Tuesday, February 12, 2013

Why is Ruby bad security?

More: Ruby’s Principle of Too Much Power

Another week, another Ruby on Rails exploit. Again it attacks deserialisation libraries that can, it turns out, instantiate complex objects. Not all the flaws can be blamed on the over-ambition of serialisation libraries like YAML and now JSON, though. There was a spate of mass-assignment vulnerabilities, and others, and doubtless some I’ve forgotten.

Update: I spoke too soon; there’s yet another assignment vulnerability right now, again.

Why, deep down, does Ruby have whack-a-mole security problems? I don’t buy the popularity argument at all; it’s not because Rails has suddenly become a big enough target to encourage attackers.

I think it’s much deeper in the Ruby psyche.

Why doesn’t the Python JSON serialiser try and instantiate non-standard data-types?
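As an added example (not code from the original post, and not a Rails API), here is what a defender wants from the two mechanisms named above, written in Ruby: the JSON parser is explicitly told not to create additions, the parsed result is checked to contain nothing but plain data, and request attributes are copied into a model only through an explicit allowlist. The request body is constructed for the example; its `json_class` key ends up as an ordinary string key rather than a hint to instantiate a class. The names `parse_untrusted_json`, `permit` and `build_user_attributes` are my own.

```ruby
require 'json'

# Types a "plain data" deserialiser is allowed to produce. Anything outside
# this set means the parser instantiated an application object from input.
PLAIN_TYPES = [Hash, Array, String, Integer, Float, TrueClass, FalseClass, NilClass].freeze

# Walk a parsed document and confirm every node is plain data with string keys.
def plain_data?(node)
  case node
  when Hash  then node.all? { |k, v| k.is_a?(String) && plain_data?(v) }
  when Array then node.all? { |v| plain_data?(v) }
  else PLAIN_TYPES.any? { |t| node.is_a?(t) }
  end
end

# Parse untrusted JSON without letting the library build custom objects.
# create_additions: false tells Ruby's JSON parser to ignore json_class hints;
# the plain_data? check is a belt-and-braces guard on top of that.
def parse_untrusted_json(text)
  doc = JSON.parse(text, create_additions: false)
  raise ArgumentError, 'parser produced a non-plain object' unless plain_data?(doc)
  doc
end

# Mass-assignment guard: copy only explicitly permitted attributes from a
# request parameter hash and silently drop everything else (e.g. "admin").
def permit(params, allowed)
  allowed_strings = allowed.map(&:to_s)
  params.select { |k, _| allowed_strings.include?(k.to_s) }
end

# Constructed sample request body (not taken from the original post).
REQUEST_BODY = '{"name":"alice","email":"a@example.com","admin":true,' \
               '"json_class":"Range","a":[1,3,false]}'

# What a controller would hand to the model: only the permitted keys survive.
def build_user_attributes(body)
  permit(parse_untrusted_json(body), [:name, :email])
end

if __FILE__ == $0
  p build_user_attributes(REQUEST_BODY)
  # => {"name"=>"alice", "email"=>"a@example.com"}
end
```

The two checks are independent: `create_additions: false` stops the parser from building objects, and `permit` stops whatever survives parsing from reaching attributes the caller never meant to expose.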

Ruby delights in spooky action at a distance. Rubyists and Railites delight in a perverse, extreme object-orientation, and in the Convention-over-Configuration and Don’t-Repeat-Yourself mantras.

The aim is to be so declarative, so high-level, that one no longer sees or understands what is happening beneath and before.

Even Python apps are much shallower than Ruby apps.  Ruby is the queen of indirection and nesting.

I just can’t see Go and Python frameworks suffering in the same way, or to such an endemic extent.


  1. anthonybishopric said: Hey there, I’ve been following you for a while. I understand where your intuition is taking you but I don’t totally follow the argument. If you provide an API that has some conventional behavior, I don’t see how that directly causes issues.
  2. williamedwardscoder posted this
