Running IR in an isolated AppDomain

Ruby IronRuby
1

Hello,

I’m trying to add scripting capability to a wiki type web application
with
IronRuby. I want to run IR in a low trust environment with only access
to
variables provided in the scope. Those variables are helper objects
that
have access to local resources i.e. FS.

I’m able to create the AppDomain with restricted security, run IR in
that
AppDomain and use the helper objet from IR but I have a problem when
invoking a method of the helper object that has access to the file
system.

When I call my helper.GetFileContent() method (see below) from the IR
AppDomain I receive the following exception

Request for the permission of type
‘System.Security.Permissions.FileIOPermission, mscorlib,
Version=2.0.0.0,
Culture=neutral, PublicKeyToken=b77a5c561934e089’ failed

At some point I thought that maybe the code is being executed from the
IR
AppDomain so I added a check on the AppDomain Name and it is executing
in
the Main AppDomain not the IR AppDomain.

Does anyone have an idea why it is behaving like that?

Is this the expected behaviour?

Or do you have any tip to help me troubleshoot and find the root of
this?

Thank you;

Pascal Normandin

Here is my Helper class

public class Helper : MarshalByRefObject {

    public string GetFileContent() {

        var appDomainName = AppDomain.CurrentDomain.FriendlyName;

        StreamReader rdr = File.OpenText("C:\\test\\test.txt");

        return rdr.ReadToEnd();

    }

}

Here is How I create the ScriptRuntime in the AppDomain

    protected static ScriptRuntime CreateIronRubyRuntime()

    {

        // Setup the ruby engine in a Sandbox

        var rubySetup = Ruby.CreateRubySetup();



        rubySetup.Options["InterpretedMode"] = true;



        var runtimeSetup = new ScriptRuntimeSetup();

        runtimeSetup.LanguageSetups.Add(rubySetup);

        runtimeSetup.DebugMode = false;



        AppDomainSetup info = new AppDomainSetup();

        info.ApplicationBase = AppDomain.CurrentDomain.BaseDirectory

“\bin”;

        info.ApplicationName = "Wiki";



        PermissionSet ps1 = new PermissionSet(PermissionState.None);

        SecurityPermissionFlag flag =

SecurityPermissionFlag.SkipVerification |
SecurityPermissionFlag.Execution |
SecurityPermissionFlag.ControlAppDomain;

        ps1.AddPermission(new SecurityPermission(flag));



        AppDomain newDomain = AppDomain.CreateDomain("IR", null,

info,
ps1);

        ScriptRuntime runtime =

ScriptRuntime.CreateRemote(newDomain,
runtimeSetup);

        return runtime;

    }

Here is how I execute the IR script

            var rubyEngine = Ruby.GetEngine(runtime);

            ScriptScope scope = runtime.CreateScope();



            StringBuilder sb = new StringBuilder();

            scope.SetVariable("output", sb);

            Helper helper = new Helper();

            scope.SetVariable("helper", helper);



            ScriptSource source =

rubyEngine.CreateScriptSourceFromString(“output.append(helper.GetFileContent
())”);

            source.Execute(scope);
2

Adding this:

FileIOPermission f = new FileIOPermission(PermissionState.Unrestricted);
f.AllLocalFiles = FileIOPermissionAccess.Read;
f.Assert();

to GetFileContent method should make the SecurityException go away.

However, passing data out of the sandbox via StringBuilder won’t work.
StringBuilder is serializable and not MarshalByRefObject (MBRO). The
instance of StringBuilder created by the host is copied to the sandboxed
app domain, where it is filled with data. The instance the host created
will stay empty though. You need to use some MBRO, like StringWriter:

var sb = new StringBuilder();
var output = new StringWriter(sb);

ScriptSource source =
rubyEngine.CreateScriptSourceFromString(“output.write(helper.GetFileContent())”);

Console.WriteLine(sb);

Tomas

From: [email protected]
[mailto:[email protected]] On Behalf Of Pascal
Normandin
Sent: Saturday, October 03, 2009 8:57 AM
To: [email protected]
Subject: [Ironruby-core] Running IR in an isolated AppDomain

Hello,

I’m trying to add scripting capability to a wiki type web application
with IronRuby. I want to run IR in a low trust environment with only
access to variables provided in the scope. Those variables are helper
objects that have access to local resources i.e. FS.

