Ruby 1.9.2 Hash Syntax Changes

Symbol is greatly used in Ruby programs. It is an object of Symbol class. It represents some strings inside the Ruby interpreter. When you think that the string you are going to create would probably going to be reused somewhere again, then you should consider using symbols. The benefit of Symbol is really performance. During a Ruby program’s execution, as long as the symbol contents are the same, they are actually the same object, so it will refer to the same object in memory. e.g. 

user1 = {:name => "Shanison"}
user2 = {:name => "Lin"}

Above codes actually only creates 1 symbol object, 2 strings object and 2 hash objects. Imagine that you are creating a lot of hash, the :name symbol would save a lot of object creation. You can even query all the symbols in your program:

Symbol.all_symbols # return an array of symbols

Enough about the introduction to symbols. What I want to talk about is actually about Hash. When constructing a hash, you would use symbol as the keys quite often. Probably due to this reason, in Ruby 1.9 it introduced a new Syntax for Hash.

user1 = {name: "Shanison"}
user2 = {name:  "Lin"}

At first glance, this looks pretty much like syntax for defining javascript object. Looks great. However, take note that the colon must be right after the key without any space. So it is not exactly the same as javascript object syntax.

user1 = {name : "Shanison"} # This will cause syntax error

This shorten syntax sometimes looks short and sweet when you pass it as a parameters.

server = Server.new(
addr: "192.167.123.1",
user: 'id_'
)
# Compares to Below
server = Server.new(
:addr => "192.167.123.1",
:user => 'id_'
)

However, do note that this syntax only works for symbol keys. So if you want to use strings or numbers as the hash keys, you can’t write the syntax in this way. e.g. Below code would return you error:

user1 = {"name": "Shanison"}  # Give Syntax error
user2 = {1:  "Lin"} # Give Syntax error

You can even mix the syntax when your hash has both symbol and numbers as keys, although the combination looks funny.

user1 = {name: "Shanison", 1 => "one"}

However, when your value is also a symbol, this syntax looks really funny:

user1 = {name: :source}

Due to above reasons, I still prefer the old syntax. It is just an options and personal preference, so there is no right or wrong in which syntax you adopt.

May 19, 2013 | shanison | Tags: | Comments Closed

Nokogiri with open-uri returns blank file

I met one very strange problem today.

Below code is working fine on my local machine under ruby 1.8.7 with nokogiri version 1.5.9:

require 'nokogiri'
require 'open-uri'
require 'net/http'

doc = Nokogiri::HTML(open('http://shareinvestor.com'))
puts doc.text

However above code is giving me problems on production servers with ruby 1.8.7 and nokogiri version 1.5.9. The last line returns empty string instead of the whole html. The only difference between the two servers is the ruby patch levels:

my local machine: ruby 1.8.7 (2011-02-18 patchlevel 334) [i686-darwin10.6.0]
production server: ruby 1.8.7 (2009-3-1 mbari 8B/0×8770 on patchlevel 72) [i686-linux]


So I thought the open-uri.rb might be different, checking the open-uri.rb found out that they are exactly the same. So I can’t think of any cause that is causing this problem.

Anyway below is the fix if you met this issue. You have to use File.read to read the html opened by open-uri.

require 'nokogiri'
require 'open-uri'
require 'net/http'

doc = Nokogiri::HTML(File.read(open('http://shareinvestor.com').path))
puts doc.text # this one now returns the correct html
March 25, 2013 | shanison | Comments Closed

Upgrade Ruby on Rails Application from 2.2.2 to 3.2.12

Ruby on Rails has changed a lot these few years. There are some security issues found recently. One of them is regarding the vulnerability in the JSON parser that comes with Active Support. You can read more here. However, the patch provided is only available for Rails 2.3.x and 3.0.x. I checked the code for Rails 2.2.2 and found that this version is affected as well. Without the official patch, I have to come up with my own patch for that. This is a serious problem if your application is not up to date with Rails. I developed a Ruby on Rails website that provides stocks information about three years ago with a small team, which stayed with Rails 2.2.2. Now it is time to upgrade it to the latest Rails 3.2.12. Below is how I did it and some of the major changes that has to be made in the code.

 

The whole project structure has changed quite a lot between Rails 2 and Rails 3 especially with the introduction of asset pipeline and bundlers. The easier way to upgrade your apps is to create a blank new Rails 3 apps and move in all the new folders into your old Rails 2 apps. For the files with the same names under same directories e.g. config/environments.rb, config/environments/production.rb, there are some API/format changes, so you need to compare the contents and see how to merge them. After you have done that, you can try to start your rails applications, which I believe the server can’t even be started. You should check every single error messages shows up in the console and fix them one by one until everything is fine. Below are some major changes that I met with.

