jruby-safe 0.2.2-java

data/lib/sandbox/version.rb

@@ -0,0 +1,3 @@
+module Sandbox
+  VERSION = "0.2.2"
+end

data/spec/exploits_spec.rb

@@ -0,0 +1,185 @@
+require "rspec"
+require "sandbox"
+
+class OutsideFoo
+  def self.bar; "bar"; end
+end
+
+describe "Sandbox exploits" do
+  subject { Sandbox.safe }
+
+  before(:each) do
+    subject.activate!
+  end
+
+  it "should not allow access to the filesystem using backticks" do
+    expect {
+      subject.eval(%|`cat spec/support/foo.txt`|)
+    }.to raise_error(Sandbox::SandboxException)
+  end
+
+  it "should not allow running system commands using system" do
+    expect {
+      subject.eval(%|system("ls")|)
+    }.to raise_error(Sandbox::SandboxException, /NoMethodError/)
+  end
+
+  it "should not allow running system commands through File.class_eval" do
+    expect {
+      subject.eval(%|File.class_eval { `echo Hello` }|)
+    }.to raise_error(Sandbox::SandboxException, /NoMethodError/)
+
+    expect {
+      subject.eval(%|FileUtils.class_eval { `echo Hello` }|)
+    }.to raise_error(Sandbox::SandboxException, /NoMethodError/)
+
+    expect {
+      subject.eval(%|Dir.class_eval { `echo Hello` }|)
+    }.to raise_error(Sandbox::SandboxException, /NoMethodError/)
+
+    expect {
+      subject.eval(%|FileTest.class_eval { `echo Hello` }|)
+    }.to raise_error(Sandbox::SandboxException, /NoMethodError/)
+  end
+
+  it "should not allow running system commands through File.eval" do
+    expect {
+      subject.eval(%|File.eval "`echo Hello`"|)
+    }.to raise_error(Sandbox::SandboxException, /NoMethodError/)
+
+    expect {
+      subject.eval(%|FileUtils.eval "`echo Hello`"|)
+    }.to raise_error(Sandbox::SandboxException, /NoMethodError/)
+
+    expect {
+      subject.eval(%|Dir.eval "`echo Hello`"|)
+    }.to raise_error(Sandbox::SandboxException, /NoMethodError/)
+
+    expect {
+      subject.eval(%|FileTest.eval "`echo Hello`"|)
+    }.to raise_error(Sandbox::SandboxException, /NoMethodError/)
+  end
+
+  it "should not allow running system commands through File.instance_eval" do
+    expect {
+      subject.eval(%|File.instance_eval { `echo Hello` }|)
+    }.to raise_error(Sandbox::SandboxException, /NoMethodError/)
+
+    expect {
+      subject.eval(%|FileUtils.instance_eval { `echo Hello` }|)
+    }.to raise_error(Sandbox::SandboxException, /NoMethodError/)
+
+    expect {
+      subject.eval(%|Dir.instance_eval { `echo Hello` }|)
+    }.to raise_error(Sandbox::SandboxException, /NoMethodError/)
+
+    expect {
+      subject.eval(%|FileTest.instance_eval { `echo Hello` }|)
+    }.to raise_error(Sandbox::SandboxException, /NoMethodError/)
+  end
+
+  it "should not allow running any commands or reading files using IO" do
+    expect {
+      subject.eval(%|f=IO.popen("uname"); f.readlines; f.close|)
+    }.to raise_error(Sandbox::SandboxException, /NoMethodError/)
+
+    expect {
+      subject.eval(%|IO.binread("/etc/passwd")|)
+    }.to raise_error(Sandbox::SandboxException, /NoMethodError/)
+
+    expect {
+      subject.eval(%|IO.read("/etc/passwd")|)
+    }.to raise_error(Sandbox::SandboxException, /NoMethodError/)
+  end
+
+  it "should not pass through methods added to Kernel" do
+    k = subject.eval(%|Kernel|)
+    def k.crack
+      open("/etc/passwd")
+    end
+
+    Kernel.should respond_to(:crack)
+    subject.eval(%|Kernel.respond_to?(:crack)|).should == false
+  end
+
+  it "should not allow calling fork on Kernel, even through eval" do
+    subject.eval(%|eval("Kernel").respond_to?(:fork)|).should == false