I’m able to create the AppDomain with restricted security, run IR in
that AppDomain and use the helper objet from IR but I have a problem
when invoking a method of the helper object that has access to the file
system.

When I call my helper.GetFileContent() method (see below) from the IR
AppDomain I receive the following exception

Request for the permission of type
‘System.Security.Permissions.FileIOPermission, mscorlib,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089’
failed

At some point I thought that maybe the code is being executed from the
IR AppDomain so I added a check on the AppDomain Name and it is
executing in the Main AppDomain not the IR AppDomain.

Does anyone have an idea why it is behaving like that?
Is this the expected behaviour?
Or do you have any tip to help me troubleshoot and find the root of
this?

Thank you;
Pascal Normandin

Here is my Helper class

public class Helper : MarshalByRefObject {
    public string GetFileContent() {
        var appDomainName = AppDomain.CurrentDomain.FriendlyName;
        StreamReader rdr = File.OpenText("C:\\test\\test.txt");
        return rdr.ReadToEnd();
    }
}

Here is How I create the ScriptRuntime in the AppDomain

    protected static ScriptRuntime CreateIronRubyRuntime()
    {
        // Setup the ruby engine in a Sandbox
        var rubySetup = Ruby.CreateRubySetup();

        rubySetup.Options["InterpretedMode"] = true;

        var runtimeSetup = new ScriptRuntimeSetup();
        runtimeSetup.LanguageSetups.Add(rubySetup);
        runtimeSetup.DebugMode = false;

        AppDomainSetup info = new AppDomainSetup();
        info.ApplicationBase = AppDomain.CurrentDomain.BaseDirectory

  • “\bin<file:///\bin>”;
    info.ApplicationName = “Wiki”;

          PermissionSet ps1 = new PermissionSet(PermissionState.None);
      SecurityPermissionFlag flag =

SecurityPermissionFlag.SkipVerification |
SecurityPermissionFlag.Execution |
SecurityPermissionFlag.ControlAppDomain;
ps1.AddPermission(new SecurityPermission(flag));

        AppDomain newDomain = AppDomain.CreateDomain("IR", null,

info, ps1);

        ScriptRuntime runtime =

ScriptRuntime.CreateRemote(newDomain, runtimeSetup);

        return runtime;
    }

Here is how I execute the IR script

            var rubyEngine = Ruby.GetEngine(runtime);
            ScriptScope scope = runtime.CreateScope();

            StringBuilder sb = new StringBuilder();
            scope.SetVariable("output", sb);
            Helper helper = new Helper();
            scope.SetVariable("helper", helper);

            ScriptSource source =

rubyEngine.CreateScriptSourceFromString(“output.append(helper.GetFileContent())”);
source.Execute(scope);

3

Hello Tomas,

Thanks you for your quick response. The permission assert works very
well!

Regarding the StringBuilder you are right the host created instance
stays
empty so I had to do a scope.GetVariable(“output”);

To get another copy of the StringBuilder. I also felt this wasn’t so
neat
but didn’t know how to work around that. The StringWriter approach is
better but I always get a SEHException when using it.

Did you have any clue why?

Anyways I’ll work more on that later.

Thanks again

Pascal

From: [email protected]
[mailto:[email protected]] On Behalf Of Tomas M.
Sent: October-03-09 3:36 PM
To: [email protected]
Subject: Re: [Ironruby-core] Running IR in an isolated AppDomain

Adding this:

FileIOPermission f = new FileIOPermission(PermissionState.Unrestricted);

f.AllLocalFiles = FileIOPermissionAccess.Read;

f.Assert();

to GetFileContent method should make the SecurityException go away.

However, passing data out of the sandbox via StringBuilder won’t work.
StringBuilder is serializable and not MarshalByRefObject (MBRO). The
instance of StringBuilder created by the host is copied to the sandboxed
app
domain, where it is filled with data. The instance the host created will
stay empty though. You need to use some MBRO, like StringWriter:

var sb = new StringBuilder();

var output = new StringWriter(sb);

.

ScriptSource source =
rubyEngine.CreateScriptSourceFromString(“output.write(helper.GetFileContent(
))”);

.

