safemode 0.0.2

data/lib/safemode/exceptions.rb

@@ -0,0 +1,22 @@
+module Safemode
+  class Error < RuntimeError; end
+  
+  class SecurityError < Error
+    @@types = { :const => 'constant',
+                :xstr  => 'shell command',
+                :fcall => 'method',
+                :vcall => 'method',
+                :gvar  => 'global variable' }
+               
+    def initialize(type, value = nil)
+      type = @@types[type] if @@types.include?(type)
+      super "Safemode doesn't allow to access '#{type}'" + (value ? " on #{value}" : '')
+    end
+  end
+  
+  class NoMethodError < Error
+    def initialize(method, jail, source = nil)
+      super "undefined method '#{method}' for #{jail}" + (source ? " (#{source})" : '')
+    end
+  end
+end

data/lib/safemode/jail.rb

@@ -0,0 +1,28 @@
+module Safemode    
+  class Jail < Blankslate 
+    def initialize(source = nil)
+      @source = source
+    end
+  
+    def to_jail
+      self
+    end
+  
+    def to_s
+      @source.to_s
+    end
+  
+    def method_missing(method, *args, &block)
+      unless self.class.allowed?(method)
+        raise Safemode::NoMethodError.new(method, self.class.name, @source.class.name) 
+      end
+      
+      # As every call to an object in the eval'ed string will be jailed by the
+      # parser we don't need to "proactively" jail arrays and hashes. Likewise we
+      # don't need to jail objects returned from a jail. Doing so would provide
+      # "double" protection, but it also would break using a return value in an if
+      # statement, passing them to a Rails helper etc.
+      @source.send(method, *args, &block)
+    end
+  end
+end

