Last active
February 15, 2020 18:54
-
-
Save daveio/4d4ea479e7047f015ca36c003282ae23 to your computer and use it in GitHub Desktop.
ruby 'in' keyword abuse
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # hi | |
| # let's imagine we have this kind of structure for a website user. the user can add arbitrary websites, | |
| # which are stored in the userdata[:websites] hash as { :user_selected_name => 'https://example.com' }. | |
| userdata = { | |
| username: 'dave', | |
| websites: { | |
| homepage: 'https://dave.io', | |
| twitter: 'https://twitter.com/syn' | |
| }, | |
| password: 'jampants' | |
| } | |
| # this is currently fine, so we can successfully do | |
| check_password(userdata[:password]) # => check_password('jampants') | |
| # or using the new `in` keyword | |
| in userdata | |
| check_password(password) | |
| end # => check_password('jampants') | |
| # however what if a user adds a website, and chooses 'password' as its title? | |
| userdata = { | |
| username: 'dave', | |
| websites: { | |
| homepage: 'https://dave.io', | |
| twitter: 'https://twitter.com', | |
| password: 'https://evil.com' | |
| }, | |
| password: 'jampants' | |
| } | |
| # the old way still works fine | |
| check_password(userdata[:password]) # => check_password('jampants') | |
| # but depending on how it traverses the `userdata` hash, Ruby might encounter the :password key at one of two places | |
| in userdata | |
| check_password(password) | |
| end # => depending on `in` behaviour, may do check_password('jampants') or check_password('https://evil.com') | |
| # welp. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment