2

I'm working on a Rails application that takes Ruby code as input and executes it. Since the code submitted comes from an untrusted domain, I want to restrict access to certain methods and modules. For example, I don't want users to access File.read or open().

Also, is it possible to restrict access to only a few modules? Only modules from a whitelist can be required from user-submitted code.

I can probably do a validation on the user code, but I wanted to check if the Ruby language or any modules already have this capability.

Codeschool.com has interactive tutorials. I am wondering if they restrict access to user code or do any validation at all.

4

2 Answers

3

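Ruby has a built-in feature for this, $SAFE.

You can find a basic introduction here: http://edwinmeyer.com/Release_Integrated_RHG_09_10_2008/chapter07.html and then you can easily search Google for more (I can only recommend books).

Also take a look here: http://www.ruby-doc.org/docs/ProgrammingRuby/html/taint.html

As far as I know, the solution here is to load your application, then raise the $SAFE level to 4 in a thread and execute the code there (it can't be lowered later, so you first need to let Rails load at level 0).

answered 2013-07-28T09:53:00.813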
2

I have been using shikashi for this kind of task, and I have been happy with it.

answered 2013-07-28T09:51:01.017
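
The validation pass the question mentions, as an added example (not code from the question or from either answer): it lexes the submission with Ruby's standard Ripper library and fails closed on any `require` that is not a plain string literal naming an allowlisted library. The policy lists and function names are assumptions made for illustration, and because Ruby can reach methods dynamically, a static check like this is a pre-filter in front of an isolation layer, not the isolation itself.

```ruby
require 'ripper'

# Assumed policy for illustration; these lists are hypothetical, not from the post.
ALLOWED_REQUIRES = %w[json set time].freeze
DENIED_CONSTS    = %w[File IO Dir Kernel Process ObjectSpace].freeze
DENIED_METHODS   = %w[open eval system exec spawn fork load send __send__ public_send
                      method instance_eval class_eval const_get].freeze
LOADERS          = %w[require require_relative].freeze
# Token types that may directly follow a require's string literal.
REQUIRE_ENDS     = %i[on_nl on_semicolon on_rparen on_comment].freeze

# Returns a list of violation strings; an empty list means the check passed.
def validate_submission(source)
  return ['syntax error'] if Ripper.sexp(source).nil?

  # Drop spaces and "(" so `require 'x'` and `require('x')` look the same.
  tokens = Ripper.lex(source).reject { |t| %i[on_sp on_lparen].include?(t[1]) }
  violations = []
  tokens.each_with_index do |(pos, type, text), i|
    line = pos[0]
    case type
    when :on_const
      violations << "line #{line}: constant #{text}" if DENIED_CONSTS.include?(text)
    when :on_backtick
      violations << "line #{line}: shell command literal"
    when :on_ident
      if LOADERS.include?(text)
        violations << "line #{line}: #{text} not allowed" unless allowed_require?(tokens, i)
      elsif DENIED_METHODS.include?(text)
        violations << "line #{line}: method #{text}"
      end
    end
  end
  violations
end

# Fail closed: only `require "<literal>"` naming an allowlisted library passes.
# Interpolation, concatenation, variables and require_relative are all rejected.
def allowed_require?(tokens, i)
  return false unless tokens[i][2] == 'require'

  beg, body, fin, after = tokens[i + 1, 4].map { |t| t[1] }
  literal = [beg, body, fin] == %i[on_tstring_beg on_tstring_content on_tstring_end]
  literal && (after.nil? || REQUIRE_ENDS.include?(after)) &&
    ALLOWED_REQUIRES.include?(tokens[i + 2][2])
end
```
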