Embedding Ruby


#1

Hi.

I am right now considering which scripting language to embed into my server application, and Ruby seems to be a very good choice. But I have a small problem. I need to limit the functions which are allowed to be called from the scripts. For example no system() calls and no IO calls, no sockets and things like that. Is there already something possible with the standard Ruby, or would I have to remove unwanted packages manually from the Ruby installation I would use with the application?

Thanks

Peter


#2

check out http://www.rubycentral.com/book/taint.html


#3

Michael G. wrote:

check out http://www.rubycentral.com/book/taint.html

Thanks a lot. This seems to be what I need.

But …

I did a few tests and the results were not exactly what I expected.

I want to have the code I get in a parsed form and not in a string form,
so I need to ‘compile’ it into functions.

something along the lines:

eval "$SAFE=4;
class Foo
def bar()
" << userCode << "
end
end
";

This wasn't working, so I read around in the docu:
"Can't define, redefine, remove, or undef a method in a nontainted class
or module."

so I figured this would work:
userCode = "a = 3 + 4;";
class Foo
end
Foo.taint;
eval "$SAFE=4;
class Foo
def bar()
" << userCode << "
end
end
";

but it wasn’t either.
I got a:
test.rb:11: (eval):2: extending class prohibited (SecurityError)

So is the docu wrong, or am I just reading it wrong?

Thanks

Peter


#4

"P" == Peter T. removed_email_address@domain.invalid writes:

P> This wasn't working, so I read around in the docu:
P> "Can't define, redefine, remove, or undef a method in a nontainted class
P> or module."

moulon% cat b.rb
#!/usr/bin/ruby
module A
end
A.taint

$SAFE = 4

user_code = '1 + 1'

eval <<-EOT
def A.a
#{user_code}
end
EOT
A.a

# it will give an error : unsecure write

p A.a
moulon%

moulon% ./b.rb
./b.rb:19:in `write': Insecure operation `write' at level 4 (SecurityError)
        from ./b.rb:19
moulon%

Guy Decoux
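The $SAFE levels and taint that this thread relies on are gone from current Ruby ($SAFE level 4 was removed in 2.1, $SAFE became an ordinary global in 3.0, and Object#taint was removed in 3.2), so the following is an added example, not code from the thread, showing one way to approach Peter's original question today: a static allowlist check with the stdlib Ripper parser that refuses a script before the server ever hands it to eval. The allowlist contents, the node denylist and the check_user_code/collect_locals/walk functions are assumptions of this example; it is a pre-filter, not an isolation boundary, so the script should still run in a separate process with OS-level limits.

```ruby
require "ripper"

# Method names the embedded script is permitted to call (assumed allowlist
# for this example; extend it per application).
ALLOWED_METHODS = %w[abs round floor ceil to_s to_i to_f upcase downcase
                     reverse length].freeze
# Node types refused outright: constants (File, IO, Kernel, ...), globals
# ($SAFE, $stdout), instance/class variables, backticks, and code definitions.
DENIED_NODES = %i[@const @gvar @ivar @cvar @backref xstring_literal
                  def defs class module sclass alias undef].freeze
DENIED_KEYWORDS = %w[self super yield __FILE__ __LINE__ __ENCODING__ BEGIN END].freeze

# Returns nil when the script passes, else a string naming the first violation.
def check_user_code(src)
  tree = Ripper.sexp(src)          # nil on syntax error
  return "syntax error" if tree.nil?
  locals = []
  collect_locals(tree, locals)     # names assigned with `x = ...`
  walk(tree, locals)
end

# First pass: every local assigned in the script is a permitted identifier.
def collect_locals(node, locals)
  return unless node.is_a?(Array)
  if node[0] == :var_field && node[1].is_a?(Array) && node[1][0] == :@ident
    locals << node[1][1]
  end
  node.each { |child| collect_locals(child, locals) }
end

# Second pass: an identifier that is neither a local nor an allowed method name
# is refused; this also covers send/const_get/eval indirection and :system symbols.
def walk(node, locals)
  return nil unless node.is_a?(Array)
  type = node[0]
  return "#{type} is not allowed" if DENIED_NODES.include?(type)
  if type == :@kw && DENIED_KEYWORDS.include?(node[1])
    return "keyword #{node[1]} is not allowed"
  end
  if type == :@ident && !locals.include?(node[1]) && !ALLOWED_METHODS.include?(node[1])
    return "identifier #{node[1]} is not allowed"
  end
  node.each do |child|
    err = walk(child, locals)
    return err if err
  end
  nil
end
```

With this in place, Peter's `a = 3 + 4` passes while `system('ls')`, `File.read(...)` and backtick commands are refused by name before any eval runs.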