Last weekend (August 19-20, 2023), Ruby Conf China was successfully held in Shanghai. This was the first time since COVID-19 that Ruby Conf was held offline - we've been waiting for it for three years. It's amazing that the venue was the same one we booked for Ruby Conf 2021 three years ago (JW Marriott at Tomorrow Square); Due to the pandemic, that one had to be changed to an online conference. The hotel was generous enough not to raise the price of the venue or meals after three years. By the way, the buffet at the Marriott was really good.

I'm going to take two posts to briefly document what I learned on Ruby Conf.

Keynotes

by Matz

Ruby was a language created for fun.

Naming matters for a product because it reflects its essence.

Ruby became popular, thanks to benefit seekers and the community.

Marketing is important to let people know how good a software is.

Compatibility:

• Community split between Ruby 1.8 and 1.9 for around 5 years
• Such split can be even longer for other languages
• Performance improvement was great enough to encourage users to upgrade

Leadership & Vision: to predict the future by investing in it (for example, to use static type or not)

Play with AST and build your own code analysis and code rewriting tools

by Huang Zhimin

Ruby source code → AST

1. Tokenize: Ripper
2. Parse: Parser / RubyParser
3. Compile

Tools that utilize AST:

• Rubocop (via Parser)
• Prettier for Ruby (Ripper)
• Yard (Ripper)
• Brakeman (RubyParser)

Use cases:

• rails_best_practice
• https://synvert.net/ a tool to replace and refactor codes

An example of query and mutate AST nodes with Synvert

# convert 'email_and_active(email, true)' to 'email: email, active: true'
helper_method :dynamic_finder_to_hash do |prefix|
  # ...
end
if_gem 'rails', '>= 3.0'

within_files Synvert::ALL_RUBY_FILES + Synvert::ALL_RAKE_FILES do
  # find_all_by_email_and_active(email, true) => where(email: email, active: true)
  find_node '.send[message=~/^find_all_by_/]' do
  hash_params = dynamic_finder_to_hash('find_all_by_')
  if hash_params
    replace :message, with: 'where'
    replace :arguments, with: hash_params
  end
end

ActionCable pressure test and practical experience sharing

by Li Yafei (ShowMeBug)

Question: How many online users are supported?

ActionCable Components: WebSocket, Channel, Connection

Monitor toolkits:

• websocket: Jmeter, Artillery
• server: atop, netstat, puma state, nginx log，isostat
• alternative: AnyCable - it increases speed of Connection initiation, but not much in consumption

Performance: It handles 70 QPS with 4-Core and 8G Mem, namely 20k DAU

Common bottle necks:

• SSD: 3000 IOps
• Middle-leveled DB: 20k TPS
• Redis: 50k TPS
• IO latency: 0.1 ms(write) - 1ms (local DB) - 10ms (Redis R/W)

Rails and Rack app security

by Li Wei

How to scure your app security

• Improve safety consciousness by training to avoid phishing and social engineering
• Understanding the security of our cyber assets through Attack Surfaces (ASM)
• Continuous evaluation on effectiveness by BAS (Breach and Attack Simulation)
• Adopt suggestions

Security concerns from OWASP GitHub.com/OWASP/api-security

• Top 3 in 2021: Broken access control, Cryptographic Failure, Injection
• Injection was not the most severest (2017) because people paied attention to it
• New: SSRF (server-side request forgery)

Rails are good at:

• Anti-inject
• Avoid XSS
• credentials / encryption
• CoC

Weak:

• Third party gem
• RESTful - easy to traverse data and expose db structure
• render with object - unnecessary data

Tools:

• brakeman
• metasploit (a penetration testing framework, written by Ruby)
• Burp Suite (security testing software)

ReInforce Rails App

• Browser-side environment validation
• Bi-directional client-server authentication
• Dynamic obfuscation to prevent request forgery and eavesdropping
• Dynamic token
• Should be non-intrusive to existing apps (for example, to use Rack middlewares)

Domain-driven design in GitLab

by Yuan Xiaofeng (GitLab)

Typical Architecture for DDD:

1. Presentation
2. Application
3. Domain
4. Infra

Imposing DDD (Doctrinaires) on Rails causes:

1. Incompatible with official Rails, not easy to upgrade
2. Poor quality
3. Waste of human resources due to learning path

More practical way in Rails:

1. Don’t distinguish application and entity layers
2. Controller can access domain model directly
3. Service as domain model
4. Rich domain model, not fat model
   1. Use Concern
   2. delegate to PORO

Conversational Al empowers the next generation of Internet applications

by Wang Ruoyu (Workstream)

Background

• Conversational AI remodelled interaction between human and computers: from GUI to LUI (Natural Language UI)
• Bottlenecks of GPT: hallucianation, hard to test/QA, data Privacy

Landing for mid-sized company

• Start from one painpoint or specific scene
• AI Agent as Brain + API as limbs
• Chat: Recognize users intention and call exsiting APIs with extracted parameters

Challenges

• Permission - user may ask for info he doesn't have access

• Security - Prompt Injection/Hack