safemode 0.0.2

data/LICENCSE

@@ -0,0 +1,22 @@
+Copyright (c) 2008, Sven Fuchs, Peter Cooper
+
+Permission is hereby granted, free of charge, to any person
+obtaining a copy of this software and associated documentation
+files (the "Software"), to deal in the Software without
+restriction, including without limitation the rights to use,
+copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the
+Software is furnished to do so, subject to the following
+conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.

data/README.markdown

@@ -0,0 +1,71 @@
+## Safemode
+
+A library for safe evaluation of Ruby code based on RubyParser and
+Ruby2Ruby. Provides Rails ActionView template handlers for ERB and Haml.
+
+### Word of warning
+
+This library is still highly experimental. Only use it at your own risk for
+anything beyond experiments and playing.
+
+That said, please **do** play with it, read and run the unit tests and provide
+feedback to help make it waterproof and finally suitable for serious purposes.
+
+### Usage
+
+For manual evaluation of Ruby code and ERB templates see demo.rb
+
+You can use the ActionView template handlers by registering them, e.g., in 
+a config/initializer file like this:
+
+    # in config/intializer/safemode_tempate_handlers.rb
+    ActionView::Template.register_template_handler :serb, ActionView::TemplateHandlers::SafeErb
+    ActionView::Template.register_template_handler :haml, ActionView::TemplateHandlers::SafeHaml
+
+If you register the ERB template handler for the file extension :erb be aware
+that this most probably will break when your application tries to render an
+error message in development mode (because Rails will try to use the handler
+to render the error message itself).
+
+You will then have to "whitelist" all method calls to the objects that are
+registered as template variables by explicitely allowing access to them. You
+can do that by defining a Safemode::Jail class for your classes, like so:
+
+    class User
+      class Jail < Safemode::Jail
+        allow :name
+      end
+    end  
+  
+This will allow your template users to access the name method on your User 
+objects.
+
+For more details about the concepts behind Safemode please refer to the 
+following blog posts until a more comprehensive writeup is available:
+
+* Initial reasoning: [http://www.artweb-design.de/2008/2/5/sexy-theme-templating-with-haml-safemode-finally](http://www.artweb-design.de/2008/2/5/sexy-theme-templating-with-haml-safemode-finally)
+* Refined concept: [http://www.artweb-design.de/2008/2/17/sending-ruby-to-the-jail-an-attemp-on-a-haml-safemode](http://www.artweb-design.de/2008/2/17/sending-ruby-to-the-jail-an-attemp-on-a-haml-safemode)
+* ActionView ERB handler: [http://www.artweb-design.de/2008/4/22/an-erb-safemode-handler-for-actionview](http://www.artweb-design.de/2008/4/22/an-erb-safemode-handler-for-actionview)
+  
+### Dependencies
+
+Requires the gems:
+
+* RubyParser
+* Ruby2Ruby
+
+As of writing RubyParser alters StringIO and thus breaks usage with Rails.
+See [http://www.zenspider.com/pipermail/parsetree/2008-April/000026.html](http://www.zenspider.com/pipermail/parsetree/2008-April/000026.html)
+
+A patch is included that fixes this issue and can be applied to RubyParser.
+See lib/ruby\_parser\_string\_io\_patch.diff
+
+### Credits
+
+* Sven Fuchs - Maintainer
+* Peter Cooper
+
+This code and all of the Safemode library's code was initially written by 
+Sven Fuchs to allow Haml to have a safe mode. It was then modified and
+re-structured by Peter Cooper and Sven Fuchs to extend the idea to generic
+Ruby eval situations.