Console.WriteLine(sb);

Tomas

From: [email protected]
[mailto:[email protected]] On Behalf Of Pascal
Normandin
Sent: Saturday, October 03, 2009 8:57 AM
To: [email protected]
Subject: [Ironruby-core] Running IR in an isolated AppDomain

Hello,

I’m trying to add scripting capability to a wiki type web application
with
IronRuby. I want to run IR in a low trust environment with only access
to
variables provided in the scope. Those variables are helper objects
that
have access to local resources i.e. FS.

I’m able to create the AppDomain with restricted security, run IR in
that
AppDomain and use the helper objet from IR but I have a problem when
invoking a method of the helper object that has access to the file
system.

When I call my helper.GetFileContent() method (see below) from the IR
AppDomain I receive the following exception

Request for the permission of type
‘System.Security.Permissions.FileIOPermission, mscorlib,
Version=2.0.0.0,
Culture=neutral, PublicKeyToken=b77a5c561934e089’ failed

At some point I thought that maybe the code is being executed from the
IR
AppDomain so I added a check on the AppDomain Name and it is executing
in
the Main AppDomain not the IR AppDomain.

Does anyone have an idea why it is behaving like that?

Is this the expected behaviour?

Or do you have any tip to help me troubleshoot and find the root of
this?

Thank you;

Pascal Normandin

Here is my Helper class

public class Helper : MarshalByRefObject {

    public string GetFileContent() {

        var appDomainName = AppDomain.CurrentDomain.FriendlyName;

        StreamReader rdr = File.OpenText("C:\\test\\test.txt");

        return rdr.ReadToEnd();

    }

}

Here is How I create the ScriptRuntime in the AppDomain

    protected static ScriptRuntime CreateIronRubyRuntime()

    {

        // Setup the ruby engine in a Sandbox

        var rubySetup = Ruby.CreateRubySetup();



        rubySetup.Options["InterpretedMode"] = true;



        var runtimeSetup = new ScriptRuntimeSetup();

        runtimeSetup.LanguageSetups.Add(rubySetup);

        runtimeSetup.DebugMode = false;



        AppDomainSetup info = new AppDomainSetup();

        info.ApplicationBase = AppDomain.CurrentDomain.BaseDirectory

"\bin <file:///\bin> ";

        info.ApplicationName = "Wiki";



        PermissionSet ps1 = new PermissionSet(PermissionState.None);

        SecurityPermissionFlag flag =

SecurityPermissionFlag.SkipVerification |
SecurityPermissionFlag.Execution |
SecurityPermissionFlag.ControlAppDomain;

        ps1.AddPermission(new SecurityPermission(flag));



        AppDomain newDomain = AppDomain.CreateDomain("IR", null,

info,
ps1);

        ScriptRuntime runtime =

ScriptRuntime.CreateRemote(newDomain,
runtimeSetup);

        return runtime;

    }

Here is how I execute the IR script

            var rubyEngine = Ruby.GetEngine(runtime);

            ScriptScope scope = runtime.CreateScope();



            StringBuilder sb = new StringBuilder();

            scope.SetVariable("output", sb);

            Helper helper = new Helper();

            scope.SetVariable("helper", helper);



            ScriptSource source =

rubyEngine.CreateScriptSourceFromString(“output.append(helper.GetFileContent
())”);

            source.Execute(scope);
4

You can write to standard output stream (just call Kernel#puts/print)
and redirect it. See Runtime.IO object.
Or you can provide method Write on your Helper class.

Tomas

From: [email protected]
[mailto:[email protected]] On Behalf Of Pascal
Normandin
Sent: Saturday, October 03, 2009 10:06 PM
To: [email protected]
Subject: Re: [Ironruby-core] Running IR in an isolated AppDomain

Hello Tomas,

Thanks you for your quick response. The permission assert works very
well!

Regarding the StringBuilder you are right the host created instance
stays empty so I had to do a scope.GetVariable(“output”);
To get another copy of the StringBuilder. I also felt this wasn’t so
neat but didn’t know how to work around that. The StringWriter approach
is better but I always get a SEHException when using it.

Did you have any clue why?

