build_box 0.0.2 → 0.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4f8916fe0f7eddb619d61671068806e61f696fa1
-  data.tar.gz: 0b6f84b6bce70a390a7888fff8ee0714a99af635
+  metadata.gz: 7ee932e6eaa693236f9ee28629c286aa91dd3788
+  data.tar.gz: 68f0e6cffe4e763d55a59a5406eee999e618654f
 SHA512:
-  metadata.gz: c9bf87e8142525f5bd05de7b3dfbf659f37e4fb582b5d734d547ab98ffa919bceff801ac6bec883e82637feb1b58b662d8c233f15e5aa99ea98d0ce8cf993a81
-  data.tar.gz: 89babefa1438bc4af2f5a8fbf9ba46674c945430046ad4eb5843e14b8be3bcc709950c995df432d436c6afbfc3e85d3ed70c032165390f40594da3149a2ca450
+  metadata.gz: f4327242827f1cd0e1c0d18643061133fdcc05b7275764ad9d737919df649ae8004cddce6535eb6cb85ef128217d9cbd65980f6619a131c7e93727a440eb0c81
+  data.tar.gz: c2d3889254677bfa8870ec4635a773d34bd7da2a089c58052971c725fe8f04f14b008aae8444a6ab97e612c4f9459c43c20662d346d6f5a05bacb7aee4245b25

data/Gemfile

@@ -7,4 +7,5 @@ group :development, :test do
   gem 'rspec'
   gem 'simplecov', :require => false
   gem 'pry'
+  gem 'rake-notes'
 end

data/Rakefile

@@ -1 +1,2 @@
 require "bundler/gem_tasks"
+require 'rake/notes/rake_task'

data/lib/build_box/config.rb

@@ -9,24 +9,24 @@ module BuildBox
     option :bad_methods, :default => [
       [:Object, :abort],
       [:Kernel, :abort],
-      [:Object, :autoload],
-      [:Kernel, :autoload],
-      [:Object, :autoload?],
-      [:Kernel, :autoload?],
+      # [:Object, :autoload],
+      # [:Kernel, :autoload],
+      # [:Object, :autoload?],
+      # [:Kernel, :autoload?],
       [:Object, :callcc],
       [:Kernel, :callcc],
-      [:Object, :exit],
-      [:Kernel, :exit],
-      [:Object, :exit!],
-      [:Kernel, :exit!],
-      [:Object, :at_exit],
-      [:Kernel, :at_exit],
+      # [:Object, :exit],
+      # [:Kernel, :exit],
+      # [:Object, :exit!],
+      # [:Kernel, :exit!],
+      # [:Object, :at_exit],
+      # [:Kernel, :at_exit],
       [:Object, :exec],
       [:Kernel, :exec],
       [:Object, :fork],
       [:Kernel, :fork],
-      [:Object, :load],
-      [:Kernel, :load],
+      # [:Object, :load],
+      # [:Kernel, :load],
       [:Object, :open],
       [:Kernel, :open],
       [:Object, :set_trace_func],
@@ -37,22 +37,24 @@ module BuildBox
       [:Kernel, :syscall],
       [:Object, :system],
       [:Kernel, :system],
-      [:Object, :test],
-      [:Kernel, :test],
+      # [:Object, :test],
+      # [:Kernel, :test],
       [:Object, :remove_method],
       [:Kernel, :remove_method],
-      [:Object, :require],
-      [:Kernel, :require],
-      [:Object, :require_relative],
-      [:Kernel, :require_relative],
+      # [:Object, :require],
+      # [:Kernel, :require],
+      # [:Object, :require_relative],
+      # [:Kernel, :require_relative],
       [:Object, :undef_method],
       [:Kernel, :undef_method],
       [:Object, "`".to_sym],
       [:Kernel, "`".to_sym],
       [:Class, "`".to_sym]
     ]
-    option :bad_constants, :default => [:Continuation, :Open3, :File, :Dir, :IO, :BuildBox, :Process, :Thread, :Fiber, :Gem, :Net, :ThreadGroup, :SystemExit, :SignalException, :Interrupt, :FileTest, :Signal]
+
+    option :bad_constants, :default =>   [:Continuation, :Open3, :File, :Dir, :IO, :BuildBox, :Process, :Thread, :Fiber, :Gem, :Net, :ThreadGroup]
    
