Allow user-defined script in Ruby/Rails application
I want to collect a predefined set of objects into a new object. However, I want the user to be able to specify a custom function for it.
A naïve approach would be:

    # some method of the application that the user script should not be able to reach
    def foo; end

    objects = [1, 2, 3]
    # result = eval(user_script)
    result = eval("objects.inject { |sum, n| sum + n }")

which obviously I do not want! I have read about $SAFE = 4, but I'm not sure that it is sufficient, especially because the user-defined script will still be able to call other functions like foo. I only want to allow access to basic, non-hazardous Ruby core functions.
Is secure execution of user-defined scripts possible in Ruby? It does not need to be Ruby syntax, though that would be nice.
Have you seen Sven Fuchs' Safemode plugin? It's here on GitHub.
Rather than blacklisting dangerous methods, which is what $SAFE does, it parses the incoming code and removes any method not in the whitelist. The plugin comes with a predefined whitelist which you can see there.
I have never used this plugin personally, but the author is active in the Ruby community and I am confident he will answer any questions you may have.
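The whitelist idea from this answer, as an added example in stdlib Ruby (this is not the Safemode plugin's code nor the answerer's): Ripper parses the script, every name in a call position is checked against an allowlist, constants, globals and definitions are rejected outright, and evaluation is time-bounded. The allowlist, the forbidden-node list and the `run_user_script` helper are my own assumptions.

```ruby
require "ripper"
require "timeout"

# Assumed allowlist: the only names a user script may call (extend to taste).
ALLOWED_METHODS = %w[inject map select reject sum size first last + - * / % -@ == < > <= >=].freeze
# Assumed deny list of Ripper node types and token types that a user script never needs.
FORBIDDEN = %i[def defs class module sclass alias undef super zsuper yield yield0 defined
               xstring_literal dyna_symbol const_ref const_path_ref top_const_ref BEGIN END
               @const @gvar @ivar @cvar @backtick].freeze
FORBIDDEN_KEYWORDS = %w[self __method__ __FILE__ __LINE__ __dir__ __ENCODING__].freeze

def name_of(node)
  node.is_a?(Array) ? node[1].to_s : node.to_s
end

# Walk Ripper's S-expression and collect every name that appears in a call
# position; raise on any construct a user script should never contain.
def collect_calls(node, acc = [])
  return acc unless node.is_a?(Array)
  kind = node.first
  raise ArgumentError, "forbidden construct: #{kind}" if FORBIDDEN.include?(kind)
  raise ArgumentError, "forbidden keyword: #{node[1]}" if kind == :@kw && FORBIDDEN_KEYWORDS.include?(node[1])
  case kind
  when :call, :command_call     then acc << name_of(node[3])  # recv.meth / recv.meth arg
  when :fcall, :command, :vcall then acc << name_of(node[1])  # meth(...) / bare meth
  when :binary                  then acc << node[2].to_s      # a + b
  when :unary                   then acc << node[1].to_s      # -a
  when :symbol                  then acc << name_of(node[1])  # :meth, e.g. inject(:+)
  end
  node.each { |child| collect_calls(child, acc) }
  acc
end

# Check the exact source that will be evaluated: the script wrapped in a lambda
# taking `objects`, so a stray `}` that escapes the lambda is still checked.
def run_user_script(script, objects, timeout_seconds: 1)
  source = "->(objects) {\n#{script}\n}"
  sexp = Ripper.sexp(source) or raise ArgumentError, "syntax error in user script"
  unknown = collect_calls(sexp).uniq - ALLOWED_METHODS
  raise ArgumentError, "disallowed method(s): #{unknown.join(', ')}" unless unknown.empty?
  fn = eval(source, Object.new.instance_eval("binding"))  # fresh self, no caller locals
  Timeout.timeout(timeout_seconds) { fn.call(objects) }   # bound runaway loops
end

puts run_user_script("objects.inject { |sum, n| sum + n }", [1, 2, 3])  # prints 6
```

Because the check runs on the wrapped source rather than on the raw script, an input such as `}; exit; ->(x) {` is rejected like any other call to a name outside the allowlist.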