I'm building a small Sinatra server which has one GET route called `/execute`. It accepts a `code` parameter and runs the Ruby code from that parameter using the `sandboxed` gem, returning a result in JSON.
```ruby
# /app.rb
class MistressBase < Sinatra::Base
  get '/execute' do
    content_type :json
    # Decode the code parameter, run it inside the sandboxed gem's `safe` block,
    # and return the result as JSON.
    Oj.dump( {
      'result' => safe { eval(URI.unescape(params[:code])) }
    } )
  end
end
```

```ruby
# /config.ru
require 'sinatra/base'
require 'sandboxed'
require 'uri'
require 'oj'
require './app'

run MistressBase
```
When I run `shotgun config.ru` everything's fine. If I go to it and pass something simple like `http://localhost:9393/execute?code=70-1` I get the expected JSON response of `{"result":69}`. However, if I pass a file-like string like

```
require%20'benchmark'%0A%0ABenchmark.measure%20%7B%20'a'%20*%201_000_000%20%7D%0A%0A
```

which is basically this, but `URI.escape`d:

```ruby
require 'benchmark'

Benchmark.measure { 'a' * 1_000_000 }
```

I get a `ThreadError at /execute` with the description `current thread not owner`. I have attached the backtrace.

Also, setting the `code` parameter to `/execute` to something like `1 - 1` (encoded) gives me the same error, while `1-1` doesn't. What am I missing? Why am I getting this error?
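To narrow down where the error comes from, the following added example (not the asker's code) decodes the question's own query strings the way a Rack-based framework fills `params[:code]` and evaluates them in the current thread without the `sandboxed` gem; if these run cleanly, the `ThreadError` is being raised inside the sandbox wrapper rather than by decoding or `eval` itself. `decode_code_param`, `plain_eval` and the `QUERIES` table are names chosen here and are not part of Sinatra or `sandboxed`.

```ruby
require 'uri'
require 'benchmark'

# Constructed sample query strings, taken from the URLs in the question.
QUERIES = {
  'simple'    => 'code=70-1',
  'spaced'    => 'code=1%20-%201',
  'multiline' => "code=require%20'benchmark'%0A%0A" \
                 "Benchmark.measure%20%7B%20'a'%20*%201_000_000%20%7D%0A%0A",
}.freeze

# Decode a query string once, as Rack does before Sinatra exposes params[:code]:
# %XX sequences become bytes and '+' becomes a space.
def decode_code_param(query)
  URI.decode_www_form(query).to_h.fetch('code')
end

# Evaluate the decoded snippet directly in the calling thread, with no sandbox,
# so a failure here would point at decoding or the snippet, not at `sandboxed`.
def plain_eval(query)
  eval(decode_code_param(query))
end

if __FILE__ == $PROGRAM_NAME
  QUERIES.each do |name, query|
    puts "#{name}: #{decode_code_param(query).inspect} => #{plain_eval(query).inspect}"
  end
end
```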