Forum: Ruby Server-side sandbox for running ruby scripts

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
Peter Szinek (Guest)
on 2006-04-17 01:48
(Received via mailing list)
Hello,

I would like to accomplish the following tasks:

The user writes some ruby code into a text field inside the browser,
clicks submit, the code travels to the server where it is evaluated and
the result is sent back and displayed.

The only problem with this can be on the server. E.g. if someone types
'format c:\' into the text field, well... you know what I mean. Maybe a
dumb example, but I am quite sure some h4ck3rs out there can do better
than this.

Basically I do not care whether this stuff is a (f)CGI, Rails or
something else, AJAX or not, my question is simply the following: Is it
possible to put a sufficiently large barricade around the evaluation code
on the server so that it is perfectly safe from attacks through
malicious code?
E.g. remove the 'require' keyword, I/O,... I really do not need much
there, basically some String ops, basic maths etc. Of course I can
specify the set of needed classes exactly (or the not needed ones,
whichever is easier to specify).

What do you think? Will it ever really be possible to say after some
modding that it will be 100% hackerproof?

Thanks,
Peter
Hal Fulton (Guest)
on 2006-04-17 01:54
(Received via mailing list)
Peter Szinek wrote:
> Hello,
>
> I would like to accomplish the following tasks:

This may be easier than you think.

Are you familiar with the $SAFE variable? If not,
it is your best friend here...


Hal
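The following is an added example, not code from this thread and not the $SAFE mechanism Hal points to (which Ruby 2.1 cut back to levels 0 and 1 and which Ruby 3.0 turned into an ordinary global with no sandboxing effect). It implements the allowlist Peter describes at the syntax level instead: the submitted snippet is parsed with Ripper from the standard library, every node of the parse tree is checked against a short allowlist, and only a named set of String/Integer methods may be called. Constants (File, Kernel, ObjectSpace, ...), bare calls (system, exit, require), backticks, blocks, loops and globals are refused before eval ever runs. The module name MiniSandbox, the method lists and the one-second time limit are choices made for this example.

```ruby
require 'ripper'
require 'timeout'

# Added example: a syntax-level allowlist in front of eval for "string ops and
# basic maths" snippets submitted by users. Not the thread's own code.
module MiniSandbox
  class Rejected < StandardError; end

  # Parse-tree node kinds that are harmless in themselves. Everything else
  # (fcall, vcall, command, xstring_literal, @const, @gvar, while, ...) is rejected.
  ALLOWED_NODES = %i[
    program void_stmt paren binary unary
    @int @float @tstring_content @kw @ident
    string_literal string_content string_embexpr
    call method_add_arg arg_paren args_add_block
    assign var_field var_ref
  ].freeze

  # Bare operator symbols that Ripper places inside :binary / :unary nodes.
  ALLOWED_OPERATORS = %i[+ - * / % ** == != < > <= >= <=> -@ +@ ! && ||].freeze

  # Methods the user may call on the values reachable here (strings, numbers and
  # the arrays split produces). send, eval, instance_eval, class, method, tap,
  # read, write etc. are deliberately absent.
  ALLOWED_METHODS = %w[
    upcase downcase capitalize swapcase reverse strip length size succ
    to_s to_i to_f abs even? odd? zero? include? start_with? end_with?
    split join first last
  ].freeze

  # Keywords allowed as values; self, __FILE__, __method__ etc. are rejected.
  ALLOWED_KEYWORDS = %w[true false nil].freeze

  module_function

  # Validates the snippet, then evaluates it in a fresh binding under a time limit.
  # Raises Rejected for anything outside the allowlist or on a syntax error.
  def run(code, time_limit: 1)
    tree = Ripper.sexp(code)          # nil when the snippet does not parse
    raise Rejected, 'syntax error' if tree.nil?
    check(tree)
    Timeout.timeout(time_limit) { eval(code, fresh_binding) }
  rescue Timeout::Error
    raise Rejected, 'time limit exceeded'
  end

  # True when run refuses the snippet; used by callers that only need a verdict.
  def rejected?(code)
    run(code)
    false
  rescue Rejected
    true
  end

  # Recursive walk over the Ripper.sexp tree.
  def check(node)
    case node
    when Array
      if node.first.is_a?(Symbol)
        check_node(node)
      else
        node.each { |child| check(child) }   # a list of statements or arguments
      end
    when Symbol
      raise Rejected, "disallowed operator: #{node}" unless ALLOWED_OPERATORS.include?(node)
    when String, Integer, NilClass, TrueClass, FalseClass
      # literal payloads, source positions and the trailing false of args_add_block
    else
      raise Rejected, "unexpected #{node.class} in parse tree"
    end
  end

  def check_node(node)
    kind = node.first
    raise Rejected, "disallowed syntax: #{kind}" unless ALLOWED_NODES.include?(kind)
    case kind
    when :call
      # [:call, receiver, separator, [:@ident, name, pos]]. The separator is
      # [:@period, ".", pos] on Ruby >= 2.6 and the symbol :"." before that,
      # so it is validated by shape here rather than walked.
      _, receiver, _sep, name = node
      unless name.is_a?(Array) && name[0] == :@ident && ALLOWED_METHODS.include?(name[1])
        raise Rejected, "disallowed method: #{name.inspect}"
      end
      check(receiver)
    when :@kw
      raise Rejected, "disallowed keyword: #{node[1]}" unless ALLOWED_KEYWORDS.include?(node[1])
    else
      node.drop(1).each { |child| check(child) }
    end
  end

  # A binding that holds nothing but what the snippet itself defines.
  def fresh_binding
    binding
  end
end
```

The walk rejects on node kind first, so `File.read(...)`, `` `id` ``, `system(...)`, `exit`, `$stdout.write(...)`, `"#{File.read(...)}"` and `while true; end` all fail validation before any evaluation happens, while `'hello'.upcase + '!'` or `x = 'ab'; x.reverse * 2` run normally. The allowlist is the whole security argument: every node kind or method added to it has to be re-examined. The timeout only bounds CPU time; memory (for example a very large string repetition) and other resource limits still belong at the process level (a separate worker process with OS-enforced limits), which is also where the evaluation should live so that a validator bug does not expose the web server itself.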
Peter Szinek (Guest)
on 2006-04-17 02:03
(Received via mailing list)
Hal Fulton wrote:
> Peter Szinek wrote:
>> Hello,
>>
>> I would like to accomplish the following tasks:
>
> This may be easier than you think.
>
> Are you familiar with the $SAFE variable? If not,
> it is your best friend here...
Thanks, I was looking *exactly* for this!

Cheers,
Peter