Here's a great example of a problem: Classifier graphics break Rails.
**Original Question:**
One thing that concerns me as a security professional is that Ruby has no parallel to the privacy of the Java package. That is, this is not valid Ruby:
```ruby
public module Foo
  public module Bar
    # factory method for new Bar implementations
    def self.new(...)
      SimpleBarImplementation.new(...)
    end

    def baz
      raise NotImplementedError.new('Implementing Classes MUST redefine #baz')
    end
  end

  private class SimpleBarImplementation
    include Bar

    def baz
      ...
    end
  end
end
```
, Foo:: BarImpl. , , , , . , - MD5 SHA1 ! freeze , " ", , , .
Java , Ruby. (. .) ? Ruby " " ?
( , Ruby. . :)
```ruby
require 'md5'  # => true
MD5.frozen?    # => false
```
Immutable .
.
, .
, "-" MD5 - . . , Java , , - MD5. .
: , :
```ruby
require 'awesome' # Do something awesome.
```
, - :
```ruby
require 'evil_cracker_lib_from_russian_pr0n_site' # Overrides crypto functions and sends all data to mafia
require 'awesome' # Now everything is insecure because awesome lib uses
                  # cracker lib instead of builtin
```
: ! , , . , , , .
Java: , Java private final, . , - ! , - : Java OpenSSL . , , , , Debian , OpenSSL . , Java-, Debian , !
, , , ( ) ., .
, , " ".
-, , , , dll injection .
, . .
, , ruby - . Monkeypatching , .
, Ruby , , . .. Ruby String, .
" " , , Google Amazon. , .
, , , , , , . ? , . , . . , .
:
```ruby
require 'evil_cracker_lib_from_russian_pr0n_site'
require 'awesome'
```
awesome, foobar fazbot, foobar, has_gumption, ... , .
" " - . ; . .
- , Immutable ( ).
, Lucky Stiff "", , . http://code.whytheluckystiff.net/sandbox/
( TicTacToe): http://www.elctech.com/blog/safely-exposing-your-app-to-a-ruby-sandbox
Raganwald . :
```ruby
class Module
  def anonymous_module(&block)
    self.send :include, Module.new(&block)
  end
end

class Acronym
  anonymous_module do
    fu = lambda { 'fu' }
    bar = lambda { 'bar' }
    define_method :fubar do
      fu.call + bar.call
    end
  end
end
```
fubar Acronym s, (fu bar) .
- , 2 : . , ( ), . , , .
, , . - - ? , monkeypatch - , .
, , . - .