data/Rakefile

@@ -0,0 +1,15 @@
+# optional libraries
+%w[ redgreen ].each do |lib|
+  begin
+    require lib
+  rescue LoadError
+  end
+end
+
+task :default => [:test]
+
+task :test do
+  ['test/unit', 'test/test_helper', 'test/test_all'].each do |file|
+    require file
+  end
+end

data/demo.rb

@@ -0,0 +1,23 @@
+require 'safemode'
+require 'erb'
+
+erb_code = %q{<% 10.times do |i| %><%= i %><% end %>}
+
+raw_code = %q{
+  (1..10).to_a.collect do |i|
+    puts i
+    i * 2
+  end.join(', ')
+}
+
+box = Safemode::Box.new
+
+puts "Doing the ERB code in safe mode\n-----"
+puts box.eval(ERB.new(erb_code).src)
+
+puts "\nDoing the regular Ruby code in safe mode\n-----"
+puts box.eval(raw_code)
+
+puts "\nOutput from regular Ruby code\n-----"
+puts box.output
+

data/init.rb

@@ -0,0 +1 @@
+require 'safemode'

data/lib/action_view/template_handlers/safe_erb.rb

@@ -0,0 +1,43 @@
+require 'safemode'
+require 'erb'
+
+module ActionView
+  module TemplateHandlers
+    class SafeErb < TemplateHandler
+      include Compilable rescue nil # does not exist prior Rails 2.1
+      extend SafemodeHandler
+
+      def self.line_offset
+        0
+      end
+
+      def compile(template)
+        # Rails 2.0 passes the template source, while Rails 2.1 passes the
+        # template instance
+        src = template.respond_to?(:source) ? template.source : template
+        filename = template.filename rescue nil
+        erb_trim_mode = '-'
+
+        # code = ::ERB.new(src, nil, @view.erb_trim_mode).src
+        code = ::ERB.new("<% __in_erb_template=true %>#{src}", nil, erb_trim_mode, '@output_buffer').src
+        # Ruby 1.9 prepends an encoding to the source. However this is
+        # useless because you can only set an encoding on the first line
+        RUBY_VERSION >= '1.9' ? src.sub(/\A#coding:.*\n/, '') : src
+
+        code.gsub!('\\','\\\\\\') # backslashes would disappear in compile_template/modul_eval, so we escape them
+
+        code = <<-CODE
+          handler = ActionView::TemplateHandlers::SafeHaml
+          assigns = handler.valid_assigns(@template.assigns)
+          methods = handler.delegate_methods(self)
+          code = %Q(#{code});
+
+          box = Safemode::Box.new(self, methods, #{filename.inspect}, 0)
+          box.eval(code, assigns, local_assigns, &lambda{ |*args| yield(*args) })
+        CODE
+        # puts code
+        code
+      end
+    end
+  end
+end

data/lib/action_view/template_handlers/safe_haml.rb

@@ -0,0 +1,27 @@
+require 'safemode'
+require 'haml/safemode'
+
+module ActionView
+  module TemplateHandlers
+    class SafeHaml < TemplateHandler
+      include Compilable rescue nil # does not exist prior Rails 2.1
+      extend SafemodeHandler
+      
+      def self.line_offset
+      3
+      end
+
+      def compile(template)
+        # Rails 2.0 passes the template source, while Rails 2.1 passes the
+        # template instance
+        src = template.respond_to?(:source) ? template.source : template
+        filename = template.filename rescue nil
+
+        options = Haml::Template.options.dup
+        haml = Haml::Engine.new template, options
+        methods = delegate_methods + ActionController::Routing::Routes.named_routes.helpers
+        haml.precompile_for_safemode filename, ignore_assigns, methods
+      end
+    end
+  end
+end

