github-safegem 0.1.2

data/VERSION.yml

@@ -0,0 +1,4 @@
+--- 
+:major: 0
+:minor: 1
+:patch: 2

data/bin/safegem

@@ -0,0 +1,85 @@
+#!/usr/bin/env ruby
+
+$:.unshift File.join(File.dirname(__FILE__), *%w[.. lib])
+
+require 'rubygems'
+require 'rubygems/specification'
+require 'sinatra'
+require 'timeout'
+require 'yaml'
+
+post '/' do
+  r, w = IO.pipe
+
+  pid = nil
+  begin
+    repo   = params[:repo]
+    data   = params[:data]
+    tmpdir = "tmp/#{repo}"
+    spec = nil
+
+    Timeout::timeout(15) do
+      `git clone --depth 1 git://github.com/#{repo} #{tmpdir}`
+
+      pid = fork do
+        begin
+          r.close
+
+          require 'safegem/security'
+          require 'safegem/lazy_dir'
+          Dir.chdir(tmpdir) do
+            thread = Thread.new do
+              eval <<-EOE
+                BEGIN { # First in first out. Get this one exec'ed before the code below.
+                  Object.class_eval do
+                    remove_const :OrigDir rescue nil
+                    OrigDir = Dir
+                    remove_const :Dir
+                    Dir = LazyDir
+                  end
+                  $SAFE = 3
+                  OrigDir.set_safe_level
+                }
+                BEGIN { # This forces Ruby to ignore nested END {} blocks
+                  begin
+                    params = tmpdir = data = spec = repo = nil
+                    # Pass data out using TLS
+                    Thread.current[:spec] = (#{data})
+                  ensure
+                    Object.class_eval do
+                      remove_const :Dir
+                      Dir = OrigDir
+                    end
+                  end
+                }
+              EOE
+            end.join
+            Dir.set_safe_level
+            spec = thread[:spec]
+            spec.rubygems_version = Gem::RubyGemsVersion # make sure validation passes
+            spec.validate
+          end
+
+          w.write YAML.dump(spec)
+        rescue Object
+          puts $!,$@
+
+          w.write "ERROR: #$!"
+        end
+      end
+      w.close
+
+      Process.wait pid
+      r.read
+    end
+  rescue Exception
+    Process.kill 9, pid
+    puts $!,$@
+
+    "ERROR: #$!"
+  ensure
+    `rm -rf #{tmpdir}`  if tmpdir
+  end
+end
+
+Sinatra::Application.run!

data/lib/safegem/lazy_dir.rb

@@ -0,0 +1,39 @@
+class LazyDir < Array
+  OrigDir = Dir
+
+  def initialize(method, args, block = nil)
+    @method, @args, @block = method, args, block
+  end
+
+  # this method is meant to be called lazily after the $SAFE has reverted to 0
+  def to_a
+    raise SecurityError  unless %w([] glob).include? @method
+    files = OrigDir.send(@method, *@args, &@block)
+
+    # only return files within the current directory
+    cur_dir = File.expand_path('.') + File::SEPARATOR
+    files.reject do |f|
+      File.expand_path(f) !~ %r{^#{cur_dir}}
+    end
+  end
+  alias_method :to_ary, :to_a
+
+  def to_yaml(opts = {})
+    to_a.to_yaml(opts)
+  end
+
+  class << self
+    # these methods are meant to be called with tainted data in a $SAFE >= 3
+    %w(glob []).each do |method_name|
+      define_method method_name do |*a|
+        LazyDir.new method_name, a
+      end
+    end
+
+    def method_missing m, *a, &b
+      OrigDir.send m, *a, &b
+    end
+  end
+end
+
+LazyDir.freeze

