safemode 0.0.2

data/test/test_jail.rb

@@ -0,0 +1,53 @@
+require File.join(File.dirname(__FILE__), 'test_helper')
+
+class TestJail < Test::Unit::TestCase
+  def setup
+    @article = Article.new.to_jail
+    @comment = @article.comments.first
+  end
+
+  def test_explicitly_allowed_methods_should_be_accessible
+    assert_nothing_raised { @article.title }
+  end
+
+  def test_jail_instance_methods_should_be_accessible
+    assert_nothing_raised { @article.author_name }
+  end
+
+  def test_sending_to_jail_to_an_object_should_return_a_jail
+    assert_equal "Article::Jail", @article.class.name
+  end
+
+  def test_jail_instances_should_have_limited_methods
+    expected = ["class", "inspect", "method_missing", "methods", "respond_to?", "to_jail", "to_s", "instance_variable_get"]
+    objects.each do |object|
+      assert_equal expected.sort, reject_pretty_methods(object.to_jail.methods.sort)
+    end
+  end
+
+  def test_jail_classes_should_have_limited_methods
+    expected = ["new", "methods", "name", "inherited", "method_added", "inspect",
+                "allow", "allowed?", "allowed_methods", "init_allowed_methods",
+                "<", # < needed in Rails Object#subclasses_of
+                "ancestors", "==" # ancestors and == needed in Rails::Generator::Spec#lookup_class
+               ]
+    objects.each do |object|
+      assert_equal expected.sort, reject_pretty_methods(object.to_jail.class.methods.sort)
+    end
+  end
+
+  def test_allowed_methods_should_be_propagated_to_subclasses
+    assert_equal Article::Jail.allowed_methods, Article::ExtendedJail.allowed_methods
+  end
+
+  private
+
+  def objects
+    [[], {}, 1..2, "a", :a, Time.now, 1, 1.0, nil, false, true]
+  end
+
+  def reject_pretty_methods(methods)
+    methods.reject{ |method| method =~ /^pretty_/ }
+  end
+
+end

data/test/test_safemode_eval.rb

@@ -0,0 +1,68 @@
+require File.join(File.dirname(__FILE__), 'test_helper')
+
+class TestSafemodeEval < Test::Unit::TestCase
+  include TestHelper
+  
+  def setup
+    @box = Safemode::Box.new
+    @locals = { :article => Article.new }
+    @assigns = { :article => Article.new }
+  end
+
+  def test_some_stuff_that_should_work
+    ['"test".upcase', '10.succ', '10.times{}', '[1,2,3].each{|a| a + 1}', 'true ? 1 : 0', 'a = 1'].each do |code|
+      assert_nothing_raised{ @box.eval code }
+    end
+  end
+  
+  def test_should_turn_assigns_to_jails
+    assert_raise_no_method "@article.system", @assigns
+  end
+  
+  def test_should_turn_locals_to_jails
+    assert_raise(Safemode::NoMethodError){ @box.eval "article.system", {}, @locals }
+  end
+  
+  def test_should_allow_method_access_on_assigns
+    assert_nothing_raised{ @box.eval "@article.title", @assigns }
+  end
+  
+  def test_should_allow_method_access_on_locals
+    assert_nothing_raised{ @box.eval "article.title", {}, @locals }
+  end
+  
+  def test_should_not_raise_on_if_using_return_values
+    assert_nothing_raised{ @box.eval "if @article.is_article? then 1 end", @assigns }
+  end
+  
+  def test_should_work_with_if_using_return_values
+    assert_equal @box.eval("if @article.is_article? then 1 end", @assigns), 1
+  end
+  
+  def test__FILE__should_not_render_filename
+    assert_equal '(string)', @box.eval("__FILE__")
+  end
+  
+  def test_interpolated_xstr_should_raise_security
+    assert_raise_security '"#{`ls -a`}"'
+  end  
+        
+  TestHelper.no_method_error_raising_calls.each do |call|
+    call.gsub!('"', '\\\\"')
+    class_eval %Q(
+      def test_calling_#{call.gsub(/[\W]/, '_')}_should_raise_no_method
+        assert_raise_no_method "#{call}"
+      end
+    )
+  end
+
+  TestHelper.security_error_raising_calls.each do |call|
+    call.gsub!('"', '\\\\"')
+    class_eval %Q(
+      def test_calling_#{call.gsub(/[\W]/, '_')}_should_raise_security
+        assert_raise_security "#{call}"
+      end
+    )
+  end  
+
+end

