Forum: Ruby Embedding ruby

Peter T. (Guest)
on 2006-04-06 20:23
(Received via mailing list)
Hi.

I am right now considering which scripting language to embed into my
server application, and Ruby seems to be a very good choice. But I have
a small problem. I need to limit the functions which are allowed to be
called from the scripts. For example no system() calls and no IO calls,
no sockets and things like that. Is there already something possible
with the standard Ruby, or would I have to remove unwanted packages
manually from the Ruby installation I would use with the application?


Thanks


Peter
Michael G. (Guest)
on 2006-04-06 21:21
Peter T. (Guest)
on 2006-04-07 00:44
(Received via mailing list)
Michael G. wrote:

>check out http://www.rubycentral.com/book/taint.html
>
Thanks a lot. This seems to be what I need.

But ..

I did a few tests and the results were not exactly what I expected.

I want to have the code I get in a parsed form and not in a string form,
so I need to 'compile' it into functions.

Something along the lines:


eval "$SAFE=4;
class Foo
  def bar()
" << userCode << "
  end
end
";


This wasn't working, so I read around in the docu:
"Can't define, redefine, remove, or undef a method in a nontainted class
or module."


So I figured this would work:
userCode = "a = 3 + 4;";
class Foo
end
Foo.taint;
eval "$SAFE=4;
class Foo
  def bar()
" << userCode << "
  end
end
";

But it wasn't either.
I got a:
test.rb:11: (eval):2: extending class prohibited (SecurityError)


So is the docu wrong, or am I just reading it wrong?

Thanks


Peter
ts (Guest)
on 2006-04-07 11:39
(Received via mailing list)
>>>>> "P" == Peter T. <removed_email_address@domain.invalid> writes:

P> This wasn't working, so I read around in the docu:
P> "Can't define, redefine, remove, or undef a method in a nontainted class
P> or module."

moulon% cat b.rb
#!/usr/bin/ruby
module A
end
A.taint

$SAFE = 4

user_code = '1 + 1'

eval <<-EOT
   def A.a
      #{user_code}
   end
EOT
A.a
#
# it will give an error : unsecure write
#
p A.a
moulon%

moulon% ./b.rb
./b.rb:19:in `write': Insecure operation `write' at level 4 (SecurityError)
	from ./b.rb:19
moulon%


Guy Decoux