data/lib/safegem/security.rb

@@ -0,0 +1,83 @@
+# remove dangerous methods
+%w(` system exec trap fork callcc binding).each do |method|
+  (class << Kernel; self; end).class_eval do
+    remove_method method rescue nil
+    undef_method method rescue nil
+    define_method(method) {|*a| raise SecurityError }
+  end
+  Object.class_eval do
+    remove_method method rescue nil
+    undef_method method rescue nil
+    define_method(method) {|*a| raise SecurityError }
+  end
+end
+Kernel.freeze
+
+# make sure all string methods which modify self also taint the string
+class String
+  %w(swapcase! strip! squeeze! reverse! downcase! upcase! delete! slice! replace []= <<).each do |method_name|
+    m = instance_method(method_name)
+    define_method method_name do |*args|
+      begin
+        m.bind(self).call *args
+      ensure
+        self.taint
+      end
+    end
+  end
+ 
+  %w(sub! gsub!).each do |method_name|
+    m = instance_method(method_name)
+ 
+    define_method "__real__#{method_name}" do |b, *a|
+      begin
+        m.bind(self).call(*a, &b)
+      ensure
+        self.taint
+      end
+    end
+ 
+    eval <<-EOF
+      def #{method_name} *a, &b
+        __real__#{method_name}(b, *a)
+      end
+    EOF
+  end
+end
+
+
+
+# Bug in ruby doesn't check taint when an array of globs is passed
+class << Dir
+  # we need to track $SAFE level manually because define_method captures the $SAFE level
+  # of the current scope, as it would a local varaible, and of course the current scope has a $SAFE of 0
+  @@safe_level = 0
+
+  # since this method is defined with def instead of define_method, $SAFE will be taken from
+  # the calling scope which is what we want
+  def set_safe_level
+    @@safe_level = $SAFE
+  end
+
+  %w([] glob).each do |method_name|
+    m = instance_method method_name
+    define_method method_name do |*args|
+      $SAFE = @@safe_level
+      raise SecurityError  if $SAFE >= 3 and args.flatten.any? {|a| a.tainted? }
+
+      m.bind(self).call(*args)
+    end
+  end
+end
+
+# freeze String so that the taint method can't be redefined
+String.freeze
+
+# freeze Dir so that no one can modify the @@safe_level
+Dir.freeze
+
+# freeze method classes so someone cant modify them to catch the original methods
+[Method, UnboundMethod].each {|klass| klass.freeze }
+
+# disable ObjectSpace so people cant access the original method objects
+Object.send :remove_const, :ObjectSpace

data/lib/safegem.rb

@@ -0,0 +1,2 @@
+require 'safegem/lazy_dir'
+require 'safegem/security'

data/test/git_mock

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+
+`mkdir -p #{ARGV.last}`

data/test/lazy_dir_test.rb

@@ -0,0 +1,71 @@
+$:.unshift File.join(File.dirname(__FILE__), *%w[.. lib])
+require 'safegem/lazy_dir'
+
+require 'test/unit'
+require 'fileutils'
+
+class LazyDirTest < Test::Unit::TestCase
+  def setup
+    FileUtils.mkdir('test_glob_dir')
+    eval %{
+      Object.class_eval do
+        remove_const :Dir
+        remove_const :OrigDir rescue nil
+      end
+      ::Dir = LazyDir
+      ::OrigDir = LazyDir::OrigDir
+    }
+    %w(a b c d).each {|n| File.open("test_glob_dir/#{n}", 'w'){}}
+  end
+
+  def teardown
+    eval %{
+      Object.class_eval { remove_const :Dir }
+      ::Dir = OrigDir
+    }
+    FileUtils.rm_r('test_glob_dir')
+  end
+
+  def test_lazy_glob
+    assert_raises(SecurityError) do
+      Thread.new do
+        $SAFE=4
+        OrigDir['test_glob_dir/*']
+      end.join
+    end
+
+    lazy = Thread.new do
+      $SAFE=4
+      Dir['test_glob_dir/*']
+    end.value
+
+    assert_equal OrigDir['test_glob_dir/*'], lazy.to_a
+    assert_equal OrigDir['test_glob_dir/*'], lazy.to_ary
+  end
+
+  def test_lazy_glob_flags
+    if PLATFORM !~ /darwin/
+      # this will fail on osx because of fs case insensitivity, so don't run in there
+      assert LazyDir.glob('*/A').to_a.empty?
+    end
+    assert_equal ['test_glob_dir/a'], LazyDir.glob('*/A', File::FNM_CASEFOLD).to_a
+  end
+
+  def test_lazy_glob_secure
+    assert LazyDir['/etc/passwd'].to_a.empty?
+    assert LazyDir['../../*'].to_a.empty?
+
+    orig = OrigDir['./**/*'].map {|f| File.expand_path(f) }
+    lazy = LazyDir['../**/*'].to_a.map {|f| File.expand_path(f) }
+    assert_equal orig, lazy
+  end
+
+  def test_lazy_dir_delegates_original_dir_methods
+    assert Dir.pwd
+    dir = 'asfasdfsaf' 
+    assert Dir.mkdir(dir)
+    assert File.exist?(dir)
+    assert Dir.rmdir(dir)
+    assert ! File.exist?(dir)
+  end
+end