data/lib/safemode/parser.rb

@@ -0,0 +1,196 @@
+module Safemode
+  class Parser < Ruby2Ruby
+    # @@parser = defined?(RubyParser) ? 'RubyParser' : 'ParseTree'
+    @@parser = 'RubyParser'
+    
+    class << self
+      def jail(code, allowed_fcalls = [])
+        @@allowed_fcalls = allowed_fcalls
+        tree = parse code
+        self.new.process(tree)
+      end
+      
+      def parse(code)
+        case @@parser
+        # when 'ParseTree'
+        #   ParseTree.translate(code)
+        when 'RubyParser'
+          RubyParser.new.parse(code)
+        else
+          raise "unknown parser #{@@parser}"
+        end
+      end
+      
+      def parser=(parser)
+        @@parser = parser
+      end
+    end
+    
+    def jail(str, parentheses = false)
+      str = parentheses ? "(#{str})." : "#{str}." if str
+      "#{str}to_jail"
+    end
+
+    # split up #process_call. see below ...
+    def process_call(exp)
+      receiver = jail process_call_receiver(exp)
+      name = exp.shift
+      args = process_call_args(exp)
+      process_call_code(receiver, name, args)        
+    end
+    
+    def process_fcall(exp)
+      # using haml we probably never arrive here because :lasgn'ed :fcalls
+      # somehow seem to change to :calls somewhere during processing
+      # unless @@allowed_fcalls.include?(exp.first)
+      #   code = Ruby2Ruby.new.process([:fcall, exp[1], exp[2]]) # wtf ...
+      #   raise_security_error(exp.first, code)
+      # end
+      "to_jail.#{super}"
+    end
+
+    def process_vcall(exp)
+      # unless @@allowed_fcalls.include?(exp.first)
+      #   code = Ruby2Ruby.new.process([:fcall, exp[1], exp[2]]) # wtf ...
+      #   raise_security_error(exp.first, code)
+      # end
+      name = exp[1]
+      exp.clear
+      "to_jail.#{name}"
+    end
+
+    def process_iasgn(exp)
+      code = super
+      if code != '@output_buffer = ""'
+        raise_security_error(:iasgn, code)
+      else
+        code
+      end
+    end
+
+    # see http://www.namikilab.tuat.ac.jp/~sasada/prog/rubynodes/nodes.html
+
+    allowed =    [ :call, :vcall, :evstr,
+                   :lvar, :dvar, :ivar, :lasgn, :masgn, :dasgn, :dasgn_curr,
+                   :lit, :str, :dstr, :dsym, :nil, :true, :false,
+                   :array, :zarray, :hash, :dot2, :dot3, :flip2, :flip3,
+                   :if, :case, :when, :while, :until, :iter, :for, :break, :next, :yield,
+                   :and, :or, :not,
+                   :iasgn, # iasgn is sometimes allowed
+                   # not sure about self ...
+                   :self,
+                   # unnecessarily advanced?
+                   :argscat, :argspush, :splat, :block_pass,
+                   :op_asgn1, :op_asgn2, :op_asgn_and, :op_asgn_or,
+                   # needed for haml
+                   :block ]
+
+    disallowed = [ # :self,  # self doesn't seem to be needed for vcalls?
+                   :const, :defn, :defs, :alias, :valias, :undef, :class, :attrset,
+                   :module, :sclass, :colon2, :colon3,
+                   :fbody, :scope,  :args, :block_arg, :postexe,
+                   :redo, :retry, :begin, :rescue, :resbody, :ensure,
+                   :defined, :super, :zsuper, :return,
+                   :dmethod, :bmethod, :to_ary, :svalue, :match,
+                   :attrasgn, :cdecl, :cvasgn, :cvdecl, :cvar, :gvar, :gasgn,
+                   :xstr, :dxstr,
+                   # not sure how secure ruby regexp is, so leave it out for now
+                   :dregx, :dregx_once, :match2, :match3, :nth_ref, :back_ref ]
+
+    # SexpProcessor bails when we overwrite these ... but they are listed as 
+    # "internal nodes that you can't get to" in sexp_processor.rb
+    # :ifunc, :method, :last, :opt_n, :cfunc, :newline, :alloca, :memo, :cref
+                   
+    disallowed.each do |name| 
+      define_method "process_#{name}" do
+        code = super
+        raise_security_error(name, code)
+      end
+    end
+    
+    def raise_security_error(type, info)
+      raise Safemode::SecurityError.new(type, info)
+    end
+    
+    # split up Ruby2Ruby#process_call monster method so we can hook into it
+    # in a more readable manner
+
+    def process_call_receiver(exp)
+      receiver_node_type = exp.first.nil? ? nil : exp.first.first
+      receiver = process exp.shift        
+      receiver = "(#{receiver})" if
+        Ruby2Ruby::ASSIGN_NODES.include? receiver_node_type            
+      receiver
+    end
+
+    def process_call_args(exp)
+      args_exp = exp.shift rescue nil
+      if args_exp && args_exp.first == :array # FIX
+        args = "#{process(args_exp)[1..-2]}"
+      else
+        args = process args_exp
+        args = nil if args.empty?
+      end
+      args      
+    end
+
+    def process_call_code(receiver, name, args)
+      case name
+      when :<=>, :==, :<, :>, :<=, :>=, :-, :+, :*, :/, :%, :<<, :>>, :** then
+        "(#{receiver} #{name} #{args})"
+      when :[] then
+        "#{receiver}[#{args}]"
+      when :"-@" then
+        "-#{receiver}"
+      when :"+@" then
+        "+#{receiver}"
+      else
+        unless receiver.nil? then
+          "#{receiver}.#{name}#{args ? "(#{args})" : args}"
+        else
+          "#{name}#{args ? "(#{args})" : args}"
+        end
+      end
+    end
+    
+    # Ruby2Ruby process_if rewrites if and unless statements in a way that
+    # makes the result unusable for evaluation in, e.g. ERB which appends a
+    # call to to_s when using <%= %> tags. We'd need to either enclose the 
+    # result from process_if into parentheses like (1 if true) and
+    # (true ? (1) : (2)) or just use the plain if-then-else-end syntax (so
+    # that ERB can safely append to_s to the resulting block).
+
+    def process_if(exp)
+      expand = Ruby2Ruby::ASSIGN_NODES.include? exp.first.first
+      c = process exp.shift
+      t = process exp.shift
+      f = process exp.shift
+
+      c = "(#{c.chomp})" if c =~ /\n/
+
+      if t then
+        # unless expand then
+        #   if f then
+        #     r = "#{c} ? (#{t}) : (#{f})"
+        #     r = nil if r =~ /return/ # HACK - need contextual awareness or something
+        #   else
+        #     r = "#{t} if #{c}"
+        #   end
+        #   return r if r and (@indent+r).size < LINE_LENGTH and r !~ /\n/
+        # end
+
+        r = "if #{c} then\n#{indent(t)}\n"
+        r << "else\n#{indent(f)}\n" if f
+        r << "end"
+
+        r
+      else
+        # unless expand then
+        #   r = "#{f} unless #{c}"
+        #   return r if (@indent+r).size < LINE_LENGTH and r !~ /\n/
+        # end
+        "unless #{c} then\n#{indent(f)}\nend"
+      end
+    end    
+  end                        
+end

