Allow custom script in Ruby / Rails application

A predefined set of objects must be aggregated into a new object. However, I want users to supply a custom function for this.

Now the naive approach would be

def foo; end

objects = [1,2,3]
# result = eval(user_script)   # user_script is whatever the user typed in
result = eval("objects.inject {|sum, n| sum + n }")

Which I clearly don't want to do! I've read about $SAFE = 4 (see here) but I'm not sure if this is enough. Especially since a custom script will still be able to call other functions like foo. I only want to allow access to basic non-hazardous core Ruby functionality.

Is there any way for Ruby to safely execute custom scripts? I don't need Ruby syntax. It would be nice though.

+2


2 answers


Have you seen Sven Fuchs' safemode plugin (review here)? Here's the page on GitHub.

Instead of the blacklist of dangerous methods that $SAFE uses, it parses the incoming code and removes any non-whitelisted method. The plugin comes with a predefined whitelist that can be seen in this file.



I personally have never used this plugin, but the author is active in the Ruby community and I am sure he will answer all your questions.

+2



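The allow-list approach this answer describes, as an added example that is not code from the original question or from the safemode plugin. It parses the user script with Ripper (stdlib), rejects any method name or node kind that is not on an allow-list, and only then evaluates the script against a BasicObject that exposes nothing except an objects reader. The ScriptSandbox name, the contents of both allow-lists, the [:ok/:rejected/:error, ...] return shape and the idea of exposing the data as a method called objects are all assumptions made for the example. (For the $SAFE = 4 idea in the question: level 4 was removed in Ruby 2.1 and $SAFE itself in Ruby 3.0, so it is not available on current Rubies anyway.)

```ruby
require "ripper"

# Allow-list evaluator for user-supplied Ruby snippets (illustrative; not the
# safemode plugin's code). The script is parsed with Ripper, every method name
# and node kind is checked, and only a clean script is evaluated, inside a
# BasicObject that exposes nothing but `objects`.
module ScriptSandbox
  # Methods a script may call. Anything else (foo, eval, send, system,
  # require, instance_variable_get, ...) is rejected before any code runs.
  # The list is an assumption for this example; tune it to your use case.
  ALLOWED_METHODS = %w[
    objects inject reduce map select reject sum min max size first last to_a
    + - * / % == != < > <= >= ! -@
  ].freeze

  # Ripper node kinds that are harmless on their own: literals, calls, blocks,
  # block parameters, operators, conditionals. Anything not listed (def, class,
  # assignment, constants, globals, backticks, string interpolation, ...) is
  # rejected, so the check fails closed even where a Ruby version's tree differs.
  ALLOWED_NODES = %i[
    program void_stmt bodystmt paren
    method_add_block method_add_arg call fcall vcall command command_call
    brace_block do_block block_var params arg_paren args_add_block
    binary unary var_ref ifop if if_mod unless unless_mod else elsif
    array string_literal string_content symbol_literal symbol
    @ident @op @kw @int @float @period @tstring_content
  ].freeze

  # Object the script runs against: no Kernel, no Object methods, one reader.
  class Sandbox < ::BasicObject
    def initialize(objects)
      @objects = objects
    end

    def objects
      @objects
    end
  end

  # Returns human-readable violations; an empty list means the script is acceptable.
  def self.violations(src)
    tree = ::Ripper.sexp(src)          # nil on syntax error
    return ["syntax error"] if tree.nil?
    found = []
    check(tree, found)
    found.uniq
  end

  # Parse, check, and only then evaluate. Returns [:ok, value],
  # [:rejected, violations] or [:error, message] (runtime failure in the script).
  def self.run(src, objects)
    problems = violations(src)
    return [:rejected, problems] unless problems.empty?
    [:ok, Sandbox.new(objects).instance_eval(src, "user_script", 1)]
  rescue ::StandardError => e
    [:error, "#{e.class}: #{e.message}"]
  end

  # Walk the S-expression. Leaves are Strings (names), Integers (positions),
  # nil/false (absent parts); nodes are [type, *children].
  def self.check(node, found)
    case node
    when nil, true, false, ::String, ::Integer
      nil
    when ::Symbol
      found << "unexpected token: #{node}"   # bare operator outside :binary/:unary
    when ::Array
      return node.each { |child| check(child, found) } unless node.first.is_a?(::Symbol)
      type, *children = node
      found << "disallowed construct: #{type}" unless ALLOWED_NODES.include?(type)
      case type
      when :@ident, :@op, :@int, :@float, :@period, :@tstring_content
        nil                                  # plain leaf
      when :@kw                              # only true/false/nil; self, __method__ etc. rejected
        found << "disallowed keyword: #{children.first}" unless %w[true false nil].include?(children.first)
      when :vcall, :fcall, :command          # [:vcall, [:@ident, "foo", pos]], [:command, meth, args]
        check_method(children[0], found)
        children.drop(1).each { |c| check(c, found) }
      when :call, :command_call              # [:call, receiver, dot, [:@ident, "inject", pos], ...]
        check(children[0], found)
        check_method(children[2], found)
        children.drop(3).each { |c| check(c, found) }
      when :binary                           # [:binary, lhs, :+, rhs]
        check(children[0], found)
        check_method(children[1], found)
        check(children[2], found)
      when :unary                            # [:unary, :-@, operand]
        check_method(children[0], found)
        check(children[1], found)
      when :symbol                           # :foo can become a call: inject(:+), map(&:foo)
        check_method(children[0], found)
      else
        children.each { |c| check(c, found) }
      end
    end
  end

  # Method names arrive as a bare Symbol (:+, :-@) or a [:@ident/:@op, "name", pos] leaf.
  def self.check_method(n, found)
    name = n.is_a?(::Array) ? n[1].to_s : n.to_s
    found << "disallowed method: #{name}" unless ALLOWED_METHODS.include?(name)
  end
  private_class_method :check, :check_method
end

if __FILE__ == $PROGRAM_NAME
  p ScriptSandbox.run("objects.inject {|sum, n| sum + n }", [1, 2, 3])
  p ScriptSandbox.run("foo", [1, 2, 3])
  p ScriptSandbox.run('system("id")', [])
end
```

Two caveats a practitioner would want. First, parse-level allow-listing stops calls to foo, to Kernel methods and to constants such as File, but it does nothing about resource exhaustion (a script can still nest each over a large array or multiply huge integers), so run it under a timeout in a throwaway process with memory and CPU limits. Second, symbols count as method names here (inject(:+) passes, map(&:send) does not) because Ruby will happily turn a symbol argument into a call; forgetting that is a classic bypass in hand-rolled whitelists.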

The best lock in the world won't stop you from being robbed blind if you decide to give everyone in the world a key.



0
