Be Careful with GIDs in Rails

(blog.julik.nl)

27 points by julik5 days ago

8 comments

  • hopeless3 hours ago
    A bit of a bizarre post since to_sgid has existed forever to generate signed global ids. Global IDs are probably one the most powerful and underrated features of Rails but regular global ids are only supposed to be used internally (e.g. job params) and never sent to the client.<p>If there’s a gotcha it’s that _signed_ global ids are only signed, not encrypted, and very few people seem to know about the optimised method (globalid::Locator.locate_many) for loading a batch of global ids
  • otikik1 hour ago
    If you don&#x27;t want invoice 22 to be shown by someone putting 22 on the url, you definetly need to enforce permissions on your app. The Global ID issue is tangential to that.
  • philipallstar3 hours ago
    This title is odd, given the actual identified problem seems to be LLMs writing code.
    • claudiug2 hours ago
      yeah, but if you say LLM is shit, and not rails... goodbye views :)
  • config_yml2 hours ago
    &gt; GIDs are not checked for authorization when doing the lookup - they are meant to be generated above the authorization layer, and to be consumed above the authorization layer<p>Then the problem with this post boils down to applying the authorization layer in any tool call, just like you do in controllers. Seems obvious?
    • jeremy_k53 minutes ago
      Agreed. Seems like the author tried to get fancy using GIDs with LLMs to cut down on the logic in their tool calls and opened a can of worms.
  • rco87861 hour ago
    So....LLMs can hallucinate GIDs. I hope that everyone is aware of that.
  • kayodelycaon2 hours ago
    Rails is a dangerous place to be throwing random data into APIs.
  • moondowner3 hours ago
    Any popular Rails apps that use to_global_id?
    • rco87861 hour ago
      Almost any modern rails apps that have a job queue will use this at some point
    • rmosolgo2 hours ago
      Shopify: <a href="https:&#x2F;&#x2F;shopify.dev&#x2F;docs&#x2F;api&#x2F;usage&#x2F;gids#global-id-structure" rel="nofollow">https:&#x2F;&#x2F;shopify.dev&#x2F;docs&#x2F;api&#x2F;usage&#x2F;gids#global-id-structure</a>
    • hahahacorn2 hours ago
      Shopify <a href="https:&#x2F;&#x2F;shopify.dev&#x2F;docs&#x2F;api&#x2F;usage&#x2F;gids" rel="nofollow">https:&#x2F;&#x2F;shopify.dev&#x2F;docs&#x2F;api&#x2F;usage&#x2F;gids</a>
    • kayodelycaon2 hours ago
      The built-in ActiveJob api uses them.
  • usernamed72 hours ago
    the AI hallucinated and somehow it&#x27;s rails fault?<p>GID&#x27;s are great - i think the issue is with how they leveraged rubyLLM for something they should inherently not be using LLMs for.<p>&gt; Remember that GIDs were made for facilitating ActiveJob serialization - they are a system-level facility, not a product-level facility.<p>I think this is somewhat obvious given the signature like gid:&#x2F;&#x2F;awesome-app&#x2F;Post&#x2F;32; there is no scoping to the user or account so it should be treated like a global lookup. If you need scoping to a user&#x2F;account you can build that.<p>Honestly I think this is a matter of the author using poor design decisions and over leveraging LLMs. But this is not the fault of Rails, it is working as expected.<p>Be careful with LLMs!