safemode 1.2.0 → 1.2.1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of safemode might be problematic. Click here for more details.
- checksums.yaml +7 -0
- data/VERSION +1 -1
- data/lib/safemode/blankslate.rb +1 -1
- data/lib/safemode/core_jails.rb +20 -22
- data/lib/safemode/jail.rb +9 -0
- data/safemode.gemspec +1 -1
- data/test/test_jail.rb +6 -1
- data/test/test_safemode_eval.rb +36 -1
- metadata +21 -48
checksums.yaml
ADDED
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
---
|
|
2
|
+
SHA1:
|
|
3
|
+
metadata.gz: 29e339575c91027bf2680aa33c98b8f6c13024b5
|
|
4
|
+
data.tar.gz: 135d1097eea7885b5930241401353a3d38376c5d
|
|
5
|
+
SHA512:
|
|
6
|
+
metadata.gz: fd43ddc3f3525dc737365792cc34f9521ef54d338f6d2ea3f33aabf8dc1dc6048d9766e02ca9bac04ba200e0ded1b6fa9753ea162257324ebcca29860358a103
|
|
7
|
+
data.tar.gz: 7a44ab0d645b2dc170c27d43880f45c61783a84469892eb5a5c10ea92c0d9b91bdc3ef6c9c56d771315686ae5bc0be8319f05a6b899095ea33d10c2e52932e6a
|
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
1.2.
|
|
1
|
+
1.2.1
|
data/lib/safemode/blankslate.rb
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
module Safemode
|
|
2
2
|
class Blankslate
|
|
3
|
-
@@allow_instance_methods = ['class', 'inspect', 'methods', 'respond_to?', 'to_s', 'instance_variable_get']
|
|
3
|
+
@@allow_instance_methods = ['class', 'inspect', 'methods', 'respond_to?', 'respond_to_missing?', 'to_s', 'instance_variable_get']
|
|
4
4
|
@@allow_class_methods = ['methods', 'new', 'name', 'inspect', '<', 'ancestors', '=='] # < needed in Rails Object#subclasses_of
|
|
5
5
|
|
|
6
6
|
silently { undef_methods(*instance_methods.map(&:to_s) - @@allow_instance_methods) }
|
data/lib/safemode/core_jails.rb
CHANGED
|
@@ -1,35 +1,34 @@
|
|
|
1
|
-
module Safemode
|
|
1
|
+
module Safemode
|
|
2
2
|
class << self
|
|
3
|
-
def define_core_jail_classes
|
|
3
|
+
def define_core_jail_classes
|
|
4
4
|
core_classes.each do |klass|
|
|
5
5
|
define_jail_class(klass).allow *core_jail_methods(klass).uniq
|
|
6
6
|
end
|
|
7
7
|
end
|
|
8
|
-
|
|
8
|
+
|
|
9
9
|
def define_jail_class(klass)
|
|
10
10
|
unless klass.const_defined?("Jail")
|
|
11
11
|
klass.const_set("Jail", jail = Class.new(Safemode::Jail))
|
|
12
12
|
end
|
|
13
|
-
klass.const_get('Jail')
|
|
13
|
+
klass.const_get('Jail')
|
|
14
14
|
end
|
|
15
|
-
|
|
15
|
+
|
|
16
16
|
def core_classes
|
|
17
|
-
klasses = [ Array, Bignum, Fixnum, Float, Hash,
|
|
18
|
-
Range, String, Symbol, Time ]
|
|
17
|
+
klasses = [ Array, Bignum, Fixnum, Float, Hash, Range, String, Symbol, Time, NilClass, FalseClass, TrueClass ]
|
|
19
18
|
klasses << Date if defined? Date
|
|
20
19
|
klasses << DateTime if defined? DateTime
|
|
21
20
|
klasses
|
|
22
21
|
end
|
|
23
|
-
|
|
22
|
+
|
|
24
23
|
def core_jail_methods(klass)
|
|
25
24
|
@@methods_whitelist[klass.name] + (@@default_methods & klass.instance_methods.map(&:to_s))
|
|
26
25
|
end
|
|
27
26
|
end
|
|
28
|
-
|
|
27
|
+
|
|
29
28
|
# these methods are allowed in all classes if they are present
|
|
30
|
-
@@default_methods = %w( % & * ** + +@ - -@ / < << <= <=> != == === > >= >> ^ | ~
|
|
29
|
+
@@default_methods = %w( % & * ** + +@ - -@ / < << <= <=> ! != == === > >= >> ^ | ~
|
|
31
30
|
eql? equal? new methods is_a? kind_of? nil?