data/lib/safemode/scope.rb

@@ -0,0 +1,58 @@
+module Safemode
+  class Scope < Blankslate
+    def initialize(delegate = nil, delegate_methods = [])
+      @delegate = delegate        
+      @delegate_methods = delegate_methods
+      @locals = {}
+    end
+    
+    def bind(instance_vars = {}, locals = {}, &block)
+      @locals = symbolize_keys(locals) # why can't I just pull them to local scope in the same way like instance_vars?
+      instance_vars = symbolize_keys(instance_vars)
+      instance_vars.each {|key, obj| eval "@#{key} = instance_vars[:#{key}]" }
+      @_safemode_output = ''
+      binding
+    end
+  
+    def to_jail
+      self
+    end
+    
+    def puts(*args)
+      print args.to_s + "\n"
+    end
+
+    def print(*args)      
+      @_safemode_output += args.to_s
+    end
+    
+    def output
+      @_safemode_output
+    end
+    
+    def method_missing(method, *args, &block)
+      if @locals.has_key?(method)
+        @locals[method] 
+      elsif @delegate_methods.include?(method)
+        @delegate.send method, *unjail_args(args), &block
+      else
+        raise Safemode::SecurityError.new(method, "#<Safemode::ScopeObject>")
+      end
+    end
+    
+    private
+    
+      def symbolize_keys(hash)
+        hash.inject({}) do |hash, (key, value)| 
+          hash[key.to_s.intern] = value
+          hash
+        end
+      end
+    
+      def unjail_args(args)
+        args.collect do |arg|        
+          arg.class.name =~ /::Jail$/ ? arg.instance_variable_get(:@source) : arg
+        end
+      end
+  end 
+end

data/safemode.gemspec

@@ -0,0 +1,14 @@
+Gem::Specification.new do |s|
+  s.name = %q{safemode}
+  s.version = "0.0.2"
+  s.date = %q{2011-12-17}
+  s.authors = ["sven fuchs, peter cooper, kingsley hendrickse"]
+  s.email = %q{kingsley@mindflowsolutions.com}
+  s.summary = %q{Safemode provides a simple sandbox for executing eval ruby code, as well as erb and haml}
+  s.homepage = %q{https://github.com/svenfuchs/safemode}
+  s.description = %q{Safemode provides a simple sandbox for executing eval ruby code, as well as erb and haml. Written by Sven Fuchs and Peter Cooper and packaged into a gem by Kingsley Hendrickse}
+  s.add_dependency('ruby2ruby')
+  s.files = Dir['lib/**/*.rb'] + Dir['*']
+  s.files += Dir['test/**/*.rb']
+  s.rubyforge_project = 'safemode'
+end

data/safemode.rb

@@ -0,0 +1 @@
+require File.dirname(__FILE__) + '/lib/safemode.rb'

