Class: Shikashi::Privileges

Inherits:

Object

• Object
• Shikashi::Privileges

Defined in:

lib/shikashi/privileges.rb,
lib/shikashi/privileges/classes.rb,
lib/shikashi/privileges/exceptions.rb,
lib/shikashi/privileges/singleton_methods.rb

Overview

The Privileges class represent permissions about methods and objects

Defined Under Namespace

Classes: AllowedMethods

Instance Method Summary

• #allow?(klass, recv, method_name, method_id) ⇒ Boolean
• #allow_class_definitions ⇒ Object

  Defines the permissions needed to declare classes within the sandbox.

• #allow_const_read(*varnames) ⇒ Object

  Enables the permissions needed to read one or more constants.

• #allow_const_write(*varnames) ⇒ Object

  Enables the permissions needed to create or change one or more constants.

• #allow_exceptions ⇒ Object

  Define the permissions needed to raise exceptions within the sandbox.

• #allow_global_read(*varnames) ⇒ Object

  Enables the permissions needed to read one or more global variables.

• #allow_global_write(*varnames) ⇒ Object

  Enables the permissions needed to create or change one or more global variables.

• #allow_method(method_name) ⇒ Object

  allow the execution of method named method_name whereever.

• #allow_singleton_methods ⇒ Object

  Define the permissions needed to define singleton methods within the sandbox.

• #allow_xstr ⇒ Object

  Enables the permissions needed to execute system calls from the script.

• #const_read_allowed?(varname) ⇒ Boolean
• #const_write_allowed?(varname) ⇒ Boolean
• #global_read_allowed?(varname) ⇒ Boolean
• #global_write_allowed?(varname) ⇒ Boolean
• #initialize ⇒ Privileges constructor

  A new instance of Privileges.

• #instances_of(klass) ⇒ Object

  Specifies the methods allowed for the instances of a class.

• #methods_of(klass) ⇒ Object

  Specifies the methods allowed for an implementation in specific class.

• #object(obj) ⇒ Object

  Specifies the methods allowed for an specific object.

• #xstr_allowed? ⇒ Boolean

Constructor Details

#initialize ⇒ Privileges

Returns a new instance of Privileges.

# File 'lib/shikashi/privileges.rb', line 95

def initialize
  @allowed_objects = Hash.new
  @allowed_kinds = Hash.new
  @allowed_classes = Hash.new
  @allowed_instances = Hash.new
  @allowed_methods = Array.new
  @allowed_klass_methods = Hash.new
  @allowed_read_globals = Array.new
  @allowed_read_consts = Array.new
  @allowed_write_globals = Array.new
  @allowed_write_consts = Array.new
end

Instance Method Details

#allow?(klass, recv, method_name, method_id) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/shikashi/privileges.rb', line 182

def allow?(klass, recv, method_name, method_id)

  m = nil
  m = klass.instance_method(method_name) if method_name

  begin
    return true if @allowed_methods.include?(method_name)

    tmp = @allowed_objects[recv.object_id]
    if tmp
      if tmp.allowed?(method_name)
        @last_allowed = tmp
        return true
      end
    end

    if m
      tmp = @allowed_klass_methods[m.owner.object_id]
      if tmp
        if tmp.allowed?(method_name)
          @last_allowed = tmp
          return true
        end
      end
    end

    if recv.instance_of? Class
      last_class = recv

      while true
        tmp = @allowed_classes[last_class.object_id]
        if tmp
          if tmp.allowed?(method_name)
            @last_allowed = tmp
            return true
          end
        end
        if last_class
          break if last_class == Object
          last_class = last_class.superclass
        else
          break
        end
      end
    end

    last_class = recv.class
    while true
      tmp = @allowed_kinds[last_class.object_id]
      if tmp
        if tmp.allowed?(method_name)
          @last_allowed = tmp
          return true
        end
      end
      if last_class
        break if last_class == Object
        last_class = last_class.superclass
      else
        break
      end
    end

    tmp = @allowed_instances[recv.class.object_id]
    if tmp
      if tmp.allowed?(method_name)
      @last_allowed = tmp
      return true
      end
    end

    false
  rescue Exception => e
    print "ERROR: #{e}\n"
  print e.backtrace.join("\n")
    false
  end
end

#allow_class_definitions ⇒ Object

Defines the permissions needed to declare classes within the sandbox

# File 'lib/shikashi/privileges/classes.rb', line 24

def allow_class_definitions
  instances_of(Class).allow nil, :inherited, :method_added
  allow_method "core#define_method".to_sym
end

#allow_const_read(*varnames) ⇒ Object

Enables the permissions needed to read one or more constants

Example:

s = Sandbox.new
priv = Privileges.new

priv.allow_method :print
priv.allow_const_read "Object::A"

A = 8
s.run(priv, '
print "assigned Object::A:", A,"\n"
')

