jruby_sandbox 0.1.1-java → 0.1.2-java

data/Gemfile.lock

@@ -7,7 +7,7 @@ GIT
 PATH
   remote: .
   specs:
-    jruby_sandbox (0.1.0-java)
+    jruby_sandbox (0.1.1-java)
       fakefs
 
 GEM

data/README.md

@@ -56,10 +56,24 @@ Sandbox::Safe exposes an `#activate!` method which will lock down the sandbox, r
 
 Sandbox::Safe works by whitelisting methods to keep, and removing the rest.  Checkout sandbox.rb for which methods are kept.
 
+Sandbox::Safe.activate! will also isolate the sandbox environment from the filesystem using FakeFS. 
+
+     >> require 'sandbox'
+     => true 
+     >> s = Sandbox.safe
+     => #<Sandbox::Safe:0x3fdb8a73> 
+     >> s.eval('Dir["/"]')
+     => ["/"] 
+     >> s.eval('Dir["/*"]')
+     => ["/Applications", "/bin", "/cores", "/dev", etc.] 
+     > s.activate!
+     >> s.eval('Dir["/*"]')
+     => [] 
+     > Dir['/*']
+     => ["/Applications", "/bin", "/cores", "/dev", etc.] 
+
 ## Known Issues / TODOs
 
-  * It would be a good idea to integrate something like FakeFS to stub
-    out the filesystem in the sandbox.
   * There is currently no timeout support, so it's possible for a
     sandbox to loop indefinitely and block the host interpreter.
 

data/lib/sandbox/version.rb

@@ -1,3 +1,3 @@
 module Sandbox
-  VERSION = '0.1.1'
+  VERSION = '0.1.2'
 end

data/lib/sandbox.rb

@@ -1,6 +1,7 @@
 require 'sandbox/sandbox'
 require 'sandbox/version'
 require 'fakefs/safe'
+require 'timeout'
 
 module Sandbox
   PRELUDE = File.expand_path('../sandbox/prelude.rb', __FILE__).freeze # :nodoc:
@@ -22,6 +23,7 @@ module Sandbox
       keep_singleton_methods(:Kernel, KERNEL_S_METHODS)
       keep_singleton_methods(:Symbol, SYMBOL_S_METHODS)
       keep_singleton_methods(:String, STRING_S_METHODS)
+      keep_singleton_methods(:IO, IO_S_METHODS)
 
       keep_methods(:Kernel, KERNEL_METHODS)
       keep_methods(:NilClass, NILCLASS_METHODS)
@@ -63,6 +65,24 @@ module Sandbox
       
       FakeFS::FileSystem.clear
     end
+    
+    def eval_with_timeout(code, timeout=10)
+      require 'timeout'
+      
+      timeout_code = <<-RUBY
+        Timeout.timeout(#{timeout}) do
+          #{code}
+        end
+      RUBY
+      
+      eval timeout_code
+    end
+    
+    IO_S_METHODS = %w[
+      new
+      foreach
+      open
+    ]
 