data/test/test_all.rb

@@ -0,0 +1,14 @@
+require File.join(File.dirname(__FILE__), 'test_helper')
+Test::Unit.run = false
+
+require File.join(File.dirname(__FILE__), 'test_jail')
+require File.join(File.dirname(__FILE__), 'test_safemode_parser')
+require File.join(File.dirname(__FILE__), 'test_safemode_eval')
+require File.join(File.dirname(__FILE__), 'test_erb_eval')
+
+# ['ParseTree', 'RubyParser'].each do |parser|
+['RubyParser'].each do |parser|
+  Safemode::Parser.parser = parser
+  puts "Running suite with Safemode::Parser using #{parser}"
+  Test::Unit::AutoRunner.run
+end

data/test/test_erb_eval.rb

@@ -0,0 +1,76 @@
+require File.join(File.dirname(__FILE__), 'test_helper')
+
+class TestSafemodeEval < Test::Unit::TestCase
+  include TestHelper
+  
+  def setup
+    @box = Safemode::Box.new
+    @locals = { :article => Article.new }
+    @assigns = { :article => Article.new }
+    @erb_parse = lambda {|code| ERB.new("<%= #{code} %>").src }
+  end
+
+  def test_some_stuff_that_should_work
+    ['"test".upcase', '10.succ', '10.times{}', '[1,2,3].each{|a| a + 1}', 'true ? 1 : 0', 'a = 1'].each do |code|
+      code = ERB.new("<%= #{code} %>").src
+      assert_nothing_raised{ @box.eval code }
+    end
+  end
+  
+  def test_should_turn_assigns_to_jails
+    assert_raise_no_method "@article.system", @assigns, &@erb_parse
+  end
+  
+  def test_should_turn_locals_to_jails
+    code = @erb_parse.call "article.system"
+    assert_raise(Safemode::NoMethodError){ @box.eval code, {}, @locals }
+  end
+  
+  def test_should_allow_method_access_on_assigns
+    code = @erb_parse.call "@article.title"
+    assert_nothing_raised{ @box.eval code, @assigns }
+  end
+  
+  def test_should_allow_method_access_on_locals
+    code = @erb_parse.call "article.title"
+    assert_nothing_raised{ @box.eval code, {}, @locals }
+  end
+  
+  def test_should_not_raise_on_if_using_return_values
+    code = @erb_parse.call "if @article.is_article?\n 1\n end"
+    assert_nothing_raised{ @box.eval code, @assigns }
+  end
+  
+  def test_should_work_with_if_using_return_values
+    code = @erb_parse.call "if @article.is_article? then 1 end"
+    assert_equal @box.eval(code, @assigns), "1" # ERB calls to_s on the result of the if block
+  end
+  
+  def test__FILE__should_not_render_filename
+    code = @erb_parse.call "__FILE__"
+    assert_equal '(string)', @box.eval(code)
+  end
+  
+  def test_interpolated_xstr_should_raise_security
+    assert_raise_security '"#{`ls -a`}"'
+  end  
+        
+  TestHelper.no_method_error_raising_calls.each do |call|
+    call.gsub!('"', '\\\\"')
+    class_eval %Q(
+      def test_calling_#{call.gsub(/[\W]/, '_')}_should_raise_no_method
+        assert_raise_no_method "#{call}"
+      end
+    )
+  end
+  
+  TestHelper.security_error_raising_calls.each do |call|
+    call.gsub!('"', '\\\\"')
+    class_eval %Q(
+      def test_calling_#{call.gsub(/[\W]/, '_')}_should_raise_security
+        assert_raise_security "#{call}"
+      end
+    )
+  end  
+
+end