|
|
32
|
-
[] []= to_a to_jail to_s inspect to_param )
|
|
31
|
+
[] []= to_a to_jail to_s inspect to_param not)
|
|
33
32
|
|
|
34
33
|
# whitelisted methods for core classes ... kind of arbitrary selection
|
|
35
34
|
@@methods_whitelist = {
|
|
@@ -55,16 +54,16 @@ module Safemode
|
|
|
55
54
|
infinite? integer? modulo nan? nonzero? quo remainder
|
|
56
55
|
round singleton_method_added step to_f to_i to_int to_s
|
|
57
56
|
truncate zero?),
|
|
58
|
-
|
|
57
|
+
|
|
59
58
|
'Hash' => %w(blank? clear delete delete_if each each_key each_pair
|
|
60
59
|
each_value empty? fetch has_key? has_value? include? index
|
|
61
60
|
invert key? keys length member? merge merge! rec_merge! rehash
|
|
62
61
|
reject reject! select shift size sort store
|
|
63
62
|
update value? values values_at),
|
|
64
|
-
|
|
63
|
+
|
|
65
64
|
'Range' => %w(begin each end exclude_end? first hash include?
|
|
66
65
|
include_without_range? last member? step),
|
|
67
|
-
|
|
66
|
+
|
|
68
67
|
'String' => %w(blank? capitalize capitalize! casecmp center chomp chomp!
|
|
69
68
|
chop chop! concat count crypt delete delete! downcase
|
|
70
69
|
downcase! dump each_byte each_line empty? end_with? force_encoding gsub
|
|
@@ -77,14 +76,14 @@ module Safemode
|
|
|
77
76
|
upcase upcase! upto),
|
|
78
77
|
|
|
79
78
|
'Symbol' => %w(to_i to_int),
|
|
80
|
-
|
|
79
|
+
|
|
81
80
|
'Time' => %w(_dump asctime ctime day dst? getgm getlocal getutc gmt?
|
|
82
81
|
gmt_offset gmtime gmtoff hash hour httpdate isdst iso8601
|
|
83
82
|
localtime mday min minus_without_duration mon month
|
|
84
83
|
plus_without_duration rfc2822 rfc822 sec strftime succ to_date
|
|
85
84
|
to_datetime to_f to_i tv_sec tv_usec usec utc utc? utc_offset
|
|
86
85
|
wday xmlschema yday year zone to_formatted_s),
|
|
87
|
-
|
|
86
|
+
|
|
88
87
|
'Date' => %w(ajd amjd asctime ctime cwday cweek cwyear day day_fraction
|
|
89
88
|
default_inspect downto england gregorian gregorian? hash italy
|
|
90
89
|
jd julian julian? ld leap? mday minus_without_duration mjd mon
|
|
@@ -93,12 +92,11 @@ module Safemode
|
|
|
93
92
|
|
|
94
93
|
'DateTime' => %w(hour, min, new_offset, newof, of, offset, sec,
|
|
95
94
|
sec_fraction, strftime, to_datetime_default_s, to_json, zone),
|
|
96
|
-
|
|
95
|
+
|
|
97
96
|
'NilClass' => %w(blank? duplicable? to_f to_i),
|
|
98
|
-
|
|
97
|
+
|
|
99
98
|
'FalseClass' => %w(blank? duplicable?),
|
|
100
|
-
|
|
101
|
-
'TrueClass' => %w(blank? duplicable?)
|
|
102
|
-
|
|
103
|
-
}
|
|
99
|
+
|
|
100
|
+
'TrueClass' => %w(blank? duplicable?)
