mruby_sandbox 0.3.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: e3cdeb5959e180dc64032103ef631251e1eeb4fd
+  data.tar.gz: 41e0be05ebcc4067260e7f402237168057aed3b0
+SHA512:
+  metadata.gz: 2e78223ebfdd2f0d74e37aa72316e5c2ba86e8d3d30d522c5281f6793400671fd0d8281a448be7cbf1f95cef4cd383af130deefa3b4186a6d7238cfe8bfe7a90
+  data.tar.gz: bb9011f3cd6413d47ba2d2141b9ccf60e763c5c2f0b550d13e045e932827e1c5d2c798ba5806d38bfda2a8435731426621b0a8af943bb2b4ca1117b1f4e27b18

data/.gitignore

@@ -0,0 +1,2 @@
+/tmp
+/bin/mruby_sandbox

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper.rb

data/Gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+
+gemspec

data/Gemfile.lock

@@ -0,0 +1,45 @@
+PATH
+  remote: .
+  specs:
+    mruby_sandbox (0.3.1)
+      pipe_rpc (~> 0.2)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    diff-lcs (1.2.5)
+    json (1.8.3)
+    pipe_rpc (0.2.0)
+      json
+    rspec (3.4.0)
+      rspec-core (~> 3.4.0)
+      rspec-expectations (~> 3.4.0)
+      rspec-mocks (~> 3.4.0)
+    rspec-core (3.4.1)
+      rspec-support (~> 3.4.0)
+    rspec-expectations (3.4.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.4.0)
+    rspec-its (1.2.0)
+      rspec-core (>= 3.0.0)
+      rspec-expectations (>= 3.0.0)
+    rspec-mocks (3.4.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.4.0)
+    rspec-mocks-matchers-send_message (0.3.1)
+      rspec (~> 3.0)
+      rspec-mocks (~> 3.0)
+    rspec-support (3.4.1)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (~> 1.8)
+  mruby_sandbox!
+  rspec (~> 3.4)
+  rspec-its
+  rspec-mocks-matchers-send_message (~> 0.2)
+
+BUNDLED WITH
+   1.11.2

data/README.md

@@ -0,0 +1,98 @@
+# A mruby sandbox for ruby
+
+A mruby sandbox whose job is to run untrusted ruby code in a safe environment.
+Untrusted code is loaded into an environment having no access to the outside
+world by default. Receivers can be registered so methods can be called on the
+outside of the sandbox.
+
+The sandbox runs as a subprocess of a managing parent process. To be able to
+communicate with its parent the sandbox also loads a restricted IO library
+that only allows reading and writing through STDIN and STDOUT. Besides STDERR
+no further IO Endpoints are passed down by the parent. The IO library does not
+implement any operations accessing files on the system or the like.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'mruby_sandbox'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install mruby_sandbox
+
+After the gem is installed the sandbox needs to be build for your system:
+
+    $ build_mruby_sandbox
+
+## Usage
+
+```ruby
+sandbox = MrubySandbox.new
+sandbox.eval("8+45") # => 53
+sandbox.eval("system 'rm -rf /'") # => NoMethodError
+```
+
+More complex untrusted code following the rules of mruby is possible:
+
+```ruby
+sandbox = MrubySandbox.new
+sandbox.eval(<<-CODE)
+  def meth
+    'result'
+  end
+
+  class Klass
+    def meth
+      'klass meth'
+    end
+  end
+CODE
+
+sandbox.eval('meth') # => 'result'
+sandbox.eval('Klass.new.meth') # => 'klass meth'
+```
+
+There are two methods available to communicate with the outside:
+
+* `#export`: Registers a receiver inside the sandbox to reach from the outside
+  ```ruby
+  sandbox = MrubySandbox.new
+  sandbox.eval(<<-CODE)
+    class Calc
+      def multiply(a, b)
+        a * b
+      end
+    end
+    export(math: Calc)
+  CODE
+
+  sandbox.client_for(:math).multiply(5, 9) # => 45
+  sandbox.client_for(:math).add(5, 9) # => NoMethodError
+  ```
+
+* `#client_for`: Reaches out to a receiver on the outside of the sandbox
+  ```ruby
+  class Calc < MrubySandbox::Receiver
+    def exp(a, b)
+      a ** b
+    end
+  end
+
+  sandbox = MrubySandbox.new
+  sandbox.add_receiver(math: Calc)
+
+  sandbox.eval 'client_for(:math).exp(2,8)' # => 256
+  sandbox.eval 'client_for(:math).exp' # => ArgumentError
+  ```
+
+To create Receivers outside the sandbox let them inherit from `MrubySandbox::Receiver`. This is
+basically a `BasicObject` without `#instance_{eval|exec}` so it does not respond to methods
+capable of executing potential malicious code. Inside the sandbox, in mruby land, nothing bad should
+be possible, if a receiver is an ordinary object. Otherwise we are screwed anyway.

