Wednesday, October 3, 2012

Even Expert Rubyists Can be Fooled by Misleading Heredoc Syntax.

What do you expect the following code to produce?

https://gist.github.com/3826929#file_string_heredoc.rb

If you’re familiar with Ruby’s Heredoc syntax you’ll recognize this syntax as an easy way to capture a string of arbitrary length, but when you execute the file above, you’ll see the syntax is invalid.

https://gist.github.com/3826929#file_syntax_error.txt

Why is this?

Well, as it turns out, ruby doesn’t see this as a heredoc at all. Instead, it sees it as string.«(EOF) which is invalid because EOF is undefined.

That’s pretty confusing and it’s easy for expert coders to miss in a code review.

Since constants in the global context will evaluate, what if we had another innocent looking file included in the project somewhere?

https://gist.github.com/3826929#file_innocent_looking_file.rb

Sure, that’s a little strange looking, but a file like that isn’t beyond the realm of possibility in a large project. What happens if that file somehow found its way into the project?

https://gist.github.com/3826929#file_string_heredoc_output.txt

Suddenly, the invalid syntax from the first file becomes valid with a new and very dangerous meaning. This is subtle enough that it could present a real threat against your projects, especially if its a large project in constant flux.

Keep your eyes peeled for things like this. This one would be very easy to overlook.

Posted at 10:46 AM