 

  1. For the app/controllers/application.rb, it should be named as application_controller.rb now. Otherwise ‘uninitialized constant ApplicationController’ would be thrown.
  2. ENV['RAILS_ENV'] is now deprecated, use Rails.env instead.
  3. Rails.root class used to be String. Now it is changed to PathName. So you can’t do things like below: 
    File.read(Rails.root + "/config/streaming_config.yml")
  4. lib folders are not auto loaded. So you will see some missing constant errors. To auto load the lib folders add below two lines to the config/application.rb. 
    config.autoload_paths += %W(#{config.root}/lib)
config.autoload_paths += Dir["#{config.root}/lib/**/"]
  5. filter_parameter_logging is no longer available. To filter out the parameters you can do it in the config/application.rb. 
    config.filter_parameters += [:password]
  6. You cannot access controller methods in the view with @controller anymore. You have to use controller instead.
  7. For action view rendering, you no longer need to call h(string) to escape HTML output, it is on by default in all view templates. In Rails 2 you need to do below to escape the parameters, if not, you are vulnerable for XSS attacks. 
    <%= h @params[:user_name] %>

    In Rails 3, this html escape is on by default. However if the variable or contents you are trying to render contains html, and you want to render the html you have to explicitly call raw methods or html_safe method.

    <%= raw @page.content %>
    <%= @page.content.html_safe %>

    I forget to put raw or html_safe in some of the views, and it renders escaped html instead. So you may want to check across the whole site to make sure everything is alright.

  8. For form_tag and form_for, you need to use <%= %> instead of <% %>, otherwise the form won’t be rendered at all.
  9. will_paginate 2 won’t work with Rails 3. Have to upgrade to will_paginate 3 otherwise uninitialized constant ActiveRecord::Associations::AssociationCollection error will be thrown.
  10. Array.paginate will throw error.The Array#paginate method still exists, too, but is not loaded by default. If you need to paginate static arrays, first require it in your code: require ‘will_paginate/array’
  11. For active record, save(false) changed to 
    save(:validate => false)
  12. request.request_uri changed to request.url
  13. REXML::Document is not auto loaded, need to explicitly require it before using. 
    require 'rexml/document'
  14. rake API changes. The :needs => :environments is deprecated. In Rails 2 : 
    task :task_name, :argument_name, :needs => :environment do |t,args|
    # ...
 end

    In Rails 3, you have to do the following: 

    task :task_name, [:argument_name] => :environment do |t,args|
    # ...
 end
  15. params[:path] used to be an array of the path split by slash. e.g. you might see the value as ['user', 'details.html'], now it is a string /user/details. Note that params[:path] doesn’t contains the format.
  16. interpreate_status is not in use any more. You can use Rack::Utils::HTTP_STATUS_CODES[status_code] to do the same thing.
  17. Mailer API changes. In Rails 2, you would call deliver_welcome_email or create_welcome_email. This has been deprecated in Rails 3.0 in favour of just calling the method name itself. So you can call Mailer.welcome_email.
  18. Mail API changes. In Rails 2 you define a mailer like below (this example is copied from rails guide) 
    class UserMailer < ActionMailer::Base
  def welcome_email(user)
    recipients    user.email
    from          "notifications@example.com"
    subject       "Welcome to My Awesome Site"
    sent_on       Time.now
    body          {:user => user, :url => "http://example.com/login"}
  end
end

    However in Rails 3 above codes has to be changed to below:

    class UserMailer < ActionMailer::Base
  def welcome_email(user)
    @user = user
    @url =  "http://example.com/login"
    mail(
        :to            => user.email
        :from       =>    "notifications@example.com"
        :subject    =>   "Welcome to My Awesome Site"
        :date        =>       Time.now
    )
  end
end
  19. If a action name is not defined in the controller but the corresponding views file exists, in Rails 2, it will call method_missing. However in Rails 3, it won’t call method_missings. Thus in the help controller we can’t use the method_missing to dynamic rendering the views.

 

March 18, 2013 | shanison | Tags: | Comments Closed

How to Invest in Gold in Singapore

I still remember the day that I could buy a can of coca cola at 80cents from a vending machine 3 years ago. Now you need to pay S$1.2 for that. 40 cents increase looks small from the absolute amount, but that is actually 50% increase in price! This is how terrible the inflation is for these few years. At this high inflation environment, the interest rate is as low as equal to zero. Your money in the bank is slowly dwindling away if you don’t do anything to it. Among the various choice of investment, Gold is a popular choice for hedging against inflation.

If you are thinking of investing in gold or buying gold, here are a few things you can do in Singapore.

 

Buying Physical Gold

If you are thinking of buying physical gold, the easiest way is buying jewelry, where you can easily find those jewelry shops in Singapore especially in Little India as Indian loves buying gold. The other way is buying gold coins or gold bar. There are some trading companies doing this e.g. GoldPrice You can either keep the gold at home or some bank. DBS provides Safe Deposit Boxes service, where you can store your golds there without worrying about being stolen.

Trading gold in this way is troublesome and inefficient. There are some company that allow you buy gold bullion online at live gold prices. You may want to check out gold at BullionVault.

