99 Bottles of OOP book review

Review of one of the most popular OOP books, written by a skilled coder 
28 July 2017

“99 Bottles of OOP” is Sandi Metz’s second book, co-authored with Katrina Owen. I was interested in this book for several reasons: first of all, I like the authors and their work; secondly, I like the topic, and the name of the book is awesome. I believe that writing a solid book based on discussions around a single kata, especially the “99 bottles of beer” one, is an outstanding idea in itself.


The authors recommend spending half an hour on solving the “99 bottles of beer” kata before reading the book.

At the beginning of the book, several solutions are evaluated with the help of metrics and common sense. Once the best solution (for now) is chosen, new requirements appear, and you have to adapt the code so that it becomes easy to change. In the following chapters you’ll find the refactoring steps with detailed descriptions and rationales.

Make the change easy (warning: this may be hard), then make the easy change.

Kent Beck, Programming Coach, Facebook

This book was written as an alternative to attending a workshop, so it’s important to reproduce all the steps and imagine that you are at the event :)

The authors suggest that “99 bottles” may completely change your assumptions about TDD. The code is changed in very small steps, and after each change you must run the tests, which should remain green. If they don’t, revert and try a different change.

If you are an experienced programmer and haven’t used such an approach before, it may be hard to adopt. It’s not easy for me to follow all the rules, especially when I work on large projects that contain legacy code. But it’s useful to explore this approach: for example, sometimes the right abstractions “appear” only after you make several small steps. It may be easier to try this approach on katas first.

According to the authors, the book has two goals:

  • supply you with concrete refactoring techniques for everyday use
  • make you fall in love with polymorphism

I guess we shouldn’t think of “99 bottles” as a search for the right solution to one specific task. It’s more a demonstration of refactoring rules and OOP principles on this example.

Refactoring is one of my favorite topics, so I liked the book. It helped me to organize my knowledge, look at TDD from a different angle and use this approach more often.

My notes on the book

Backdoor to be Found in Bootstrap-sass Ruby Gem

The backdoor was added in version 3.2.0.3, published on March 26 in the RubyGems repository; the issue is fixed in release 3.2.0.4, released on April 3rd.
05 April 2019

A backdoor (CVE-2019-10842) was found in the popular Ruby library bootstrap-sass (a Bootstrap 3 build with Sass support), which has about 28 million downloads; it allowed attackers to execute their own code on servers running applications that use bootstrap-sass. The backdoor was added in release 3.2.0.3, published on March 26 in the RubyGems repository. The issue is fixed in release 3.2.0.4, released on April 3rd.

The backdoor was covertly added to lib/active-controller/middleware.rb, where code appeared that called eval on the value passed in the "___cfduid" cookie. For an attack it was enough to send a request to the server with the "___cfduid" cookie set to Base64-encoded commands. The cookie name "___cfduid" was chosen to blend in with the "__cfduid" cookie set by the Cloudflare CDN, which differs only in having two underscores instead of three.

It is noteworthy that the malicious code was present only in the final package published to the RubyGems repository and was not included in the source code in the Git repository. The library’s source code remained clean and did not arouse suspicion among developers, which underscores the importance of reproducible builds and of a process that verifies that published packages match their reference sources. Apparently, the attack was carried out by taking over the RubyGems account credentials of one of the two library maintainers (officially, the leak of account data has not yet been confirmed).

The attackers showed prudence: they built the backdoor not into the latest 3.4.x branch, whose latest release has more than 217,000 downloads, but into an update for the previous 3.2.x branch, counting on a patch-level dependency update not raising suspicion. By a rough estimate, 1670 repositories on GitHub use bootstrap-sass as a dependency, and the applications associated with these repositories can potentially be compromised. Developers are advised to trace the use of the bootstrap-sass library among indirect dependencies and check whether an automatic upgrade to the backdoored version has taken place. Judging by the RubyGems package statistics, the backdoored package was downloaded about 1,500 times.
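A check for the advice above, written for this review and not taken from bootstrap-sass or the advisory: it parses a Gemfile.lock, flags the backdoored bootstrap-sass release and walks the reverse dependency graph so that an indirect dependency is still reported. The sample lockfile, and the rails_admin gem shown pulling bootstrap-sass in, are constructed for the example.

```ruby
# Constructed sample lockfile: rails_admin pulls in the backdoored bootstrap-sass release.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      bootstrap-sass (3.2.0.3)
        sass (>= 3.3.4)
      rails_admin (1.4.2)
        bootstrap-sass (~> 3.2)
      sass (3.7.4)
LOCK
# Known-bad releases from the advisory: only 3.2.0.3 carried the backdoor.
BACKDOORED = { "bootstrap-sass" => ["3.2.0.3"] }.freeze

# Parse the GEM specs section into { name => { version:, deps: [names] } }.
# Spec lines are indented 4 spaces, their dependencies 6 spaces.
def parse_lock(text)
  specs, current = {}, nil
  text.each_line do |line|
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)/))
      current = m[1]
      specs[current] = { version: m[2], deps: [] }
    elsif current && (m = line.match(/\A {6}(\S+)/))
      specs[current][:deps] << m[1]
    end
  end
  specs
end

# Walk the reverse dependency graph so an indirect dependency is still reported.
def dependents_of(specs, target, found = [])
  specs.each do |parent, info|
    next if found.include?(parent) || !info[:deps].include?(target)
    found << parent
    dependents_of(specs, parent, found)
  end
  found.sort
end

# Returns findings as { gem:, version:, via: [dependents] }; empty when clean.
def audit(text)
  specs = parse_lock(text)
  BACKDOORED.flat_map do |gem, bad|
    info = specs[gem]
    next [] unless info && bad.include?(info[:version])
    [{ gem: gem, version: info[:version], via: dependents_of(specs, gem) }]
  end
end

audit(ARGV.empty? ? SAMPLE_LOCK : File.read(ARGV[0])).each do |f|
  puts "#{f[:gem]} #{f[:version]}: backdoored release, pulled in via #{f[:via].join(', ')}"
end
```

Run it with the path to a real Gemfile.lock to audit that project; an empty result means no known-bad release is locked.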

Information about a possible backdoor was posted to the bug tracker a few hours after the problematic release 3.2.0.3 was published; about an hour later the maintainers removed the problematic release from RubyGems and changed their login passwords, but did not take into account that the removed version could remain on mirrors for several days. On April 3, an additional release 3.2.0.4 was created, identical to version 3.2.0.2, which made it possible to get rid of the backdoored version without switching to the new 3.4 branch.