|
|
101
|
+
}
|
|
104
102
|
end
|
data/lib/safemode/jail.rb
CHANGED
|
@@ -24,5 +24,14 @@ module Safemode
|
|
|
24
24
|
# statement, passing them to a Rails helper etc.
|
|
25
25
|
@source.send(method, *args, &block)
|
|
26
26
|
end
|
|
27
|
+
|
|
28
|
+
# needed for compatibility with 1.8.7; remove this method once 1.8.7 support has been dropped
|
|
29
|
+
def respond_to?(method, *)
|
|
30
|
+
respond_to_missing?(method)
|
|
31
|
+
end
|
|
32
|
+
|
|
33
|
+
def respond_to_missing?(method_name, include_private = false)
|
|
34
|
+
self.class.allowed?(method_name)
|
|
35
|
+
end
|
|
27
36
|
end
|
|
28
37
|
end
|
data/safemode.gemspec
CHANGED
|
@@ -5,7 +5,7 @@
|
|
|
5
5
|
|
|
6
6
|
Gem::Specification.new do |s|
|
|
7
7
|
s.name = "safemode"
|
|
8
|
-
s.version = "1.2.
|
|
8
|
+
s.version = "1.2.1"
|
|
9
9
|
|
|
10
10
|
s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
|
|
11
11
|
s.authors = ["Sven Fuchs", "Peter Cooper", "Matthias Viehweger", "Kingsley Hendrickse", "Ohad Levy", "Dmitri Dolguikh"]
|
data/test/test_jail.rb
CHANGED
|
@@ -19,7 +19,7 @@ class TestJail < Test::Unit::TestCase
|
|
|
19
19
|
end
|
|
20
20
|
|
|
21
21
|
def test_jail_instances_should_have_limited_methods
|
|
22
|
-
expected = ["class", "inspect", "method_missing", "methods", "respond_to?", "to_jail", "to_s", "instance_variable_get"]
|
|
22
|
+
expected = ["class", "inspect", "method_missing", "methods", "respond_to?", "respond_to_missing?", "to_jail", "to_s", "instance_variable_get"]
|
|
23
23
|
objects.each do |object|
|
|
24
24
|
assert_equal expected.sort, reject_pretty_methods(object.to_jail.methods.map(&:to_s).sort)
|
|
25
25
|
end
|
|
@@ -40,6 +40,11 @@ class TestJail < Test::Unit::TestCase
|
|
|
40
40
|
assert_equal Article::Jail.allowed_methods, Article::ExtendedJail.allowed_methods
|
|
41
41
|
end
|
|
42
42
|
|
|
43
|
+
def test_respond_to_works_correctly
|
|
44
|
+
assert @article.respond_to?(:title)
|
|
45
|
+
assert !@article.respond_to?(:bogus)
|
|
46
|
+
end
|
|
47
|
+
|
|
43
48
|
private
|
|
44
49
|
|
|
45
50
|
def objects
|
data/test/test_safemode_eval.rb
CHANGED
|
@@ -16,7 +16,42 @@ class TestSafemodeEval < Test::Unit::TestCase
|
|
|
16
16
|
assert_nothing_raised{ @box.eval code }
|
|
17
17
|
end
|
|
18
18
|
end
|
|
19
|
-
|
|
19
|
+
|
|
20
|
+
def test_unary_operators_on_instances_of_boolean_vars
|
|
21
|
+
if RUBY_VERSION != "1.8.7"
|
|
22
|
+
assert @box.eval('not false')
|
|
23
|
+
assert @box.eval('!false')
|
|
24
|
+
assert !@box.eval('not true')
|
|
25
|
+
assert !@box.eval('!true')
|
|
26
|
+
else
|
|
27
|
+
p "no unary ops under 1.8.7!"