+  end
+
+  it "should not get access to outside the box objects by using eval and TOPLEVEL_BINDING" do
+    expect {
+      subject.eval(%{eval("OutsideFoo.bar", TOPLEVEL_BINDING)})
+    }.to raise_error(Sandbox::SandboxException, /NameError/)
+  end
+
+  it "should not get access to the outside eval through a ref'd object" do
+    subject.ref(OutsideFoo)
+    subject.eval(%|obj = OutsideFoo.new|)
+    subject.eval(%|(obj.methods.grep /^eval/).empty?|).should == true
+    subject.eval(%|obj.respond_to?(:eval)|).should == false
+  end
+
+  it "should not allow file access, even through a ref hack" do
+    expect {
+      subject.eval(%|File.open("/etc/passwd").read|)
+    }.to raise_error(Sandbox::SandboxException)
+
+    subject.ref(OutsideFoo)
+    subject.eval(%|obj = OutsideFoo.new|)
+
+    pending "gotta figure out how to lock down ref'd objects eval" do
+      expect {
+        subject.eval(%|obj.eval("File.open(\\"/etc/passwd\\").read")|)
+      }.to raise_error(Sandbox::SandboxException)
+    end
+  end
+
+  it "should have safe globals" do
+    subject.eval(%|$0|).should == "(sandbox)"
+    /(.)(.)(.)/.match("abc")
+    subject.eval(%|$TEST = "TEST"; $TEST|).should == "TEST"
+    subject.eval(%|/(.)(.)(.)/.match("def"); $2|).should == "e"
+    $2.should == "b"
+    subject.eval(%|$TEST|).should == "TEST"
+    subject.eval(%|$2|).should == "e"
+  end
+
+  it "should not keep Kernel.fork" do
+    expect {
+      subject.eval(%|Kernel.fork|)
+    }.to raise_error(Sandbox::SandboxException)
+
+    expect {
+      subject.eval(%|fork|)
+    }.to raise_error(Sandbox::SandboxException)
+  end
+
+  it "should not allow the sandbox to get back to Kernel through ancestors" do
+    subject.eval(%|$0.class.ancestors[3].respond_to?(:fork)|).should == false
+  end
+
+  it "should not pass through block scope" do
+    1.times do |i|
+      subject.eval(%|local_variables|).should == []
+    end
+  end
+
+  it "should not allow exploits through match data" do
+    subject.eval(%|begin; /(.+)/.match("FreakyFreaky").instance_eval { open("/etc/passwd") }; rescue NameError; :NameError; end|).should == :NameError
+
+    subject.eval(%|begin;(begin;Regexp.new("(");rescue e;e;end).instance_eval{ open("/etc/passwd") }; rescue NameError; :NameError; end|).should == :NameError
+  end
+
+  it "should not be able to access outside box Kernel through exceptions" do
+    exception_code = <<-RUBY
+      begin
+        raise
+      rescue => e
+        obj = e
+      end
+    RUBY
+    subject.eval(exception_code)
+
+    subject.eval(%|obj.class.ancestors[4].respond_to?(:fork)|).should == false
+  end
+end

data/spec/sandbox_spec.rb

@@ -0,0 +1,319 @@
+require "rspec"
+require "sandbox"
+require "timeout"
+
+describe Sandbox do
+  after(:each) do
+    Object.class_eval { remove_const(:Foo) } if defined?(Foo)
+  end
+
+  describe ".new" do
+    subject { Sandbox.new }
+
+    it { should_not be_nil }
+    it { should be_an_instance_of(Sandbox::Full) }
+  end
+
+  describe ".safe" do
+
+    subject { Sandbox.safe }
+
+    it { should be_an_instance_of(Sandbox::Safe) }
+
+    it "should not lock down until calling activate!" do
+      subject.eval(%|`echo hello`|).should == "hello\n"
+
+      subject.activate!
+
+      expect {
+        subject.eval(%|`echo hello`|)
+      }.to raise_error(Sandbox::SandboxException)
+    end
+
+    it "should activate FakeFS inside the sandbox (and not allow it to be deactivated)" do
+      subject.eval(%|File|).should == ::File
+
+      subject.activate!