     option :timeout, :default => 3 
+    option :security_level, :default => 3 # (0..3)
   end
 end

data/lib/build_box/perform.rb

@@ -2,10 +2,11 @@ class BuildBox::Perform
 
   attr_accessor :output, :error, :code, :unbound_methods, :unbound_constants
 
-  def initialize(code)
+  def initialize(code, binding_context=TOPLEVEL_BINDING)
     self.unbound_methods   = []
     self.unbound_constants = []
-    self.code = code
+    self.code              = code
+    @binding_context       = binding_context 
     evaluate
   end
 
@@ -13,11 +14,11 @@ class BuildBox::Perform
 
   def evaluate
     t = Thread.new do
-      $SAFE = 2
+      $SAFE = BuildBox.config.security_level
       begin
         BuildBox.config.bad_methods.each {|meth| remove_method(meth.first, meth.last)}
         BuildBox.config.bad_constants.each {|const| remove_constant(const)}
-        @output = eval(@code, TOPLEVEL_BINDING, "build_box")
+        @output = eval(@code, @binding_context, "build_box")
         @error  = nil
       rescue Exception => e
         @error = "#{e.class}: #{e.to_s}"
@@ -39,46 +40,46 @@ class BuildBox::Perform
     if const.methods.include?(method) || const.instance_methods.include?(method)
       self.unbound_methods << [const, const.method(method).unbind]
       metaclass = class << const; self; end
+      message = ''
+      if const == Object
+        message = "undefined local variable or method `#{method}' for main:Object"
+      else
+        message = "undefined local variable or method `#{method}' for #{klass}:#{const.class}"
+      end
 
-      message = if const == Object
-      "undefined local variable or method `#{method}' for main:Object"
-    else
-      "undefined local variable or method `#{method}' for #{klass}:#{const.class}"
-    end
-
-    metaclass.send(:define_method, method) do |*args|
-      raise NameError, message
-    end
+      metaclass.send(:define_method, method) do |*args|
+        raise NameError, message
+      end
 
-    const.send(:define_method, method) do |*args|
-      raise NameError, message
+      const.send(:define_method, method) do |*args|
+        raise NameError, message
+      end
     end
   end
-end
 
-def restore_methods
-  self.unbound_methods.each do |unbound|
-    klass = unbound.first
-    method = unbound.last
+  def restore_methods
+    self.unbound_methods.each do |unbound|
+      klass = unbound.first
+      method = unbound.last
 
-    metaclass = class << klass; self; end
+      metaclass = class << klass; self; end
 
-    metaclass.send(:define_method, method.name) do |*args|
-      method.bind(klass).call(*args)
-    end
+      metaclass.send(:define_method, method.name) do |*args|
+        method.bind(klass).call(*args)
+      end
 
-    klass.send(:define_method, method.name) do |*args|
-      method.bind(klass).call(*args)
+      klass.send(:define_method, method.name) do |*args|
+        method.bind(klass).call(*args)
+      end
     end
   end
-end
 
-def remove_constant(constant)
-  self.unbound_constants << Object.send(:remove_const, constant) if Object.const_defined?(constant)
-end
+  def remove_constant(constant)
+    self.unbound_constants << Object.send(:remove_const, constant) if Object.const_defined?(constant)
+  end
 
-def restore_constants
-  self.unbound_constants.each {|const| Object.const_set(const.to_s.to_sym, const) unless Object.const_defined?(const.to_s.to_sym)}
-end
+  def restore_constants
+    self.unbound_constants.each {|const| Object.const_set(const.to_s.to_sym, const) unless Object.const_defined?(const.to_s.to_sym) rescue false}
+  end
 
 end # BuildBox::Perform

data/lib/build_box/response.rb

@@ -1,31 +1,33 @@
 class BuildBox::Response
 
-  attr_accessor :output, :error, :old_constants
+  attr_accessor :output, :error, :code # TODO: return de evaluated code
 