data/bin/build_mruby_sandbox

@@ -0,0 +1,38 @@
+#!/usr/bin/env ruby
+
+require 'fileutils'
+
+def test?
+  ARGV.include? 'test'
+end
+
+def clean?
+  ARGV.include? 'clean'
+end
+
+def build?
+  not test? and not clean?
+end
+
+def clone_mruby_into(mruby_dir)
+  system "git clone https://github.com/cremno/mruby.git #{mruby_dir}"
+  Dir.chdir mruby_dir
+  system "git checkout fix-exception-backtrace"
+end
+
+def build_mruby(config:, args:)
+  system "#{test? ? 'TEST=test' : ''} MRUBY_CONFIG=#{config} ./minirake #{args.join(' ')}"
+end
+
+bin_dir = File.expand_path(File.dirname(__FILE__))
+root_dir = File.join(bin_dir, '..')
+mruby_dir = File.join(root_dir, 'tmp/mruby')
+build_config = File.join(root_dir, 'mruby/config/build_config.rb')
+
+clone_mruby_into(mruby_dir) unless File.exist?(mruby_dir)
+
+Dir.chdir mruby_dir
+build_mruby(config: build_config, args: ARGV)
+
+FileUtils.cp File.join(mruby_dir, 'build/host/bin/mruby'), File.join(bin_dir, 'mruby_sandbox') if build?
+FileUtils.cp File.join(mruby_dir, 'build/host/bin/mirb'), File.join(bin_dir, 'mirb') if test?

data/lib/mruby_sandbox.rb

@@ -0,0 +1,75 @@
+require 'pipe_rpc'
+require 'forwardable'
+require 'logger'
+require_relative 'mruby_sandbox/version'
+require_relative 'mruby_sandbox/server'
+
+class MrubySandbox
+  extend Forwardable
+
+  class << self
+    attr_writer :logger
+
+    def logger
+      @logger ||= Logger.new(STDOUT)
+    end
+  end
+
+  def self.finalize(pid)
+    proc do |id|
+      Process.kill 9, pid
+      Process.wait pid
+      logger.debug "Sandbox(#{id}) garbage collected and process #{pid} killed"
+    end
+  end
+
+  def initialize
+    input, w = IO.pipe
+    r, output  = IO.pipe
+    pid = spawn(executable, in: r, out: w)
+    r.close; w.close
+
+    self.class.logger.debug "Sandbox(#{__id__}) created with process #{pid}"
+    ObjectSpace.define_finalizer(self, self.class.finalize(pid))
+
+    @hub = PipeRpc::Hub.new(input: input, output: output)
+    @data = {}
+
+  rescue Errno::ENOENT => e
+    STDERR.puts "The mruby_sandbox executable is missing. Run `build_mruby_sandbox` first."
+    fail e
+  end
+
+  attr_reader :data
+
+  def client
+    client_for :default
+  end
+
+  delegate [:clear, :eval] => :client
+  delegate [:add_server, :rmv_server, :client_for, :channel, :handle_message, :loop_iteration=,
+    :on_sent, :on_received, :on_incoming_request] => :@hub
+  alias_method :export, :add_server
+
+  def start_logging
+    @hub.logger = proc do |message|
+      self.class.logger.debug "Sandbox(#{__id__}) #{message}"
+    end
+  end
+
+  def reflect_logger_server=(server)
+    client.debug_mode(!!server)
+    if server
+      add_server(reflect_logger: server)
+    else
+      rmv_server(:reflect_logger)
+    end
+  end
+
+  private
+
+  def executable
+    current_dir = File.expand_path(File.dirname(__FILE__))
+    File.join(current_dir, '../bin/mruby_sandbox')
+  end
+end

data/lib/mruby_sandbox/server.rb

@@ -0,0 +1,32 @@
+class MrubySandbox::Server < BasicObject
+  # instance_eval imposes a security vulnerability on the ordinary ruby side of the sandbox: All
+  # server's methods are accessible from the inside. So with instance_eval from the inside the
+  # following is possible: `client.instance_eval '::Kernel.system("rm -rf /")'`
+  undef_method :instance_eval
+  undef_method :instance_exec
+
+  def self.inherited(subclass)
+    subclass.__send__(:define_method, :respond_to?) do |method|
+      subclass.instance_methods.include?(method.to_sym)
+    end
+
+    subclass.__send__(:define_method, :class) do
+      subclass
+    end
+  end
+
+  def self.const_missing(name)
+    ::Object.const_get(name)
+  end
+
+  def inspect
+    "#<#{self.class}:#{'%#016x' % __id__}>"
+  end
+  alias_method :to_s, :inspect
+
+  private
+
+  def raise(*args)
+    Kernel.raise *args
+  end
+end