data/test/test_helper.rb

@@ -0,0 +1,130 @@
+$LOAD_PATH << File.join(File.dirname(__FILE__), '..', 'lib')
+
+require 'rubygems'
+require 'test/unit'
+require 'safemode'
+require 'erb'
+
+module TestHelper
+  class << self
+    def no_method_error_raising_calls
+      [ 'nil.eval("a = 1")',
+        'true.eval("a = 1")',
+        'false.eval("a = 1")',
+        '@article.is_article?.eval("a = 1")',
+        '@article.comments.map{|c| c.eval("a = 1")}' ]
+    end
+    
+    def security_error_raising_calls
+      [ "class A\n end",
+        'File.open("/etc/passwd")',
+        '::File.open("/etc/passwd")',
+        'defined? a',
+        # '"#{`ls -a`}"', # hu? testing this separately, see testcase
+        'alias b instance_eval',
+        '@@a',
+        '@@a = 1',
+        '$LOAD_PATH',
+        '$LOAD_PATH = 1',
+        '@a = 1',
+        '$1',
+        'public to_s',
+        'protected to_s',
+        'private to_s',
+        "attr_reader :a",
+        'URI("http://google.com")',
+        "`ls -a`", "exec('echo *')", "syscall 4, 1, 'hello', 5", "system('touch /tmp/helloworld')",
+        "abort", 
+        "exit(0)", "exit!(0)", "at_exit{'goodbye'}",
+        "autoload(::MyModule, 'my_module.rb')",
+        "binding",                                    
+        "callcc{|cont| cont.call}",
+        'eval %Q(send(:system, "ls -a"))',
+        "fork",
+        "gets", "readline", "readlines",
+        "global_variables", "local_variables",
+        "proc{}",
+        "lambda{}",
+        "load('/path/to/file')", "require 'something'",
+        "loop{}",
+        "open('/etc/passwd'){|f| f.read}",
+        "p 'text'", "pretty_inspect",
+        # "print 'text'", "puts 'text'", allowed and buffered these (see ScopeObject)
+        "printf 'text'", "putc 'a'", 
+        "raise RuntimeError, 'should not happen'",
+        "rand(0)", "srand(0)",                           
+        "set_trace_func proc{|event| puts event}", "trace_var :$_, proc {|v| puts v }", "untrace_var :$_",
+        "sleep", "sleep(0)",                           
+        "test(1, a, b)",                           
+        "Signal.trap(0, proc { puts 'Terminating: #{$$}' })",
+        "warn 'warning'" ]
+    end
+  end
+
+  def assert_raise_no_method(code = nil, assigns = {}, locals = {}, &block)
+    assert_raise_safemode_error(Safemode::NoMethodError, code, assigns, locals, &block)
+  end
+
+  def assert_raise_security(code = nil, assigns = {}, locals = {}, &block)
+    assert_raise_safemode_error(Safemode::SecurityError, code, assigns, locals, &block)
+  end
+  
+  def assert_raise_safemode_error(error, code, assigns = {}, locals = {})
+    code = yield(code) if block_given?
+    assert_raise(error, code) { safebox_eval(code, assigns, locals) }
+  end
+  
+  def safebox_eval(code, assigns = {}, locals = {})
+    # puts Safemode::Parser.jail(code)
+    Safemode::Box.new.eval code, assigns, locals
+  end  
+end
+
+class Article
+  def is_article?
+    true
+  end
+  
+  def title
+    'an article title'
+  end
+  
+  def to_jail
+    Article::Jail.new self
+  end
+  
+  def comments
+    [Comment.new(self), Comment.new(self)]
+  end
+end
+
+class Comment
+  attr_reader :article
+  
+  def initialize(article)
+    @article = article
+  end
+  
+  def text
+    "comment #{object_id}"
+  end
+  
+  def to_jail
+    Comment::Jail.new self
+  end
+end
+
+class Article::Jail < Safemode::Jail
+  allow :title, :comments, :is_article?
+  
+  def author_name
+    "this article's author name"
+  end
+end
+
+class Article::ExtendedJail < Article::Jail
+end
+
+class Comment::Jail < Safemode::Jail
+  allow :article, :text
+end