safemode 1.3.6 → 1.3.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9c122fc8f941080a885c335b7356d2e1af7545cec8633ca23571273f069f36e0
-  data.tar.gz: f5555df33c321fbc85bff612c80568c4667e1c17d77aaa74da3311ea659b2574
+  metadata.gz: 8b248c163601057c5120218eed0df015276c212b4e1fba1ae747893a7fc4e7af
+  data.tar.gz: d421e0b976d32ff63dab93132bf8f92976f69d8daa6cba66f9176ef8c46037fb
 SHA512:
-  metadata.gz: 253de818e490f1e03030dfb9600960322ee6ea3c2d1d7ae571ccbc9ad44c99cb58af2d23227d6244a4de4006e0d56716b6b12c5fe83fc2fb8c874bbae5f1aca1
-  data.tar.gz: 2b468cf47ef692c3623daba9b1ea100ab4e74243d701aad3c86e46a04cc09d91470a9a57c5ecd117f26142b223ec33f1169b09bc90756d5dc96104d9b00c341e
+  metadata.gz: 8151b4f86ae25ed540effe2aace8decc6696da3b158ecd692f457b2938f5c20ba29f4d7768cb98214b6edb59f2779e33b0bb12b989c38e7837474d8c3b5fb0b0
+  data.tar.gz: e935c7be37e01a45e69506a8753bb179610366053418d7d346734ea065987ff662e9889d3c6e7df6b8b697de01d0d7a4f908738e5e02284e64982cfab849686d

data/Gemfile

@@ -2,16 +2,4 @@
 
 source 'http://rubygems.org'
 
-gem 'ruby2ruby', '>= 2.4.0'
-gem 'ruby_parser', '>= 3.10.1'
-gem 'sexp_processor', '>= 4.10.0'
-
-# Add dependencies to develop your gem here.
-# Include everything needed to run rake, tests, features, etc.
-group :development do
-  gem 'jeweler'
-  gem 'rake'
-  gem 'rdoc', '~> 3.12'
-  gem 'simplecov'
-  gem 'test-unit'
-end
+gemspec

data/README.markdown

@@ -3,8 +3,6 @@
 A library for safe evaluation of Ruby code based on RubyParser and
 Ruby2Ruby. Provides Rails ActionView template handlers for ERB and Haml.
 
-[![Build Status](https://travis-ci.org/svenfuchs/safemode.svg?branch=master)](https://travis-ci.org/svenfuchs/safemode)
-
 ### Word of warning
 
 This library is still highly experimental. Only use it at your own risk for

data/Rakefile

@@ -19,27 +19,6 @@ end
 end
 require 'rake'
 
-require 'jeweler'
-Jeweler::Tasks.new do |gem|
-  # gem is a Gem::Specification... see http://docs.rubygems.org/read/chapter/20 for more options
-  gem.name = "safemode"
-  gem.homepage = "http://github.com/svenfuchs/safemode"
-  gem.license = "MIT"
-  gem.summary = %Q{A library for safe evaluation of Ruby code based on ParseTree/RubyParser and Ruby2Ruby}
-  gem.description = %Q{A library for safe evaluation of Ruby code based on RubyParser and Ruby2Ruby. Provides Rails ActionView template handlers for ERB and Haml.}
-  gem.email = "ohadlevy@gmail.com"
-  gem.authors = [
-    "Sven Fuchs",
-    "Peter Cooper",
-    "Matthias Viehweger",
-    "Kingsley Hendrickse",
-    "Ohad Levy",
-    "Dmitri Dolguikh",
-  ]
-  # dependencies defined in Gemfile
-end
-Jeweler::RubygemsDotOrgTasks.new
-
 require 'rake/testtask'
 Rake::TestTask.new(:test) do |test|
   test.libs << 'lib' << 'test'
@@ -57,7 +36,7 @@ task :default => :test
 
 require 'rdoc/task'
 Rake::RDocTask.new do |rdoc|
-  version = File.exist?('VERSION') ? File.read('VERSION') : ""
+  version = Gem::Specification.find_by_name('safemode').version
 
   rdoc.rdoc_dir = 'rdoc'
   rdoc.title = "safemode #{version}"