data/lib/mruby_sandbox/version.rb

@@ -0,0 +1,3 @@
+class MrubySandbox
+  VERSION = "0.3.1"
+end

data/mruby/config/build_config.rb

@@ -0,0 +1,17 @@
+MRuby::Build.new do |conf|
+  # Gets set by the VS command prompts.
+  if ENV['VisualStudioVersion'] || ENV['VSINSTALLDIR']
+    toolchain :visualcpp
+  else
+    toolchain :gcc
+  end
+
+  dir = File.expand_path(File.dirname(__FILE__))
+  root_dir = File.expand_path('..', dir)
+  sandbox_mrbgem = File.join(root_dir, 'sandbox')
+
+  conf.gembox File.join(dir, 'safe-core')
+  conf.gem core: 'mruby-bin-mirb' if ENV['TEST']
+  #conf.gem File.join(root_dir, '../../mruby-pipe_rpc')
+  conf.gem sandbox_mrbgem unless ENV['TEST']
+end

data/mruby/config/safe-core.gembox

@@ -0,0 +1,64 @@
+MRuby::GemBox.new do |conf|
+  # Use standard Kernel#sprintf method
+  conf.gem :core => "mruby-sprintf"
+
+  # Use standard Math module
+  conf.gem :core => "mruby-math"
+
+  # Use standard Time class
+  conf.gem :core => "mruby-time"
+
+  # Use standard Struct class
+  conf.gem :core => "mruby-struct"
+
+  # Use extensional Enumerable module
+  conf.gem :core => "mruby-enum-ext"
+
+  # Use extensional String class
+  conf.gem :core => "mruby-string-ext"
+
+  # Use extensional Numeric class
+  conf.gem :core => "mruby-numeric-ext"
+
+  # Use extensional Array class
+  conf.gem :core => "mruby-array-ext"
+
+  # Use extensional Hash class
+  conf.gem :core => "mruby-hash-ext"
+
+  # Use extensional Range class
+  conf.gem :core => "mruby-range-ext"
+
+  # Use extensional Proc class
+  conf.gem :core => "mruby-proc-ext"
+
+  # Use extensional Symbol class
+  conf.gem :core => "mruby-symbol-ext"
+
+  # Use Random class
+  conf.gem :core => "mruby-random"
+
+  # Use extensional Object class
+  conf.gem :core => "mruby-object-ext"
+
+  # Use ObjectSpace class
+  conf.gem :core => "mruby-objectspace"
+
+  # Use Enumerator class (require mruby-fiber)
+  conf.gem :core => "mruby-enumerator"
+
+  # Use Enumerable::Lazy class (require mruby-enumerator)
+  conf.gem :core => "mruby-enum-lazy"
+
+  # Use extended toplevel object (main) methods
+  conf.gem :core => "mruby-toplevel-ext"
+
+  # Generate mruby command
+  conf.gem :core => "mruby-bin-mruby"
+
+  # Use extensional Kernel module
+  conf.gem :core => "mruby-kernel-ext"
+
+  # Use eval module
+  conf.gem :core => "mruby-eval"
+end

data/mruby/sandbox/mrbgem.rake

@@ -0,0 +1,10 @@
+MRuby::Gem::Specification.new('mruby-sandbox') do |spec|
+  spec.license = 'MIT'
+  spec.version = '0.1.0'
+  spec.summary = "A mruby sandbox whose job is to run untrusted ruby code in a safe environment"
+  spec.authors = ['Christopher Aue']
+  spec.homepage = 'https://github.com/christopheraue/ruby-mruby-sandbox'
+
+  spec.add_dependency 'mruby-pipe_rpc', '~> 0.1', github: 'christopheraue/mruby-pipe_rpc'
+  spec.add_dependency 'mruby-onig-regexp', '>= 0', github: 'mattn/mruby-onig-regexp'
+end