data/test/test_safemode_parser.rb

@@ -0,0 +1,45 @@
+require File.join(File.dirname(__FILE__), 'test_helper')
+
+class TestSafemodeParser < Test::Unit::TestCase
+  def test_vcall_should_be_jailed
+    assert_jailed 'to_jail.a.to_jail.class', 'a.class'
+  end
+    
+  def test_call_should_be_jailed
+    assert_jailed '(1.to_jail + 1).to_jail.class', '(1 + 1).class'
+  end
+    
+  def test_estr_should_be_jailed
+    assert_jailed '"#{1.to_jail.class}"', '"#{1.class}"'
+  end
+    
+  def test_if_should_be_usable_for_erb
+    assert_jailed "if true then\n 1\nend", "if true\n 1\n end"
+  end
+    
+  def test_if_else_should_be_usable_for_erb
+    assert_jailed "if true then\n 1\n else\n2\nend", "if true\n 1\n else\n2\n end"
+  end
+    
+  def test_ternary_should_be_usable_for_erb
+    assert_jailed "if true then\n 1\n else\n2\nend", "true ? 1 : 2"
+  end
+
+  def test_output_buffer_should_be_assignable
+    assert_nothing_raised do
+      jail('@output_buffer = ""')
+    end
+  end
+
+private
+  
+  def assert_jailed(expected, code)
+    assert_equal expected.gsub(' ', ''), jail(code).gsub(' ', '')
+  end 
+  
+  def jail(code)
+    Safemode::Parser.jail(code)
+  end
+end
+
+

metadata

@@ -0,0 +1,98 @@
+--- !ruby/object:Gem::Specification 
+name: safemode
+version: !ruby/object:Gem::Version 
+  prerelease: false
+  segments: 
+  - 0
+  - 0
+  - 2
+  version: 0.0.2
+platform: ruby
+authors: 
+- sven fuchs, peter cooper, kingsley hendrickse
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2011-12-17 00:00:00 +00:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: ruby2ruby
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 0
+        version: "0"
+  type: :runtime
+  version_requirements: *id001
+description: Safemode provides a simple sandbox for executing eval ruby code, as well as erb and haml. Written by Sven Fuchs and Peter Cooper and packaged into a gem by Kingsley Hendrickse
+email: kingsley@mindflowsolutions.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- lib/action_view/template_handlers/safe_erb.rb
+- lib/action_view/template_handlers/safe_haml.rb
+- lib/action_view/template_handlers/safemode_handler.rb
+- lib/haml/safemode.rb
+- lib/rubyparser_bug.rb
+- lib/safemode/blankslate.rb
+- lib/safemode/core_ext.rb
+- lib/safemode/core_jails.rb
+- lib/safemode/exceptions.rb
+- lib/safemode/jail.rb
+- lib/safemode/parser.rb
+- lib/safemode/scope.rb
+- lib/safemode.rb
+- demo.rb
+- init.rb
+- LICENCSE
+- Rakefile
+- README.markdown
+- safemode.gemspec
+- safemode.rb
+- test/test_all.rb
+- test/test_erb_eval.rb
+- test/test_helper.rb
+- test/test_jail.rb
+- test/test_safemode_eval.rb
+- test/test_safemode_parser.rb
+has_rdoc: true
+homepage: https://github.com/svenfuchs/safemode
+licenses: []
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: safemode
+rubygems_version: 1.3.6
+signing_key: 
+specification_version: 3
+summary: Safemode provides a simple sandbox for executing eval ruby code, as well as erb and haml
+test_files: []
+