+
+      foo = File.join(File.dirname(__FILE__), "support", "foo.txt")
+
+      expect {
+        subject.eval(%{File.read("#{foo}")})
+      }.to raise_error(Sandbox::SandboxException, /Errno::ENOENT: No such file or directory/)
+
+      subject.eval(%|File|).should == FakeFS::File
+      subject.eval(%|Dir|).should == FakeFS::Dir
+      subject.eval(%|FileUtils|).should == FakeFS::FileUtils
+      subject.eval(%|FileTest|).should == FakeFS::FileTest
+
+      subject.eval(%{FakeFS.deactivate!})
+
+      expect {
+        subject.eval(%{File.read("#{foo}")})
+      }.to raise_error(Sandbox::SandboxException, /Errno::ENOENT: No such file or directory/)
+
+      subject.eval(%{File.open("/bar.txt", "w") {|file| file << "bar" }})
+
+      expect {
+        subject.eval(%{FileUtils.cp("/bar.txt", "/baz.txt")})
+      }.to_not raise_error(Sandbox::SandboxException, /NoMethodError/)
+    end
+
+    context "eval_with_binding" do
+      let(:b) { binding }
+
+      it "should not lock down until calling activate!" do
+        subject.eval(%|`echo hello`|, b).should == "hello\n"
+
+        subject.activate!
+
+        expect {
+          subject.eval(%|`echo hello`|, b)
+        }.to raise_error(Sandbox::SandboxException)
+      end
+
+      it "should activate FakeFS inside the sandbox (and not allow it to be deactivated)" do
+        subject.eval(%|File|, b).should == ::File
+
+        subject.activate!
+
+        foo = File.join(File.dirname(__FILE__), "support", "foo.txt")
+
+        expect {
+          subject.eval(%{File.read("#{foo}")}, b)
+        }.to raise_error(Sandbox::SandboxException, /Errno::ENOENT: No such file or directory/)
+
+        subject.eval(%|File|, b).should == FakeFS::File
+        subject.eval(%|Dir|, b).should == FakeFS::Dir
+        subject.eval(%|FileUtils|, b).should == FakeFS::FileUtils
+        subject.eval(%|FileTest|, b).should == FakeFS::FileTest
+
+        subject.eval(%{FakeFS.deactivate!}, b)
+
+        expect {
+          subject.eval(%{File.read("#{foo}")}, b)
+        }.to raise_error(Sandbox::SandboxException, /Errno::ENOENT: No such file or directory/)
+
+        subject.eval(%{File.open("/bar.txt", "w") {|file| file << "bar" }}, b)
+
+        expect {
+          subject.eval(%{FileUtils.cp("/bar.txt", "/baz.txt")}, b)
+        }.to_not raise_error(Sandbox::SandboxException, /NoMethodError/)
+      end
+
+      it "can set and use local variable" do
+        b["x"] = 4
+        subject.eval("x", b).should == 4
+      end
+    end
+  end
+
+  describe ".current" do
+    it "should not return a current sandbox outside a sandbox" do
+      Sandbox.current.should be_nil
+    end
+
+    it "should return the current sandbox inside a sandbox" do
+      pending do
+        sandbox = Sandbox.new
+        sandbox.ref(Sandbox)
+        sandbox.eval(%|Sandbox.current|).should == sandbox
+      end
+    end
+  end
+
+  describe "#eval with timeout" do
+    subject { Sandbox.safe }
+
+    context "before it's been activated" do
+      it "should protect against long running code" do
+        long_code = <<-RUBY
+          sleep(5)
+        RUBY
+
+        expect {
+          subject.eval(long_code, timeout: 1)
+        }.to raise_error(Sandbox::TimeoutError)
+      end
+
+      it "should not raise a timeout error if the code runs in under the passed in time" do
+        short_code = <<-RUBY
+          1+1
+        RUBY
+
+        expect {
+          subject.eval(short_code, timeout: 1)
+        }.to_not raise_error(Sandbox::TimeoutError)
+      end
+    end
+
+    context "after it's been activated" do
+      before(:each) { subject.activate! }
+
+      it "should protect against long running code" do
+        long_code = <<-RUBY
+          while true; end
+        RUBY
+
+        expect {
+          subject.eval(long_code, timeout: 1)
+        }.to raise_error(Sandbox::TimeoutError)
+      end
+
+      it "should persist state between evaluations" do
+        subject.eval(%|o = Object.new|, timeout: 1)
+
+        expect {
+          subject.eval(%|o|, timeout: 1)
+        }.to_not raise_error(Sandbox::SandboxException)
+      end
+    end
+  end
+
+  describe "#eval" do
+    subject { Sandbox.new }