data/lib/safemode/blankslate.rb

@@ -1,7 +1,7 @@
 module Safemode
   class Blankslate
     @@allow_instance_methods = ['class', 'methods', 'respond_to?', 'respond_to_missing?', 'to_s', 'instance_variable_get']
-    @@allow_class_methods    = ['methods', 'new', 'name', '<', 'ancestors', '==']  # < needed in Rails Object#subclasses_of
+    @@allow_class_methods    = ['singleton_class?', 'methods', 'new', 'name', '<', 'ancestors', '==']  # < needed in Rails Object#subclasses_of
     if defined?(JRUBY_VERSION)
       # JRuby seems to silently fail to remove method_missing
       # (also see https://github.com/jruby/jruby/blob/9.1.7.0/core/src/main/java/org/jruby/RubyModule.java#L1109)

data/lib/safemode/core_jails.rb

@@ -48,7 +48,7 @@ module Safemode
     'Array'      => %w(any? assoc at blank? collect collect! compact compact!
                     concat delete delete_at delete_if each each_index empty?
                     fetch fill first flatten flatten! hash include? index
-                    indexes indices inject insert join last length map map!
+                    indexes indices inject insert join last length map map! max min
                     nitems pop push present? rassoc reject reject! reverse
                     reverse! reverse_each rindex select shift size slice
                     slice! sort sort! transpose to_sentence uniq uniq! unshift
@@ -70,7 +70,7 @@ module Safemode
                     to_int to_s truncate zero?),
 
     'Hash'       => %w(any? blank? clear delete delete_if each each_key
-                    each_pair each_value empty? fetch has_key? has_value?
+                    each_pair each_value empty? fetch dig has_key? has_value?
                     include? index invert key? keys length member? merge merge!
                     present? rec_merge! rehash reject reject! select shift
                     size sort store update value? values values_at),

data/lib/safemode/scope.rb

@@ -1,17 +1,17 @@
 module Safemode
   class Scope < Blankslate
-    def initialize(delegate = nil, delegate_methods = [])
+    def initialize(delegate = nil, delegate_methods = [], instance_vars: {}, locals: {}, &block)
       @delegate = delegate        
       @delegate_methods = delegate_methods
-      @locals = {}
-    end
-    
-    def bind(instance_vars = {}, locals = {}, &block)
       @locals = symbolize_keys(locals) # why can't I just pull them to local scope in the same way like instance_vars?
       instance_vars = symbolize_keys(instance_vars)
       instance_vars.each {|key, obj| eval "@#{key} = instance_vars[:#{key}]" }
       @_safemode_output = ''
-      binding
+      @binding = binding
+    end
+
+    def get_binding
+      @binding
     end
   
     def to_jail

data/lib/safemode.rb

@@ -40,19 +40,20 @@ module Safemode
   
   class Box
     def initialize(delegate = nil, delegate_methods = [], filename = nil, line = nil)
-      @scope = Scope.new(delegate, delegate_methods)
+      @delegate = delegate
+      @delegate_methods = delegate_methods
       @filename = filename
       @line = line
     end    
 
     def eval(code, assigns = {}, locals = {}, &block)
       code = Parser.jail(code)
-      binding = @scope.bind(assigns, locals, &block)
-      result = Kernel.eval(code, binding, @filename || __FILE__, @line || __LINE__)
+      @scope = Scope.new(@delegate, @delegate_methods, instance_vars: assigns, locals: locals, &block)
+      Kernel.eval(code, @scope.get_binding, @filename || __FILE__, @line || __LINE__)
     end
-    
+
     def output
       @scope.output
-    end 
+    end
   end
 end

data/safemode.gemspec

@@ -1,29 +1,35 @@
-# Generated by jeweler
-# DO NOT EDIT THIS FILE DIRECTLY
-# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
-# -*- encoding: utf-8 -*-
-# stub: safemode 1.3.6 ruby lib
+# frozen_string_literal: true
+
+require 'date'
 
 Gem::Specification.new do |s|
   s.name = "safemode".freeze
-  s.version = "1.3.6"
+  s.version = "1.3.8"
+  s.date = Date.today
+
+  s.summary = "A library for safe evaluation of Ruby code based on ParseTree/RubyParser and Ruby2Ruby"
+  s.description = "A library for safe evaluation of Ruby code based on RubyParser and Ruby2Ruby. Provides Rails ActionView template handlers for ERB and Haml."
+  s.homepage = "https://github.com/svenfuchs/safemode"
+  s.licenses = ["MIT"]
+
+  s.authors = [
+    "Sven Fuchs",
+    "Peter Cooper",
+    "Matthias Viehweger",
+    "Kingsley Hendrickse",
+    "Ohad Levy",
+    "Dmitri Dolguikh",
+  ]
 
