safemode 1.6.0 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 60d02e15fb3d2ae2d1447e72e0c92e7379c826393b64349ce3c2c71ca4d53da5
-  data.tar.gz: 3cb324e0289157a132e5edd0535cc66d6ae351acf737b092d74a68859ebfe887
+  metadata.gz: 31ed45049398953b35fafe5ff837df2332712caa9534c5278e971d9031a61836
+  data.tar.gz: 49b507273a0ef6d03578be21a26f26388fb4cd54d253670a8932ae7891ae40f7
 SHA512:
-  metadata.gz: 364354811cc8928d257da2d095e4aed8301eb5d26a7d2303d8f0be5e9d16a1c9172f04c967c385a31ea24af95dc6c2eb00ef2fd7eb47426872db0064a5035cd0
-  data.tar.gz: 01f78d9d81dffa08d50068177840324c7d54db94249a3714b34d2e2301386836a061c85da2ce4d610c8890f60427b76bb2fa3bb2f7e90a917a6c2316ff58c13b
+  metadata.gz: eefb3d5121ad93910e1468cd635a5d77320dfbd23c341469af7acc1d90c80947ab1f8ec058bf1775b9269566d2503cfec0118bb6143e9d35ee6ba5afbb055caa
+  data.tar.gz: ab5f0385d055999f6a6463381d24494bab377fe12aebec639b3be5fc78faf4355c5485105ba6c73bbc0a0023c2db3dd063bc35abee19d4564748d15a925650d8

data/lib/safemode/parser.rb

@@ -1,7 +1,5 @@
 module Safemode
   class Parser < Ruby2Ruby
-    @@parser = 'RubyParser'
-
     class << self
       def jail(code, allowed_fcalls = [])
         @@allowed_fcalls = allowed_fcalls
@@ -10,16 +8,7 @@ module Safemode
       end
 
       def parse(code)
-        case @@parser
-        when 'RubyParser'
-          RubyParser.new.parse(code)
-        else
-          raise "unknown parser #{@@parser}"
-        end
-      end
-
-      def parser=(parser)
-        @@parser = parser
+        Prism::Translation::RubyParser.parse(code)
       end
     end
 
@@ -86,9 +75,13 @@ module Safemode
                    # :colon2 is used for module constants
                    :colon2,
                    # unnecessarily advanced?
-                   :argscat, :argspush, :splat,
+                   :argscat, :argspush, :splat, :kwsplat,
+                   # NOTE: op_asgn*/safe_op_asgn* do not insert .to_jail on the
+                   # receiver. Setters are called directly on the real object, bypassing Jail.
                    :op_asgn, :op_asgn1, :op_asgn2, :op_asgn_and, :op_asgn_or,
-                   :safe_op_asgn,
+                   :safe_op_asgn, :safe_op_asgn2,
+                   # pattern matching (Ruby 3.0+)
+                   :in, :array_pat, :hash_pat, :find_pat, :kwrest,
                    # needed for haml
                    :block ]
 
@@ -96,18 +89,21 @@ module Safemode
                    # see below for :const handling
                    :defn, :defs, :alias, :valias, :undef, :class, :attrset,
                    :module, :sclass, :colon3,
-                   :fbody, :scope, :block_arg, :postexe,
+                   :fbody, :scope, :block_arg, :postexe, :preexe,
                    :redo, :retry, :begin, :rescue, :resbody, :ensure,
                    :defined, :super, :zsuper, :return,
                    :dmethod, :bmethod, :to_ary, :svalue, :match,
-                   :attrasgn, :cdecl, :cvasgn, :cvdecl, :cvar, :gvar, :gasgn,
+                   :attrasgn, :safe_attrasgn,
+                   :cdecl, :cvasgn, :cvdecl, :cvar, :gvar, :gasgn,
                    :xstr, :dxstr,
                    # not sure how secure ruby regexp is, so leave it out for now
                    :dregx, :dregx_once, :match2, :match3, :nth_ref, :back_ref,
                    # block_pass represents &:method, which would bypass the whitelist e.g. by array.each(&:destroy)
                    # at this point we don't know the receiver so we rather disable it completely,
                    # use array.each { |item| item.destroy } instead
-                   :block_pass ]
+                   :block_pass,
+                   # lambda creates Proc objects
+                   :lambda ]
 
     # SexpProcessor bails when we overwrite these ... but they are listed as
     # "internal nodes that you can't get to" in sexp_processor.rb
@@ -205,6 +201,49 @@ module Safemode
       end
     end
 
