How to run untrusted Ruby code inside a safe sandbox?

Question

I want to be able to run unstrusted ruby code. I want to be able to pass variables to said untrusted code that it may use. I also want said code to return a result to me. Here is a conceptual example of what I am thinking

input = "sweet"
output = nil
Thread.start {
   $SAFE = 4
   #... untrusted code goes here, it uses the input variable(s)
   #to calculate some result that it places in the output variable
}
#parse the output variable as a string.

Just to clarify, I am basically using the untrusted code as a function. I want to provide its some inputs, and then allow it to write to the output. That is all I really want, I don't care how it is done, I just want the ability to use untrusted Ruby code as a sort of function. The solution does not have to look anything like the code I wrote above, I am just using it to illustrate what I want.

Now, I can currently think of 3 ways to do this:

1. Use the $SAFE level construct above.
2. whytheluckystiff has a Sandbox plugin for ruby
3. I could run each function in its own virtual machine, using some sort of os virtualization software like vmware or Xen or something.

I am wondering if anyone has any recommendations for running untrusted ruby code in a functional way? What option would you recomend? How would you go about it? Thanks.

Answer 1

I created a gem called 'trusted-sandbox' that runs Ruby code within a fully controlled Docker container. You can disable network, set disk quotas, limit execution time, balance CPU with other running containers, set memory limits, etc. And the overhead is quite low.

You can read more about it here: https://github.com/vaharoni/trusted-sandbox

Let me know what you think!

Answer 2

$SAFE doesn't protect you from everything a malicious hacker could do.

Having gone down this path (see Ruby: creating a sandboxed eval?), I followed commenters' sage advice and embedded an application-specific interpreter that gave me complete control over what could and couldn't be done (see Ruby: looking for ruby-embeddable interpreter or scripting language).

It turned out to be incredibly easy using stickup (like less than an hour from downloading the gem to a customized interpreter) -- see https://github.com/jcoglan/stickup

Answer 3

I'd strongly recommend just using JRuby.

The JVM has had a very strong security model built in from the beginning, and JRuby piggy-backs off that. You can restrict access to files, restrict loading of code, and much more. It's far better than anything that exists in native Ruby impls, and there are a number of sites that run sandboxed, user-accessible sites atop JRuby for exactly this purpose.

Answer 4

$SAFE is not enough; you need to be at least at the level of Why's freaky sandbox. However, I don't know if that sandbox code is actively maintained or if he/they ever solved the holes such as infinite loops, etc.

Unsafe generally means hostile. If you can relax from hostile to, say, 'naive', and depending upon the requirements of your app, you might get away with sandboxing in Ruby. It's not really a first-class scenario in the language design.

Even with that, though, you probably don't need to go to the machine level of separation. I'd feel pretty safe using a sandbox in a separately spawned process, with your app functioning as a process manager to kill off any that manage to hang/flame. Now, that is a few orders of magnitude more work than your simple block above.

But remember and keep repeating, "SAFE can't deal with hostile".