Engineering
- Engineering
- Last Updated: May 14, 2024
- Richard Schneeman
Debugging is an important skill to develop as you work your way up to more complex projects. Seasoned engineers have a sixth sense for squashing bugs and have built up an impressive collection of tools that help them diagnose and fix bugs.
I’m a member of Heroku’s Ruby team and creator of CodeTriage, and today we’ll look at the tools that I used on a journey to fix a gnarly bug in Sprockets. Sprockets is an asset packaging system written in Ruby that lies at the heart of Rails’ asset processing pipeline.
At the end of the post, you will know…
- Engineering
- Last Updated: April 04, 2024
- Joe Kutner
This blog post is adapted from a talk given by Joe Kutner at Devoxx 2018 titled "10 Mistakes Hackers Want You to Make."
Building self-defending applications and services is no longer aspirational–it’s required. Applying security patches, handling passwords correctly, sanitizing inputs, and properly encoding output is now table stakes. Our attackers keep getting better, and so must we.
In this blog post, we'll take a look at several commonly overlooked ways to secure your web apps. Many of the examples provided will be specific to Java, but any modern programming language…
- Engineering
- Last Updated: June 03, 2024
- Stella Cotton
This blog post is adapted from a talk given by Stella Cotton at RailsConf 2018 titled “So You’ve Got Yourself a Kafka.”
https://www.youtube.com/embed/Rzl4O1oaVy8
In recent years, designing software as a collection of services, rather than a single, monolithic codebase, has become a popular way to build applications. In this post, we’ll learn the basics of Kafka and how its event-driven process can be used to power your Rails services. We’ll also talk about practical considerations and operational challenges that your event-driven Rails services might face around monitoring and scaling…
- Engineering
- Last Updated: March 29, 2024
- Jonan Scheffler
The Ruby committers have again continued their annual holiday tradition of gifting us a new Ruby version: Ruby 2.6 was released today, including the long awaited Just-In-Time (JIT) compiler that the Ruby team has been working on for more than a year.
Just-In-Time compilation requires Ruby to spin up a compiler process on startup, and we’re proud to say that this feature is supported today on Heroku thanks to the diligent efforts of our very own Richard Schneeman. We’d also like to thank fellow Herokai Nobuyoshi Nakada for his effort making sure the new JIT works well with all of…
- Engineering
- Last Updated: June 03, 2024
- Vikram Rana
Building a SaaS product, a system to handle sensor data from an internet-connected thermostat or car, or an e-commerce store often requires handling a large stream of product usage data, or events. Managing event streams lets you view, in near real-time, how users are interacting with your SaaS app or the products on your e-commerce store; this is interesting because it lets you spot anomalies and get immediate data-driven feedback on new features. While this type of stream visualization is useful to a point, pushing events into a data warehouse lets you ask deeper questions using SQL.
In this post, we’ll…
- Engineering
- Last Updated: June 03, 2024
- Richard Schneeman
Rails applications that use ActiveRecord objects in their cache may experience an issue where the entries cannot be invalidated if all of these conditions are true:
- They are using Rails 5.2+
- They have configured config.active_record.cache_versioning = true
- They are using a cache that is not maintained by Rails, such as dalli_store (2.7.8 or prior)
In this post, we discuss the background to a change in the way that cache keys work with Rails, why this change introduced an API incompatibility with 3rd party cache stores, and finally how you can find out if your app is at risk and how to…
- Engineering
- Last Updated: April 29, 2024
- chris le roy
Seccomp (short for secure computing mode) is a useful feature provided by the Linux kernel since 2.6.12 and is used to control the syscalls made by a process. Seccomp has been implemented by numerous projects such as Docker, Android, OpenSSH and Firefox, to name a few.
In this blog post, I am going to show you how you can implement your own seccomp filters, at runtime, for a Go binary on your Dyno.
By default, when you run a process on your Dyno, it is limited by which syscalls…
- Engineering
- Last Updated: August 14, 2018
- Chris Castle
This is the first in a series of blog posts examining the evolution of web app architecture over the past 10 years. This post examines the forces that have driven the architectural changes and a high-level view of a new architecture. In future posts, we’ll zoom in to details of specific parts of the system.
The standard web application architecture suitable for many organizations has changed drastically in the past 10 years. Back in Heroku’s early days in 2008, a standard web application architecture consisted of a web process type to respond to HTTP requests, a database to persist…
- Engineering
- Last Updated: June 27, 2018
- Camille Baldock
Over the past few weeks, Heroku proactively updated our entire Redis fleet with a version of Redis not vulnerable to CVE-2018-11218. This was an embargoed vulnerability, so we did this work without notifying our customers about the underlying cause. As always, our goal was to update all Heroku Redis instances well before the embargo expired.
As a Data Infrastructure Engineer at Heroku, I wanted to share how we manage large fleet operations such as this one. The most important aspect of our job is keeping customers safe from security vulnerabilities, while also minimizing disruption and…
- Engineering
- Last Updated: June 19, 2018
- Richard Schneeman
All previously released versions of Sprockets, the software that powers the Rails asset pipeline, contain a directory traversal vulnerability. This vulnerability has been assigned CVE-2018-3760.
How do I know if I'm affected?
Rails applications are vulnerable if they have this setting enabled in their application:
```ruby
# config/environments/production.rb
config.assets.compile = true # setting to true makes your app vulnerable
```
Note: The default value of this setting that ships with Rails in production.rb is false. By default, Rails apps running in production mode are not vulnerable to this exploit.