+    # Ruby2Ruby bug: __var adds ^ (pin) to all lvars inside :in context,
+    # including the body after "then" where ^ is invalid syntax.
+    # Fix: process body outside the :in context.
+    def process_in(exp)
+      _, pattern, *body = exp
+
+      guard = extract_guard(pattern)
+      cond = process pattern
+      body = body.compact.map { |sexp|
+        in_context :in_body do
+          indent process sexp
+        end
+      }
+
+      body << indent("# do nothing") if body.empty?
+      body = body.join "\n"
+
+      header = "in #{cond}"
+      header << " #{guard}" if guard
+      "#{header} then\n#{body.chomp}"
+    end
+
+    # Prism translates guard clauses (in pattern if cond / in pattern unless cond)
+    # as s(:if, guard, pattern, nil) / s(:if, guard, nil, pattern). We detect this
+    # and rewrite the sexp in-place so process_if renders only the pattern, then
+    # return the guard string for process_in to append.
+    def extract_guard(pattern)
+      return unless pattern.sexp_type == :if
+
+      _, guard_sexp, if_body, else_body = pattern
+      if if_body && !else_body
+        guard_str = in_context(:in_body) { "if #{process guard_sexp.deep_clone}" }
+        pattern.clear
+        if_body.each { |node| pattern << node }
+      elsif else_body && !if_body
+        guard_str = in_context(:in_body) { "unless #{process guard_sexp.deep_clone}" }
+        pattern.clear
+        else_body.each { |node| pattern << node }
+      end
+
+      guard_str
+    end
+
     # Ruby2Ruby process_if rewrites if and unless statements in a way that
     # makes the result unusable for evaluation in, e.g. ERB which appends a
     # call to to_s when using <%= %> tags. We'd need to either enclose the

data/lib/safemode.rb

@@ -1,10 +1,8 @@
 require 'rubygems'
 
 require 'ruby2ruby'
-begin
-  require 'ruby_parser' # try to load RubyParser and use it if present
-rescue LoadError => e
-end
+require 'prism'
+require 'prism/translation/ruby_parser'
 
 require 'safemode/core_ext'
 require 'safemode/blankslate'

data/safemode.gemspec

@@ -4,10 +4,10 @@ require 'date'
 
 Gem::Specification.new do |s|
   s.name = "safemode".freeze
-  s.version = "1.6.0"
+  s.version = "2.0.0"
   s.date = Date.today
 
-  s.summary = "A library for safe evaluation of Ruby code based on RubyParser and Ruby2Ruby"
+  s.summary = "A library for safe evaluation of Ruby code based on Prism and Ruby2Ruby"
   s.description = "A library for safe evaluation of Ruby code based on RubyParser and Ruby2Ruby. Provides Rails ActionView template handlers for ERB and Haml."
   s.homepage = "https://github.com/svenfuchs/safemode"
   s.licenses = ["MIT"]
@@ -52,10 +52,10 @@ Gem::Specification.new do |s|
     "test/test_safemode_parser.rb"
   ]
 
-  s.required_ruby_version = ">= 2.7", "< 3.2"
+  s.required_ruby_version = ">= 3.0", "< 3.4"
 
   s.add_runtime_dependency "ruby2ruby", "~> 2.4"
-  s.add_runtime_dependency "ruby_parser", "~> 3.10"
+  s.add_runtime_dependency "prism", "~> 1.0"
   s.add_runtime_dependency "sexp_processor", "~> 4.10"
 
   s.add_development_dependency "rake", "~> 13.4"

data/test/test_helper.rb

@@ -112,6 +112,8 @@ class Article
     Comment
   end
 
+  attr_accessor :status
+
   def method_with_kwargs(a_keyword: false)
     a_keyword
   end
@@ -150,7 +152,7 @@ class Comment
 end
 
 class Article::Jail < Safemode::Jail
-  allow :title, :comments, :is_article?, :comment_class, :method_with_kwargs
+  allow :title, :comments, :is_article?, :comment_class, :method_with_kwargs, :status
 
   def author_name
     "this article's author name"

data/test/test_safemode_eval.rb

@@ -94,6 +94,111 @@ class TestSafemodeEval < Test::Unit::TestCase
     assert @box.eval("@article.method_with_kwargs(a_keyword: true)", @assigns)
   end
 
