bundler-audit is a small utility which checks the gems pinned in your Gemfile.lock against the Ruby Advisory Database.

You can simply run it via bundle audit (ideally after a bundle audit update, which refreshes the local copy of the advisory database) and it will report insecure gem sources, i.e. git:// and http:// URIs that are fetched without any transport authentication, as well as library versions that have known vulnerabilities:

$ bundle audit
Insecure Source URI found: git://github.com/compass/compass-rails.git
Insecure Source URI found: git://github.com/sinatra/sinatra.git

Name: nokogiri
Version: 1.8.2
Advisory: CVE-2018-8048
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/pull/1746
Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS
Solution: upgrade to >= 1.8.3

Name: paperclip
Version: 4.3.7
Advisory: CVE-2017-0889
Criticality: High
URL: https://github.com/thoughtbot/paperclip/pull/2435
Title: Paperclip ruby gem suffers from a Server-Side Request Forgery (SSRF) vulnerability
in the Paperclip::UriAdapter and Paperclip::HttpUrlProxyAdapter class. …
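To make the two checks above concrete, here is an added example written for this page (it is not bundler-audit's own code, which reads the full advisory database through Bundler's lockfile parser): it parses a constructed Gemfile.lock, flags git:// and http:// sources, and compares the locked versions against a tiny inline advisory list using RubyGems' own version requirements. The nokogiri entry mirrors the advisory shown above; the paperclip patched range (>= 5.2.0) is an assumption made for illustration.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement ship with Ruby itself

# Constructed sample lockfile (not from a real project), modelled on the
# sources and versions in the bundle audit output above.
LOCKFILE = <<~LOCK
  GIT
    remote: git://github.com/sinatra/sinatra.git
    revision: 0000000000000000000000000000000000000000
    specs:
      sinatra (2.0.1)
        rack (~> 2.0)

  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.8.2)
        mini_portile2 (~> 2.3.0)
      paperclip (4.3.7)
      rack (2.0.5)

  PLATFORMS
    ruby

  DEPENDENCIES
    nokogiri
    paperclip
    sinatra!
LOCK

# Inline stand-in for the Ruby Advisory Database. The nokogiri range comes
# from the advisory above; the paperclip range is an assumption.
ADVISORIES = [
  { gem: "nokogiri",  id: "CVE-2018-8048", patched: [">= 1.8.3"] },
  { gem: "paperclip", id: "CVE-2017-0889", patched: [">= 5.2.0"] },
].freeze

# Returns [source_uris, { gem_name => Gem::Version }]. Spec lines are the
# four-space-indented "name (version)" entries; deeper lines are their
# dependencies and are skipped. A "-platform" suffix is dropped because it
# is not part of the version being audited.
def parse_lockfile(text)
  sources = []
  specs = {}
  text.each_line(chomp: true) do |line|
    if (m = line.match(/\A  remote: (\S+)\z/))
      sources << m[1]
    elsif (m = line.match(/\A    (\S+) \(([^)]+)\)\z/))
      specs[m[1]] = Gem::Version.new(m[2].sub(/-.*\z/, ""))
    end
  end
  [sources, specs]
end

# git:// and http:// are fetched in the clear with no server authentication,
# so anyone on the network path can substitute code. Only https:// or ssh
# sources are acceptable.
def insecure_sources(sources)
  sources.select { |uri| uri.start_with?("git://", "http://") }
end

# A locked gem is vulnerable to an advisory unless its version satisfies at
# least one of the advisory's patched ranges.
def vulnerable_gems(specs, advisories = ADVISORIES)
  advisories.select do |adv|
    version = specs[adv[:gem]]
    next false unless version
    adv[:patched].none? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
  end
end

def audit(text = LOCKFILE)
  sources, specs = parse_lockfile(text)
  {
    insecure_sources: insecure_sources(sources),
    vulnerable: vulnerable_gems(specs).map { |a| [a[:gem], specs[a[:gem]].to_s, a[:id]] },
  }
end

if __FILE__ == $PROGRAM_NAME
  report = audit
  report[:insecure_sources].each { |uri| puts "Insecure Source URI found: #{uri}" }
  report[:vulnerable].each { |name, version, id| puts "#{name} #{version}: #{id}" }
end
```

Running it prints the sinatra git:// source plus nokogiri 1.8.2 and paperclip 4.3.7 as vulnerable; the rack and sinatra versions pass because no advisory names them. In a CI job you would exit non-zero whenever either list is non-empty, which is what bundle audit does.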

I originally wrote this article for Codementor in October 2014. It should have something for everyone, from fairly new git users to experienced developers.

1. Discard local file modifications

Sometimes the best way to get a feel for a problem is diving in and playing around with the code. Unfortunately, the changes made in the process sometimes turn out to be less than optimal, in which case reverting the file to its original state can be the fastest and easiest solution:

git checkout -- Gemfile # reset specified path 
git checkout -- lib bin # also works with multiple arguments

In case you’re wondering, the double dash (--) is a common way for command line utilities to signify the end of command options. …

I’m fascinated by Postgres: the more I learn about it, the more I realize how much I still don’t know. Recently I discovered its asynchronous communication capabilities, which apparently have been around for a long time ¯\_(ツ)_/¯

Let’s look at the two most interesting commands related to this topic, NOTIFY and LISTEN. Here's what the documentation has to say on them:

NOTIFY provides a simple interprocess communication mechanism for a collection of processes accessing the same PostgreSQL database. …

We all know the problem: different developers prefer different libraries, especially for their development workflow. However, for various reasons we may not just want to add them unconditionally to our application’s Gemfile:

  • Added dependencies (including their own dependencies) for something that doesn’t directly relate to the actual app.
  • Bikeshedding discussions about the virtue of gem A over gem B or why we should never use gem C 🙄

For this reason I generally add a Gemfile.dev entry to my .gitignore, which every developer can customize to their heart’s content with a list of gems that fit their workflow but may not be interesting to/wanted by other people on the same team. …
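The wiring this relies on, as an added example rather than the post's own Gemfile (the gem names are placeholders): the checked-in Gemfile loads the git-ignored file through Bundler's eval_gemfile whenever it is present.

```ruby
# Gemfile (checked in)
source "https://rubygems.org"

gem "rails"
# ... the application's real dependencies ...

# Each developer's private, git-ignored extras. eval_gemfile is Bundler's own
# DSL method for evaluating another file in the Gemfile context; the guard
# keeps CI machines and fresh clones without the file bundling cleanly.
eval_gemfile "Gemfile.dev" if File.exist?("Gemfile.dev")

# Gemfile.dev (listed in .gitignore; contents are one developer's choice)
group :development do
  gem "awesome_print"
  gem "pry-byebug"
end
```

Two things to keep in mind: Bundler resolves the extra gems into Gemfile.lock like any other dependency, so a developer who adds something to Gemfile.dev ends up with a modified lock file that must not be committed, otherwise a frozen or deployment bundle install on a machine without Gemfile.dev (CI, production) will complain that the lock no longer matches the Gemfile. And since Gemfile.dev is evaluated with exactly the same privileges as the Gemfile every time bundler runs, treat it as code, not as configuration.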

Like many Ruby and Rails developers I use Pry instead of IRB for almost all of my projects.

Recently I realized that many people are not aware of the fact that pry supports project-specific .pryrc files, which can come in very handy, for example when trying things out in a Rails console. Just add a .pryrc file at the root of your application and add code you want to be available in each console session there. Here's a modified example from one of our applications:

This way when I start a new rails console session, I can always access admin or user and the caching will ensure the database only gets hit the first time the method is…
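An added illustration of what such a project-level .pryrc can look like (not the post's own example, which is not reproduced on this page; the User model and its email and admin columns are assumptions):

```ruby
# .pryrc in the application root. Pry evaluates ~/.pryrc first and then
# ./.pryrc from the current working directory when it starts.
if defined?(Rails)
  # Top-level defs become private methods on Object, so they are callable
  # from any binding in the console. The ||= memoisation means each lookup
  # hits the database only the first time the helper is called.
  def user
    @user ||= User.find_by!(email: "test@example.com")
  end

  def admin
    @admin ||= User.find_by!(admin: true)
  end
end
```

Because Pry picks up ./.pryrc from wherever it is started, a .pryrc is executable code that arrives with the repository, in the same way a Rakefile or .envrc does: have a look at it before opening a console inside a freshly cloned project you do not fully trust.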

This is the first in a series of Ruby on Rails related quick tips I’m going to publish over the next few days/weeks.

If I had to name the most underused tool in most Rails developers’ toolboxes, rails console --sandbox would be my choice. Here’s what the documentation has to say on it:

If you wish to test out some code without changing any data, you can do that by invoking rails console --sandbox.

Under the hood the sandbox console opens a database transaction when it starts and rolls it back when you leave, which is also why the statements below run inside SAVEPOINTs rather than their own BEGIN/COMMIT. Only database writes are undone by this: mails delivered, jobs pushed to an external queue or third-party APIs called from the session still happen, and the transaction (with any row locks it acquires) stays open for as long as the console does. Here’s an example sandbox console session:

→ rails c --sandbox
Loading development environment in sandbox (Rails 5.2.0)
Any modifications you make will be rolled back on exit
[1] (rails_new) main: 0> User.count
(17.7ms) SELECT COUNT(*) FROM "users"
=> 1
[2] (rails_new) main: 0> User.destroy_all
User Load (0.4ms) SELECT "users".* FROM "users"
(1.5ms) SAVEPOINT active_record_1
User Destroy (7.4ms) DELETE FROM "users" WHERE "users"."id" = $1 [["id", 1]]
(0.7ms) RELEASE SAVEPOINT active_record_1
=> [#<User id: 1, email: "test@example.com", created_at: "2018-06-26 07:22:18", updated_at: "2018-06-26 07:22:18">]
[3] (rails_new) main: 0> User.count
(0.3ms) SELECT COUNT(*) FROM "users"
=> 0
[4] (rails_new) main: 0>
(0.8ms) …

This is a rather old post I originally wrote in 2013, but it’s still a good introduction to Lua and Nmap scripting, so I decided to repost it.

Whether you are working as a security professional or a network administrator, chances are that Nmap (“Network Mapper”) is part of your regular toolkit. For many people this project, which was started by Gordon “Fyodor” Lyon in 1997, is the first choice when it comes to host and service discovery. …

For many years now Postgres has been my database of choice, but I still regularly find new and interesting features that I wasn’t yet aware of. The latest entry in this long list is "foreign data wrappers", an implementation of the SQL/MED ("SQL Management of External Data") specification which was added in Postgres 9.1.

This mechanism allows for integrating our database with data stored outside of it. …

I don’t know about you, but I can’t really remember the last time I added a bookmark to my browser (at least not on purpose, ⌘-D is right next to ⌘-F after all). So when I saw rustref.com, I knew I wanted to build something like this for the Ruby community, which is now available as rubyref.net.

RubyRef defines a list of CNAME records of the form *.rubyref.net which redirect to different Ruby related documentation sites. For example ruby.rubyref.net brings you to the core documentation, whereas api.rubyref.net redirects to the C API documentation and awesome.rubyref.net

One thing I always liked about Smalltalk was the “Method Finder” available in several of its dialects. The following screenshot shows the version included in Pharo as an example:

Image taken from “A quick tour of Pharo”, http://pharo.gforge.inria.fr/PBE1/PBE1ch2.html

Essentially, this offers two different features:

  1. Search for a method by (partial) name.
  2. Search for a method by example. By inputting a receiver, arguments (optional) and the expected result, one could find all methods that provide this functionality.

In early 2009 I had started teaching courses at RubyLearning, and in 2011 it dawned on me that a Ruby version of Method Finder would not only be useful to our students, but also rather easy to implement. So I got hacking, and about an hour later I had a first working prototype which I eventually released as a gem (source). …
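To show what "search by example" involves in Ruby, here is an added example written for this page; it is not the gem's code (the ExampleFinder name is mine) but implements the same idea, including the part that matters from a safety standpoint: blindly calling every method of an object with user-supplied arguments will happily call send, instance_eval or exit unless those are excluded, and rescuing too broadly would hide a SystemExit when it does happen.

```ruby
# Added example: a small "search by example" method finder in plain Ruby.
# Given a receiver, optional arguments and an expected result, it calls every
# public method of the receiver on a copy and reports those that return the
# expected value.
class ExampleFinder
  # Never call these blindly: they dispatch or eval arbitrary code, spawn
  # processes, end the interpreter, block on input, or change the receiver
  # in ways that working on a copy does not undo.
  DENYLIST = %i[
    send __send__ public_send method public_method
    instance_eval instance_exec class_eval module_eval class_exec module_exec
    eval exit exit! abort exec fork system spawn sleep gets readline
    require require_relative load autoload
    define_singleton_method instance_variable_set remove_instance_variable
    freeze display
  ].freeze

  # Search by example: which public methods of `receiver`, called with `args`,
  # return `expected`? Each candidate runs on a dup so bang methods cannot
  # mutate the caller's object (immediates such as Integer return self from dup).
  def self.find(receiver, *args, expected)
    receiver.methods.sort.select do |name|
      next false if DENYLIST.include?(name)

      begin
        receiver.dup.public_send(name, *args) == expected
      rescue StandardError, ScriptError, SystemStackError
        # Wrong arity, type mismatches and similar simply mean "not this one".
        # Deliberately not `rescue Exception`, which would also swallow
        # SystemExit and Interrupt.
        false
      end
    end
  end

  # Search by (partial) name, the other half of Smalltalk's Method Finder.
  def self.find_by_name(receiver, pattern)
    receiver.methods.grep(pattern).sort
  end
end

if __FILE__ == $PROGRAM_NAME
  p ExampleFinder.find("hello", "HELLO")       # upcase, swapcase and their bang variants
  p ExampleFinder.find(5, 3, 8)                # the + operator
  p ExampleFinder.find_by_name("hello", /\Aup/)
end
```

ExampleFinder.find("hello", "HELLO") reports upcase and swapcase together with upcase! and swapcase!, because on the throwaway copy the bang variants return the changed string too; the original "hello" is left untouched. A production version would also run each call under a timeout, since a method that blocks indefinitely is as much of a problem as one that exits.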


Michael Kohl

Your friendly neighborhood anarcho-cynicalist. Taming bits and herding developers, aka CTO. ¯\_(ツ)_/¯ and (╯°□°)╯︵ ┻━┻) are my two natural states.
