Sandbox options?

Ruby
1

I’m interesting in providing my clients the ability to upload
expressions that I can evaluate to determine the values of various
components of some business calculations. Eval’ing the expressions is
the simplest solution, but it’s of course unsafe. Can anyone help me
flesh out my list of options:

  1. Why’s sandbox, which has been forked on github but doesn’t seem to
    be undergoing ongoing maintenance:
    GitHub - Sophrinix/sandbox: freaky-freaky security and multiplicity of ruby interps, and thus will probably be a
    problem once ruby-1.9 rolls around

  2. Write my own parser and interpreter - any ruby libraries that would
    be particularly helpful in this regard?

  3. Marshal the binding and the expression out to a javascript or other
    safe interpreter for evaluation

  4. Require the expressions to be blessed by trustees before being
    evaluated

Any other suggestions?

  • donald
2

On Thu, Jan 28, 2010 at 3:15 PM, Donald B. [email protected]
wrote:

I wouldn’t call that production software yet. I will add that to the
readme to night.
Not that it is unstable, but rather that I haven’t tested it as much
as I need to.

  1. Write my own parser and interpreter - any ruby libraries that would
    be particularly helpful in this regard?

On TryRuby I am using FakeFS to handle any File related operations,
and there is a bit of a sandbox built into that code.

Infact, running a copy of try ruby wouldn’t be a bad idea.
As long as you know how load a ruby cgi file in apache/your favorite
web browser.

Another approach could be hotruby (which runs entirely client side in
javascript)

  • donald

Andrew McElroy
TryRuby.org