+  def test_pattern_matching_with_literal
+    assert_equal "matched", @box.eval('case 1; in 1; "matched"; in 2; "nope"; end')
+  end
+
+  def test_pattern_matching_with_array_destructuring
+    assert_equal 1, @box.eval('case [1, 2, 3]; in [a, b, c]; a; end')
+  end
+
+  def test_pattern_matching_with_hash_destructuring
+    assert_equal 1, @box.eval('case({a: 1, b: 2}); in {a:}; a; end')
+  end
+
+  def test_pattern_matching_with_assign
+    assert_equal "two", @box.eval('case @val; in 1; "one"; in 2; "two"; end', { val: 2 })
+  end
+
+  def test_pattern_matching_with_find_pattern
+    assert_equal "found", @box.eval('case [1, 2, 3]; in [*, 2, *]; "found"; end')
+  end
+
+  def test_pattern_matching_with_pin_operator
+    assert_equal "matched", @box.eval('y = 1; case 1; in ^y; "matched"; end')
+  end
+
+  def test_pattern_matching_with_multiple_clauses
+    assert_equal "second", @box.eval('case [3, 4]; in [1, 2]; "first"; in [3, 4]; "second"; end')
+  end
+
+  def test_pattern_matching_no_match_returns_nil
+    assert_nil @box.eval('case 3; in 1; "one"; in 2; "two"; else; nil; end')
+  end
+
+  def test_pattern_matching_with_if_guard
+    assert_equal "positive", @box.eval('case 1; in x if x > 0; "positive"; end')
+  end
+
+  def test_pattern_matching_with_unless_guard
+    assert_equal "not negative", @box.eval('case 1; in x unless x < 0; "not negative"; end')
+  end
+
+  def test_pattern_matching_guard_no_match
+    assert_nil @box.eval('case 1; in x if x < 0; "negative"; else; nil; end')
+  end
+
+  def test_pattern_matching_guard_with_array_pattern
+    assert_equal "yes", @box.eval('case [1, 2]; in [a, b] if a > 0; "yes"; end')
+  end
+
+  def test_pattern_matching_guard_with_hash_pattern
+    assert_equal "alice", @box.eval('case({name: "alice"}); in {name:} if name.start_with?("a"); name; end')
+  end
+
+  def test_rightward_assignment
+    assert_equal 1, @box.eval('[1, 2] => [a, b]; a')
+  end
+
+  def test_pattern_matching_with_jailed_hash
+    assert_equal "an article title", @box.eval('case @data; in {title:}; title; end', { data: { title: "an article title" } })
+  end
+
+  def test_hash_shorthand
+    # TODO: Remove the check once Ruby 3.1 is the minimum
+    if Gem::Version.new(RUBY_VERSION) >= Gem::Version.new('3.1')
+      assert_equal({ a: 1, b: 2 }, @box.eval('a = 1; b = 2; { a:, b: }'))
+    end
+  end
+
+  def test_endless_range
+    assert_equal [3, 4, 5], @box.eval('[1,2,3,4,5][2..]')
+  end
+
+  def test_beginless_range
+    assert_equal [1, 2, 3], @box.eval('[1,2,3,4,5][..2]')
+  end
+
+  # attrasgn (@article.status = val) is blocked at parse time
+  def test_attrasgn_is_blocked
+    assert_raise(Safemode::SecurityError) { @box.eval('@article.status = "new_value"', @assigns) }
+  end
+
+  def test_safe_attrasgn_is_blocked
+    assert_raise(Safemode::SecurityError) { @box.eval('@article&.status = "new_value"', @assigns) }
+  end
+
+  # op_asgn2 (@article.status ||= val) is NOT blocked at parse time.
+  # NOTE: .to_jail is not inserted on the receiver, so the setter is called
+  # directly on the real object, bypassing the Jail whitelist.
+  def test_op_asgn2_bypasses_jail
+    article = Article.new
+    assert_nil article.status
+    @box.eval('@article.status ||= "new_value"', { article: article })
+    assert_equal "new_value", article.status
+  end
+
+  def test_safe_op_asgn2_bypasses_jail
+    article = Article.new
+    assert_nil article.status
+    @box.eval('@article&.status ||= "new_value"', { article: article })
+    assert_equal "new_value", article.status
+  end
+
+  def test_lambda_is_blocked
+    assert_raise(Safemode::SecurityError) { @box.eval('-> { 1 }') }
+  end
+
   def test_sending_to_method_missing
     assert_raise_with_message(Safemode::NoMethodError, /#no_such_method/) do
       @box.eval("@article.no_such_method('arg', key: 'value')", @assigns)

data/test/test_safemode_parser.rb

@@ -67,6 +67,107 @@ class TestSafemodeParser < Test::Unit::TestCase
     end
   end
 
