Hacker News: alexpls's comments

For folks who wanna see what led to this exploit in a Rails codebase, here’s the commit where it’s fixed:

https://gitlab.com/gitlab-org/gitlab/-/commit/c571840ba2f0e9...


This doesn't look like the actual fix but rather a follow-up refactor. I believe the fix is here: https://gitlab.com/gitlab-org/gitlab/-/commit/abe79e4ec43798...

    - recoverable.send_reset_password_instructions(to: email) if recoverable&.persisted?
    + recoverable.send_reset_password_instructions if recoverable&.persisted?
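Review bot: dropping the `to:` argument is only a complete fix if `send_reset_password_instructions` now derives its recipients from `recoverable` itself and never from caller input; the hunk alone does not show that, so it should be reviewed together with that method and accompanied by a regression test that submits a list containing an address the account does not own and asserts no instructions are sent to it.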


On GitHub, the fix would be adding a regex to ensure there was no list in the user-supplied email.


and making send_reset_password_instructions get the email addresses itself from the "recoverable" object.


Oh yeah, good pickup thanks!


    # Concern that overrides the Devise methods
    # to send reset password instructions to any verified user email
    module RecoverableByAnyEmail
So it was a feature??

Anyway, in the fixed version it's still called RecoverableByAnyEmail. Do people not read the code around what they are changing??


It does say any email doesn't it? Not verified, any.


> "RecoverableByAnyEmail"

Added 8 months ago [1]. And then one month later:

> "password_reset_any_verified_email"

Was removed. 7 months ago [2], *note* __verified__ word here.

No blaming or conspiracy intended in this post, just listing links to relevant commits.

1 - https://gitlab.com/gitlab-org/gitlab/-/commit/94069d38c9cd63...

2 - https://gitlab.com/gitlab-org/gitlab/-/commit/a935d28f3decf8...


Haha, the first thing I would've caught in the initial PR was the file name... and the default setting of `confirmed: true`... seems like a big oversight or possibly an inside job (if I'm being conspiratorial).


As a non-Rubyist, can you point to the error?


Ruby. I kid, but also I don't.

Initially a single email could be passed into the API/form call and they would look it up. If found, they would send a recovery to that email, but it was the email the user supplied, not what was in the DB.

Oh, no problem we looked it up so they are the same!

But then the ability to look up accounts from a list of emails was added. If any email matched, the account lookup would succeed. Then they sent the reset link to that same user-supplied value, but OH NOEHS IT'S AN ARRAY NOW AND SOME MIGHT NOT HAVE MATCHED ACCOUNT EMAILS!

So they ended up sending out reset links to a tainted list of emails.

Rails "concerns" are the worst IMHO anyway, but looks like they aren't using strong params here either which is even worse. Also someone thought it was more elegant to reuse the tainted value which is par for the RoR course.
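An added illustration of the bug and fix described in the comment above (this is constructed example code, not GitLab's or Devise's): a lookup that accepts a list and succeeds on any match, the reset recipients derived from the tainted parameter versus from the recoverable record, and the input-shape check a sibling comment suggests. `User`, `ACCOUNTS`, the function names and the addresses are all constructed for this example.

```ruby
# Constructed account model: an id plus the verified addresses that may be
# used to look the account up (the "any verified email" feature).
User = Struct.new(:id, :verified_emails)

ALICE = User.new(1, ["alice@example.com", "alice@work.example"])
ACCOUNTS = [ALICE]  # constructed directory

# Lookup as the thread describes it: takes a single address or a list and
# succeeds if ANY entry matches a verified address of some account.
def find_recoverable(emails)
  wanted = Array(emails).map { |e| e.to_s.strip.downcase }
  ACCOUNTS.find { |u| (u.verified_emails & wanted).any? }
end

# Vulnerable shape: the lookup succeeds on one matching entry, but the
# recipient list is the caller-supplied value reused as-is, so every
# address in the tainted list would receive the reset token.
def reset_recipients_vulnerable(param)
  recoverable = find_recoverable(param)
  return [] unless recoverable
  Array(param)
end

# Fixed shape (what dropping the `to:` argument achieves): recipients come
# only from the record that was actually found, never from the parameter.
def reset_recipients_fixed(param)
  recoverable = find_recoverable(param)
  return [] unless recoverable
  recoverable.verified_emails
end

# Extra boundary check, as suggested elsewhere in the thread (not part of the
# fix shown): reject anything that is not a single, plausible email string
# before it reaches the lookup at all.
def single_email!(param)
  raise ArgumentError, "expected a single email string" unless param.is_a?(String)
  raise ArgumentError, "malformed email" unless param.match?(/\A[^@\s,]+@[^@\s,]+\z/)
  param
end
```

With a constructed list of `["alice@example.com", "unverified@example.org"]`, the vulnerable variant returns both addresses while the fixed variant returns only Alice's verified ones.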


This is actually a follow-up refactor, the fix is here: https://gitlab.com/gitlab-org/gitlab/-/commit/abe79e4ec43798...


Omg, did this fix have to be this bloated?


I've been playing around with the Playdate SDK (https://sdk.play.date) over the holidays and it's awesome for small games like the author describes.

Working with a tiny 1-bit screen and ~150MHz CPU puts some serious constraints on what you can do, which I've found to be pretty freeing (less analysis paralysis, more doing...)


First I'm hearing about this platform. How popular is it? Seems so obscure.


A Playdate game, Yoyozo, actually made Ars Technica's best games of 2023 list. Looks to be a bit of a small game like this.

I have one, it's fun to play with, and I have one of my games working on it, although I don't think it's good enough to release yet.

https://arstechnica.com/gaming/2023/12/ars-technicas-best-vi...


They sold over 50,000 of them in the first year (by May 2023). Maybe we'll get another sales update this year.


Thanks! And thanks also for your work on ContEx, its Sparkline module [1] was a big inspiration for what I ended up implementing.

[1] https://github.com/mindok/contex/blob/master/lib/chart/spark...


This really resonates. It's so easy to get caught up in chasing trends and overlook delivering customer value/stability.

Good luck on the next 11 years :)


Congratulations on launching!

Some feedback: the first thing I wanted to see on your landing page is what a screenshot taken with the tool looks like. It adds a bit of friction that to do that I need to browse to reddit, find a post, copy it in, wait for it to generate, etc.


Makes total sense. Thanks for the feedback!


I try to direct as much news to RSS as possible, where I can group feeds by topic, and not get distracted by a constant compulsion to refresh the page (which I feel strongly on HN and Twitter). Some tools I use:

* https://www.freshrss.org/ for subscribing to feeds

* https://netnewswire.com/ for reading them

* https://hnrss.github.io/ to get Hacker News into RSS

* https://mailgrip.io/ (project I'm building) to get email newsletters into RSS


Awesome! I had some fun implementing a System 6 inspired theme on a recent toy project for creating custom Slack emojis - https://temoji.me (desktop only).

Wish I knew about this framework earlier - would have saved me some time :)


The global gitignore is super useful! I add a “.x” entry to it so that I can create scripts, drafts, etc in a “.x” folder in any of my projects.

Wrote more details about how I do this here: https://alexplescan.com/posts/2022/04/17/the-x-files/


You had me - before clicking - at the url-slug "the-x-files". Loved the content and learned something useful. Thanks for pointing it out. Will be another little tool in my belt.


Just set this up on my machine! Thank you so much!

I'd just been bumping into this problem, but hadn't conceptualized such an elegant solution, so kept fumbling around, adding/moving things, futzing around with git way more than I wanted to.

Thank you!


Great presentation! Another short read that covers similar ground is "The Day You Became a Better Writer" by Scott Adams (creator of Dilbert):

https://dilbertblog.typepad.com/the_dilbert_blog/2007/06/the...

