Forum: Ruby Embedding ruby

Peter Triller (Guest)
on 2006-04-06 18:23
(Received via mailing list)
Hi.

I am right now considering which scripting language to embed into my
server application, and Ruby seems to be a very good choice. But I have a
small problem. I need to limit the functions which are allowed to be
called from the scripts. For example no system() calls and no IO calls,
no sockets and things like that. Is there already something possible with
the standard Ruby, or would I have to remove unwanted packages manually
from the Ruby installation I would use with the application?


Thanks


Peter
Michael Greenly (mgreenly)
on 2006-04-06 19:21
Peter Triller (Guest)
on 2006-04-06 22:44
(Received via mailing list)
Michael Greenly wrote:

> check out http://www.rubycentral.com/book/taint.html

Thanks a lot. This seems to be what I need.

But ..

I did a few tests and the results were not exactly what I expected.

I want to have the code I get in a parsed form and not in a string form,
so I need to 'compile' it into functions.

something along the lines:


eval "$SAFE=4;
class Foo
            def bar()
" << userCode <<  "
             end
end
";


This wasn't working, so I read around in the docu:
"Can't define, redefine, remove, or undef a method in a nontainted class or module."


So I figured this would work:
userCode ="a = 3 + 4;";
class Foo
end
Foo.taint;
eval "$SAFE=4;
class Foo
            def bar()
" << userCode <<  "
             end
end
";

But it wasn't either.
I got a:
test.rb:11: (eval):2: extending class prohibited (SecurityError)


So is the docu wrong, or am I just reading it wrong?

Thanks


Peter
ts (Guest)
on 2006-04-07 09:39
(Received via mailing list)
>>>>> "P" == Peter Triller <p.triller@virtual-solution.de> writes:

P> this wasnt working. so I read around in the docu:
P> "Can't define, redefine, remove, or undef a method in a nontainted class
P> or module."

moulon% cat b.rb
#!/usr/bin/ruby
module A
end
A.taint

$SAFE = 4

user_code = '1 + 1'

eval <<-EOT
   def A.a
      #{user_code}
   end
EOT
A.a
#
# it will give an error : unsecure write
#
p A.a
moulon%

moulon% ./b.rb
./b.rb:19:in `write': Insecure operation `write' at level 4 (SecurityError)
	from ./b.rb:19
moulon%


Guy Decoux