Anyways I’ll work more on that later.
Thanks again
Pascal

From: [email protected]
[mailto:[email protected]] On Behalf Of Tomas M.
Sent: October-03-09 3:36 PM
To: [email protected]
Subject: Re: [Ironruby-core] Running IR in an isolated AppDomain

Adding this:

FileIOPermission f = new FileIOPermission(PermissionState.Unrestricted);
f.AllLocalFiles = FileIOPermissionAccess.Read;
f.Assert();

to GetFileContent method should make the SecurityException go away.

However, passing data out of the sandbox via StringBuilder won’t work.
StringBuilder is serializable and not MarshalByRefObject (MBRO). The
instance of StringBuilder created by the host is copied to the sandboxed
app domain, where it is filled with data. The instance the host created
will stay empty though. You need to use some MBRO, like StringWriter:

var sb = new StringBuilder();
var output = new StringWriter(sb);

ScriptSource source =
rubyEngine.CreateScriptSourceFromString(“output.write(helper.GetFileContent())”);

Console.WriteLine(sb);

Tomas

From: [email protected]
[mailto:[email protected]] On Behalf Of Pascal
Normandin
Sent: Saturday, October 03, 2009 8:57 AM
To: [email protected]
Subject: [Ironruby-core] Running IR in an isolated AppDomain

Hello,

I’m trying to add scripting capability to a wiki type web application
with IronRuby. I want to run IR in a low trust environment with only
access to variables provided in the scope. Those variables are helper
objects that have access to local resources i.e. FS.

I’m able to create the AppDomain with restricted security, run IR in
that AppDomain and use the helper objet from IR but I have a problem
when invoking a method of the helper object that has access to the file
system.

When I call my helper.GetFileContent() method (see below) from the IR
AppDomain I receive the following exception

Request for the permission of type
‘System.Security.Permissions.FileIOPermission, mscorlib,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089’
failed

At some point I thought that maybe the code is being executed from the
IR AppDomain so I added a check on the AppDomain Name and it is
executing in the Main AppDomain not the IR AppDomain.

Does anyone have an idea why it is behaving like that?
Is this the expected behaviour?
Or do you have any tip to help me troubleshoot and find the root of
this?

Thank you;
Pascal Normandin

Here is my Helper class

public class Helper : MarshalByRefObject {
    public string GetFileContent() {
        var appDomainName = AppDomain.CurrentDomain.FriendlyName;
        StreamReader rdr = File.OpenText("C:\\test\\test.txt");
        return rdr.ReadToEnd();
    }
}

Here is How I create the ScriptRuntime in the AppDomain

    protected static ScriptRuntime CreateIronRubyRuntime()
    {
        // Setup the ruby engine in a Sandbox
        var rubySetup = Ruby.CreateRubySetup();

        rubySetup.Options["InterpretedMode"] = true;

        var runtimeSetup = new ScriptRuntimeSetup();
        runtimeSetup.LanguageSetups.Add(rubySetup);
        runtimeSetup.DebugMode = false;

        AppDomainSetup info = new AppDomainSetup();
        info.ApplicationBase = AppDomain.CurrentDomain.BaseDirectory

  • “\bin<file:///\bin>”;
    info.ApplicationName = “Wiki”;

          PermissionSet ps1 = new PermissionSet(PermissionState.None);
      SecurityPermissionFlag flag =

SecurityPermissionFlag.SkipVerification |
SecurityPermissionFlag.Execution |
SecurityPermissionFlag.ControlAppDomain;
ps1.AddPermission(new SecurityPermission(flag));

        AppDomain newDomain = AppDomain.CreateDomain("IR", null,

info, ps1);

        ScriptRuntime runtime =

ScriptRuntime.CreateRemote(newDomain, runtimeSetup);

        return runtime;
    }

Here is how I execute the IR script

            var rubyEngine = Ruby.GetEngine(runtime);
            ScriptScope scope = runtime.CreateScope();

            StringBuilder sb = new StringBuilder();
            scope.SetVariable("output", sb);
            Helper helper = new Helper();
            scope.SetVariable("helper", helper);

            ScriptSource source =

rubyEngine.CreateScriptSourceFromString(“output.append(helper.GetFileContent())”);
source.Execute(scope);