Allow custom script in Ruby / Rails application
A predefined set of objects must be aggregated into a new object. However, I want users to ask a custom function for this.
Now the naive approach would be
def foo; end
objects = [1,2,3]
# result = eval(user_script)
result = eval("objects.inject {|sum, n| sum + n }")
Which I clearly don't want to do! I've read about $SAFE = 4
(see here ) but I'm not sure if this is enough. Especially since a custom script will still be able to call other functions like foo
. I only want to allow access to basic non-hazardous core Ruby functionality.
Is there any way for Ruby to safely execute custom scripts? I don't need Ruby syntax. It would be nice though.
Have you seen the Sven Fuch safemode plugin ( review here )? Here's a page on GitHub.
Instead of the blacklist of dangerous methods that SAFE does, it parses the incoming code and removes any non-whitelisted method. The plugin comes with a predefined whitelist that can be seen in this file .
I personally have never used this plugin, but the author is active in the Ruby community and I am sure he will answer all your questions.
The best lock in the world won't stop you from robbing the blind if you decide to give everyone in the world a key.