data/test/safegem_test.rb

@@ -0,0 +1,263 @@
+require 'rubygems'
+require 'test/unit'
+require 'net/http'
+require 'cgi'
+require 'fileutils'
+require 'open4'
+
+OUTPUT = !!ENV['SERVER_OUTPUT']
+puts "safegem server output disabled, set SERVER_OUTPUT=1 to enable" if ! OUTPUT
+
+def mv(a, b)
+  here = File.dirname(__FILE__)
+  FileUtils.mv(File.join(here, a), File.join(here, b))
+end
+
+# ensure git_mock is in place before running any of these tests
+mv('git', 'git_mock') rescue nil
+
+class SafeGemTest < Test::Unit::TestCase
+  def setup
+    here = File.dirname(__FILE__)
+
+    # put the mock git in place
+    mv('git_mock', 'git')
+
+    # construct the safegem command
+    cmd = "PATH=#{here}:$PATH ruby #{here}/../bin/safegem.rb"
+    cmd += " > /dev/null 2>&1" unless OUTPUT
+
+    # run safegem
+    @pid, _, _, _ = Open4::popen4(cmd)
+
+    # wait for server to start
+    Timeout::timeout(5) do
+      begin
+        TCPSocket.open('localhost', 4567) {}
+        server_started = true
+      rescue Errno::ECONNREFUSED
+        server_started = false
+        sleep 0.1
+        retry
+      end until server_started
+    end
+  end
+
+  def teardown
+    Process.kill("SIGHUP", @pid)
+    mv('git', 'git_mock')
+    sleep(0.5) # to let sinatra unbind the socket
+  end
+
+  def test_access_to_untainted_locals
+    %w(repo data spec params).each do |v|
+      assert_nil_error v
+    end
+  end
+
+  def test_timeout
+    puts "\ntesting 15s timeout"
+    begin
+      timeout(17) do
+        s = req <<-EOS
+          def forever
+            loop{}
+          ensure
+            forever
+          end
+          forever
+        EOS
+        assert_equal "ERROR: execution expired", s
+      end
+    rescue Timeout::Error
+      fail "timed out! no good!"
+    end
+  end
+
+  def test_legit_gemspec_works
+    gemspec = <<-EOS
+      Gem::Specification.new do |s|
+        s.name = "name"
+        s.description = 'description'
+        s.version = "0.0.9"
+        s.summary = ""
+        s.authors = ["coderrr"]
+        s.files = ['x']
+      end
+    EOS
+    expected_response = <<-EOS
+--- !ruby/object:Gem::Specification
+name: name
+version: !ruby/object:Gem::Version
+  version: 0.0.9
+platform: ruby
+authors:
+- coderrr
+autorequire:
+bindir: bin
+cert_chain: []
+
+date: 2008-10-31 00:00:00 +07:00
+default_executable:
+dependencies: []
+
+description: description
+email:
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files:
+- x
+has_rdoc: false
+homepage:
+post_install_message:
+rdoc_options: []
+
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: "0"
+  version:
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: "0"
+  version:
+requirements: []
+
+rubyforge_project:
+rubygems_version: 1.3.0
+signing_key:
+specification_version: 2
+summary: ""
+test_files: []
+    EOS
+    assert_equal clean_yaml(expected_response), clean_yaml(req(gemspec))
+  end
+
+  def test_gemspec_with_glob_works
+    system("mkdir globdir && cd globdir && touch a.rb b.rb c.txt")
+    gemspec = <<-EOS
+      Gem::Specification.new do |s|
+        s.name = "name"
+        s.description = 'description'
+        s.version = "0.0.9"
+        s.summary = ""
+        s.authors = ["coderrr"]
+        s.files = Dir.glob("globdir/**.rb")
+        s.test_files = Dir["globdir/**"]
+        # make sure array globs work with .glob and make sure glob flags work
+        s.executables = Dir.glob(["globdir/*.TXT", "globdir/*.RB"], File::FNM_CASEFOLD)
+        # make sure array globs work with [] and make sure we cant access files in parent dirs
+        s.extra_rdoc_files = Dir["/etc/*", "globdir"]
+      end
+    EOS
+    expected_response = <<-EOS
+--- !ruby/object:Gem::Specification
+name: name
+version: !ruby/object:Gem::Version
+  version: 0.0.9
+platform: ruby
+authors:
+- coderrr
+autorequire:
+bindir: bin
+cert_chain: []
+
+
+default_executable:
+dependencies: []
+
+description: description
+email:
+executables:
+- globdir/c.txt
+- globdir/a.rb
+- globdir/b.rb
+extensions: []
+
+extra_rdoc_files:
+- globdir
+files:
+- globdir/a.rb
+- globdir/b.rb
+has_rdoc: false
+homepage:
+post_install_message:
+rdoc_options: []
+
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: "0"
+  version:
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: "0"
+  version:
+requirements: []
+
+rubyforge_project:
+
+signing_key:
+specification_version: 2
+summary: ""
+test_files:
+- globdir/a.rb
+- globdir/b.rb
+- globdir/c.txt
+    EOS
+    assert_equal clean_yaml(expected_response), clean_yaml(req(gemspec))
+  ensure
+    system("rm -rf globdir")
+  end
+
+  def test_tmpdir_is_destroyed
+    Dir.mkdir('tmp/safegem_test')
+    assert File.exist?('tmp/safegem_test')
+    req('')
+    assert ! File.exist?('tmp/safegem_test')
+  end
+
+  def test_secure_parser_begin
+    resp = req <<-EOS
+      BEGIN {require 'bogus_file'}
+    EOS
+    assert resp.include?('Insecure operation')
+  end
+
+  def test_secure_parser_end
+    resp = req <<-EOS
+      END {fail 'secret exit'}
+    EOS
+    assert !resp.include?('secret exit')
+  end
+
+  private
+
+  def clean_yaml(y)
+    y.strip.gsub(/ *$/m, '').sub(/^date:.+$/,'').sub(/^rubygems_version:.+$/,'')
+  end
+
+  def assert_nil_error(v)
+    assert req("#{v}.abc").include?("undefined method `abc' for nil"), "#{v} was not nil"
+  end
+
+  def req(data)
+    Net::HTTP.start 'localhost', 4567 do |h|
+      h.post('/', "data=#{CGI.escape data}&repo=safegem_test").body
+    end
+  end
+end

