I’m building a small Sinatra server which has one GET route called
/execute. It accepts a code parameter and runs the Ruby code from
that parameter using the sandboxed gem, returning a result in JSON.
# /app.rb
class MistressBase < Sinatra::Base
get '/execute' do
content_type :json
Oj.dump( {
'result' => safe { eval(URI.unescape(params[:code])) }
} )
end
end
# /config.ru
require 'sinatra/base'
require 'sandboxed'
require 'uri'
require 'oj'
require './app'
run MistressBase
When I run shotgun config.ru everything’s fine. If I go to and pass
something simple like http://localhost:9393/execute?code=70-1 I get
the expected JSON response of {"result":69}. However if I pass a
file-like string like
require%20'benchmark'%0A%0ABenchmark.measure%20%7B%20'a'%20*%201_000_000%20%7D%0A%0A
which is basically, this but URI.escapeed:
require 'benchmark'
Benchmark.measure { 'a' * 1_000_000 }
I get a ThreadError at /execute with the description of current thread not owner. I have attached the backtrace.
Also, setting code the parameter to /execute to something like 1 - 1 (encoded) gives me the same error while 1-1 doesn’t. What am I
missing? Why am I getting this error?