Class: Rubel::Runtime::Sandbox

Inherits:
BasicObject
Includes:
Core
Defined in:
lib/rubel/runtime/sandbox.rb

Overview

Sandbox is the default runtime for production environments. It has some basic protection against ruby code injection.

Sandbox is a BasicObject so it lives outside the default namespace. To access outside classes and modules you are forced to use “::” as namespace.

Examples:

Extending Runtime::Sandbox


class MySandbox < Rubel::Runtime::Sandbox
  include ::MyModule::MyClass

  def hello_world
    ::Kernel.puts "hello world"
  end

  def create_blog_post
     ::BlogPost.create(:title => 'hello world')
  end
end

Protection against ruby injection:


r = Rubel::Runtime::Sandbox.new
r.execute lambda { system('say hello') }              # NoMethodError 'system'
r.execute lambda { Object.new.system('say hello') }   # Constant Object not found

Protection against ruby injection does not work in this case:

r.execute lambda { ::Object.new.system('say hello') }
# However, passing query as String does basic string sanitizing
r.execute "::Object.new.system('say hello')"
# This can be circumvented:
r.execute "#{(':'+':'+'Object').constantize.new.system('say hello')"

# If you have rubel functions that use instance_eval for objects.
r.execute lambda { MAP([0.1234, 2.12], "round(1) * 3.0; system('say hello);") }

Instance Method Summary collapse

Methods included from Core

#execute, #method_missing, #sanitized_proc

Dynamic Method Handling

This class handles dynamic methods through the method_missing method in the class Rubel::Core

Instance Method Details

#lambda(&block) ⇒ Object

make -> {} and lambda {} work when included as BasicObject



47
48
49
 
# File 'lib/rubel/runtime/sandbox.rb', line 47

def lambda(&block)
  ::Kernel.lambda(&block)
end

#puts(str) ⇒ Object 



51
52
53
 
# File 'lib/rubel/runtime/sandbox.rb', line 51

def puts(str)
  ::Kernel.puts(str)
end

#sanitize!(string) ⇒ Object 



55
56
57
 
# File 'lib/rubel/runtime/sandbox.rb', line 55

def sanitize!(string)
  string.gsub!('::', '')
end