO class for user for extra DRYness. API is basically the same, no repetition, but amount of rewrite with new requirements is drastically less.

I'm not asking you to rewrite your library, and I probably won't write and release mine, just saying that considering future self isn't that hard. And yeah, it's a bit of a rant about ActiveRecord from a user of Rails since 2006.

beerkg · 4 years ago
I like it actually, using POROs (or any class for that matter) is definitely a big advantage. Maybe I'll implement something like that for version 2 :)
forgingahead · 4 years ago
Thanks for this! Definitely going to use this for one of our big projects.

*Edit: nice docs site as well - what are you using for it?

beerkg · 4 years ago
It's a custom template I created (based on https://vuepress.vuejs.org/), because I couldn't find anything that simple. The source code is available on https://github.com/kgiszczak/shale-website

Interactive examples are powered by https://opalrb.com/

pmontra · 4 years ago
It would be great to be able to generate the Ruby models from XML Schema Definition files (.xsd). No mistakes and a huge time saver.
beerkg · 4 years ago
Yeah, Shale supports generating models from JSON Schema for now, XML is work in progress and should be ready in two or three weeks.
zwp · 4 years ago
Rexml has been gemified. Shale's gemspec doesn't require a specific version of rexml and rexml<3.2.5 is vulnerable to CVE-2021-28965. I just checked Ubuntu 20.04 LTS and got Ruby 2.7 with rexml 3.2.3 by default so this seems like a realistic concern and it would be safer if shale required a minimum rexml version.

See http://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-v...

beerkg · 4 years ago
I have mixed feelings about this, standard library's vulnerabilities are part of Ruby's vulnerabilities, so you would update your Ruby version anyway. But you're right, specifying the version explicitly would prevent this.
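Pinning the dependency and auditing what is actually installed, as an added example that is not Shale's gemspec and not from the thread. The threshold (rexml below 3.2.5 affected by CVE-2021-28965) and the 3.2.3 figure for Ubuntu 20.04 come from zwp's comment; the gemspec line `spec.add_dependency "rexml", ">= 3.2.5"` is standard RubyGems syntax, and the Gemfile.lock fragment is constructed for the example. The `dependency_satisfied?` check uses `Gem::Requirement`, the same matcher Bundler applies to that gemspec line.

```ruby
require "rubygems"   # Gem::Version and Gem::Requirement

# Threshold from the thread: rexml < 3.2.5 is affected by CVE-2021-28965.
# In a gemspec this would be:  spec.add_dependency "rexml", ">= 3.2.5"
REXML_REQUIREMENT = ">= 3.2.5"

# Evaluate a gemspec-style requirement string against a version string.
def dependency_satisfied?(requirement, version)
  Gem::Requirement.new(requirement).satisfied_by?(Gem::Version.new(version))
end

# Pull a gem's locked version out of Gemfile.lock text (lines look like
# "    rexml (3.2.3)" under the specs: section). Returns nil if absent.
def locked_version(lockfile_text, gem_name)
  match = lockfile_text.match(/^\s+#{Regexp.escape(gem_name)} \(([^)]+)\)\s*$/)
  match && match[1]
end

# Constructed Gemfile.lock fragment carrying the rexml version the thread
# reports for Ubuntu 20.04's Ruby 2.7.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rexml (3.2.3)
LOCK

# Audit a lockfile: the locked version and whether it meets the requirement.
def audit_lockfile(lockfile_text, gem_name = "rexml", requirement = REXML_REQUIREMENT)
  version = locked_version(lockfile_text, gem_name)
  { version: version, ok: !version.nil? && dependency_satisfied?(requirement, version) }
end

# Audit the rexml this interpreter would actually load. rexml is a bundled
# gem, so it can be missing entirely; report that as not satisfied.
def audit_loaded_rexml(requirement = REXML_REQUIREMENT)
  require "rexml/rexml"   # defines REXML::VERSION
  { version: REXML::VERSION, ok: dependency_satisfied?(requirement, REXML::VERSION) }
rescue LoadError
  { version: nil, ok: false }
end

if __FILE__ == $PROGRAM_NAME
  [audit_lockfile(SAMPLE_LOCKFILE), audit_loaded_rexml].each do |r|
    status = r[:ok] ? "meets" : "does NOT meet"
    puts "rexml #{r[:version] || 'not found'}: #{status} #{REXML_REQUIREMENT}"
  end
end
```

The lockfile check is the one worth wiring into CI, since it reflects what deploys rather than what the developer's machine happens to have; the loaded-version check is a quick local sanity test.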
codesnik · 4 years ago
One of the things that keeps being repeated in ruby land is that domain objects are usually married to storage/serialisation method. At some point of application maturity you'll need some other method of serialisation, some other type casting or conversion logic for your form or something else, but by that time a lot of surrounding code would depend on implicit logic of the original base library. ActiveRecord does this, and your library does it too. Object mappers which can initialize or serialize instances of other classes, including PORO, are much more versatile and future-proof. And API for doing that could look almost the same as yours.
beerkg · 4 years ago
I totally agree with your points, but this approach has one big advantage - it's dead simple - define attributes and mapping and you're good to go.
WJW · 4 years ago
In the last example, where does it find the values for the `married`, `age`, `zip` and `hobbies` attributes? They are not present in the JSON string?
beerkg · 4 years ago
Ah, I messed up the example, Person class definition should look like this:

  require 'shale'

  # Address mirrors the nested object in the JSON below
  class Address < Shale::Mapper
    attribute :street, Shale::Type::String
    attribute :city, Shale::Type::String
  end

  class Person < Shale::Mapper
    attribute :first_name, Shale::Type::String
    attribute :last_name, Shale::Type::String
    attribute :age, Shale::Type::Integer
    attribute :married, Shale::Type::Boolean, default: false
    attribute :hobbies, Shale::Type::String, collection: true
    attribute :address, Address
  end
And the JSON used for parsing also should contain those attributes, like:

  {
    "first_name": "John",
    "last_name": "Doe",
    "age": 30,
    "married": false,
    "hobbies": ["Singing", "Dancing"],
    "address": {
      "street": "Oxford Street",
      "city": "London"
    }
  }
