

Ruby delegate.rb secrets - saturnflyer
http://www.saturnflyer.com/blog/jim/2013/03/21/ruby-delegate-rb-secrets/

======
void-star
Not trying to bring up a language war or jump on the wagon berating ruby
"magic" (so tired of those conversations). I love the dynamic nature of ruby.

That said... the code examples in this article are exactly the patterns that
were leveraged (and are still being leveraged) to exploit the recent wave of
object serialization vulnerabilities via YAML/JSON/XML (including the one that
popped rubygems.org recently).

see:
[https://groups.google.com/forum/?fromgroups=#!topic/rubyonra...](https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ)

Just be super careful when using code like this, it can have very unintended
consequences when you bring object remoting into the mix.

------
joshowens
This is handy stuff, thanks for writing it up and sharing it!

