Reputation: 40107
Is there a safe way to run eval in Ruby?
We're working on a product that has similar a requirement to Tropo (see https://github.com/tropo/tropo-samples/tree/master/ruby), where the user is allowed to write a ruby script that can access a few functions and variables that are passed in. However, we would want to avoid the user having access to global calls deleting all users or terminating the program. Is there a way to accomplish this with eval?
Upvotes: 8
Views: 4081
Answers (3)
Reputation: 105220
Ruby provides a model of security based on "tainted" objects.
You might wanna check that. Anyway note that creating a DSL is safer (and more fun!) than eval
Upvotes: 0
Reputation: 66751
set $SAFE parameter ? That should ensure that you don't eval untrusted strings, anyway...
Upvotes: 0
Reputation: 4113
It would depend a great deal on how you implement it, but look into the use of bindings with eval. By creating your own binding and preloading it with "safe" objects, you can limit what the user could do with his code.
http://rdoc.info/stdlib/core/1.9.2/Binding
Upvotes: 3
Related Questions
- Is 'eval' supposed to be nasty?
- Is this use of a Ruby eval method really dangerous, and if so what's the alternative? (Rails)
- What are the alternatives to eval in Ruby?
- Run ruby code with eval and it's gems, rails
- Need alternative for eval
- Is usage of eval is necessary here?
- Is there a safe way to Eval In ruby? Or a better way to do this?
- Ruby: creating a sandboxed eval?
- Executing arbitrary functions in Ruby without the security problems of eval
- Alternative to eval()