Hi, I'm currently hosting IronRuby within a C# Application. Is there any way to validate the IronRuby scripts that will be invoked by the DLR? For example I'd like to prevent users from executing scripts that include the "require" statement or an impersonation statement... Any ideas? thx Thorsten
on 2010-08-12 12:14
on 2010-08-12 17:59
I just recently had the same question in mind - how could one sandbox IronRuby? I'd imagine that .NET's built-in security model could be used to prevent the app from accessing the file system, P/Invoking, etc; however, I don't know if the security model is fine grained enough to apply to just a particular AppDomain. If it it is, then you could probably use IronRuby's built-in method for running scripts in another AppDomain - one that's locked down. I'm sort of ignorant in this area though, so I can't really help that much. Hopefully someone smarter than myself will chime in. -Charles
on 2010-08-12 18:05
We have a sandboxing mechanism - we rely on CLR's AppDomains:
http://blogs.msdn.com/b/shawnfa/archive/2005/08/08/449050.aspx
You can use this API in conjunction with
ScriptRuntime.CreateRemote(appDomain, setup) DLR Hosting API.
I wouldn't even try to do any source code analysis to ensure security
rules if I were you. You'd be doomed to failure. For example, consider
this script
string my_script = @"x, y = 'u', 'b'; eval(\"req#{x}uire
#{y}ad_script\")"
how do you analyze that? (Not that it would be completely impossible to
do so in this particular case, but you get the point.)
Tomas
From: ironruby-core-bounces@rubyforge.org
[mailto:ironruby-core-bounces@rubyforge.org] On Behalf Of Dody
Gunawinata
Sent: Thursday, August 12, 2010 3:17 AM
To: ironruby-core@rubyforge.org
Subject: Re: [Ironruby-core] Script Validation
Regex and filter it. I don't think the DLR has a sandbox mechanism for
this.
On Thu, Aug 12, 2010 at 12:57 PM, Thorsten Hans
<thorsten.hans@gmail.com<mailto:thorsten.hans@gmail.com>> wrote:
Hi,
I'm currently hosting IronRuby within a C# Application. Is there any way
to validate the IronRuby scripts that will be invoked by the DLR?
For example I'd like to prevent users from executing scripts that
include the "require" statement or an impersonation statement...
Any ideas?
thx
Thorsten
Enable email notification
Enable multi-page viewPlease log in before posting. Registration is free and takes only a minute.
Existing account
(Switch to SSL-encrypted connection)
NEW: Do you have a Google/GoogleMail or Yahoo account? No registration required!
Log in with Google account | Log in with Yahoo account
Log in with Google account | Log in with Yahoo account
No account? Register here.