
Add guideline about template strings and specifying type?

Open · eliotsykes opened this issue 8 years ago · 1 comment

This section on named format tokens was recently added to the Ruby style guide, repeated below:

When using named format string tokens, favor %<name>s over %{name} because it encodes information about the type of the value.

# bad
format('Hello, %{name}', name: 'John')

# good
format('Hello, %<name>s', name: 'John')

If there is a security aspect to this, consider adding a guideline to the checklist.

(cc @backus - original author of change to Ruby Style Guide)

eliotsykes, Apr 13 '17 09:04

Not really sure if there is a security aspect to this beyond like validating that something is a specific type. Everything responds to #to_s and %<foo>s is still going to call #to_s (which is usually #inspect) on most objects but in the cases where you have something like a number I guess it could help prevent some sensitive information leak if you specify the type. Marginally fewer things which can have their #inspect string interpolated into some output if something else goes wrong.

backus, Apr 13 '17 09:04
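The following is an added example, written for this page rather than taken from the rails-security-checklist repository, the Ruby style guide, or either commenter. It shows concretely what the thread is weighing: `%{name}` and `%<name>s` both interpolate whatever `#to_s` returns, while a typed token such as `%<name>d` makes `Kernel#format` convert the argument with `Integer()`-style rules and raise on anything that is not numeric. The `ApiToken` class, the `count=` template, and the helper method names are constructed for the illustration and are not anything the checklist defines. Note the caveat in `safe_integer_count('42')`: the typed token is a conversion, not a strict type check, so a numeric String is still accepted.

```ruby
# Constructed stand-in for a value that should never reach output verbatim.
# Its #to_s deliberately leaks the secret, mimicking an object with a chatty
# string representation (a misplaced model, an API client, a credential holder).
class ApiToken
  def initialize(secret)
    @secret = secret
  end

  def to_s
    "ApiToken(#{@secret})"
  end
end

# %{name}: no type information at all; anything responding to #to_s is
# interpolated, including the ApiToken above.
def untyped_count(value)
  format('count=%{n}', n: value)
end

# %<name>s: documents "a string goes here" to the reader, but it is still a
# plain #to_s call, so it gives no more protection than %{name}.
def string_count(value)
  format('count=%<n>s', n: value)
end

# %<name>d: Kernel#format converts the argument to an Integer. A String that
# is not a number raises ArgumentError, and nil or an arbitrary object raises
# TypeError, so a non-numeric value never reaches the output string.
def integer_count(value)
  format('count=%<n>d', n: value)
end

# Returns the formatted string, or :rejected when the typed token refused the
# value. Rescuing only here keeps the format call itself strict.
def safe_integer_count(value)
  integer_count(value)
rescue ArgumentError, TypeError
  :rejected
end

if $PROGRAM_NAME == __FILE__
  token = ApiToken.new('s3cr3t')
  puts untyped_count(token)        # the secret is interpolated via #to_s
  puts string_count(token)         # same result: %<n>s is still #to_s
  p safe_integer_count(token)      # :rejected (TypeError from %<n>d)
  p safe_integer_count('secret')   # :rejected (ArgumentError from %<n>d)
  p safe_integer_count(3)          # "count=3"
  p safe_integer_count('42')       # "count=42": numeric Strings are converted
end
```

The practical reading matches backus's estimate: a typed token narrows what can be interpolated when the value is genuinely a number, and does nothing when the token is `s`, so it is a marginal defence rather than an output-encoding control.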