Static Typing for Ruby on Rails

Ruby on Rails (or just "Rails") is a popular web application framework built on top of Ruby, an object-oriented scripting language. While Ruby's powerful features such as dynamic typing help make Rails development extremely lightweight, this comes at a cost. Dynamic typing in particular means that type errors in Rails applications remain latent until run time, making debugging and maintenance harder. In this paper, we describe DRails, a novel tool that brings static typing to Rails applications to detect a range of run-time errors. DRails works by translating Rails programs into pure Ruby code in which Rails's numerous implicit conventions are made explicit. We then discover type errors by applying DRuby, a previously developed static type inference system, to the translated program. We ran DRails on a suite of applications and found that it was able to detect several previously unknown errors.