-  s.required_rubygems_version = Gem::Requirement.new(">= 0".freeze) if s.respond_to? :required_rubygems_version=
-  s.require_paths = ["lib".freeze]
-  s.authors = ["Sven Fuchs".freeze, "Peter Cooper".freeze, "Matthias Viehweger".freeze, "Kingsley Hendrickse".freeze, "Ohad Levy".freeze, "Dmitri Dolguikh".freeze]
-  s.date = "2020-08-31"
-  s.description = "A library for safe evaluation of Ruby code based on RubyParser and Ruby2Ruby. Provides Rails ActionView template handlers for ERB and Haml.".freeze
-  s.email = "ohadlevy@gmail.com".freeze
   s.extra_rdoc_files = [
+    "LICENSE",
     "README.markdown"
   ]
   s.files = [
-    ".travis.yml",
     "Gemfile",
-    "LICENCSE",
+    "LICENSE",
     "README.markdown",
     "Rakefile",
-    "VERSION",
     "demo.rb",
     "init.rb",
     "lib/action_view/template_handlers/safe_erb.rb",
@@ -47,42 +53,15 @@ Gem::Specification.new do |s|
     "test/test_safemode_eval.rb",
     "test/test_safemode_parser.rb"
   ]
-  s.homepage = "http://github.com/svenfuchs/safemode".freeze
-  s.licenses = ["MIT".freeze]
-  s.rubygems_version = "2.7.6".freeze
-  s.summary = "A library for safe evaluation of Ruby code based on ParseTree/RubyParser and Ruby2Ruby".freeze
 
-  if s.respond_to? :specification_version then
-    s.specification_version = 4
+  s.required_ruby_version = ">= 2.5", "< 4"
 
-    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
-      s.add_runtime_dependency(%q<ruby2ruby>.freeze, [">= 2.4.0"])
-      s.add_runtime_dependency(%q<ruby_parser>.freeze, [">= 3.10.1"])
-      s.add_runtime_dependency(%q<sexp_processor>.freeze, [">= 4.10.0"])
-      s.add_development_dependency(%q<jeweler>.freeze, [">= 0"])
-      s.add_development_dependency(%q<rake>.freeze, [">= 0"])
-      s.add_development_dependency(%q<rdoc>.freeze, ["~> 3.12"])
-      s.add_development_dependency(%q<simplecov>.freeze, [">= 0"])
-      s.add_development_dependency(%q<test-unit>.freeze, [">= 0"])
-    else
-      s.add_dependency(%q<ruby2ruby>.freeze, [">= 2.4.0"])
-      s.add_dependency(%q<ruby_parser>.freeze, [">= 3.10.1"])
-      s.add_dependency(%q<sexp_processor>.freeze, [">= 4.10.0"])
-      s.add_dependency(%q<jeweler>.freeze, [">= 0"])
-      s.add_dependency(%q<rake>.freeze, [">= 0"])
-      s.add_dependency(%q<rdoc>.freeze, ["~> 3.12"])
-      s.add_dependency(%q<simplecov>.freeze, [">= 0"])
-      s.add_dependency(%q<test-unit>.freeze, [">= 0"])
-    end
-  else
-    s.add_dependency(%q<ruby2ruby>.freeze, [">= 2.4.0"])
-    s.add_dependency(%q<ruby_parser>.freeze, [">= 3.10.1"])
-    s.add_dependency(%q<sexp_processor>.freeze, [">= 4.10.0"])
-    s.add_dependency(%q<jeweler>.freeze, [">= 0"])
-    s.add_dependency(%q<rake>.freeze, [">= 0"])
-    s.add_dependency(%q<rdoc>.freeze, ["~> 3.12"])
-    s.add_dependency(%q<simplecov>.freeze, [">= 0"])
-    s.add_dependency(%q<test-unit>.freeze, [">= 0"])
-  end
-end
+  s.add_runtime_dependency "ruby2ruby", ">= 2.4.0"
+  s.add_runtime_dependency "ruby_parser", ">= 3.10.1"
+  s.add_runtime_dependency "sexp_processor", ">= 4.10.0"
 
