Is there a safe way to run eval in Ruby?
We're working on a product that has similar a requirement to Tropo (see https://github.com/tropo/tropo-samples/tree/master/ruby), where the user is allowed to write a ruby script that can access a few functio开发者_开发技巧ns and variables that are passed in. However, we would want to avoid the user having access to global calls deleting all users or terminating the program. Is there a way to accomplish this with eval?
It would depend a great deal on how you implement it, but look into the use of bindings with eval. By creating your own binding and preloading it with "safe" objects, you can limit what the user could do with his code.
http://rdoc.info/stdlib/core/1.9.2/Binding
set $SAFE parameter ? That should ensure that you don't eval untrusted strings, anyway...
Ruby provides a model of security based on "tainted" objects.
You might wanna check that. Anyway note that creating a DSL is safer (and more fun!) than eval
精彩评论