by prophetjohn 5222 days ago
It's not like this is a little known pitfall with Rails. Anyone who has read Hartl's Rails tutorial knows about it[1]. It's very commonly mentioned in basics for Rails security.

And I say all this as someone who has never professionally developed for Rails. My experience with Rails consists of a couple of half-done toy projects. I find it pretty surprising that GitHub makes this mistake. But I don't think they should be burned at the stake for this. The bigger problem was how they were initially handling the issue, which they're trying to rectify now.

[1] However, Hartl recommends using attr_accessible at the model level and DHH says this preventative measure should be implemented in the controller, i.e.:

    class PostsController < ActionController::Base
      def create
        Post.create(post_params)
      end

      def update
        Post.find(params[:id]).update_attributes!(post_params)
      end

      private

      def post_params
        params[:post].slice(:title, :content)
      end
    end
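The controller-level whitelist above, as an added Rails-free example that is not the commenter's code: a stand-in `Post` class, a constructed request hash, and two `create` paths show which attributes survive unfiltered mass assignment versus the `post_params` slice. The `user_id`/`published` columns and the `"post"` parameter layout are assumptions for illustration.

```ruby
# Stand-in for an ActiveRecord model: every column is writable via mass
# assignment, which is the Rails default the thread is discussing.
class Post
  attr_accessor :title, :content, :user_id, :published

  def initialize(attrs = {})
    attrs.each { |k, v| public_send("#{k}=", v) }
  end

  def to_h
    { title: title, content: content, user_id: user_id, published: published }
  end
end

# Vulnerable path: whatever keys the client sends become attribute writes.
def create_post_unfiltered(params)
  Post.new(params["post"])
end

# Hardened path, as in the comment: the controller names the permitted keys.
# Request params arrive with string keys (as from Rack), so compare by name
# rather than relying on HashWithIndifferentAccess.
def post_params(params, permitted = %w[title content])
  params["post"].select { |k, _| permitted.include?(k.to_s) }
end

def create_post_filtered(params)
  Post.new(post_params(params))
end

# Constructed request: a normal post plus two keys a client must not control.
CONSTRUCTED_PARAMS = {
  "post" => {
    "title"     => "Hello",
    "content"   => "Body",
    "user_id"   => 1,     # ownership should be set server-side, not by the client
    "published" => true   # moderation flag, likewise server-controlled
  }
}

if __FILE__ == $0
  p create_post_unfiltered(CONSTRUCTED_PARAMS).to_h  # user_id and published set
  p create_post_filtered(CONSTRUCTED_PARAMS).to_h    # only title and content set
end
```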

I'm frankly amazed at how optimistic HN seems to be about "professional" coding practices. To this day I find "professional" developers writing fresh SQL injection vulnerabilities with some frequency.
People who read HN tend to be better coders than those who don't. Fizzbuzz exists because it is needed.
I don't find it in any way surprising that this has happened any more than I would find it surprising that if you put a big hole in a footpath that someone would fall into it.