|
|
28
|
+
end
|
|
29
|
+
end
|
|
30
|
+
|
|
31
|
+
def test_false_class_ops
|
|
32
|
+
assert !@box.eval('false ^ false')
|
|
33
|
+
assert !@box.eval('false & false')
|
|
34
|
+
assert !@box.eval('false && false')
|
|
35
|
+
assert !@box.eval('false and false')
|
|
36
|
+
assert !@box.eval('false | false')
|
|
37
|
+
assert !@box.eval('false || false')
|
|
38
|
+
assert !@box.eval('false or false')
|
|
39
|
+
assert @box.eval('false == false')
|
|
40
|
+
assert @box.eval('false != true')
|
|
41
|
+
end
|
|
42
|
+
|
|
43
|
+
def test_true_class_ops
|
|
44
|
+
assert !@box.eval('true ^ true')
|
|
45
|
+
assert @box.eval('true & true')
|
|
46
|
+
assert @box.eval('true && true')
|
|
47
|
+
assert @box.eval('true and true')
|
|
48
|
+
assert @box.eval('true | true')
|
|
49
|
+
assert @box.eval('true || true')
|
|
50
|
+
assert @box.eval('true or true')
|
|
51
|
+
assert @box.eval('true == true')
|
|
52
|
+
assert @box.eval('true != false')
|
|
53
|
+
end
|
|
54
|
+
|
|
20
55
|
def test_should_turn_assigns_to_jails
|
|
21
56
|
assert_raise_no_method "@article.system", @assigns
|
|
22
57
|
end
|
metadata
CHANGED
|
@@ -1,8 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: safemode
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.2.
|
|
5
|
-
prerelease:
|
|
4
|
+
version: 1.2.1
|
|
6
5
|
platform: ruby
|
|
7
6
|
authors:
|
|
8
7
|
- Sven Fuchs
|
|
@@ -19,71 +18,62 @@ dependencies:
|
|
|
19
18
|
- !ruby/object:Gem::Dependency
|
|
20
19
|
name: sexp_processor
|
|
21
20
|
requirement: !ruby/object:Gem::Requirement
|
|
22
|
-
none: false
|
|
23
21
|
requirements:
|
|
24
|
-
- -
|
|
22
|
+
- - '>='
|
|
25
23
|
- !ruby/object:Gem::Version
|
|
26
24
|
version: 4.1.2
|
|
27
25
|
type: :runtime
|
|
28
26
|
prerelease: false
|
|
29
27
|
version_requirements: !ruby/object:Gem::Requirement
|
|
30
|
-
none: false
|
|
31
28
|
requirements:
|
|
32
|
-
- -
|
|
29
|
+
- - '>='
|
|
33
30
|
- !ruby/object:Gem::Version
|
|
34
31
|
version: 4.1.2
|
|
35
32
|
- !ruby/object:Gem::Dependency
|
|
36
33
|
name: ruby2ruby
|
|
37
34
|
requirement: !ruby/object:Gem::Requirement
|
|
38
|
-
none: false
|
|
39
35
|
requirements:
|
|
40
|
-
- -
|
|
36
|
+
- - '>='
|
|
41
37
|
- !ruby/object:Gem::Version
|
|
42
38
|
version: 2.0.1
|
|
43
39
|
type: :runtime
|
|
44
40
|
prerelease: false
|
|
45
41
|
version_requirements: !ruby/object:Gem::Requirement
|
|
46
|
-
none: false
|
|
47
42
|
requirements:
|
|
48
|
-
- -
|
|
43
|
+
- - '>='
|
|
49
44
|
- !ruby/object:Gem::Version
|
|
50
45
|
version: 2.0.1
|
|
51
46
|
- !ruby/object:Gem::Dependency
|
|
52
47
|
name: ruby_parser
|
|
53
48
|
requirement: !ruby/object:Gem::Requirement
|
|
54
|
-
none: false
|
|
55
49
|
requirements:
|
|
56
|
-
- -
|
|
50
|
+
- - '>='
|
|
57
51
|
- !ruby/object:Gem::Version
|
|
58
52
|
version: 3.0.1
|
|
59
53
|
type: :runtime
|
|
60
54
|
prerelease: false
|
|
61
55
|
version_requirements: !ruby/object:Gem::Requirement
|
|
62
|
-