+
+    it "should allow a range of common operations" do
+      operations = <<-OPS
+        1 + 1
+        "foo".chomp
+        "foo"
+      OPS
+      subject.eval(operations).should == "foo"
+    end
+
+    it "should have an empty ENV" do
+      pending do
+        subject.eval(%{ENV.to_a}).should be_empty
+      end
+    end
+
+    it "should persist state between evaluations" do
+      subject.eval(%|o = Object.new|)
+      subject.eval(%|o|).should_not be_nil
+    end
+
+    it "should be able to define a new class in the sandbox" do
+      result = subject.eval(%|Foo = Struct.new(:foo); struct = Foo.new("baz"); struct.foo|)
+      result.should == "baz"
+    end
+
+    it "should be able to use a class across invocations" do
+      # Return nil, because the environment doesn't know "Foo"
+      subject.eval(%|Foo = Struct.new(:foo); nil|)
+      subject.eval(%|struct = Foo.new("baz"); nil|)
+      subject.eval(%|struct.foo|).should == "baz"
+    end
+
+    describe "communication between sandbox and environment" do
+      it "should be possible to pass data from the box to the environment" do
+        Foo = Struct.new(:foo)
+        subject.ref(Foo)
+        struct = subject.eval(%|struct = Foo.new|)
+        subject.eval(%|struct.foo = "baz"|)
+        struct.foo.should == "baz"
+      end
+
+      it "should be possible to pass data from the environment to the box" do
+        Foo = Struct.new(:foo)
+        subject.ref(Foo)
+        struct = subject.eval(%|struct = Foo.new|)
+        struct.foo = "baz"
+        subject.eval(%|struct.foo|).should == "baz"
+      end
+
+      it "should be able to pass large object data from the box to the environment" do
+        expect {
+          subject.eval %{
+            (0..1000).to_a.inject({}) {|h,i| h[i] = "HELLO WORLD"; h }
+          }
+        }.to_not raise_error(Sandbox::SandboxException)
+
+        expect {
+          subject.eval %{"RUBY"*100}
+        }.to_not raise_error(Sandbox::SandboxException)
+      end
+    end
+  end
+
+  describe "#import" do
+    subject { Sandbox.new }
+
+    it "should be able to call a referenced namespaced module method" do
+      Foo = Class.new
+      Foo::Bar = Module.new do
+        def baz
+          "baz"
+        end
+        module_function :baz
+      end
+
+      subject.import(Foo::Bar)
+      subject.eval(%|Foo::Bar.baz|).should == "baz"
+    end
+
+    it "should be able to include a module from the environment" do
+      Foo = Module.new do
+        def baz
+          "baz"
+        end
+      end
+
+      subject.import(Foo)
+      subject.eval(%|class Bar; include Foo; end; nil|)
+      subject.eval(%|Bar.new.baz|).should == "baz"
+    end
+
+    it "should be able to copy instance methods from a module that uses module_function" do
+      Foo = Module.new do
+        def baz; "baz"; end
+
+        module_function :baz
+      end
+
+      subject.import Foo
+      subject.eval(%|Foo.baz|).should == "baz"
+    end
+  end
+
+  describe "#ref" do
+    subject { Sandbox.new }
+
+    it "should be possible to reference a class defined outside the box" do
+      Foo = Class.new
+      subject.ref(Foo)
+      subject.eval(%|Foo.new|).should be_an_instance_of(Foo)
+    end
+
+    it "should be possible to change the class after the ref" do
+      Foo = Class.new
+      subject.ref(Foo)
+      def Foo.foo; "baz"; end
+      subject.eval(%|Foo.foo|).should == "baz"
+    end
+
+    it "should be possible to dynamically add a class method after the ref" do
+      Foo = Class.new
+      subject.ref(Foo)
+      Foo.class_eval(%|def Foo.foo; "baz"; end|)
+      subject.eval(%|Foo.foo|).should == "baz"
+    end
+
+    it "should be possible to dynamically add a class method after the ref" do
+      Foo = Class.new
+      subject.ref(Foo)
+      Foo.instance_eval(%|def Foo.foo; "baz"; end|)
+      subject.eval(%|Foo.foo|).should == "baz"
+    end
+
+    it "should be possible to call a method on the class that receives a block" do
+      Foo = Class.new do
+        def self.bar
+          yield
+        end
+      end
+      subject.ref(Foo)
+      subject.eval(%|Foo.bar { "baz" }|).should == "baz"
+    end
+  end
+end