     KERNEL_S_METHODS = %w[
       Array

data/spec/exploits_spec.rb

@@ -0,0 +1,123 @@
+require 'rspec'
+require 'sandbox'
+
+class OutsideFoo
+  def self.bar; 'bar'; end
+end
+
+describe "Sandbox exploits" do
+  subject { Sandbox.safe }
+  
+  before(:each) do
+    subject.activate!
+  end
+  
+  it "should not allow running any commands or reading files using IO" do
+    expect {
+      subject.eval 'f=IO.popen("uname"); f.readlines; f.close'
+    }.to raise_error(Sandbox::SandboxException, /NoMethodError/)
+    
+    expect {
+      subject.eval 'IO.binread("/etc/passwd")'
+    }.to raise_error(Sandbox::SandboxException, /NoMethodError/)
+    
+    expect {
+      subject.eval 'IO.read("/etc/passwd")'
+    }.to raise_error(Sandbox::SandboxException, /NoMethodError/)
+  end
+  
+  it "should not pass through methods added to Kernel" do
+    k = subject.eval("Kernel")
+    def k.crack
+      open("/etc/passwd")
+    end
+    
+    Kernel.should respond_to(:crack)
+    subject.eval("Kernel.respond_to?(:crack)").should == false
+  end
+  
+  it "should not allow calling fork on Kernel, even through eval" do
+    subject.eval("eval('Kernel').respond_to?(:fork)").should == false
+  end
+  
+  it "should not get access to outside the box objects by using eval and TOPLEVEL_BINDING" do
+    expect {
+      subject.eval(%{eval('OutsideFoo.bar', TOPLEVEL_BINDING)})
+    }.to raise_error(Sandbox::SandboxException, /NameError/)
+  end
+  
+  it "should not get access to the outside eval through a ref'd object" do
+    subject.ref OutsideFoo
+    subject.eval "obj = OutsideFoo.new"
+    subject.eval("(obj.methods.grep /^eval/).empty?").should == true
+    subject.eval("obj.respond_to?(:eval)").should == false
+  end
+  
+  it "should not allow file access, even through a ref hack" do
+    unsafe_open = %{File.open('/etc/passwd').read}
+    
+    expect {
+      subject.eval(unsafe_open) 
+    }.to raise_error(Sandbox::SandboxException)
+    
+    subject.ref OutsideFoo
+    subject.eval "obj = OutsideFoo.new"
+    
+    unsafe_open_hack = %{obj.eval "#{unsafe_open}"}
+    
+    pending "gotta figure out how to lock down ref'd objects eval" do
+      expect {
+        subject.eval(unsafe_open_hack)
+      }.to raise_error(Sandbox::SandboxException)
+    end
+  end
+  
+  it "should have safe globals" do
+    subject.eval('$0').should == '(sandbox)'
+    /(.)(.)(.)/.match("abc")
+    subject.eval("$TEST = 'TEST'; $TEST").should == "TEST"
+    subject.eval("/(.)(.)(.)/.match('def'); $2").should == "e"
+    $2.should == "b"
+    subject.eval("$TEST").should == "TEST"
+    subject.eval("$2").should == "e"
+  end
+  
+  it "should not keep Kernel.fork" do
+    expect {
+      subject.eval("Kernel.fork")
+    }.to raise_error(Sandbox::SandboxException)
+    
+    expect {
+      subject.eval("fork")
+    }.to raise_error(Sandbox::SandboxException)
+  end
+  
+  it "should not allow the sandbox to get back to Kernel through ancestors" do
+    subject.eval('$0.class.ancestors[3].respond_to?(:fork)').should == false
+  end
+  
+  it "should not pass through block scope" do
+    1.times do |i|
+      subject.eval('local_variables').should == []
+    end
+  end
+  
+  it "should not allow exploits through match data" do
+    subject.eval("begin; /(.+)/.match('FreakyFreaky').instance_eval { open('/etc/passwd') }; rescue NameError; :NameError; end").should == :NameError
+    
+    subject.eval("begin;(begin;Regexp.new('(');rescue e;e;end).instance_eval{ open('/etc/passwd') }; rescue NameError; :NameError; end").should == :NameError
+  end
+  
+  it "should not be able to access outside box Kernel through exceptions" do
+    exception_code = <<-RUBY
+      begin
+        raise
+      rescue => e
+        obj = e
+      end
+    RUBY
+    subject.eval(exception_code)
+    
+    subject.eval('obj.class.ancestors[4].respond_to?(:fork)').should == false
+  end
+end

data/spec/sandbox_spec.rb

@@ -1,5 +1,6 @@
 require 'rspec'
 require 'sandbox'
+require 'timeout'
 
