On 09/02/2013, at 7:51 AM, Mark Wotton <[email protected]> wrote:

> On Fri, Feb 8, 2013 at 9:32 PM, Andrew Grimm <[email protected]> wrote:
>>
>> Would I be correct in interpreting him as saying that the recent YAML
>> exploits with Rails indicate a problem with Ruby, rather than just
>> Rails? That in a more secure programming language, even if the web
>> development framework stuffed up, the hackers wouldn't be able to
>> execute arbitrary shell code?
>
> This might not be what he's saying, but this is true. In a
> Hindley-Milner typed language, your parsing function would have a type
> String -> Maybe StructuredInput: it would either fail and return
> Nothing, or succeed and return a value of the correct type. It would
> not be able to read your database, install malware or print to the
> screen, because they all require an IO annotation.
>
> mark
I think you're right about having a type system. Frameworks like Yesod guarantee things Ruby never can: http://www.yesodweb.com/page/about

The idea that a database has typing and you throw it away leads to things like SQL injection. Everything as a string is a problem, I think.

The YAML exploit seems much more like a design or cultural problem to me. You could write Haskell to interpret YAML to run code, but you are correct that it'd be more limited and easier to reason about than Ruby. You would have to add IO in order to read a file or delete it.

The problem is Ruby is too powerful to be used in web development. You need something with less power - if not all through your stack, at least at the front door. You need a scalable language [1] - the best I've seen is Haskell, but my experience isn't great. You can make Ruby safer, but I think it would be a lot of work.

[1] http://www.w3.org/2001/tag/doc/leastPower#scalableLanguages
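The point made in the thread, that a YAML loader which can hand back arbitrary Ruby objects is a very different contract from a parser of type String -> Maybe StructuredInput, can be shown with Ruby's own YAML library, Psych. The following is an added example, not code from either message: the `Gadget` class and both YAML documents are constructed for the demonstration, `permissive_load` uses `Psych.unsafe_load` where the installed Psych has it (3.3.2 and later) and falls back to the older permissive `Psych.load` otherwise, and `structured_load` is the restrictive counterpart that returns plain data or nil and nothing else.

```ruby
require 'yaml'

# Hypothetical application class, defined here only for the demonstration.
# Any class loadable in the process could be named in the YAML tag instead.
class Gadget
  attr_reader :command

  def initialize(command = 'noop')
    @command = command
  end
end

# Constructed untrusted input: a YAML document that names a Ruby class in a
# tag and supplies its instance variables. Nothing in the text says "run me";
# it is the loader's interpretation of the tag that builds the object.
UNTRUSTED_DOC = <<~YAML
  !ruby/object:Gadget
  command: rm -rf /
YAML

# Constructed benign input: plain data only.
PLAIN_DOC = <<~YAML
  command: ls
  count: 3
YAML

# Permissive load: honours !ruby/object tags and instantiates whatever class
# they name, setting instance variables directly and bypassing the
# constructor. Psych >= 3.3.2 exposes this as unsafe_load; older Psych does
# the same thing in plain load.
def permissive_load(doc)
  Psych.respond_to?(:unsafe_load) ? Psych.unsafe_load(doc) : Psych.load(doc)
end

# Restrictive load: the closest Ruby gets to String -> Maybe StructuredInput.
# Returns only plain data (Hash, Array, String, Integer, Float, true/false,
# nil) on success, and nil when the document is malformed or names a class.
def structured_load(doc)
  Psych.safe_load(doc)
rescue Psych::DisallowedClass, Psych::SyntaxError
  nil
end

if $PROGRAM_NAME == __FILE__
  obj = permissive_load(UNTRUSTED_DOC)
  puts "permissive:  #{obj.class} with command=#{obj.command.inspect}"
  puts "restrictive: #{structured_load(UNTRUSTED_DOC).inspect}"
  puts "restrictive on plain data: #{structured_load(PLAIN_DOC).inspect}"
end
```

The permissive loader returns a live `Gadget` whose `command` was chosen by the document author; whether that becomes code execution depends on what the surrounding framework then does with the object, which is exactly the reasoning burden the Haskell type would remove. The restrictive loader cannot produce anything but data, so the caller has far less to reason about.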
