Even Expert Rubyists Can Be Fooled by Misleading Heredoc Syntax.
What do you expect the following code to produce?
If you’re familiar with Ruby’s Heredoc syntax you’ll recognize this syntax as an easy way to capture a string of arbitrary length, but when you execute the file above, you’ll see the syntax is invalid.
Why is this?
Well, as it turns out, Ruby doesn't see this as a heredoc at all. Instead, it sees it as string.<<(EOF): a call to the << (append) method on string with the constant EOF as its argument, which is invalid because EOF is undefined.
That’s pretty confusing and it’s easy for expert coders to miss in a code review.
Since a constant defined at the top level is visible from every file in the project, what if we had another innocent-looking file included somewhere that happened to define that constant?
Sure, that's a little strange-looking, but a file like that isn't beyond the realm of possibility in a large project. What happens if that file somehow found its way into the project?
Suddenly, the invalid syntax from the first file becomes valid, with a new and very dangerous meaning: the lines that looked like heredoc text are now executed as Ruby code. This is subtle enough that it could present a real threat to your projects, especially if it's a large project in constant flux.
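As an added Ruby example (not the original post's files, which are not reproduced here), the script below constructs two versions of a file that share the same string <<EOF line, differing only in whether string is a local variable or a method, plus a second file that defines EOF. It uses the standard-library Ripper lexer to show how each version is tokenized, then loads the "files" in order to show the runtime effect. The names string, EOF, EXECUTED and the helper functions are assumptions of this example. The misparsed_heredoc_lines helper is a small lint a reviewer could run over a codebase: it reports any << immediately followed by a constant name, which is what a heredoc opener looks like once Ruby has decided it is a shift operator.

```ruby
require "ripper"

# Added example, not code from the original post. The sources below are
# constructed to mirror the post's scenario.
EXECUTED = []   # records whether the "heredoc body" line was run as Ruby code

# Three lines that look like a heredoc. In the local-variable version they
# are parsed as: string << EOF; EXECUTED << :body_line_ran; EOF
SHARED_LINES = <<~'RUBY'
  string <<EOF
  EXECUTED << :body_line_ran
  EOF
RUBY

LOCAL_VAR_SRC   = "string = String.new\n" + SHARED_LINES  # `string` is a local variable
METHOD_CALL_SRC = "def string(*); end\n"   + SHARED_LINES  # `string` is a method call
OTHER_FILE_SRC  = "EOF = 'appended by the other file'\n"  # the innocent-looking second file

# True when Ruby's own lexer sees a heredoc opener anywhere in the source.
def heredoc?(src)
  Ripper.lex(src).any? { |_pos, type, _tok, _state| type == :on_heredoc_beg }
end

# Lint: line numbers where `<<` is immediately followed by a constant name,
# i.e. a `<<IDENT` that was lexed as a shift operator, not a heredoc opener.
def misparsed_heredoc_lines(src)
  Ripper.lex(src).each_cons(2).map do |(pos, t1, s1, _), (_, t2, _s2, _)|
    pos[0] if t1 == :on_op && s1 == "<<" && t2 == :on_const
  end.compact
end

# Evaluate "files" in order against one sandbox object, the way a project
# would load them. Constants defined by a string instance_eval land in the
# sandbox's singleton class, so runs do not leak into each other.
# Returns [status, body_line_ran]; status is :ran or the exception class.
def load_files(*sources)
  EXECUTED.clear
  sandbox = Object.new
  sources.each { |src| sandbox.instance_eval(src) }
  [:ran, EXECUTED.include?(:body_line_ran)]
rescue NameError => e
  [e.class, EXECUTED.include?(:body_line_ran)]
end

if __FILE__ == $PROGRAM_NAME
  puts "method call:  heredoc? #{heredoc?(METHOD_CALL_SRC)} -> #{load_files(METHOD_CALL_SRC).inspect}"
  puts "local var:    heredoc? #{heredoc?(LOCAL_VAR_SRC)} -> #{load_files(LOCAL_VAR_SRC).inspect}"
  puts "with 2nd file:                 -> #{load_files(OTHER_FILE_SRC, LOCAL_VAR_SRC).inspect}"
  puts "lint flags lines: #{misparsed_heredoc_lines(LOCAL_VAR_SRC).inspect}"
end
```

Note that ruby -c passes the local-variable version: once the body lines are valid Ruby, nothing is syntactically wrong, so a syntax check alone will not surface the problem. The lexer-based lint is the check to run, and a hit on a line that was clearly meant to be a heredoc is worth a closer look in review.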
Keep your eyes peeled for things like this. This one would be very easy to overlook.