 describe Sandbox do
   after(:each) do
@@ -56,17 +57,6 @@ describe Sandbox do
         subject.eval(%{FileUtils.cp('/bar.txt', '/baz.txt')})
       }.to_not raise_error(Sandbox::SandboxException, /NoMethodError/)
     end
-
-    it "sandboxes global variables" do
-      subject.eval('$0').should == '(sandbox)'
-      /(.)(.)(.)/.match('abc')
-      subject.eval('$TEST = "TEST"; $TEST').should == 'TEST'
-      subject.eval('/(.)(.)(.)/.match("def"); $2').should == 'e'
-      $2.should == 'b'
-      subject.eval('$TEST').should == 'TEST'
-      subject.eval('$2').should == 'e'
-      /(.)(.)(.)/.match('ghi')
-    end
   end
 
   describe ".current" do
@@ -82,6 +72,38 @@ describe Sandbox do
       end
     end
   end
+  
+  describe "#eval_with_timeout" do
+    subject { Sandbox.safe }
+    
+    context "before it's been activated" do
+      it "should protect against long running code" do
+        long_code = <<-RUBY
+          sleep(5)
+        RUBY
+
+        expect {
+          subject.eval_with_timeout(long_code, 1)
+        }.to raise_error(Sandbox::SandboxException, /Timeout/)
+      end
+    end
+    
+    context "after it's been activated" do
+      before(:each) { subject.activate! }
+      
+      it "should protect against long running code" do
+        long_code = <<-RUBY
+          while true; end
+        RUBY
+
+        expect {
+          Timeout.timeout(3) do
+            subject.eval_with_timeout(long_code, 1)
+          end
+        }.to raise_error(Sandbox::SandboxException, /Timeout/)
+      end
+    end
+  end
 
   describe "#eval" do
     subject { Sandbox.new }

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: jruby_sandbox
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.1.2
   prerelease: 
 platform: java
 authors:
@@ -10,11 +10,11 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2011-09-20 00:00:00.000000000Z
+date: 2011-09-22 00:00:00.000000000Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: fakefs
-  requirement: &70184226086860 !ruby/object:Gem::Requirement
+  requirement: &70213141993840 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -22,10 +22,10 @@ dependencies:
         version: '0'
   type: :runtime
   prerelease: false
-  version_requirements: *70184226086860
+  version_requirements: *70213141993840
 - !ruby/object:Gem::Dependency
   name: rake
-  requirement: &70184226086440 !ruby/object:Gem::Requirement
+  requirement: &70213141992860 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -33,10 +33,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70184226086440
+  version_requirements: *70213141992860
 - !ruby/object:Gem::Dependency
   name: rake-compiler
-  requirement: &70184226086020 !ruby/object:Gem::Requirement
+  requirement: &70213141991920 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -44,10 +44,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70184226086020
+  version_requirements: *70213141991920
 - !ruby/object:Gem::Dependency
   name: rspec
-  requirement: &70184226085600 !ruby/object:Gem::Requirement
+  requirement: &70213141991120 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -55,10 +55,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70184226085600
+  version_requirements: *70213141991120
 - !ruby/object:Gem::Dependency
   name: yard
-  requirement: &70184226085180 !ruby/object:Gem::Requirement
+  requirement: &70213141989820 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -66,7 +66,7 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70184226085180
+  version_requirements: *70213141989820
 description: A version of _why's Freaky Freaky Sandbox for JRuby.
 email:
 - dray@envylabs.com
@@ -90,6 +90,7 @@ files:
 - lib/sandbox.rb
 - lib/sandbox/prelude.rb
 - lib/sandbox/version.rb
+- spec/exploits_spec.rb
 - spec/sandbox_spec.rb
 - spec/support/foo.txt
 - lib/sandbox/sandbox.jar
@@ -118,5 +119,6 @@ signing_key:
 specification_version: 3
 summary: Sandbox support for JRuby
 test_files:
+- spec/exploits_spec.rb
 - spec/sandbox_spec.rb
 - spec/support/foo.txt