Ruby: creating a sandboxed eval?

My Rails app has complicated rules about when a bit of content should be displayed on a page or not. I've decided to implement this by writing predicates (simple 'yes/no' functions) in Ruby and storing them in the db for subsequent eval'ing. It is pretty straightforward.

My main concern is security: if a malicious somebody figures out how to write to the db, they could stick arbitrary Ruby code in the db and then 'all your base are belong to us'.

So is it possible to create a 'sandboxed' eval, for example, which has all IO operations removed?

asked May 20 '11 16:05 by fearless_fool

3 Answers

You might want to check the 'taint' method and related stuff. This is a good reference:

http://ruby-doc.com/docs/ProgrammingRuby/html/taint.html

Despite that, I can't advise you enough against storing code and evaluating it, it's a security risk that should be avoided and most times there's a simpler way of solving your problems.

If you need to evaluate complex rules and predicates I'd recommend a rule engine to create a nice DSL. Haven't used one in ruby but this one looks good to me:

http://treetop.rubyforge.org/index.html

Cheers

answered Oct 07 '22 22:10 by Pablo Fernandez

You can do that with a sandboxing gem, https://github.com/tario/shikashi, which allows you to whitelist methods.
Credit to https://stackoverflow.com/a/8704768/188355

answered Oct 07 '22 23:10 by Emirikol

Assuming you're on at least ruby 1.8, you can run a proc at a different safe level.

def my_unsafe_function
  # possible unsafe stuff
end

proc {
  $SAFE = 4  # change level only inside this proc
  my_unsafe_function
}.call

However, you should rethink whether you really need to store ruby code in the DB. Are users of the app going to be modifying this stored code, and why? If they aren't, why not put the code in the app's files instead? I don't know your setup, but it should be possible to move the logic out of the DB.

answered Oct 07 '22 22:10 by Kelvin
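The two answers recommending a rule DSL instead of stored Ruby, and moving the logic out of eval'd code, can be combined into a small interpreter. The following is an added example, not code from any of the answers or from a gem: the predicates live in the DB as JSON data rather than Ruby source, a fixed operator table is the only thing that can run, and rules may only read attributes the app exposes in a context hash. The rule shape, the operator names and the `show_content?` helper are this example's own assumptions; it needs Ruby 1.9 or later for the lambda syntax.

```ruby
# Added example (not from the answers above): interpret predicates stored as
# data instead of eval'ing Ruby. Only OPERATORS below can run, rules may only
# read attributes present in the context hash, so a rule written into the DB
# by an attacker cannot reach IO, Kernel or any other method.
require 'json'

class PredicateEvaluator
  class InvalidRule < StandardError; end

  # Comparison operators a rule may use; anything else is rejected.
  OPERATORS = {
    "eq" => ->(a, b) { a == b },
    "ne" => ->(a, b) { a != b },
    "gt" => ->(a, b) { a.is_a?(Numeric) && b.is_a?(Numeric) && a > b },
    "lt" => ->(a, b) { a.is_a?(Numeric) && b.is_a?(Numeric) && a < b },
    "in" => ->(a, list) { list.is_a?(Array) && list.include?(a) }
  }.freeze
  MAX_DEPTH = 16  # bound nesting so a hostile rule cannot exhaust the stack

  def initialize(context)
    @context = context  # plain data only, e.g. {"role" => "editor", "age" => 42}
  end

  def evaluate(rule, depth = 0)
    raise InvalidRule, "rule nested too deeply" if depth > MAX_DEPTH
    raise InvalidRule, "rule must be an array" unless rule.is_a?(Array)
    op, *args = rule
    case op
    when "and" then args.all? { |r| evaluate(r, depth + 1) }
    when "or"  then args.any? { |r| evaluate(r, depth + 1) }
    when "not"
      raise InvalidRule, "not takes one argument" unless args.size == 1
      !evaluate(args[0], depth + 1)
    else
      fn = OPERATORS[op] || raise(InvalidRule, "unknown operator #{op.inspect}")
      raise InvalidRule, "#{op} takes two arguments" unless args.size == 2
      attr, literal = args
      raise InvalidRule, "unknown attribute #{attr.inspect}" unless @context.key?(attr)
      fn.call(@context[attr], literal)
    end
  end
end

# Constructed sample rule as it would be stored in the DB: show the content to
# editors who are not in the (hypothetical) blocked country "XX".
STORED_RULE = '["and", ["eq", "role", "editor"], ["not", ["in", "country", ["XX"]]]]'

def show_content?(rule_json, context)
  PredicateEvaluator.new(context).evaluate(JSON.parse(rule_json))
end
```

A row containing a method name that is not in OPERATORS, or an attribute the app did not put in the context, raises InvalidRule instead of executing anything, which is the property the question is asking eval to provide.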