 

Gold ETFs

Exchange-Traded Fund (ETF) is an investment fund that can be traded like stocks on stock exchange. There are many physically backed gold ETF in the world. One of the most popular ones is SPDR Gold ETF Trust. SPDR® Gold Shares is the first gold-backed exchange-traded fund to be listed in Asia. Sponsored by the World Gold Trust Services LLC, the SPDR® Gold Shares are designed to track the price of gold and trade like any stock on the exchange. Below is the share price for SPDR Gold Shares, from the charts you can tell that it follows the actual Gold price.

SPDR Gold Shares Price

SPDR Gold Shares Price

 

Gold Miner Stocks

Invest in Gold miner stocks can be an alternative way to invest in Gold. However, do note that Gold Miner Stocks’ share price won’t follow Gold price exactly. If gold price go up 10%, the share price could go up possibly 20%. If gold price drop 10%, the share price could drop more than that. So in another word, investing in gold miner stocks is more risky. High risk comes with higher returns. If you expect gold to be as bullish as previous few years, then investing in gold miner stocks may be a good options.

 

LionGold Corp is an SGX-listed investment holding company focussing on gold mining, mine development and exploration. The company changed its name from Think Environmental to LionGold after adopting its gold-focused strategy in 2011. From the chart below, you can also tell that it is much more volatile than gold. So trade with caution.

Lion Gold TA Chart

Lion Gold TA Chart

 

This article is not meant to give you suggestion on what ETF or stock to trade but some general information on how to buy gold in Singapore. So trade at your own risk. Interesting thing is that Warrant Buffet said that he will never invest in Gold.

 

“When we took over Berkshire, it was selling at $15 a share and gold was selling at $20 an ounce. Gold is now $1600 and Berkshire is $120,000. Or you can take a broader example. If you buy an ounce of gold today and you hold it at hundred years, you can go to it every day and you could coo to it and fondle it and a hundred years from now, you’ll have one ounce of gold and it won’t have done anything for you in between. You buy 100 acres of farm land and it will produce for you every year. You can buy more farmland, and all kinds of things, and you still have 100 acres of farmland at the end of 100 years. You could you buy the Dow Jones Industrial Average for 66 at the start of 1900. Gold was then $20. At the end of the century, it was 11,400, and you would also have gotten dividends for a hundred years.” – Warrant Buffet

 

From investing perspective, I agree with that invest on stocks may give you better return, however, stock market comes with much higher risk. So diversify your investment in stocks, gold, bonds and property is much more ideal for me personally. The weight to invest in each, of course, depends on your risk appetite.

October 7, 2012 | shanison | Tags: , | No Comments »

Unset/Remove Apache Response Header – Protect your server information

When a browser submit a request for a page to the apache web server, it will send back the response data as well as response headers. The response headers usually contains important information like response Status, Content Type, Date and Time of Response etc. However, sometimes if you don’t configure the web server properly, it will expose some important information about the server in the response header. The below screenshot shows a poor configured server:

Poor Configured Response Headers

Poor Configured Response Headers

 

You can see that from the response header I can tell that the website is hosted using Apache server and furthermore it is using Phusion Passenger V 3.0.11. If there is any vulnerability issue with this version of Passenger, the hacker can easily use this information and hack the website! So the solution is to hide this kind of information.

 

To do that you have to use the Apache Header Directive. Basically this Header Directive is processed just before the response is sent back to the network, so it allows you to overwrite/modify the response header set by your application.

 

Load Apache Headers Module. First, make sure you have header module installed, use the following command to see all the loaded modules:

httpd -M

Check headers_module is in the list. If header module is not loaded, you have to load it in the httpd config.

Locate your httpd config files. If you are not sure where is your config files, run the following command to show the compile settings:

httpd -V

It should show HTTPD_ROOT as well as SERVER_CONFIG_FILE. In my case, the following is the output for this two settings:

-D HTTPD_ROOT=”/usr/local/httpd”

-D SERVER_CONFIG_FILE=”conf/httpd.conf”

From here, you knows that your httpd.conf location is /usr/local/httpd/conf/httpd.conf. After you locate httpd.conf, edit this file and add the following line to load the header module

LoadModule headers_module modules/mod_headers.so

Now, do httpd -M again, you should see the loaded modules include headers_module.

After headers_module is loaded, include the following lines of config in the httpd.conf, if the settings are there, make sure it is the correct value.

ServerSignature Off
ServerTokens Prod

Normally apache would display a trailing footer line, which includes information like server name, version etc,  under server generated documents, e.g. error message etc. So ServerSignature Off would turn this off. So it won’t include this trailing footer line. ServerTokens Prod will only return “Apache” in the Server header without any version number.  For details explanation, refer to this apache documentation.

 

Further more, we should totally unset the Server header and X-Powered-By header, so include the following lines in the httpd.conf as well.

# If mod_headers module is included, we will disable the Server response header totally
<IfModule mod_headers.c>
  Header unset Server
  Header unset X-Powered-By
</IfModule>

With the above changes, you should have already unset or removed those apache response headers that expose important security informations.

July 5, 2012 | shanison | Tags: | 7 Comments »
« Older Entries