Here's a perfect example of the problem: Classifier gem breaks Rails.

**Original question:**

One thing that concerns me as a security professional is that Ruby doesn't have a parallel of Java's package-privacy. That is, this isn't valid Ruby:

public module Foo
  public module Bar
    # factory method for new Bar implementations
    def self.new(...)
      SimpleBarImplementation.new(...)
    end
    def baz
      raise NotImplementedError.new('Implementing Classes MUST redefine #baz')
    end
  end
  private class SimpleBarImplementation
    include Bar
    def baz
      ...
    end
  end
end

It'd be really nice to be able to prevent monkey-patching of Foo::BarImpl. That way, people who rely on the library know that nobody has messed with it. Imagine if somebody changed the implementation of MD5 or SHA1 on you! I can call freeze on these classes, but I have to do it on a class-by-class basis, and other scripts might modify them before I finish securing my application if I'm not very careful about load order.

Java provides lots of other tools for defensive programming, many of which are not possible in Ruby. (See Josh Bloch's book for a good list.) Is this really a concern? Should I just stop complaining and use Ruby for lightweight things and not hope for "enterprise-ready" solutions?

(And no, core classes are not frozen by default in Ruby. See below:)

require 'md5'
# => true
MD5.frozen?
# => false
Question author: James-a-rosen
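As an added example (not code from the question or the answer), the freeze behaviour and the load-order caveat described above, using a hypothetical Checksum class as a stand-in for MD5/SHA1:

```ruby
# Added example: a hypothetical library class, constructed for illustration.
class Checksum
  def digest(data)
    data.bytes.sum % 256
  end
end

# A patch that is loaded BEFORE anything is frozen is silently accepted:
# freeze cannot undo what earlier code already did (the load-order problem).
class Checksum
  def digest(_data)
    0 # "patched" implementation; the original behaviour is gone
  end
end

# Freeze every class we depend on from one place. Returns the classes that
# this call actually froze, so a second call reports nothing new.
def lock_down(*klasses)
  klasses.reject(&:frozen?).each(&:freeze)
end

# Try to (re)define a method on klass; returns the error class raised, or
# nil if the redefinition went through unopposed.
def try_patch(klass, name, &body)
  klass.send(:define_method, name, &body)
  nil
rescue RuntimeError => e # FrozenError is a RuntimeError subclass
  e.class
end

# Where the current definition of a method lives ([file, line]). Comparing
# this against the library's own file is a cheap way to notice a patch you
# were too late to prevent by freezing.
def definition_site(klass, name)
  klass.instance_method(name).source_location
end

PRE_FREEZE_RESULT = Checksum.new.digest("abc")        # 0: the early patch won
LOCKED = lock_down(Checksum)                          # [Checksum]
POST_FREEZE_ERROR = try_patch(Checksum, :digest) { |_| 1 } # FrozenError
```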

Check out Immutable by Garry Dolley.

You can prevent redefinition of individual methods.

Answer author: Nertzy