On 10/02/2013, at 10:45 AM, Nicholas Jefferson <[email protected]> wrote:
>> That's not true of a language like Haskell, where you have to explicitly
>> turn on cowboy mode before anything unsafe can happen.
>
> ISTM you are equivocating on the meaning of "unsafe" here. In Haskell
> "unsafe" means "not checked by the compiler", but you don't need to do
> anything unsafe to introduce a vulnerability.
>
> Take the Yesod web framework mentioned earlier. An application handler in
> Yesod can perform IO operations, like reading a file at a path given by the
> user. That's just one line of code:
>
>     content <- liftIO (readFile path)
>
> There are no compiler errors, no compiler warnings, just one Rails-scale
> vulnerability.
>
> The recent YAML attack in Rails was possible not because Ruby does not have
> static typing, but because Ruby supports creating instances of any class by
> name, calling any method by name, etc.
>
> You could remove those "features" from Ruby and you would still have a
> dynamically typed language, but the YAML attack would not be possible.

I agree with you, you could definitely create vulnerabilities in Yesod - but you would do it explicitly. In the above code, you're not creating a Rails-sized vulnerability, you're creating an IO-sized one (and only for that call).

To create a Rails-sized vulnerability in Yesod you'd have to allow any type class to refer to any column in any table. You'd have to allow it to use SQL commands and URLs interchangeably. You would have to give each function access to logging, the file system, unrestricted database access and classes so generic that you could only tell what they did by calling them.

The idea behind a scalable web language seems to me something that quickly dips into untrusted realms like parsing and quickly retreats - not one that grows in size and complexity and retains that for its entire runtime - just because you want to make it easy to deserialize objects.
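The "instances of any class by name" behaviour Nicholas describes for the Rails YAML attack, and the "dip into parsing and quickly retreat" boundary the reply argues for, shown side by side as an added Ruby example (not code from either author or from Rails). AuditSettings and the YAML document are constructed stand-ins, not a real gadget; the only difference between the two loaders is whether a type tag is allowed to pick the class.

```ruby
require "yaml"

# Constructed benign class: it stands in for "any class reachable by name".
class AuditSettings
  attr_accessor :level, :sink
end

# Constructed untrusted document. The type tag asks the loader to build an
# AuditSettings instance instead of returning a plain Hash.
UNTRUSTED_DOC = <<~DOC
  --- !ruby/object:AuditSettings
  level: debug
  sink: /var/log/app.log
DOC

# Rails-era behaviour: honour the tag and instantiate whatever class it names.
# Psych 4 moved this to unsafe_load; older Psych still exposes it as load.
def legacy_load(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Parsing boundary: only core scalars, Hash and Array can come back. A class
# tag is refused with Psych::DisallowedClass before any object is allocated.
def load_settings(doc)
  YAML.safe_load(doc)
end

# Explicit opt-in for exactly one class; nothing else named in the document
# can be instantiated, so the capability stays scoped to this call.
def load_settings_permitting(doc, klass)
  YAML.safe_load(doc, permitted_classes: [klass])
end
```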