+  def test_safe_attrasgn_is_disabled
+    assert_raise Safemode::SecurityError do
+      jail('@article&.title = "new_value"')
+    end
+  end
+
+  def test_safe_op_asgn2_is_allowed
+    assert_nothing_raised do
+      jail('@article&.title ||= "new_value"')
+    end
+  end
+
+  def test_lambda_is_disabled
+    assert_raise Safemode::SecurityError do
+      jail('-> { 1 }')
+    end
+  end
+
+  def test_case_in_with_literal
+    jailed = jail("case x; in 1; \"one\"; in 2; \"two\"; end")
+    assert_match(/in 1 then/, jailed)
+    assert_match(/in 2 then/, jailed)
+    assert_match(/to_jail\.x/, jailed)
+  end
+
+  def test_case_in_with_array_pattern
+    jailed = jail("case x; in [a, b]; a; end")
+    assert_match(/in \[a, b\] then/, jailed)
+    assert_no_match(/\^a/, jailed)
+  end
+
+  def test_case_in_with_hash_pattern
+    jailed = jail("case x; in {name:}; name; end")
+    assert_match(/in \{ name: \} then/, jailed)
+    assert_no_match(/\^name/, jailed)
+  end
+
+  def test_case_in_with_find_pattern
+    jailed = jail("case x; in [*, 2, *]; \"found\"; end")
+    assert_match(/in \[\*, 2, \*\] then/, jailed)
+  end
+
+  def test_case_in_pin_operator
+    jailed = jail("y = 1; case x; in ^y; true; end")
+    assert_match(/in \^y then/, jailed)
+  end
+
+  def test_case_in_body_does_not_pin_variables
+    jailed = jail("case x; in [a, b]; a; end")
+    lines = jailed.lines
+    body_start = lines.index { |l| l.match?(/^in \[/) } + 1
+    lines[body_start..].each { |line| assert_no_match(/\^[a-z]/, line) }
+  end
+
+  def test_case_in_multiple_clauses
+    jailed = jail("case x; in [a, b]; a; in {c:}; c; end")
+    assert_match(/in \[a, b\] then/, jailed)
+    assert_match(/in \{ c: \} then/, jailed)
+  end
+
+  def test_case_in_with_if_guard
+    jailed = jail("case x; in 1 if true; \"matched\"; end")
+    assert_match(/in 1 if true then/, jailed)
+  end
+
+  def test_case_in_with_unless_guard
+    jailed = jail("case x; in 1 unless false; \"matched\"; end")
+    assert_match(/in 1 unless false then/, jailed)
+  end
+
+  def test_case_in_guard_does_not_pin_variables
+    jailed = jail("case x; in [a, b] if a; a; end")
+    guard_line = jailed.lines.find { |l| l.match?(/^in \[/) }
+    assert_match(/if a then/, guard_line)
+    assert_no_match(/\^a/, guard_line)
+  end
+
+  def test_case_in_guard_jails_method_calls
+    jailed = jail('case x; in {name: n} if n.start_with?("a"); n; end')
+    assert_match(/if n\.to_jail\.start_with\?/, jailed)
+  end
+
+  def test_rightward_assignment
+    jailed = jail("x => a")
+    assert_match(/case to_jail\.x/, jailed)
+    assert_match(/in a then/, jailed)
+  end
+
+  def test_hash_shorthand_in_literal
+    jailed = jail("a = 1; b = 2; { a:, b: }")
+    assert_match(/a:,/, jailed)
+  end
+
+  def test_endless_range
+    assert_jailed "(1..)", "(1..)"
+  end
+
+  def test_beginless_range
+    assert_jailed "(..5)", "(..5)"
+  end
+
 private
 
   def assert_jailed(expected, code)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: safemode
 version: !ruby/object:Gem::Version
-  version: 1.6.0
+  version: 2.0.0
 platform: ruby
 authors:
 - Sven Fuchs
@@ -10,7 +10,6 @@ authors:
 - Kingsley Hendrickse
 - Ohad Levy
 - Dmitri Dolguikh
-autorequire:
 bindir: bin
 cert_chain: []
 date: 2026-05-21 00:00:00.000000000 Z
@@ -30,19 +29,19 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '2.4'
 - !ruby/object:Gem::Dependency
-  name: ruby_parser
+  name: prism
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.10'
+        version: '1.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.10'
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: sexp_processor
   requirement: !ruby/object:Gem::Requirement
@@ -115,7 +114,6 @@ dependencies:
         version: '3.7'
 description: A library for safe evaluation of Ruby code based on RubyParser and Ruby2Ruby.
   Provides Rails ActionView template handlers for ERB and Haml.
-email:
 executables: []
 extensions: []
 extra_rdoc_files:
@@ -150,7 +148,6 @@ homepage: https://github.com/svenfuchs/safemode
 licenses:
 - MIT
 metadata: {}
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -158,18 +155,17 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.7'
+      version: '3.0'
   - - "<"
     - !ruby/object:Gem::Version
-      version: '3.2'
+      version: '3.4'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.33
-signing_key:
+rubygems_version: 4.0.10
 specification_version: 4
-summary: A library for safe evaluation of Ruby code based on RubyParser and Ruby2Ruby
+summary: A library for safe evaluation of Ruby code based on Prism and Ruby2Ruby
 test_files: []