gSchool Weeks 2-3

Getting more intense


The class just finished the 3rd week of gSchool and now I know why they call this course an “intensive”. We’ve been learning something new every day since week 2 and it seems like the pace is only picking up. The instructors like to teach us the hard way of doing things first and only then show us how it’s done easily, so that we understand the “magic under the hood”: a tough but great way to learn. It’s been difficult to study anything after class because my brain feels like mush after digesting so much new information, and hopefully it doesn’t push out anything useful. Because of this, it’s been important for me to exercise daily with lots of running and some T25.

Arrays and Hashes — A big thanks to the linguist Larry Wall and his Practical Extraction and Reporting Language (Perl). It gave me a head start into these concepts so there wasn’t much learning overhead other than seeing the OO version of them.

Objects, Classes and Methods — Finally, I get to see the power of OO programming. It only makes sense to program this way since I’m coming from a more procedural language. It’s definitely refreshing to be able to simulate real life with abstract blue prints.

HTML5, CSS3 and Wire Framing — I need a lot of work here. I’ve worked with parsing HTML before but I’ve never really built anything with it, so ideas are slow to rise to the top. I like the dynamic styling that CSS provides but apparently it’s difficult to master in a short period of time. Fortunately, Matt Leach was able to provide wire framing concepts and templates, which have been super helpful in organizing and visualizing layouts.

RSpec — We’ve started to learn systematic testing of our code with RSpec. I’m enjoying it so far, although I can tell it may get very tedious (and hopefully not boring!) coming up with our own tests. Having working code is important and the rigorous testing is much needed, as it saves a lot of time verifying each test case.

Sinatra and ERB — Sinatra is the first framework I’ve ever programmed in and I’m impressed with how the creators of it have streamlined the flow of deploying working websites. ERB is equally amazing in how it can glue Ruby and HTML code together to build websites dynamically. We’re going to be using Sinatra daily until we’re comfortable enough with it and then move on to Rails.

Assessments — My assessment went well and I was able to pass each programming test. However, I learned something huge in one of them. The test was basic: create a method to sum all the elements of an array and return that number. Reaching from my Perl memory, I used the eval function (instead of an array method like inject or an enumerable like reduce) to get my result:

# Joins the elements into a string like "1+2+3" and hands it to the interpreter
def sum(arr)
  eval(arr.join("+"))
end

I was feeling clever using this function, but my instructor elaborated on how dangerous the eval function is. Below is an example of how this can be exploited to execute other commands:

[~][jude]$ irb
2.1.1 :001 > numbers = [1,2,3]
=> [1, 2, 3]
2.1.1 :002 > eval(numbers.join("+"))
=> 6
2.1.1 :003 > numbers.push("(puts 'hello')")
=> [1, 2, 3, "(puts 'hello')"]
2.1.1 :004 > eval(numbers.join("+"))
hello
TypeError: nil can't be coerced into Fixnum
from (irb):4:in `eval'
from (eval):1
from (irb):4:in `eval'
from (irb):4
from /Users/judequintana/.rvm/rubies/ruby-2.1.1/bin/irb:11:in `<main>'
2.1.1 :005 >

As you can see, before the error is thrown it actually ran the puts command! I did not realize that the eval function not only evaluates string expressions, it also evaluates Ruby code. Here is another example of executing system commands with eval:

2.1.1 :009 > numbers.push("(exec 'ls -al')")
=> [1, 2, 3, "(exec 'ls -al')"]
2.1.1 :010 > eval(numbers.join("+"))
total 16
drwxr-xr-x 3 judequintana staff 102 Jun 28 13:52 .
drwxr-xr-x 11 judequintana staff 374 Jun 23 11:38 ..
-rw-r--r-- 1 judequintana staff 4156 Jun 25 17:02 test.rb

Woah! Kind of scary how dangerous this command really is! Go here for an explanation on the dangers of using eval. It really blew my mind how basic of an exploit this is due to bad code; now my mind is racing!
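To show the fix alongside the problem, here is an added example (not from the original post or the course): the eval-based sum next to a version that coerces every element with Integer() before adding it, so a string that happens to be valid Ruby code is rejected rather than executed. The method names and the tainted sample array are constructed for this illustration.

```ruby
# The post's approach: whatever the array contains becomes Ruby source,
# so any element that is not a number gets executed as code.
def sum_with_eval(arr)
  eval(arr.join("+"))
end

# Safer approach: turn each element into an Integer first. Integer() raises
# ArgumentError on anything that is not a well-formed number (and TypeError
# on nil), so the array contents never reach the interpreter as code.
def sum_safely(arr)
  arr.reduce(0) { |total, elem| total + Integer(elem) }
end

# Wrapper for input you do not control (query params, form fields):
# returns :rejected instead of raising when an element is not numeric.
def sum_untrusted(arr)
  sum_safely(arr)
rescue ArgumentError, TypeError
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  clean   = [1, 2, 3]
  tainted = [1, 2, 3, "(puts 'hello')"]  # constructed, mirrors the irb session
  puts sum_with_eval(clean)    # 6
  puts sum_safely(clean)       # 6
  puts sum_untrusted(tainted)  # rejected, and nothing is executed
end
```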

Social Networking — I’ve been reluctant to sign up to social networks but the instructors expressed how important it is to Tweet, Blog and be LinkedIn. Since I’ve signed up I’ve been able to connect to several important people in the infosec community so I’m hoping it will turn out well getting involved with the tech elite!
