Safe way to execute submitted code?

Hey Rails folks–

I have a situation that would greatly benefit from allowing a user to
submit code (Ruby) that could be executed by the site during the
creation of new objects. Basically, it would allow the user the ability
to provide code used for naming the objects from various fields and
numbers.

Unfortunately, a simple substitution method will not work. There needs
to be some way to actually execute the code.

Is there a way to sufficiently “jail” some Ruby code so that I can
provide a hash to the user’s code and receive back some string?

Jake

Check out _why’s Sandbox:
http://redhanded.hobix.com/inspect/freakyfreakyNowResumesItsUsualSandlySelf.html

On 12/1/06, Jake J. wrote:

> Unfortunately, a simple substitution method will not work. There needs


Thanks,
-Steve
http://www.stevelongdo.com

Steve L. wrote:

> Check out _why’s Sandbox:
> http://redhanded.hobix.com/inspect/freakyfreakyNowResumesItsUsualSandlySelf.html
>
> On 12/1/06, Jake J. wrote:
>
> > Unfortunately, a simple substitution method will not work. There needs

Hm. That looks like the ticket. So, this is basically an extension
that runs the “eval” in a thread. I’m not quite sure I understand the
contribution. (Note, it made me aware of the ‘Thread’ SAFE levels which
can essentially sandbox an eval.)

So, what is _why’s contribution here? Is it the “autokill” stuff that
is performed after a timeout? I’m just trying to understand the real
differences between _why’s sandbox and what I could already have done
with Thread, $SAFE, and eval.

Jake

Actually it is more complicated than just SAFE. Sandbox pushes the
level of the interpreter ‘up’ into another namespace so that core
objects (e.g. Kernel) can’t be hacked. Allowing for cool stuff like
running multiple interpreters inside of a single Ruby process. Also it
is written in C that extends/changes Ruby to make it happen. Sandbox is
now bundled into the Ruby distribution from 1.8.5+.

On 12/1/06, Jake J. wrote:

> Jake




Thanks,
-Steve
http://www.stevelongdo.com