boxcars 0.2.4 → 0.2.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6a9d94c026cf616e590d293d4ef2b0c655ddc6e3ae40115b36ebbfbbee1cb9a4
-  data.tar.gz: 549a877fdf1b329f402f3a159420bc6599677bcd40f2776c8bea57fade099b14
+  metadata.gz: a3593a9df2d9d8a867729e0b6081b300125933566923ca905e2eefb16a933394
+  data.tar.gz: 90c03ea9b328b8cff10f828f8b9bf4375cce0fd574dd8a26c690776e58a58c1b
 SHA512:
-  metadata.gz: '082a569848bf46276dadf9e2461e1bded9e107a2ba344fed06382c98548aa78b5012c63cdeeb27f394783b25bb6dea6d6bd10382d1f0113b8de548a366ca2b4e'
-  data.tar.gz: 25452562685c57ba7ded3de67a4c27f7d15e9373f5370f061d75d9d4f32e4e1836e9ea6947bfef19d7a32fe6c130d4f816fe5d9529ea1db5f38f7b0bb2837ccb
+  metadata.gz: 5de41be1f154b2c21fcd6602159a6428d8702dc318904e6e03db9de1b0ed1788b03aa10365203557b39fe268f04b4594cf6915faa941b2c64e475cd6cbb55d09
+  data.tar.gz: 2ad84e5f416b19759807d658d739d1abb8405ba6ded3b38bdf5ce9406efeadccbc2102b7b477a90df67beaa287a9810b09e59b5843090fbe4619b03500d0a4f4

data/CHANGELOG.md

@@ -1,8 +1,20 @@
 # Changelog
 
-## [Unreleased](https://github.com/BoxcarsAI/boxcars/tree/HEAD)
+## [v0.2.4](https://github.com/BoxcarsAI/boxcars/tree/v0.2.4) (2023-03-28)
 
-[Full Changelog](https://github.com/BoxcarsAI/boxcars/compare/v0.2.2...HEAD)
+[Full Changelog](https://github.com/BoxcarsAI/boxcars/compare/v0.2.3...v0.2.4)
+
+**Closed issues:**
+
+- security [\#40](https://github.com/BoxcarsAI/boxcars/issues/40)
+
+**Merged pull requests:**
+
+- Fix regex action input [\#41](https://github.com/BoxcarsAI/boxcars/pull/41) ([makevoid](https://github.com/makevoid))
+
+## [v0.2.3](https://github.com/BoxcarsAI/boxcars/tree/v0.2.3) (2023-03-20)
+
+[Full Changelog](https://github.com/BoxcarsAI/boxcars/compare/v0.2.2...v0.2.3)
 