data/lib/action_view/template_handlers/safemode_handler.rb

@@ -0,0 +1,28 @@
+module ActionView
+  module TemplateHandlers
+    module SafemodeHandler
+
+      def valid_assigns(assigns)
+        assigns = assigns.reject{|key, value| skip_assigns.include?(key) }
+      end
+      
+      def delegate_methods(view)
+        [ :render, :params, :flash ] + 
+        helper_methods(view) + 
+        ActionController::Routing::Routes.named_routes.helpers
+      end
+
+      def helper_methods(view)
+        view.class.included_modules.collect {|m| m.instance_methods(false) }.flatten.map(&:to_sym)
+      end
+      
+      def skip_assigns
+        [ "_cookies", "_flash", "_headers", "_params", "_request",
+          "_response", "_session", "before_filter_chain_aborted",
+          "ignore_missing_templates", "logger", "request_origin",
+          "template", "template_class", "url", "variables_added",
+          "view_paths" ]        
+      end
+    end
+  end
+end

data/lib/haml/safemode.rb

@@ -0,0 +1,41 @@
+require 'haml'
+
+module Haml  
+  class Buffer
+    class Jail < Safemode::Jail
+      allow :push_script, :push_text, :_hamlout, :open_tag
+    end
+  end
+end
+
+module Haml  
+  class Engine
+    def precompile_for_safemode(filename, ignore_assigns = [], delegate_methods = [])        
+        @precompiled.gsub!('\\','\\\\\\') # backslashes would disappear in compile_template/modul_eval, so we escape them
+        
+        <<-CODE 
+          buffer = Haml::Buffer.new(#{options_for_buffer.inspect})
+          local_assigns = local_assigns.merge :_hamlout => buffer
+          
+          handler = ActionView::TemplateHandlers::SafeHaml
+          assigns = handler.valid_assigns(@template.assigns)
+          methods = handler.delegate_methods(self)
+          code = %Q(#{code});
+          
+          box = Safemode::Box.new(self, methods, #{filename.inspect}, 0)
+          box.eval(code, assigns, local_assigns, &lambda{ yield })     
+          buffer.buffer   
+        CODE
+
+        # preamble =  "buffer = Haml::Buffer.new(#{options_for_buffer.inspect})
+        #              local_assigns = local_assigns.merge :_hamlout => buffer
+        #              assigns = @template.assigns.reject{|key, value| #{ignore_assigns.inspect}.include?(key) };".gsub("\n", ';')
+        #             
+        # postamble = "box = Safemode::Box.new(self, #{delegate_methods.inspect})
+        #              box.eval(code, assigns, local_assigns, &lambda{ yield })
+        #              buffer.buffer".gsub("\n", ';')
+        # 
+        # preamble + "code = %Q(#{@precompiled});" + postamble
+    end
+  end
+end

data/lib/rubyparser_bug.rb

@@ -0,0 +1,8 @@
+require 'rubygems'
+require 'ruby2ruby'
+
+sexp = ParseTree.translate('a')
+puts Ruby2Ruby.new.process(sexp)
+
+# should work, but yields:
+# UnknownNodeError: Bug! Unknown node-type :vcall to Ruby2Ruby

data/lib/safemode.rb

@@ -0,0 +1,58 @@
+require 'rubygems'
+
+require 'ruby2ruby'
+begin
+  require 'ruby_parser' # try to load RubyParser and use it if present
+rescue LoadError => e
+end
+# this doesn't work somehow. Maybe something changed inside
+# ParseTree or sexp_processor or so.
+# (the require itself works, but ParseTree doesn't play nice)
+# begin
+#   require 'parse_tree'
+# rescue LoadError => e
+# end
+
+require 'safemode/core_ext'
+require 'safemode/blankslate'
+require 'safemode/exceptions'
+require 'safemode/jail'
+require 'safemode/core_jails'
+require 'safemode/parser'
+require 'safemode/scope'
+
+module Safemode
+  class << self
+    def jail(obj)
+      find_jail_class(obj.class).new obj
+    end
+    
+    def find_jail_class(klass)
+      while klass != Object
+        return klass.const_get('Jail') if klass.const_defined?('Jail')
+        klass = klass.superclass
+      end
+      Jail
+    end
+  end
+    
+  define_core_jail_classes
+  
+  class Box
+    def initialize(delegate = nil, delegate_methods = [], filename = nil, line = nil)
+      @scope = Scope.new(delegate, delegate_methods)
+      @filename = filename
+      @line = line
+    end    
+
+    def eval(code, assigns = {}, locals = {}, &block)
+      code = Parser.jail(code)
+      binding = @scope.bind(assigns, locals, &block)
+      result = Kernel.eval(code, binding, @filename || __FILE__, @line || __LINE__)
+    end
+    
+    def output
+      @scope.output
+    end 
+  end
+end