none: false
|
|
63
56
|
requirements:
|
|
64
|
-
- -
|
|
57
|
+
- - '>='
|
|
65
58
|
- !ruby/object:Gem::Version
|
|
66
59
|
version: 3.0.1
|
|
67
60
|
- !ruby/object:Gem::Dependency
|
|
68
61
|
name: shoulda
|
|
69
62
|
requirement: !ruby/object:Gem::Requirement
|
|
70
|
-
none: false
|
|
71
63
|
requirements:
|
|
72
|
-
- -
|
|
64
|
+
- - '>='
|
|
73
65
|
- !ruby/object:Gem::Version
|
|
74
66
|
version: '0'
|
|
75
67
|
type: :development
|
|
76
68
|
prerelease: false
|
|
77
69
|
version_requirements: !ruby/object:Gem::Requirement
|
|
78
|
-
none: false
|
|
79
70
|
requirements:
|
|
80
|
-
- -
|
|
71
|
+
- - '>='
|
|
81
72
|
- !ruby/object:Gem::Version
|
|
82
73
|
version: '0'
|
|
83
74
|
- !ruby/object:Gem::Dependency
|
|
84
75
|
name: rdoc
|
|
85
76
|
requirement: !ruby/object:Gem::Requirement
|
|
86
|
-
none: false
|
|
87
77
|
requirements:
|
|
88
78
|
- - ~>
|
|
89
79
|
- !ruby/object:Gem::Version
|
|
@@ -91,7 +81,6 @@ dependencies:
|
|
|
91
81
|
type: :development
|
|
92
82
|
prerelease: false
|
|
93
83
|
version_requirements: !ruby/object:Gem::Requirement
|
|
94
|
-
none: false
|
|
95
84
|
requirements:
|
|
96
85
|
- - ~>
|
|
97
86
|
- !ruby/object:Gem::Version
|
|
@@ -99,7 +88,6 @@ dependencies:
|
|
|
99
88
|
- !ruby/object:Gem::Dependency
|
|
100
89
|
name: bundler
|
|
101
90
|
requirement: !ruby/object:Gem::Requirement
|
|
102
|
-
none: false
|
|
103
91
|
requirements:
|
|
104
92
|
- - ~>
|
|
105
93
|
- !ruby/object:Gem::Version
|
|
@@ -107,7 +95,6 @@ dependencies:
|
|
|
107
95
|
type: :development
|
|
108
96
|
prerelease: false
|
|
109
97
|
version_requirements: !ruby/object:Gem::Requirement
|
|
110
|
-
none: false
|
|
111
98
|
requirements:
|
|
112
99
|
- - ~>
|
|
113
100
|
- !ruby/object:Gem::Version
|
|
@@ -115,7 +102,6 @@ dependencies:
|
|
|
115
102
|
- !ruby/object:Gem::Dependency
|
|
116
103
|
name: jeweler
|
|
117
104
|
requirement: !ruby/object:Gem::Requirement
|
|
118
|
-
none: false
|
|
119
105
|
requirements:
|
|
120
106
|
- - ~>
|
|
121
107
|
- !ruby/object:Gem::Version
|
|
@@ -123,7 +109,6 @@ dependencies:
|
|
|
123
109
|
type: :development
|
|
124
110
|
prerelease: false
|
|
125
111
|
version_requirements: !ruby/object:Gem::Requirement
|
|
126
|
-
none: false
|
|
127
112
|
requirements:
|
|
128
113
|
- - ~>
|
|
129
114
|
- !ruby/object:Gem::Version
|
|
@@ -131,65 +116,57 @@ dependencies:
|
|
|
131
116
|
- !ruby/object:Gem::Dependency
|
|
132
117
|
name: rcov
|
|
133
118
|
requirement: !ruby/object:Gem::Requirement
|
|
134
|
-
none: false
|
|
135
119
|
requirements:
|
|
136
|
-
- -
|
|
120
|
+
- - '>='
|
|
137
121
|
- !ruby/object:Gem::Version
|
|
138
122
|
version: '0'
|
|
139
123
|
type: :development
|
|
140
124
|
prerelease: false
|
|
141
125
|
version_requirements: !ruby/object:Gem::Requirement
|
|
142
|
-
none: false
|
|
143
126
|
requirements:
|
|
144
|
-
- -
|
|
127
|
+
- - '>='
|
|
145
128
|
- !ruby/object:Gem::Version
|
|
146
129
|
version: '0'
|
|