 **Merged pull requests:**
 

data/Gemfile.lock

@@ -1,19 +1,19 @@
 PATH
   remote: .
   specs:
-    boxcars (0.2.4)
+    boxcars (0.2.5)
       google_search_results (~> 2.2)
       ruby-openai (~> 3.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    activemodel (7.0.4.2)
-      activesupport (= 7.0.4.2)
-    activerecord (7.0.4.2)
-      activemodel (= 7.0.4.2)
-      activesupport (= 7.0.4.2)
-    activesupport (7.0.4.2)
+    activemodel (7.0.4.3)
+      activesupport (= 7.0.4.3)
+    activerecord (7.0.4.3)
+      activemodel (= 7.0.4.3)
+      activesupport (= 7.0.4.3)
+    activesupport (7.0.4.3)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
@@ -21,7 +21,7 @@ GEM
     addressable (2.8.1)
       public_suffix (>= 2.0.2, < 6.0)
     ast (2.4.2)
-    async (1.30.3)
+    async (1.31.0)
       console (~> 1.10)
       nio4r (~> 2.3)
       timers (~> 4.1)
@@ -38,14 +38,14 @@ GEM
       faraday
     async-io (1.34.3)
       async
-    async-pool (0.3.12)
+    async-pool (0.4.0)
       async (>= 1.25)
-    concurrent-ruby (1.2.0)
+    concurrent-ruby (1.2.2)
     console (1.16.2)
       fiber-local
     crack (0.4.5)
       rexml
-    debug (1.7.1)
+    debug (1.7.2)
       irb (>= 1.5.0)
       reline (>= 0.3.1)
     diff-lcs (1.5.0)
@@ -56,7 +56,7 @@ GEM
     faraday-http-cache (2.4.1)
       faraday (>= 0.8)
     faraday-net_http (3.0.2)
-    faraday-retry (2.0.0)
+    faraday-retry (2.1.0)
       faraday (~> 2.0)
     fiber-local (1.0.0)
     github_changelog_generator (1.16.4)
@@ -77,13 +77,13 @@ GEM
       concurrent-ruby (~> 1.0)
     io-console (0.6.0)
     io-console (0.6.0-java)
-    irb (1.6.2)
+    irb (1.6.3)
       reline (>= 0.3.0)
     json (2.6.3)
     json (2.6.3-java)
     mini_mime (1.1.2)
     mini_portile2 (2.8.1)
-    minitest (5.17.0)
+    minitest (5.18.0)
     multi_json (1.15.0)
     multi_xml (0.6.0)
     nio4r (2.5.8)
@@ -92,7 +92,7 @@ GEM
       faraday (>= 1, < 3)
       sawyer (~> 0.9)
     parallel (1.22.1)
-    parser (3.2.1.0)
+    parser (3.2.1.1)
       ast (~> 2.4.1)
     protocol-hpack (1.4.2)
     protocol-http (0.24.1)
@@ -105,7 +105,7 @@ GEM
     rainbow (3.1.1)
     rake (13.0.6)
     regexp_parser (2.7.0)
-    reline (0.3.2)
+    reline (0.3.3)
       io-console (~> 0.5)
     rexml (3.2.5)
     rspec (3.12.0)
@@ -117,42 +117,42 @@ GEM
     rspec-expectations (3.12.2)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.12.0)
-    rspec-mocks (3.12.3)
+    rspec-mocks (3.12.5)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.12.0)
     rspec-support (3.12.0)
-    rubocop (1.45.1)
+    rubocop (1.48.1)
       json (~> 2.3)
       parallel (~> 1.10)
       parser (>= 3.2.0.0)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 1.8, < 3.0)
       rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.24.1, < 2.0)
+      rubocop-ast (>= 1.26.0, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.26.0)
+    rubocop-ast (1.28.0)
       parser (>= 3.2.1.0)
     rubocop-capybara (2.17.1)
       rubocop (~> 1.41)
     rubocop-rake (0.6.0)
       rubocop (~> 1.0)
-    rubocop-rspec (2.18.1)
+    rubocop-rspec (2.19.0)
       rubocop (~> 1.33)
       rubocop-capybara (~> 2.17)
-    ruby-openai (3.5.0)
+    ruby-openai (3.7.0)
       httparty (>= 0.18.1)
-    ruby-progressbar (1.11.0)
+    ruby-progressbar (1.13.0)
     ruby2_keywords (0.0.5)
     sawyer (0.9.2)
       addressable (>= 2.3.5)
       faraday (>= 0.17.3, < 3)
-    sqlite3 (1.6.0)
+    sqlite3 (1.6.2)
       mini_portile2 (~> 2.8.0)
-    sqlite3 (1.6.0-x86_64-darwin)
-    sqlite3 (1.6.0-x86_64-linux)
+    sqlite3 (1.6.2-x86_64-darwin)
+    sqlite3 (1.6.2-x86_64-linux)
     timers (4.3.5)
-    traces (0.8.0)
+    traces (0.9.1)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
     unicode-display_width (2.4.2)

data/lib/boxcars/boxcar/active_record.rb

@@ -102,9 +102,7 @@ module Boxcars
         return false
       end
 
-      word_list = without_strings.split(/[.,() :]/)
-
-      puts word_list.inspect
+      word_list = without_strings.split(/[.,() :\[\]]/)
 
       bad_words.each do |w|
         if word_list.include?(w)
@@ -116,12 +114,24 @@ module Boxcars
       true
     end
 
+    # run the code in a safe environment
+    # @param code [String] The code to run
+    # @return [Object] The result of the code
+    def eval_safe_wrapper(code)
+      # if the code used ActiveRecord, we need to add :: in front of it to escape the module
+      new_code = code.gsub(/(\W)ActiveRecord::/, '\1::ActiveRecord::')
+      proc do
+        $SAFE = 4
+        # rubocop:disable Security/Eval
+        eval new_code
+        # rubocop:enable Security/Eval
+      end.call
+    end
+
     def evaluate_input(code)
       raise SecurityError, "Found unsafe code while evaluating: #{code}" unless safe_to_run?(code)
 
-      # rubocop:disable Security/Eval
-      eval code
-      # rubocop:enable Security/Eval
+      eval_safe_wrapper code
     end
 
     def change_count(changes_code)
@@ -231,7 +241,8 @@ module Boxcars
            "Only use the following Active Record models: %<model_info>s\n",
            "Pay attention to use only the attribute names that you can see in the model description.\n",
            "Do not make up variable or attribute names, and do not share variables between the code in ARChanges and ARCode\n",
-           "Be careful to not query for attributes that do not exist, and to use the format specified above.\n"
+           "Be careful to not query for attributes that do not exist, and to use the format specified above.\n",
+           "Finally, do not use print or puts in your code."
           ),
       user("Question: %<question>s")
     ].freeze

data/lib/boxcars/version.rb

@@ -2,5 +2,5 @@
 
 module Boxcars
   # The current version of the gem.
-  VERSION = "0.2.4"
+  VERSION = "0.2.5"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: boxcars
 version: !ruby/object:Gem::Version
-  version: 0.2.4
+  version: 0.2.5
 platform: ruby
 authors:
 - Francis Sullivan
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-03-28 00:00:00.000000000 Z
+date: 2023-03-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: debug