# File 'lib/shikashi/privileges.rb', line 399

def allow_const_read( *varnames )
  varnames.each do |varname|
    @allowed_read_consts << varname.to_s
  end

  self
end

#allow_const_write(*varnames) ⇒ Object

Enables the permissions needed to create or change one or more constants

Example:

s = Sandbox.new
priv = Privileges.new

priv.allow_method :print
priv.allow_const_write "Object::A"

s.run(priv, '
print "assigned 8 to Object::A\n"
A = 8
')

p A

# File 'lib/shikashi/privileges.rb', line 378

def allow_const_write( *varnames )
  varnames.each do |varname|
    @allowed_write_consts << varname.to_s
  end
  self
end

#allow_exceptions ⇒ Object

Define the permissions needed to raise exceptions within the sandbox

# File 'lib/shikashi/privileges/exceptions.rb', line 24

def allow_exceptions
  allow_method :raise
  methods_of(Exception).allow :backtrace, :set_backtrace, :exception
end

#allow_global_read(*varnames) ⇒ Object

Enables the permissions needed to read one or more global variables

Example:

s = Sandbox.new
priv = Privileges.new

priv.allow_method :print
priv.allow_global_read :$a

$a = 9

s.run(priv, '
print "$a value:", $a, "s\n"
')

Example 2

Sandbox.run('
print "$a value:", $a, "s\n"
print "$b value:", $b, "s\n"
', Privileges.allow_global_read(:$a,:$b) )

# File 'lib/shikashi/privileges.rb', line 328

def allow_global_read( *varnames )
  varnames.each do |varname|
    @allowed_read_globals << varname.to_sym
  end

  self
end

#allow_global_write(*varnames) ⇒ Object

Enables the permissions needed to create or change one or more global variables

Example:

s = Sandbox.new
priv = Privileges.new

priv.allow_method :print
priv.allow_global_write :$a

s.run(priv, '
$a = 9
print "assigned 9 to $a\n"
')

p $a

# File 'lib/shikashi/privileges.rb', line 353

def allow_global_write( *varnames )
  varnames.each do |varname|
    @allowed_write_globals << varname.to_sym
  end

  self
end

#allow_method(method_name) ⇒ Object

allow the execution of method named method_name whereever

Example: privileges.allow_method(:foo)

# File 'lib/shikashi/privileges.rb', line 177

def allow_method(method_name)
  @allowed_methods << method_name.to_sym
  self
end

#allow_singleton_methods ⇒ Object

Define the permissions needed to define singleton methods within the sandbox

# File 'lib/shikashi/privileges/singleton_methods.rb', line 24

def allow_singleton_methods
  allow_method :singleton_method_added
  allow_method "core#define_singleton_method".to_sym
end

#allow_xstr ⇒ Object

Enables the permissions needed to execute system calls from the script

Example:

s = Sandbox.new
priv = Privileges.new

priv.allow_xstr

s.run(priv, '
  %x[ls -l]
')

Example 2:

Sandbox.run('%x[ls -l]', Privileges.allow_xstr)

# File 'lib/shikashi/privileges.rb', line 299

def allow_xstr
  @xstr_allowed = true

  self
end

#const_read_allowed?(varname) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/shikashi/privileges.rb', line 273

def const_read_allowed?(varname)
  @allowed_read_consts.include? varname
end

#const_write_allowed?(varname) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/shikashi/privileges.rb', line 277

def const_write_allowed?(varname)
  @allowed_write_consts.include? varname
end

#global_read_allowed?(varname) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/shikashi/privileges.rb', line 265

def global_read_allowed?(varname)
  @allowed_read_globals.include? varname
end

#global_write_allowed?(varname) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/shikashi/privileges.rb', line 269

def global_write_allowed?(varname)
  @allowed_write_globals.include? varname
end

#instances_of(klass) ⇒ Object

Specifies the methods allowed for the instances of a class

Example 1: privileges.instances_of(Array).allow :each # allow calls of methods named “each” over instances of Array

Example 2: privileges.instances_of(Array).allow :select, map # allow calls of methods named “each” and “map” over instances of Array

Example 3: privileges.instances_of(Hash).allow_all # allow any method call over instances of Hash

# File 'lib/shikashi/privileges.rb', line 142

def instances_of(klass)
  hash_entry(@allowed_instances, klass.object_id)
end

#methods_of(klass) ⇒ Object

Specifies the methods allowed for an implementation in specific class

Example 1: privileges.methods_of(X).allow :foo

… class X

def foo # allowed :)
end

end

class Y < X

def foo # disallowed
end

end

X.new.foo # allowed Y.new.foo # disallowed: SecurityError …

# File 'lib/shikashi/privileges.rb', line 167

def methods_of(klass)
  hash_entry(@allowed_klass_methods, klass.object_id)
end

#object(obj) ⇒ Object

Specifies the methods allowed for an specific object

Example 1: privileges.object(Hash).allow :new

# File 'lib/shikashi/privileges.rb', line 126

def object(obj)
  hash_entry(@allowed_objects, obj.object_id)
end

#xstr_allowed? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/shikashi/privileges.rb', line 261

def xstr_allowed?
  @xstr_allowed
end