---
title: 'This week in #dev (Jan 24, 2025)'
teaser: 'Avoiding ReDoS attacks, using Active Resource in modern Rails, and how to
  improve flaky tests with Playwright.

  '
tags: this week in dev,til,security,testing,rails
author: thoughtbot
published_on: 2025-02-03
---

Welcome to another edition of [This Week in #dev](https://thoughtbot.com/blog/tags/this-week-in-dev), a series of posts
where we bring some of our most interesting Slack conversations to the public.

## Regular Expression Denial of Service (ReDoS)

[Fer Perales][fer] learned about ReDoS (Regular Expression Denial of Service): a
type of security vulnerability that exploits inefficient regular expressions to
cause a denial of service. It happens when a regular expression is written in
such a way that it requires an excessive amount of time to process certain
inputs.

He also shares [a website to test regular expressions] for ReDoS. [Matheus
Richard][matheus] adds that Ruby introduced [Regex timeouts] to avoid this kind
of attack.

[fer]: https://github.com/ferperales
[a website to test regular expressions]:  https://devina.io/redos-checker
[Regex timeouts]: https://docs.ruby-lang.org/en/3.4/Regexp.html#method-c-timeout-3D
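
As an added example (not from the Slack conversation or thoughtbot's code), the Ruby below shows a per-pattern timeout stopping a backtracking blow-up, next to a rewritten pattern that avoids it. It assumes Ruby 3.2 or newer; the patterns, the inputs and the `check` helper are constructed for illustration.

```ruby
# Requires Ruby 3.2+ (Regexp timeouts).
# Patterns, inputs and the `check` helper are constructed for this example.

# Process-wide default budget for every match, e.g. set once at boot.
Regexp.timeout = 1.0

# Intent: a quoted run of words, closed by the same quote that opened it.
# `(\w+\s?)*` is ambiguous: a run of word characters can be split into
# "words" in exponentially many ways, and the engine tries them all when the
# closing quote is missing. The backreference \1 also keeps Ruby's
# memoization optimization (3.2+) from applying to this pattern.
VULNERABLE = /\A(["'])(\w+\s?)*\1\z/

# Same intent, unambiguous: words separated by exactly one whitespace
# character (this version requires at least one word).
HARDENED = /\A(["'])\w+(?:\s\w+)*\s?\1\z/

# Match `input` against `pattern` with a per-regexp time budget that
# overrides the global default. Returns :match, :no_match, or :timeout.
def check(pattern, input, budget: 0.1)
  bounded = Regexp.new(pattern.source, pattern.options, timeout: budget)
  bounded.match?(input) ? :match : :no_match
rescue Regexp::TimeoutError
  # Treat as a rejected input; worth logging, since it marks a slow pattern.
  :timeout
end

WELL_FORMED = %q("hello world")
# Constructed worst case: opening quote, 40 word characters, no closing quote.
UNTERMINATED = %q(") + "a" * 40

if __FILE__ == $PROGRAM_NAME
  [VULNERABLE, HARDENED].each do |pattern|
    [WELL_FORMED, UNTERMINATED].each do |input|
      puts "#{pattern.source}  <-  #{input.inspect}: #{check(pattern, input)}"
    end
  end
end
```

The timeout bounds the damage of a slow pattern but does not fix it; rewriting the ambiguous repetition is what removes the exponential behaviour.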

## Reviving Active Resource: Integrating with modern Rails for API communication

[Sean Doyle][sean] shares his experience using [Active
Resource](https://github.com/rails/activeresource) for API communication in a
project. Despite its age and lack of recent updates, Active Resource remains
valuable, especially with new Rails features like the
[serialize](https://edgeapi.rubyonrails.org/classes/ActiveRecord/AttributeMethods/Serialization/ClassMethods.html#method-i-serialize)
Active Record method. This method, combined with String and JSON(B) database
columns, allows for efficient serialization and deserialization of object
instances. Below is a code example demonstrating how to store an Active Resource
representation of an API response directly in a database:

```ruby
ActiveRecord::Schema.define do
  create_table :posts, force: true do |t|
    t.json :api_post, null: false
    t.virtual :api_post_id, type: :string, stored: true, null: false, as: <<~SQL
      api_post->>'id'
    SQL

    t.index :api_post_id, unique: true
  end
end

module Api
  class ApplicationResource < ActiveResource::Base
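    # Coder interface expected by `serialize`: dump the resource to a Hash for
    # the JSON column, and load stored attributes back into a resource.
    def self.dump(resource) = resource.try(:serializable_hash)
    def self.load(attributes) = attributes.nil? ? nil : new(attributes, attributes[primary_key])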
  end

  class Api::Post < ApplicationResource
    self.site = "https://api.dev"

    schema do
      attribute :name, :string
      attribute :body, :string
    end
  end
end

class Post < ActiveRecord::Base
  serialize :api_post, coder: Api::Post

  delegate_missing_to :api_post
end
```

[sean]: https://thoughtbot.com/blog/authors/sean-doyle

## Flaky tests? Try Playwright!

[Matheus Richard][matheus] suggests replacing Selenium with Playwright to
address flaky system specs. This has significantly improved the reliability of a
client's test suite. Here's [a tutorial on how to do it].

[a tutorial on how to do it]: https://justin.searls.co/posts/running-rails-system-tests-with-playwright-instead-of-selenium/

## Thanks

This edition was brought to you by [Fer Perales][fer], [Matheus Richard][matheus], and [Sean Doyle][sean].
Thanks to all contributors! 🎉

[matheus]: https://thoughtbot.com/blog/authors/matheus-richard