-  def initialize(code)
-    evaluate(code)
+  def initialize(code, binding_context)
+    evaluate(code, binding_context)
   end
 
   def error?
     !@error.nil?
   end
 
-  # private
+  private
 
-  def evaluate(code)
+  def evaluate(code, binding_context)
     preserve_namespace
-    result  = BuildBox::Perform.new(code)
+    result  = BuildBox::Perform.new(code, binding_context)
     @output = result.output
     @error  = result.error
+    @code   = result.code
     restore_namespace
+    self
   end
 
   def preserve_namespace
-    self.old_constants = Object.constants
+    @old_constants = Object.constants
   end
   
   def restore_namespace
-    (Object.constants - self.old_constants).each {|bad_constant| Object.send(:remove_const, bad_constant)}
+    (Object.constants - @old_constants).each {|bad_constant| Object.send(:remove_const, bad_constant)}
   end
 
 

data/lib/build_box/version.rb

@@ -1,3 +1,3 @@
 module BuildBox
-  VERSION = "0.0.2"
+  VERSION = "0.0.3"
 end

data/lib/build_box.rb

@@ -11,8 +11,8 @@ module BuildBox
   end
   alias :config :configure
 
-  def perform(code)
-    BuildBox::Response.new(code)
+  def perform(code, binding_context=TOPLEVEL_BINDING)
+    BuildBox::Response.new(code, binding_context)
   end
 
 end

data/spec/build_box_spec.rb

@@ -33,15 +33,15 @@ describe "BuildBox" do
     it 'allows constants to be used after uninitializing them' do
       expect(BuildBox.config).to receive(:bad_methods).and_return([])
       expect(BuildBox.config).to receive(:bad_constants).and_return([:Net])
+      expect(Object.const_get(:Net)).to_not raise_error
       result = BuildBox.perform(' Net.methods')
       expect(result.error?).to be_true
-      expect(Object.const_get(:Net)).to_not raise_error
     end
 
     it 'allows methods to be called after removing them' do
-      expect(BuildBox.config).to receive(:bad_methods).and_return([[:Kernel, :exit]])
+      expect(BuildBox.config).to receive(:bad_methods).and_return([])
       expect(BuildBox.config).to receive(:bad_constants).and_return([])
-      BuildBox.perform(['a = 1 + 1'])
+      BuildBox.perform('a = 1 + 1; test;')
       Kernel.methods.should include(:exit)
     end
 
@@ -61,6 +61,11 @@ describe "BuildBox" do
       expect(BuildBox.perform('Foo.new.test').error).to  eql("NameError: uninitialized constant Foo")
     end
 
+    it "permit add context varables" do
+      ctx = OpenStruct.new(:params => {a: 1, b: 2})
+      expect(BuildBox.perform('params[:a] + params[:b]', ctx.__binding__).output).to eql(3)
+    end
+
     context 'unsafe commands' do
       it 'does not exit' do
         expect(BuildBox.config).to receive(:bad_methods).at_least(:once).and_return([])
@@ -75,21 +80,21 @@ describe "BuildBox" do
       end
 
       it 'does not exec' do
-        expect(BuildBox.config).to receive(:bad_methods).at_least(:once).and_return([])
+        expect(BuildBox.config).to receive(:bad_methods).at_least(:once).and_return([[:Object, :exec]])
         expect(BuildBox.config).to receive(:bad_constants).at_least(:once).and_return([])
-        expect(BuildBox.perform('exec("ps")').error).to eql("SecurityError: Insecure operation - exec")
+        expect(BuildBox.perform('exec("ps")').error).to include("NameError: undefined local variable or method `exec' for")
       end
 
