Forum: Ruby on Rails Force ERB templates to prevent making changes to models?

Jesse P. (Guest)
on 2008-11-06 02:48
I want to build a system where I can let users write templates that
allow read access to Rails objects within and then send these templates
out to customers via email.  The problem I'm having is that through my
tests, it's become obvious that this can create a security risk.

Example: A customer could put text into their template such as:

@customers = Customer.find(:all)
@customers.each do |c|
  c.destroy
end

inside the ERB template and when I call it to render the results like
this:

# Render Template
@text = ERB.new(lbt.body_content).result(binding)

It will execute the above command and erase all the customers from the
database.

All I really want people to be able to do is parse variables I hand into
the template, not actually load Rails objects and make changes.  That
way I can specify and pre-populate what they have access to and plug
that security issue.

Does anyone know the best way to do this?  I'm assuming there are other
ERB commands I can use to render, but I can't seem to find them.

Thanks

- Jesse
Frederick C. (Guest)
on 2008-11-06 12:25
(Received via mailing list)
On 6 Nov 2008, at 00:48, Jesse P. wrote:

> I want to build a system where I can let users write templates that
> allow read access to Rails objects within and then send these templates
> out to customers via email.  The problem I'm having is that through my
> tests, it's become obvious that this can create a security risk.

Have a look at liquid templates (http://www.liquidmarkup.org/) , they
were designed with that in mind.

Fred
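To make the distinction between the two replies concrete, here is an added example that is not code from either poster. It puts the ERB-with-`binding` rendering from the question beside a data-only renderer of the kind Fred is pointing at. `Customer` is a constructed stand-in for the Rails model (it counts `destroy` calls instead of touching a database), and `render_safe` is a hypothetical minimal placeholder substituter, not the Liquid gem itself; Liquid does the same thing with a larger, still code-free, tag and filter set.

```ruby
require 'erb'

# Constructed stand-in for the Rails model in the question. It counts destroy
# calls instead of deleting rows, so we can observe whether a template reached it.
class Customer
  @destroyed = 0
  class << self
    attr_accessor :destroyed

    def find(*_args)
      [new]
    end
  end

  def destroy
    self.class.destroyed += 1
  end
end

# The approach from the question. ERB compiles the template into Ruby and runs it
# against the caller's binding, so the template can reach any constant or method
# the calling code can. `vars` is only what the author intended to expose; it
# does not limit what the template may do.
def render_erb(body, vars)
  ERB.new(body).result(binding)
end

# Data-only rendering (hypothetical helper, not the Liquid gem). The template
# text is never handed to Ruby's evaluator; the only thing recognised is a
# {{ key }} or {{ key.subkey }} placeholder, resolved by hash lookup in the data
# the caller supplies. Method calls and class names simply have no meaning here.
PLACEHOLDER = /\{\{\s*([A-Za-z_][\w.]*)\s*\}\}/

class UnknownPlaceholder < StandardError; end

def render_safe(body, vars)
  body.gsub(PLACEHOLDER) do
    path = Regexp.last_match(1).split('.')
    value = path.reduce(vars) do |scope, key|
      unless scope.is_a?(Hash) && scope.key?(key)
        raise UnknownPlaceholder, "no such variable: #{path.join('.')}"
      end
      scope[key]
    end
    value.to_s
  end
end

if $PROGRAM_NAME == __FILE__
  data = { 'customer' => { 'name' => 'Ada' } }
  puts render_safe('Hello {{ customer.name }}', data)
  # A template that tries to name a class is rejected instead of executed.
  begin
    render_safe('{{ Customer.find }}', data)
  rescue UnknownPlaceholder => e
    puts "rejected: #{e.message}"
  end
  # ERB tags are just literal text to the safe renderer.
  puts render_safe('<% Customer.find(:all).each(&:destroy) %>', data)
  puts "customers destroyed: #{Customer.destroyed}"
end
```

Unknown placeholders raise rather than rendering empty so that a typo in a template surfaces during a preview rather than silently going out in an email; rendering them as empty strings is the other reasonable choice. The important property is the one `render_erb` lacks: the set of things a template can touch is exactly the hash you pass in.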