I”m a newish Ruby/Rails developer with years of Java experience. This “security” question is specific to ruby – not rails – which is why it was hard to find an answer as most rails security questions deal with web stuff.
As a Java developer I’ve read Effective Java several times. One of the key points made in that book is to protect your data and methods in your classes from malicious users. By that I mean : make as much of your code private as possible, use immutable classes and use defensive copying when returning references to immutable objects. You can use the final keyword too.
But in Ruby, everything is open. Sure you can make a method / data private, but but as a consumer of a Ruby API, is there anything stopping me from writing my own version of the method then simply (dynamically at run time or in code) attaching it to a class in the API? Seems like all the security discussed in Effective Java doesn’t apply to Ruby at all. Is this just a mindset shift from Java? Isn’t this a “flaw” in Ruby or other similar languages?
The defense is against bad design, not intruders
Encapsulation, class-private functionality, and other recommended OO design patterns are not there to defend again malicious foreign functions and enemy classes.
Rather, the idea is simply to structure the program in a way that makes it less fragile and easier to modify.
Think of each class as a separate building. We could build a new office so that it’s leaning on the next building to the north and perhaps extend some steel from the building to the west to help hold up our new structure.
The obvious result would be damage to the structural integrity of the N and W neighbors, and questionable support for the new construction. With software, bad ideas like these are not always so obvious, so we read books full of principles and recommendations to remind us.