Allow user-defined script in Ruby/Rails application


I want to collect a predefined set of objects into a new object. However, I want the user to specify a custom function for it.

Now, the naive approach would be:

    def foo; end

    objects = [1, 2, 3]
    # result = eval(user_script)
    result = eval("objects.inject { |sum, n| sum + n }")

Obviously, I do not want to do that! I have read about $SAFE = 4 (see), but I'm not sure that it is sufficient, especially because the user-defined script would still be able to call other functions like foo. I only want to allow access to basic, non-hazardous Ruby core functions.

Is secure execution of user-defined scripts possible for Ruby? It does not need to be Ruby syntax. It would be nice, though.

Have you seen Sven Fuchs's Safemode plugin? It's here on GitHub.

Rather than blacklisting dangerous methods, which is what $SAFE does, it parses the incoming code and removes any method not in the whitelist. The plugin comes with a predefined whitelist which can be seen inside.

I have never used this plugin personally, but the author is active in the Ruby community and I am confident that he will answer any questions you may have.
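The parse-then-whitelist idea from the answer, as an added example that is not part of the original post and not Safemode's own code: it parses the script with Ruby's standard-library Ripper and refuses any syntax node, method, name or operator that is not explicitly listed, before anything is evaluated. The allowlists, `ScriptRejected`, `verify!`, `rejection` and `run_user_script` are names assumed for this sketch.

```ruby
require "ripper"

class ScriptRejected < StandardError; end

# Constructed allowlists for this example, not Safemode's own.
ALLOWED_NODES   = %i[program method_add_block call vcall var_ref brace_block
                     block_var params binary @ident @period @int].freeze
ALLOWED_METHODS = %w[inject map select size].freeze
ALLOWED_VARS    = %w[objects].freeze
ALLOWED_OPS     = %i[+ - * < > ==].freeze

def foo; :host_internal; end   # stands in for the question's foo

# Walk the Ripper S-expression; anything not explicitly allowed raises.
def verify!(node)
  return if node.nil? || node == false
  if node.is_a?(Symbol)          # operator inside a :binary node
    raise ScriptRejected, "operator #{node}" unless ALLOWED_OPS.include?(node)
    return
  end
  raise ScriptRejected, "unexpected #{node.inspect}" unless node.is_a?(Array)
  return node.each { |child| verify!(child) } unless node.first.is_a?(Symbol)

  type = node.first
  raise ScriptRejected, "syntax #{type}" unless ALLOWED_NODES.include?(type)
  return if type.to_s.start_with?("@")   # token: [type, text, [line, col]]

  ident = ->(tok) { tok[1] if tok.is_a?(Array) && tok[0] == :@ident }
  if type == :call && !ALLOWED_METHODS.include?(ident.(node[3]))
    raise ScriptRejected, "method #{ident.(node[3])}"
  elsif type == :vcall && !ALLOWED_VARS.include?(ident.(node[1]))
    raise ScriptRejected, "name #{ident.(node[1])}"
  end
  node.drop(1).each { |child| verify!(child) }
end

# Returns nil when the script passes, otherwise the reason it was refused.
def rejection(source)
  tree = Ripper.sexp(source) or return "syntax error"
  verify!(tree)
  nil
rescue ScriptRejected => e
  e.message
end

def run_user_script(source, objects)
  reason = rejection(source)
  raise ScriptRejected, reason if reason
  eval(source, binding)   # reached only after every node passed the allowlist
end
```

An allowlist like this limits what a script can reach, not how long it runs or how much memory it uses, so a timeout or resource limit is still needed around the call.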