data/lib/safemode/blankslate.rb

@@ -0,0 +1,34 @@
+module Safemode
+  class Blankslate
+    @@allow_instance_methods = ['class', 'inspect', 'methods', 'respond_to?', 'to_s', 'instance_variable_get']
+    @@allow_class_methods    = ['methods', 'new', 'name', 'inspect', '<', 'ancestors', '=='] # < needed in Rails Object#subclasses_of
+
+    silently { undef_methods(*instance_methods - @@allow_instance_methods) }
+    class << self
+      silently { undef_methods(*instance_methods - @@allow_class_methods) }
+
+      def method_added(name) end # ActiveSupport needs this
+
+      def inherited(subclass)
+        subclass.init_allowed_methods(@allowed_methods)
+      end
+
+      def init_allowed_methods(allowed_methods)
+        @allowed_methods = allowed_methods
+      end
+
+      def allowed_methods
+        @allowed_methods ||= []
+      end
+
+      def allow(*names)
+        @allowed_methods = allowed_methods + names.map{|name| name.to_s}
+        @allowed_methods.uniq!
+      end
+
+      def allowed?(name)
+        allowed_methods.include? name.to_s
+      end
+    end
+  end
+end

data/lib/safemode/core_ext.rb

@@ -0,0 +1,39 @@
+module Kernel  
+  def silently(&blk)
+    old_verbose, $VERBOSE = $VERBOSE, nil
+    yield
+    $VERBOSE = old_verbose
+  end   
+end
+
+class Module  
+  def undef_methods(*methods)
+    methods.each { |name| undef_method(name) }
+  end
+end
+
+class Object
+  def to_jail
+    Safemode.jail self
+  end
+end
+
+# As every call to an object in the eval'ed string will be jailed by the
+# parser we don't need to "proactively" jail arrays and hashes. Likewise we
+# don't need to jail objects returned from a jail. Doing so would provide
+# "double" protection, but it also would break using a return value in an if
+# statement, passing them to a Rails helper etc.
+
+# class Array
+#   def to_jail
+#     Safemode.jail collect{ |obj| obj.to_jail }
+#   end
+# end
+# 
+# class Hash
+#   def to_jail
+#     hash = {}
+#     collect{ |key, obj| hash[key] = obj.to_jail}
+#     Safemode.jail hash
+#   end
+# end