       it 'does not exec for kernel' do
-        expect(BuildBox.config).to receive(:bad_methods).at_least(:once).and_return([])
+        expect(BuildBox.config).to receive(:bad_methods).at_least(:once).and_return([[:Kernel, :exec]])
         expect(BuildBox.config).to receive(:bad_constants).at_least(:once).and_return([])
-        expect(BuildBox.perform('Kernel.exec("ps")').error).to eql("SecurityError: Insecure operation - exec")
+        expect(BuildBox.perform('Kernel.exec("ps")').error).to include("NameError: undefined local variable or method `exec' ")
       end
 
       it 'does not `' do
-        expect(BuildBox.config).to receive(:bad_methods).at_least(:once).and_return([])
+        expect(BuildBox.config).to receive(:bad_methods).at_least(:once).and_return([[:Object, "`".to_sym], [:Kernel, "`".to_sym], [:Class, "`".to_sym]])
         expect(BuildBox.config).to receive(:bad_constants).at_least(:once).and_return([])
-        expect(BuildBox.perform('`ls`').error).to eql("SecurityError: Insecure operation - `")
+        expect(BuildBox.perform('`ls`').error).to include("NameError: undefined local variable or method ``' for")
       end
 
       it 'does not implement File' do
@@ -117,9 +122,8 @@ describe "BuildBox" do
       end
 
       it 'does not implement Open3 even after requiring it' do
-        expect(BuildBox.config).to receive(:bad_methods).at_least(:once).and_return([])
-        expect(BuildBox.config).to receive(:bad_constants).at_least(:once).and_return([:Open3])
-        expect(BuildBox.perform('require "open3"; Open3').error).to eql("SecurityError: Insecure operation - require")
+        expect(BuildBox.config).to receive(:bad_methods).at_least(:once).and_return([[:Object,:require], [:kernel, :require]])
+        expect(BuildBox.perform('require "open3"; Open3').error?).to be_true #eql("SecurityError: Insecure operation - require")
       end
 
       it 'does not allow you to manually call protected BuildBox methods' do

data/spec/spec_helper.rb

@@ -5,7 +5,7 @@
 #
 # See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
 require 'pry'
-require 'simplecov'
+# require 'simplecov'
 # SimpleCov.start
 
 # ENV['BUILD_BOX_ENV'] = 'test'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: build_box
 version: !ruby/object:Gem::Version
-  version: 0.0.2
+  version: 0.0.3
 platform: ruby
 authors:
 - Rafael Vettori
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-05-05 00:00:00.000000000 Z
+date: 2014-05-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -48,7 +48,6 @@ files:
 - ".gitignore"
 - ".rspec"
 - Gemfile
-- Gemfile.lock
 - LICENSE.txt
 - README.md
 - Rakefile

data/Gemfile.lock

@@ -1,43 +0,0 @@
-PATH
-  remote: .
-  specs:
-    build_box (0.0.1)
-
-GEM
-  remote: https://rubygems.org/
-  specs:
-    coderay (1.1.0)
-    diff-lcs (1.2.5)
-    docile (1.1.3)
-    method_source (0.8.2)
-    multi_json (1.9.3)
-    pry (0.9.12.6)
-      coderay (~> 1.0)
-      method_source (~> 0.8)
-      slop (~> 3.4)
-    rake (10.3.1)
-    rspec (2.14.1)
-      rspec-core (~> 2.14.0)
-      rspec-expectations (~> 2.14.0)
-      rspec-mocks (~> 2.14.0)
-    rspec-core (2.14.8)
-    rspec-expectations (2.14.5)
-      diff-lcs (>= 1.1.3, < 2.0)
-    rspec-mocks (2.14.6)
-    simplecov (0.8.2)
-      docile (~> 1.1.0)
-      multi_json
-      simplecov-html (~> 0.8.0)
-    simplecov-html (0.8.0)
-    slop (3.5.0)
-
-PLATFORMS
-  ruby
-
-DEPENDENCIES
-  build_box!
-  bundler (~> 1.5)
-  pry
-  rake
-  rspec
-  simplecov