+  s.add_development_dependency "rake"
+  s.add_development_dependency "rdoc"
+  s.add_development_dependency "simplecov"
+  s.add_development_dependency "test-unit"
+end

data/test/test_helper.rb

@@ -155,6 +155,21 @@ class Article::ExtendedJail < Article::Jail
 end
 
 class Comment::Jail < Safemode::Jail
-  allow :article, :text
+  allow :article, :text, :object_id
   allow_class_method :all
 end
+
+class ExtendedComment < Comment
+  def extended_text
+    "extended comment #{object_id}"
+  end
+
+  def to_jail
+    ExtendedComment::Jail.new self
+  end
+
+  class Jail < Comment::Jail
+    allow :extended_text
+  end
+end
+

data/test/test_jail.rb

@@ -5,6 +5,7 @@ class TestJail < Test::Unit::TestCase
     @article = Article.new.to_jail
     @comment = @article.comments.first
     @comment_class = Comment.to_jail
+    @extended_comment = ExtendedComment.new(@article).to_jail
   end
 
   def test_explicitly_allowed_instance_methods_should_be_accessible
@@ -36,7 +37,8 @@ class TestJail < Test::Unit::TestCase
                 "allow_instance_method", "allow_class_method", "allowed_instance_method?",
                 "allowed_class_method?", "allowed_instance_methods", "allowed_class_methods",
                 "<", # < needed in Rails Object#subclasses_of
-                "ancestors", "=="] # ancestors and == needed in Rails::Generator::Spec#lookup_class
+                "ancestors", "==", # ancestors and == needed in Rails::Generator::Spec#lookup_class
+                "singleton_class?" ]
 
     if defined?(JRUBY_VERSION)
       (expected << ['method_missing', 'singleton_method_undefined', 'singleton_method_added']).flatten!  # needed for running under jruby
@@ -56,6 +58,14 @@ class TestJail < Test::Unit::TestCase
     assert !@article.respond_to?(:bogus)
   end
 
+  def test_methodcall_comment
+    assert_equal "comment #{@comment.object_id}", @comment.text
+  end
+
+  def test_methodcall_extended_comment
+    assert_equal "extended comment #{@extended_comment.object_id}", @extended_comment.extended_text
+  end
+
   private
 
   def objects

data/test/test_safemode_eval.rb

@@ -80,6 +80,10 @@ class TestSafemodeEval < Test::Unit::TestCase
     assert_raise_security '"#{`ls -a`}"'
   end
 
+  def test_should_not_allow_access_to_bind
+    assert_raise_security "self.bind('an arg')"
+  end
+
   TestHelper.no_method_error_raising_calls.each do |call|
     call.gsub!('"', '\\\\"')
     class_eval %Q(

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: safemode
 version: !ruby/object:Gem::Version
-  version: 1.3.6
+  version: 1.3.8
 platform: ruby
 authors:
 - Sven Fuchs
@@ -13,7 +13,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-08-31 00:00:00.000000000 Z
+date: 2023-07-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ruby2ruby
@@ -58,7 +58,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: 4.10.0
 - !ruby/object:Gem::Dependency
-  name: jeweler
+  name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -72,7 +72,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: rake
+  name: rdoc
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -85,20 +85,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  name: rdoc
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.12'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.12'
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
@@ -129,18 +115,17 @@ dependencies:
         version: '0'
 description: A library for safe evaluation of Ruby code based on RubyParser and Ruby2Ruby.
   Provides Rails ActionView template handlers for ERB and Haml.
-email: ohadlevy@gmail.com
+email: 
 executables: []
 extensions: []
 extra_rdoc_files:
+- LICENSE
 - README.markdown
 files:
-- ".travis.yml"
 - Gemfile
-- LICENCSE
+- LICENSE
 - README.markdown
 - Rakefile
-- VERSION
 - demo.rb
 - init.rb
 - lib/action_view/template_handlers/safe_erb.rb
@@ -163,7 +148,7 @@ files:
 - test/test_jail.rb
 - test/test_safemode_eval.rb
 - test/test_safemode_parser.rb
-homepage: http://github.com/svenfuchs/safemode
+homepage: https://github.com/svenfuchs/safemode
 licenses:
 - MIT
 metadata: {}
@@ -175,15 +160,17 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: '2.5'
+  - - "<"
+    - !ruby/object:Gem::Version
+      version: '4'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6
+rubygems_version: 3.1.6
 signing_key: 
 specification_version: 4
 summary: A library for safe evaluation of Ruby code based on ParseTree/RubyParser

data/.travis.yml

@@ -1,16 +0,0 @@
----
-os: linux
-dist: xenial
-language: ruby
-rvm:
-  - 2.2
-  - 2.3
-  - 2.4
-  - 2.5
-  - 2.6
-  - 2.7
-  - jruby-9
-matrix:
-  allow_failures:
-    - rvm: jruby-9
-before_install: gem install bundler --version 1.17.3

data/VERSION

@@ -1 +0,0 @@
-1.3.6