data/mruby/sandbox/mrblib/sandbox.rb

@@ -0,0 +1,77 @@
+class Sandbox < BasicObject
+  def initialize(main)
+    @main = main
+    @main.sandbox = self
+    input = IO.new(0, 'r')  #STDIN
+    output = IO.new(1, 'w') #STDOUT
+    @hub = PipeRpc::Hub.new(input: input, output: output)
+    add_server(default: Controller.new(self))
+    ::Kernel.loop { iteration }
+  end
+
+  def eval(code, file = '', lineno = 0)
+    @main.eval(code, file, lineno)
+  end
+
+  def add_server(args = {})
+    @hub.add_server(args)
+  end
+
+  def client_for(server_name)
+    @hub.client_for(server_name)
+  end
+
+  def debug_mode(debug = true)
+    @hub.logger = debug ? :reflect : false
+  end
+
+  private
+
+  def iteration
+    @hub.handle_message # blocks every iteration
+  rescue ::Exception => e
+    # reflect ALL rescueable errors back to the managing process
+    backtrace = e.backtrace
+    @hub.send_error(code: -32603, data: { message: e.message, backtrace: backtrace })
+    ::Kernel.raise e
+  end
+end
+
+class Sandbox::Controller
+  def initialize(sandbox)
+    @sandbox = sandbox
+  end
+
+  def eval(code, file = '', lineno = 0)
+    @sandbox.eval(code, file, lineno)
+  end
+
+  def debug_mode(debug = true)
+    @sandbox.debug_mode(debug)
+  end
+end
+
+# Interface for untrusted code to communicate with the outside
+class << self
+  attr_writer :sandbox
+
+  def eval(code, file = '', lineno = 0)
+    instance_eval(code, file, lineno)
+  end
+
+  def export(args = {})
+    @sandbox.add_server(args)
+  end
+
+  def client_for(server = :default)
+    @sandbox.client_for(server)
+  end
+  alias_method :client, :client_for
+end
+
+# Remove constants from global namespace so untrusted code cannot mess around with it.
+Sandbox::GC = Object.remove_const(:GC)
+Sandbox::ObjectSpace = Object.remove_const(:ObjectSpace)
+Sandbox::IO = Object.remove_const(:IO)
+Sandbox::PipeRpc = Object.remove_const(:PipeRpc)
+Object.remove_const(:Sandbox).new(self)

data/mruby_sandbox.gemspec

@@ -0,0 +1,29 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'mruby_sandbox/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "mruby_sandbox"
+  spec.version       = MrubySandbox::VERSION
+  spec.authors       = ["Christopher Aue"]
+  spec.email         = ["mail@christopheraue.net"]
+
+  spec.summary       = %q{A mruby sandbox for ruby}
+  spec.description   = %q{A mruby sandbox running in its own sub process and having only a single
+                          pipe in and out to communicate with the outside. Provides a rather safe
+                          environment to run untrusted code.}
+  spec.homepage      = "https://github.com/christopheraue/ruby-mruby_sandbox"
+  spec.license       = "MIT"
+  spec.post_install_message = "Run `build_mruby_sandbox` to finish installation."
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.executables   = ["build_mruby_sandbox"]
+  spec.require_paths = ["lib"]
+
+  spec.add_runtime_dependency "pipe_rpc", "~> 0.2"
+  spec.add_development_dependency "bundler", "~> 1.8"
+  spec.add_development_dependency "rspec", "~> 3.4"
+  spec.add_development_dependency "rspec-its"
+  spec.add_development_dependency "rspec-mocks-matchers-send_message", "~> 0.2"
+end

metadata

@@ -0,0 +1,132 @@
+--- !ruby/object:Gem::Specification
+name: mruby_sandbox
+version: !ruby/object:Gem::Version
+  version: 0.3.1
+platform: ruby
+authors:
+- Christopher Aue
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-12-25 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: pipe_rpc
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.4'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.4'
+- !ruby/object:Gem::Dependency
+  name: rspec-its
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec-mocks-matchers-send_message
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+description: |-
+  A mruby sandbox running in its own sub process and having only a single
+                            pipe in and out to communicate with the outside. Provides a rather safe
+                            environment to run untrusted code.
+email:
+- mail@christopheraue.net
+executables:
+- build_mruby_sandbox
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- Gemfile
+- Gemfile.lock
+- README.md
+- bin/build_mruby_sandbox
+- lib/mruby_sandbox.rb
+- lib/mruby_sandbox/server.rb
+- lib/mruby_sandbox/version.rb
+- mruby/config/build_config.rb
+- mruby/config/safe-core.gembox
+- mruby/sandbox/mrbgem.rake
+- mruby/sandbox/mrblib/sandbox.rb
+- mruby_sandbox.gemspec
+homepage: https://github.com/christopheraue/ruby-mruby_sandbox
+licenses:
+- MIT
+metadata: {}
+post_install_message: Run `build_mruby_sandbox` to finish installation.
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.5.1
+signing_key: 
+specification_version: 4
+summary: A mruby sandbox for ruby
+test_files: []