Execute ruby entered in view in controller


#1

Hi,
I have a requirement where a user could enter ruby scripts in the view
(typically a text area) and the controller should pick this text on
submit and execute the script (content of text area) line by line.

How should I do it in rails?

Thanks,
Sudhi


#2

On 21 Feb 2009, at 12:37, Sudhi K. wrote:

Hi,
I have a requirement where a user could enter ruby scripts in the view
(typically a text area) and the controller should pick this text on
submit and execute the script (content of text area) line by line.

How should I do it in rails?

Well you could just use eval, but that sounds like an incredibly bad
idea security wise.

Fred


#3

Frederick C. wrote:

On 21 Feb 2009, at 12:37, Sudhi K. wrote:

Hi,
I have a requirement where a user could enter ruby scripts in the view
(typically a text area) and the controller should pick this text on
submit and execute the script (content of text area) line by line.

How should I do it in rails?

Well you could just use eval, but that sounds like an incredibly bad
idea security wise.

Fred

I did try ‘eval @test.script’ where the script was filled in
@test.script, but that does not work. Is there a safe way of handling
execution errors that can occur when executing scripts?


#4

On Feb 21, 6:51 pm, Matt J. removed_email_address@domain.invalid wrote:

+1 to Fred’s comment about security - there are some solutions that can
mitigate the security problems, but eval’ing code sent from the web is a
BAD IDEA. If you have any user access control in your system, this can
get around it.

There are a couple things you might be interested in:

One thing I’ve been thinking recently is that jruby might be neat for
this, assuming you can just lean on Java’s security stuff (no idea if
you can).

Fred


#5

Frederick C. wrote:

On Feb 21, 6:51 pm, Matt J. removed_email_address@domain.invalid wrote:

+1 to Fred’s comment about security - there are some solutions that can
mitigate the security problems, but eval’ing code sent from the web is a
BAD IDEA. If you have any user access control in your system, this can
get around it.

There are a couple things you might be interested in:

One thing I’ve been thinking recently is that jruby might be neat for
this, assuming you can just lean on Java’s security stuff (no idea if
you can).

Fred

Thanks for the inputs. Yes, there could be some security implications
with this, but is there a neat way of, say, providing a tool which
provides the user a way to control script execution on the server? Also,
the flexibility of ordering scripts is important; that is why a
full-fledged ruby editor is required on the browser. Is there any view
plugin which can accept ruby scripts?


#6

On Feb 21, 8:31 am, Sudhi K. removed_email_address@domain.invalid
wrote:

Well you could just use eval, but that sounds like an incredibly bad
idea security wise.

Fred

I did try ‘eval @test.script’ where the script was filled in
@test.script, but that does not work. Is there a safe way of handling
execution errors that can occur when executing scripts?

+1 to Fred’s comment about security - there are some solutions that can
mitigate the security problems, but eval’ing code sent from the web is a
BAD IDEA. If you have any user access control in your system, this can
get around it.

There are a couple things you might be interested in:

  • _why’s Sandbox class. It’s mostly a proof of concept, but it might
    have some ideas. Note that while it can keep some bad things from
    happening, you’ll still need to give the sandboxed code access to
    the DB (that is why you’re evaling Ruby from the web, right?)

  • at the very least, some kind of usage of $SAFE, which could protect
    your environment a little. But then you’ve got threading problems…

  • if you just want a console-like environment, Kawaii
    (http://github.com/eviltrout/kawaii) might save you from
    re-inventing the wheel.

Finally, to answer your actual question, you’d use a rescue clause to
catch execution errors. Check your favorite Ruby reference for more
details.

–Matt J.
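An added example, not code from the thread, from Rails, or from any of the tools named above, that puts Fred's warning in #2 and Matt's advice in #6 (the rescue clause, and why a sandbox around eval is not enough) side by side in plain Ruby. It shows eval with a rescue clause, the naive BasicObject "sandbox" people usually try next and the one-token escape from it, and an allowlist interpreter that never hands the user's text to eval at all. The function names, the tiny expression grammar the interpreter accepts and the sample scripts are all assumptions made for this example.

```ruby
# Added example, not code from the thread or from Rails. Stdlib only.
require "ripper"

# 1. What Fred warns against: eval the text, rescue what goes wrong.
#    SyntaxError is a ScriptError, not a StandardError, so a bare
#    `rescue => e` would let a malformed script blow up the request.
def run_with_eval(script)
  [:ok, eval(script, TOPLEVEL_BINDING)]
rescue SyntaxError, StandardError => e
  [:error, e.class.name, e.message]
end

# 2. The "sandbox" people reach for next: instance_eval on a BasicObject so
#    the script sees no methods. Implicit-receiver calls do fail, but a
#    leading :: resolves constants from Object, so ::Kernel, ::File or any
#    model class is one token away. It stops nothing.
class NaiveSandbox < BasicObject
  def run(script)
    instance_eval(script)
  end
end

def run_in_naive_sandbox(script)
  [:ok, NaiveSandbox.new.run(script)]
rescue SyntaxError, StandardError => e
  [:error, e.class.name, e.message]
end

# 3. Do not execute Ruby at all. Parse with Ripper, accept only a tiny
#    expression grammar (integer/float literals, local variables, + - * / %)
#    and walk the tree yourself. Method calls, constants, globals, strings,
#    backticks and interpolation are rejected before anything runs. The
#    grammar is an assumption for the example; a real tool would also add a
#    timeout and an operand size limit against resource exhaustion.
ALLOWED_NODES = %i[program void_stmt assign var_field var_ref @ident @int
                   @float binary unary paren].freeze
ALLOWED_OPS = %i[+ - * / % -@].freeze

class ScriptRejected < StandardError; end

# Ripper.sexp gives nested arrays [type, child, ...]; a child is a sub-tree,
# a bare operator symbol, a token string, or a [line, column] position.
def check_tree(node)
  type, *children = node
  raise ScriptRejected, "disallowed syntax: #{type}" unless ALLOWED_NODES.include?(type)
  children.each do |child|
    case child
    when Symbol
      raise ScriptRejected, "disallowed operator: #{child}" unless ALLOWED_OPS.include?(child)
    when Array
      if child.first.is_a?(Symbol)
        check_tree(child)                      # sub-tree
      elsif !child.all? { |x| x.is_a?(Integer) }
        child.each { |stmt| check_tree(stmt) } # statement list
      end                                      # else: [line, column]
    end
  end
end

# A statement list evaluates to its last statement; a single node to itself.
def eval_list(list, env)
  list.first.is_a?(Symbol) ? eval_tree(list, env) : list.map { |n| eval_tree(n, env) }.last
end

def eval_tree(node, env)
  type, *rest = node
  case type
  when :program, :paren then eval_list(rest[0], env)
  when :void_stmt       then nil
  when :assign          then env[rest[0][1][1]] = eval_tree(rest[1], env) # var_field -> @ident -> name
  when :var_ref         then env.fetch(rest[0][1]) { |n| raise NameError, "undefined variable #{n}" }
  when :@int            then Integer(rest[0])
  when :@float          then Float(rest[0])
  when :binary          then eval_tree(rest[0], env).public_send(rest[1], eval_tree(rest[2], env))
  when :unary           then eval_tree(rest[1], env).public_send(rest[0])
  end
end

# Validate first, then interpret; runtime errors (e.g. ZeroDivisionError)
# come back as data instead of propagating into the controller.
def run_checked(script)
  tree = Ripper.sexp(script)
  return [:error, "SyntaxError", "could not parse script"] if tree.nil?
  check_tree(tree)
  [:ok, eval_tree(tree, {})]
rescue StandardError => e
  [:error, e.class.name, e.message]
end

if __FILE__ == $PROGRAM_NAME
  p run_in_naive_sandbox("::Kernel.format('%x', 255)") # the sandbox is escaped
  p run_checked("x = 2 * (3 + 4); x % 5")              # evaluated without eval
  p run_checked("::Kernel.format('%x', 255)")          # rejected before running
end
```

The third approach only works because it refuses the original requirement: it runs a language the server defines, not Ruby. If the scripts genuinely need arbitrary Ruby plus database access, as the thread assumes, there is no allowlist that keeps a user from doing whatever the application's own credentials can do, and a process-level boundary (a separate worker with its own restricted credentials, a timeout and memory limits) is the minimum. $SAFE, mentioned above, is no longer a protection in current Ruby: it was demoted to an ordinary global variable in Ruby 3.0.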