data/lib/safemode/core_jails.rb

@@ -0,0 +1,104 @@
+module Safemode      
+  class << self
+    def define_core_jail_classes        
+      core_classes.each do |klass|
+        define_jail_class(klass).allow *core_jail_methods(klass).uniq
+      end
+    end
+  
+    def define_jail_class(klass)
+      unless klass.const_defined?("Jail")
+        klass.const_set("Jail", jail = Class.new(Safemode::Jail))
+      end
+      klass.const_get('Jail')          
+    end
+    
+    def core_classes
+      klasses = [ Array, Bignum, Fixnum, Float, Hash, 
+                  Range, String, Symbol, Time ]
+      klasses << Date if defined? Date
+      klasses << DateTime if defined? DateTime
+      klasses
+    end
+    
+    def core_jail_methods(klass)
+      @@methods_whitelist[klass.name] + (@@default_methods & klass.instance_methods)
+    end
+  end
+  
+  # these methods are allowed in all classes if they are present
+  @@default_methods = %w( % & * ** + +@ - -@ / < << <= <=> == === > >= >> ^ | ~
+                          eql? equal? new methods is_a? kind_of? nil? 
+                          [] []= to_a to_jail to_s inspect to_param )
+
+  # whitelisted methods for core classes ... kind of arbitrary selection
+  @@methods_whitelist = {
+    'Array'      => %w(assoc at blank? collect collect! compact compact! concat
+                    delete delete_at delete_if each each_index empty? fetch
+                    fill first flatten flatten! hash include? index indexes
+                    indices inject insert join last length map map! nitems pop
+                    push rassoc reject reject! reverse reverse! reverse_each
+                    rindex select shift size slice slice! sort sort! transpose
+                    uniq uniq! unshift values_at zip),
+
+    'Bignum'     => %w(abs ceil chr coerce div divmod downto floor hash
+                    integer? modulo next nonzero? quo remainder round
+                    singleton_method_added size step succ times to_f to_i
+                    to_int to_s truncate upto zero?),
+
+    'Fixnum'     => %w(abs ceil chr coerce div divmod downto floor id2name
+                    integer? modulo modulo next nonzero? quo remainder round
+                    singleton_method_added size step succ times to_f to_i
+                    to_int to_s to_sym truncate upto zero?),
+
+    'Float'      => %w(abs ceil coerce div divmod finite? floor hash
+                    infinite? integer? modulo nan? nonzero? quo remainder
+                    round singleton_method_added step to_f to_i to_int to_s
+                    truncate zero?),
+                    
+    'Hash'       => %w(blank? clear delete delete_if each each_key each_pair
+                    each_value empty? fetch has_key? has_value? include? index
+                    invert key? keys length member? merge merge! rec_merge! rehash
+                    reject reject! select shift size sort store
+                    update value? values values_at),
+           
+    'Range'      => %w(begin each end exclude_end? first hash include?
+                    include_without_range? last member? step),
+           
+    'String'     => %w(blank? capitalize capitalize! casecmp center chomp chomp!
+                    chop chop! concat count crypt delete delete! downcase
+                    downcase! dump each each_byte each_line empty? end_with? gsub
+                    gsub! hash hex include? index insert intern iseuc issjis
+                    isutf8 kconv length ljust lstrip lstrip! match next next! oct
+                    reverse reverse! rindex rjust rstrip rstrip! scan size slice
+                    slice! split squeeze squeeze! start_with? strip strip! sub
+                    sub! succ succ! sum swapcase swapcase! to_f to_i to_str to_sym
+                    to_xs toeuc tojis tosjis toutf16 toutf8 tr tr! tr_s tr_s!
+                    upcase upcase! upto),
+           
+    'Symbol'     => %w(to_i to_int),
+           
+    'Time'       => %w(_dump asctime ctime day dst? getgm getlocal getutc gmt?
+                    gmt_offset gmtime gmtoff hash hour httpdate isdst iso8601
+                    localtime mday min minus_without_duration mon month
+                    plus_without_duration rfc2822 rfc822 sec strftime succ to_date
+                    to_datetime to_f to_i tv_sec tv_usec usec utc utc? utc_offset
+                    wday xmlschema yday year zone to_formatted_s),
+           
+    'Date'       => %w(ajd amjd asctime ctime cwday cweek cwyear day day_fraction
+                    default_inspect downto england gregorian gregorian? hash italy
+                    jd julian julian? ld leap? mday minus_without_duration mjd mon
+                    month new_start newsg next ns? os? plus_without_duration sg
+                    start step strftime succ upto wday yday year),
+
+    'DateTime'   => %w(hour, min, new_offset, newof, of, offset, sec, 
+                    sec_fraction, strftime, to_datetime_default_s, to_json, zone),
+    
+    'NilClass'   => %w(blank? duplicable? to_f to_i),
+           
+    'FalseClass' => %w(blank? duplicable?),
+    
+    'TrueClass'  => %w(blank? duplicable?)
+           
+  }    
+end