开发者

Is there a safe way to run eval in Ruby?

We're working on a product that has similar a requirement to Tropo (see https://github.com/tropo/tropo-samples/tree/master/ruby), where the user is allowed to write a ruby script that can access a few functio开发者_开发技巧ns and variables that are passed in. However, we would want to avoid the user having access to global calls deleting all users or terminating the program. Is there a way to accomplish this with eval?


It would depend a great deal on how you implement it, but look into the use of bindings with eval. By creating your own binding and preloading it with "safe" objects, you can limit what the user could do with his code.

http://rdoc.info/stdlib/core/1.9.2/Binding


set $SAFE parameter ? That should ensure that you don't eval untrusted strings, anyway...


Ruby provides a model of security based on "tainted" objects.

You might wanna check that. Anyway note that creating a DSL is safer (and more fun!) than eval

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