data/test/security_test.rb

@@ -0,0 +1,58 @@
+# I dont use test/unit for this because the security measures screw with it
+$:.unshift File.join(File.dirname(__FILE__), *%w[.. lib])
+require 'safegem/security'
+
+def assert condition, message
+  raise message  if ! condition
+
+  print '.'; $stdout.flush
+end
+
+def assert_raises error, message, &block
+  begin
+    yield
+    raise message
+  rescue error
+    print '.'; $stdout.flush
+  end
+end
+
+['class Method', 'class UnboundMethod', 'module Kernel'].each do |klass|
+  assert_raises TypeError, "#{klass} didn't raise" do
+    eval("#{klass}; def x;end; end")
+  end
+end
+
+data = 'echo YOU SHOULDNT SEE THIS!!!!'
+['system(data)',
+ 'exec(data)',
+ 'Kernel.send(:exec,data)',
+ 'Object.new.exec(data)',
+ '`#{data}`',
+ 'Kernel.`(data)',
+ 'Kernel.send(:`,data)',
+ 'trap(1,lambda{})',
+ 'fork{}',
+ 'callcc{}',
+ 'binding'
+].each do |danger|
+  assert_raises SecurityError, "#{danger} worked!" do
+    eval danger
+  end
+end
+
+Thread.new do
+  $SAFE = 3
+  Dir.set_safe_level
+  assert_raises SecurityError, "snuck tainted string past glob" do
+    Dir['**','**']
+    Dir.glob(['**', '**'])
+  end
+end.join
+Dir.set_safe_level
+Dir['**'.taint]
+
+dirs = Dir['/**']
+assert(4 == (dirs & %w(/usr /bin /home /sbin)).size, 'glob doesnt work')
+
+puts

metadata

@@ -0,0 +1,64 @@
+--- !ruby/object:Gem::Specification 
+name: github-safegem
+version: !ruby/object:Gem::Version 
+  version: 0.1.2
+platform: ruby
+authors: 
+- PJ Hyett
+- Tom Preston-Werner
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2009-02-10 00:00:00 -08:00
+default_executable: safegem
+dependencies: []
+
+description: GitHub's safe gem eval web service
+email: tom@mojombo.com
+executables: 
+- safegem
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- VERSION.yml
+- bin/safegem
+- lib/safegem
+- lib/safegem/lazy_dir.rb
+- lib/safegem/security.rb
+- lib/safegem.rb
+- test/git_mock
+- test/lazy_dir_test.rb
+- test/safegem_test.rb
+- test/security_test.rb
+has_rdoc: true
+homepage: http://github.com/github/safegem
+post_install_message: 
+rdoc_options: 
+- --inline-source
+- --charset=UTF-8
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.2.0
+signing_key: 
+specification_version: 2
+summary: GitHub's safe gem eval web service
+test_files: []
+