147
130
|
- !ruby/object:Gem::Dependency
|
|
148
131
|
name: simplecov
|
|
149
132
|
requirement: !ruby/object:Gem::Requirement
|
|
150
|
-
none: false
|
|
151
133
|
requirements:
|
|
152
|
-
- -
|
|
134
|
+
- - '>='
|
|
153
135
|
- !ruby/object:Gem::Version
|
|
154
136
|
version: '0'
|
|
155
137
|
type: :development
|
|
156
138
|
prerelease: false
|
|
157
139
|
version_requirements: !ruby/object:Gem::Requirement
|
|
158
|
-
none: false
|
|
159
140
|
requirements:
|
|
160
|
-
- -
|
|
141
|
+
- - '>='
|
|
161
142
|
- !ruby/object:Gem::Version
|
|
162
143
|
version: '0'
|
|
163
144
|
- !ruby/object:Gem::Dependency
|
|
164
145
|
name: test-unit
|
|
165
146
|
requirement: !ruby/object:Gem::Requirement
|
|
166
|
-
none: false
|
|
167
147
|
requirements:
|
|
168
|
-
- -
|
|
148
|
+
- - '>='
|
|
169
149
|
- !ruby/object:Gem::Version
|
|
170
150
|
version: '0'
|
|
171
151
|
type: :development
|
|
172
152
|
prerelease: false
|
|
173
153
|
version_requirements: !ruby/object:Gem::Requirement
|
|
174
|
-
none: false
|
|
175
154
|
requirements:
|
|
176
|
-
- -
|
|
155
|
+
- - '>='
|
|
177
156
|
- !ruby/object:Gem::Version
|
|
178
157
|
version: '0'
|
|
179
158
|
- !ruby/object:Gem::Dependency
|
|
180
159
|
name: rake
|
|
181
160
|
requirement: !ruby/object:Gem::Requirement
|
|
182
|
-
none: false
|
|
183
161
|
requirements:
|
|
184
|
-
- -
|
|
162
|
+
- - '>='
|
|
185
163
|
- !ruby/object:Gem::Version
|
|
186
164
|
version: '0'
|
|
187
165
|
type: :development
|
|
188
166
|
prerelease: false
|
|
189
167
|
version_requirements: !ruby/object:Gem::Requirement
|
|
190
|
-
none: false
|
|
191
168
|
requirements:
|
|
192
|
-
- -
|
|
169
|
+
- - '>='
|
|
193
170
|
- !ruby/object:Gem::Version
|
|
194
171
|
version: '0'
|
|
195
172
|
description: A library for safe evaluation of Ruby code based on RubyParser and Ruby2Ruby.
|
|
@@ -232,28 +209,24 @@ files:
|
|
|
232
209
|
homepage: http://github.com/svenfuchs/safemode
|
|
233
210
|
licenses:
|
|
234
211
|
- MIT
|
|
212
|
+
metadata: {}
|
|
235
213
|
post_install_message:
|
|
236
214
|
rdoc_options: []
|
|
237
215
|
require_paths:
|
|
238
216
|
- lib
|
|
239
217
|
required_ruby_version: !ruby/object:Gem::Requirement
|
|
240
|
-
none: false
|
|
241
218
|
requirements:
|
|
242
|
-
- -
|
|
219
|
+
- - '>='
|
|
243
220
|
- !ruby/object:Gem::Version
|
|
244
221
|
version: '0'
|
|
245
|
-
segments:
|
|
246
|
-
- 0
|
|
247
|
-
hash: -3228505214304288424
|
|
248
222
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
249
|
-
none: false
|
|
250
223
|
requirements:
|
|
251
|
-
- -
|
|
224
|
+
- - '>='
|
|
252
225
|
- !ruby/object:Gem::Version
|
|
253
226
|
version: '0'
|
|
254
227
|
requirements: []
|
|
255
228
|
rubyforge_project:
|
|
256
|
-
rubygems_version:
|
|
229
|
+
rubygems_version: 2.2.2
|
|
257
230
|
signing_key:
|
|
258
231
|
specification_version: 3
|
|
259
232
|
summary: A library for safe evaluation of Ruby code based on ParseTree/RubyParser
|