Safe Ruby
Safe Ruby provides a way to run untrusted ruby code outside of the current process in a safe environment. Creating this environment is largery based on jruby sandbox, allowlisting the methods one can use on potentially dangerous classes. Constants are also allowlisted, eliminating some core ruby functionality such as spawning another process.
Getting Started
Run gem install safe_ruby
in your terminal, then require 'safe_ruby'
in your app and you're ready to go.
Examples
Evaluating ruby code
SafeRuby.eval('[1,2,3].map{ |n| n + 1 }') #=> [2, 3, 4]
SafeRuby.eval('system("rm *")') #=> system is unavailable
SafeRuby.eval('Kernel.abort') #=> undefined method `abort' for Kernel:Module
Default timeout for evaluating is 5 seconds, but this can be specified.
SafeRuby.eval('loop{}') #<ChildProcess::TimeoutError: process still alive after 5 seconds>
SafeRuby.eval('loop{}', timeout: 1) #<ChildProcess::TimeoutError: process still alive after 1 seconds>
This library was built for a codeacademy-style tutoring app, so checking answers is built into the SafeRuby class
SafeRuby.check('[1,2,3].map{ |n| n + 1 }', '[2,3,4]') #=> true
In this example, the second argument(expected answer) can also be untrusted, it will be run safely.