safemode 1.2.5 → 1.3.1
- checksums.yaml +4 -4
- data/Gemfile +2 -2
- data/README.markdown +4 -0
- data/VERSION +1 -1
- data/lib/safemode.rb +1 -1
- data/lib/safemode/blankslate.rb +27 -10
- data/lib/safemode/core_jails.rb +24 -3
- data/lib/safemode/jail.rb +10 -4
- data/lib/safemode/parser.rb +10 -4
- data/safemode.gemspec +46 -46
- data/test/test_erb_eval.rb +3 -3
- data/test/test_helper.rb +24 -3
- data/test/test_jail.rb +9 -2
- data/test/test_safemode_eval.rb +4 -4
- metadata +3 -3
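--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 7a2ae334b96360e57f06053963af98bb3565e1d1
+data.tar.gz: 4ad12d5c492b17595d6dda6aa8caec4ca154f03f
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: '0942dbc88ee4246dc414c598555822b58b5ba18f6b7471edcb3e583ed1e42c442b3b0724a927d4150ea705b9eb95f7f33cd947074f83f2326dfecaabc65d880a'
+data.tar.gz: 9338694a4120ca2190e4dcf6151d2cf8822b155fc887396ae63e0671734075ba325cad4c5a38a44cc7b98540fa0b37ea28b611aed76be50e6d216c5a4a4f7cec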
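--- a/data/Gemfile
+++ b/data/Gemfile
@@ -12,7 +12,7 @@ group :development do
 gem "bundler", "~> 1.0"
 gem "jeweler", ">= 0"
 gem "rcov", :platforms => :ruby_18
-gem "simplecov", :platforms => [:ruby_19, :ruby_20, :ruby_21, :ruby_22, :ruby_23]
-gem "test-unit", :platforms => [:ruby_19, :ruby_20, :ruby_21, :ruby_22, :ruby_23]
+gem "simplecov", :platforms => [:ruby_19, :ruby_20, :ruby_21, :ruby_22, :ruby_23, :ruby_24]
+gem "test-unit", :platforms => [:ruby_19, :ruby_20, :ruby_21, :ruby_22, :ruby_23, :ruby_24]
 gem "rake"
 end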
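--- a/data/README.markdown
+++ b/data/README.markdown
@@ -45,6 +45,10 @@ can do that by defining a Safemode::Jail class for your classes, like so:
 This will allow your template users to access the name method on your User
 objects.
 
+Class methods can be whitelisted by calling `allow_class_method :foo` from
+within the Jail. Note that access to raw constants is not permitted, so the
+class is only accessible when returned by a method or passed into a template.
+
 For more details about the concepts behind Safemode please refer to the
 following blog posts until a more comprehensive writeup is available:
 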
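--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-1.
+1.3.1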
data/lib/safemode.rb
CHANGED
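--- a/data/lib/safemode/blankslate.rb
+++ b/data/lib/safemode/blankslate.rb
@@ -10,24 +10,41 @@ module Safemode
 def method_added(name) end # ActiveSupport needs this
 
 def inherited(subclass)
-subclass.init_allowed_methods(@
+subclass.init_allowed_methods(@allowed_instance_methods, @allowed_class_methods)
 end
 
-def init_allowed_methods(
-@
+def init_allowed_methods(allowed_instance_methods, allowed_class_methods)
+@allowed_instance_methods = allowed_instance_methods
+@allowed_class_methods = allowed_class_methods
 end
 
-def
-@
+def allowed_instance_methods
+@allowed_instance_methods ||= []
 end
+alias_method :allowed_methods, :allowed_instance_methods
 
-def
-@
-@allowed_methods.uniq!
+def allowed_class_methods
+@allowed_class_methods ||= []
 end
 
-def
-
+def allow_instance_method(*names)
+@allowed_instance_methods = allowed_instance_methods + names.map{|name| name.to_s}
+@allowed_instance_methods.uniq!
+end
+alias_method :allow, :allow_instance_method
+
+def allow_class_method(*names)
+@allowed_class_methods = allowed_class_methods + names.map{|name| name.to_s}
+@allowed_class_methods.uniq!
+end
+
+def allowed_instance_method?(name)
+allowed_instance_methods.include? name.to_s
+end
+alias_method :allowed?, :allowed_instance_method?
+
+def allowed_class_method?(name)
+allowed_class_methods.include? name.to_s
 end
 end
 end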
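Review bot: `init_allowed_methods` (new lines 16–18) stores the arrays it is handed rather than copies, and `inherited` passes the parent's `@allowed_instance_methods`/`@allowed_class_methods` straight through, so a freshly inherited jail class shares its allowlist arrays with the parent until one of its own `allow_*` calls reassigns them; an in-place mutation of the public `allowed_methods` alias from outside would then widen both allowlists at once. Copying on init closes that gap: `@allowed_instance_methods = allowed_instance_methods && allowed_instance_methods.dup` and `@allowed_class_methods = allowed_class_methods && allowed_class_methods.dup`. The `allow_*` methods themselves are safe as written because `+` builds a new array before `uniq!` runs. `names.map{|name| name.to_s}` on lines 31 and 37 reads more idiomatically as `names.map(&:to_s)`.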
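--- a/data/lib/safemode/core_jails.rb
+++ b/data/lib/safemode/core_jails.rb
@@ -2,7 +2,10 @@ module Safemode
 class << self
 def define_core_jail_classes
 core_classes.each do |klass|
-define_jail_class(klass)
+jail = define_jail_class(klass)
+jail.allow_instance_method *core_jail_methods(klass).uniq
+jail.allow_class_method *core_jail_class_methods(klass).uniq
+jail
 end
 end
 
@@ -14,14 +17,24 @@ module Safemode
 end
 
 def core_classes
-klasses = [ Array,
+klasses = [ Array, Float, Hash, Range, String, Symbol, Time, NilClass, FalseClass, TrueClass ]
 klasses << Date if defined? Date
 klasses << DateTime if defined? DateTime
+if RUBY_VERSION >= '2.4.0'
+klasses << Integer
+else
+klasses << Bignum
+klasses << Fixnum
+end
 klasses
 end
 
 def core_jail_methods(klass)
-@@methods_whitelist
+@@methods_whitelist.fetch(klass.name, []) + (@@default_methods & klass.instance_methods.map(&:to_s))
+end
+
+def core_jail_class_methods(klass)
+@@class_methods_whitelist.fetch(klass.name, []) + (@@default_class_methods & klass.methods.map(&:to_s))
 end
 end
 
@@ -109,4 +122,12 @@ module Safemode
 
 'TrueClass' => %w(blank? duplicable? present?)
 }
+
+# these class methods are allowed on all classes if they are present
+@@default_class_methods = %w(name to_jail to_s)
+
+# whitelisted class methods for core classes
+@@class_methods_whitelist = {
+'String' => %w(new)
+}
 end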
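Review bot: `RUBY_VERSION >= '2.4.0'` in `core_classes` (new line 23) is a plain string comparison, which orders versions lexically and misbehaves as soon as a component has a different number of digits; `Gem::Version.new(RUBY_VERSION) >= Gem::Version.new('2.4.0')` compares numerically, and the same applies to `RUBY_VERSION >= "1.9"` in parser.rb's `process_const`. Separately, `core_jail_methods` now looks up `@@methods_whitelist.fetch(klass.name, [])`, so on 2.4+ the key consulted for the new `Integer` entry is `'Integer'`; if that hash (defined outside this hunk) still only carries `'Fixnum'`/`'Bignum'` entries, Integer jails would fall back to `@@default_methods` alone, which is worth confirming against the full file. The new `@@default_class_methods` and `@@class_methods_whitelist` also deserve a comment tying them to the enforcement point, e.g. `# class-side allowlist: core_jail_class_methods merges this with @@default_class_methods, and Jail#method_missing enforces the result on jailed classes`.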
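--- a/data/lib/safemode/jail.rb
+++ b/data/lib/safemode/jail.rb
@@ -13,8 +13,14 @@ module Safemode
 end
 
 def method_missing(method, *args, &block)
-
-
+if @source.is_a?(Class)
+unless self.class.allowed_class_method?(method)
+raise Safemode::NoMethodError.new(".#{method}", self.class.name, @source.name)
+end
+else
+unless self.class.allowed_instance_method?(method)
+raise Safemode::NoMethodError.new("##{method}", self.class.name, @source.class.name)
+end
 end
 
 # As every call to an object in the eval'ed string will be jailed by the
@@ -31,7 +37,7 @@ module Safemode
 end
 
 def respond_to_missing?(method_name, include_private = false)
-self.class.
+self.class.allowed_instance_method?(method_name)
 end
 end
-end
+end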
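Review bot: `respond_to_missing?` (new line 40) answers only from the instance allowlist, while `method_missing` (new lines 16–23) now branches on `@source.is_a?(Class)` and consults `allowed_class_method?` for jailed classes; a class jail therefore reports `respond_to?` false for exactly the class methods it will dispatch, and true for instance-only names it will refuse. Mirroring the branch keeps the two consistent: `@source.is_a?(Class) ? self.class.allowed_class_method?(method_name) : self.class.allowed_instance_method?(method_name)`. The body of `method_missing` continues past the first hunk, so the dispatch that follows the new guard is not visible here.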
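--- a/data/lib/safemode/parser.rb
+++ b/data/lib/safemode/parser.rb
@@ -114,11 +114,17 @@ module Safemode
 end
 end
 
-# handling of Encoding constants in ruby 1.9.
-# Note: ruby_parser evaluates __ENCODING__ to s(:colon2, s(:const, :Encoding), :UTF_8)
 def process_const(arg)
-
-
+if RUBY_VERSION >= "1.9" && arg.sexp_type == :Encoding
+# handling of Encoding constants in ruby 1.9.
+# Note: ruby_parser evaluates __ENCODING__ to s(:colon2, s(:const, :Encoding), :UTF_8)
+"#{super(arg).gsub('-', '_')}"
+elsif arg.sexp_type == :String
+# Allow String.new as used in ERB in Ruby 2.4+ to create a string buffer
+super(arg).to_s
+else
+raise_security_error("constant", super(arg))
+end
 end
 
 def raise_security_error(type, info)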
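Review bot: The comment on new line 123, `# Allow String.new as used in ERB in Ruby 2.4+ to create a string buffer`, understates what the branch does: `process_const` emits the bare `String` constant for any `:String` const node, not only the `.new` call, so which class methods a template can then invoke is decided entirely by the jail's class-method allowlist rather than by this parser. Suggest stating that boundary explicitly, e.g. `# Emit the String constant (ERB on Ruby 2.4+ calls String.new for its buffer); the jail's class-method allowlist decides which methods may be called on it`. Every other constant still reaches `raise_security_error`, so the README's "raw constants are not permitted" sentence now holds for everything except `String` and could say so. `"#{super(arg).gsub('-', '_')}"` on line 121 wraps an already-string result in an interpolation that adds nothing if `super` returns a String; `super(arg).gsub('-', '_')` would be equivalent.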
data/safemode.gemspec
CHANGED
@@ -2,18 +2,18 @@
|
|
2
2
|
# DO NOT EDIT THIS FILE DIRECTLY
|
3
3
|
# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
|
4
4
|
# -*- encoding: utf-8 -*-
|
5
|
-
# stub: safemode 1.
|
5
|
+
# stub: safemode 1.3.1 ruby lib
|
6
6
|
|
7
7
|
Gem::Specification.new do |s|
|
8
|
-
s.name = "safemode"
|
9
|
-
s.version = "1.
|
8
|
+
s.name = "safemode".freeze
|
9
|
+
s.version = "1.3.1"
|
10
10
|
|
11
|
-
s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
|
12
|
-
s.require_paths = ["lib"]
|
13
|
-
s.authors = ["Sven Fuchs", "Peter Cooper", "Matthias Viehweger", "Kingsley Hendrickse", "Ohad Levy", "Dmitri Dolguikh"]
|
14
|
-
s.date = "2017-
|
15
|
-
s.description = "A library for safe evaluation of Ruby code based on RubyParser and Ruby2Ruby. Provides Rails ActionView template handlers for ERB and Haml."
|
16
|
-
s.email = "ohadlevy@gmail.com"
|
11
|
+
s.required_rubygems_version = Gem::Requirement.new(">= 0".freeze) if s.respond_to? :required_rubygems_version=
|
12
|
+
s.require_paths = ["lib".freeze]
|
13
|
+
s.authors = ["Sven Fuchs".freeze, "Peter Cooper".freeze, "Matthias Viehweger".freeze, "Kingsley Hendrickse".freeze, "Ohad Levy".freeze, "Dmitri Dolguikh".freeze]
|
14
|
+
s.date = "2017-02-13"
|
15
|
+
s.description = "A library for safe evaluation of Ruby code based on RubyParser and Ruby2Ruby. Provides Rails ActionView template handlers for ERB and Haml.".freeze
|
16
|
+
s.email = "ohadlevy@gmail.com".freeze
|
17
17
|
s.extra_rdoc_files = [
|
18
18
|
"README.markdown"
|
19
19
|
]
|
@@ -46,51 +46,51 @@ Gem::Specification.new do |s|
|
|
46
46
|
"test/test_safemode_eval.rb",
|
47
47
|
"test/test_safemode_parser.rb"
|
48
48
|
]
|
49
|
-
s.homepage = "http://github.com/svenfuchs/safemode"
|
50
|
-
s.licenses = ["MIT"]
|
51
|
-
s.rubygems_version = "2.
|
52
|
-
s.summary = "A library for safe evaluation of Ruby code based on ParseTree/RubyParser and Ruby2Ruby"
|
49
|
+
s.homepage = "http://github.com/svenfuchs/safemode".freeze
|
50
|
+
s.licenses = ["MIT".freeze]
|
51
|
+
s.rubygems_version = "2.6.10".freeze
|
52
|
+
s.summary = "A library for safe evaluation of Ruby code based on ParseTree/RubyParser and Ruby2Ruby".freeze
|
53
53
|
|
54
54
|
if s.respond_to? :specification_version then
|
55
55
|
s.specification_version = 4
|
56
56
|
|
57
57
|
if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
|
58
|
-
s.add_runtime_dependency(%q<sexp_processor
|
59
|
-
s.add_runtime_dependency(%q<ruby2ruby
|
60
|
-
s.add_runtime_dependency(%q<ruby_parser
|
61
|
-
s.add_development_dependency(%q<shoulda
|
62
|
-
s.add_development_dependency(%q<rdoc
|
63
|
-
s.add_development_dependency(%q<bundler
|
64
|
-
s.add_development_dependency(%q<jeweler
|
65
|
-
s.add_development_dependency(%q<rcov
|
66
|
-
s.add_development_dependency(%q<simplecov
|
67
|
-
s.add_development_dependency(%q<test-unit
|
68
|
-
s.add_development_dependency(%q<rake
|
58
|
+
s.add_runtime_dependency(%q<sexp_processor>.freeze, [">= 4.3.0"])
|
59
|
+
s.add_runtime_dependency(%q<ruby2ruby>.freeze, [">= 2.0.6"])
|
60
|
+
s.add_runtime_dependency(%q<ruby_parser>.freeze, [">= 3.2.0"])
|
61
|
+
s.add_development_dependency(%q<shoulda>.freeze, [">= 0"])
|
62
|
+
s.add_development_dependency(%q<rdoc>.freeze, ["~> 3.12"])
|
63
|
+
s.add_development_dependency(%q<bundler>.freeze, ["~> 1.0"])
|
64
|
+
s.add_development_dependency(%q<jeweler>.freeze, [">= 0"])
|
65
|
+
s.add_development_dependency(%q<rcov>.freeze, [">= 0"])
|
66
|
+
s.add_development_dependency(%q<simplecov>.freeze, [">= 0"])
|
67
|
+
s.add_development_dependency(%q<test-unit>.freeze, [">= 0"])
|
68
|
+
s.add_development_dependency(%q<rake>.freeze, [">= 0"])
|
69
69
|
else
|
70
|
-
s.add_dependency(%q<sexp_processor
|
71
|
-
s.add_dependency(%q<ruby2ruby
|
72
|
-
s.add_dependency(%q<ruby_parser
|
73
|
-
s.add_dependency(%q<shoulda
|
74
|
-
s.add_dependency(%q<rdoc
|
75
|
-
s.add_dependency(%q<bundler
|
76
|
-
s.add_dependency(%q<jeweler
|
77
|
-
s.add_dependency(%q<rcov
|
78
|
-
s.add_dependency(%q<simplecov
|
79
|
-
s.add_dependency(%q<test-unit
|
80
|
-
s.add_dependency(%q<rake
|
70
|
+
s.add_dependency(%q<sexp_processor>.freeze, [">= 4.3.0"])
|
71
|
+
s.add_dependency(%q<ruby2ruby>.freeze, [">= 2.0.6"])
|
72
|
+
s.add_dependency(%q<ruby_parser>.freeze, [">= 3.2.0"])
|
73
|
+
s.add_dependency(%q<shoulda>.freeze, [">= 0"])
|
74
|
+
s.add_dependency(%q<rdoc>.freeze, ["~> 3.12"])
|
75
|
+
s.add_dependency(%q<bundler>.freeze, ["~> 1.0"])
|
76
|
+
s.add_dependency(%q<jeweler>.freeze, [">= 0"])
|
77
|
+
s.add_dependency(%q<rcov>.freeze, [">= 0"])
|
78
|
+
s.add_dependency(%q<simplecov>.freeze, [">= 0"])
|
79
|
+
s.add_dependency(%q<test-unit>.freeze, [">= 0"])
|
80
|
+
s.add_dependency(%q<rake>.freeze, [">= 0"])
|
81
81
|
end
|
82
82
|
else
|
83
|
-
s.add_dependency(%q<sexp_processor
|
84
|
-
s.add_dependency(%q<ruby2ruby
|
85
|
-
s.add_dependency(%q<ruby_parser
|
86
|
-
s.add_dependency(%q<shoulda
|
87
|
-
s.add_dependency(%q<rdoc
|
88
|
-
s.add_dependency(%q<bundler
|
89
|
-
s.add_dependency(%q<jeweler
|
90
|
-
s.add_dependency(%q<rcov
|
91
|
-
s.add_dependency(%q<simplecov
|
92
|
-
s.add_dependency(%q<test-unit
|
93
|
-
s.add_dependency(%q<rake
|
83
|
+
s.add_dependency(%q<sexp_processor>.freeze, [">= 4.3.0"])
|
84
|
+
s.add_dependency(%q<ruby2ruby>.freeze, [">= 2.0.6"])
|
85
|
+
s.add_dependency(%q<ruby_parser>.freeze, [">= 3.2.0"])
|
86
|
+
s.add_dependency(%q<shoulda>.freeze, [">= 0"])
|
87
|
+
s.add_dependency(%q<rdoc>.freeze, ["~> 3.12"])
|
88
|
+
s.add_dependency(%q<bundler>.freeze, ["~> 1.0"])
|
89
|
+
s.add_dependency(%q<jeweler>.freeze, [">= 0"])
|
90
|
+
s.add_dependency(%q<rcov>.freeze, [">= 0"])
|
91
|
+
s.add_dependency(%q<simplecov>.freeze, [">= 0"])
|
92
|
+
s.add_dependency(%q<test-unit>.freeze, [">= 0"])
|
93
|
+
s.add_dependency(%q<rake>.freeze, [">= 0"])
|
94
94
|
end
|
95
95
|
end
|
96
96
|
|
data/test/test_erb_eval.rb
CHANGED
@@ -13,7 +13,7 @@ class TestERBEval < Test::Unit::TestCase
|
|
13
13
|
def test_some_stuff_that_should_work
|
14
14
|
['"test".upcase', '10.succ', '10.times{}', '[1,2,3].each{|a| a + 1}',
|
15
15
|
'true ? 1 : 0', 'a = 1', 'unless "a" == "b"; "false"; end',
|
16
|
-
'if "a" != "b"; "true"; end'].each do |code|
|
16
|
+
'if "a" != "b"; "true"; end', 'String.new'].each do |code|
|
17
17
|
code = ERB.new("<%= #{code} %>").src
|
18
18
|
assert_nothing_raised{ @box.eval code }
|
19
19
|
end
|
@@ -61,7 +61,7 @@ class TestERBEval < Test::Unit::TestCase
|
|
61
61
|
call.gsub!('"', '\\\\"')
|
62
62
|
class_eval %Q(
|
63
63
|
def test_calling_#{call.gsub(/[\W]/, '_')}_should_raise_no_method
|
64
|
-
assert_raise_no_method "#{call}"
|
64
|
+
assert_raise_no_method "#{call}", @assigns, @locals
|
65
65
|
end
|
66
66
|
)
|
67
67
|
end
|
@@ -70,7 +70,7 @@ class TestERBEval < Test::Unit::TestCase
|
|
70
70
|
call.gsub!('"', '\\\\"')
|
71
71
|
class_eval %Q(
|
72
72
|
def test_calling_#{call.gsub(/[\W]/, '_')}_should_raise_security
|
73
|
-
assert_raise_security "#{call}"
|
73
|
+
assert_raise_security "#{call}", @assigns, @locals
|
74
74
|
end
|
75
75
|
)
|
76
76
|
end
|
data/test/test_helper.rb
CHANGED
@@ -17,7 +17,10 @@ module TestHelper
|
|
17
17
|
'true.eval("a = 1")',
|
18
18
|
'false.eval("a = 1")',
|
19
19
|
'@article.is_article?.eval("a = 1")',
|
20
|
-
'@article.comments.map{|c| c.eval("a = 1")}'
|
20
|
+
'@article.comments.map{|c| c.eval("a = 1")}',
|
21
|
+
'@article.comment_class.destroy_all',
|
22
|
+
'@article.comment_class.new',
|
23
|
+
'String.instance_variable_set :@a, :a' ]
|
21
24
|
end
|
22
25
|
|
23
26
|
def security_error_raising_calls
|
@@ -62,7 +65,8 @@ module TestHelper
|
|
62
65
|
"sleep", "sleep(0)",
|
63
66
|
"test(1, a, b)",
|
64
67
|
"Signal.trap(0, proc { puts 'Terminating: #{$$}' })",
|
65
|
-
"warn 'warning'"
|
68
|
+
"warn 'warning'",
|
69
|
+
'Array.new' ]
|
66
70
|
end
|
67
71
|
end
|
68
72
|
|
@@ -102,6 +106,10 @@ class Article
|
|
102
106
|
[Comment.new(self), Comment.new(self)]
|
103
107
|
end
|
104
108
|
|
109
|
+
def comment_class
|
110
|
+
Comment
|
111
|
+
end
|
112
|
+
|
105
113
|
def method_missing(method, *args, &block)
|
106
114
|
super(method, *args, &block)
|
107
115
|
end
|
@@ -121,10 +129,22 @@ class Comment
|
|
121
129
|
def to_jail
|
122
130
|
Comment::Jail.new self
|
123
131
|
end
|
132
|
+
|
133
|
+
def self.to_jail
|
134
|
+
Comment::Jail.new self
|
135
|
+
end
|
136
|
+
|
137
|
+
def self.all(article)
|
138
|
+
[Comment.new(article), Comment.new(article)]
|
139
|
+
end
|
140
|
+
|
141
|
+
def self.destroy_all
|
142
|
+
raise 'Destroyed all comments'
|
143
|
+
end
|
124
144
|
end
|
125
145
|
|
126
146
|
class Article::Jail < Safemode::Jail
|
127
|
-
allow :title, :comments, :is_article
|
147
|
+
allow :title, :comments, :is_article?, :comment_class
|
128
148
|
|
129
149
|
def author_name
|
130
150
|
"this article's author name"
|
@@ -136,4 +156,5 @@ end
|
|
136
156
|
|
137
157
|
class Comment::Jail < Safemode::Jail
|
138
158
|
allow :article, :text
|
159
|
+
allow_class_method :all
|
139
160
|
end
|
data/test/test_jail.rb
CHANGED
@@ -4,12 +4,17 @@ class TestJail < Test::Unit::TestCase
|
|
4
4
|
def setup
|
5
5
|
@article = Article.new.to_jail
|
6
6
|
@comment = @article.comments.first
|
7
|
+
@comment_class = Comment.to_jail
|
7
8
|
end
|
8
9
|
|
9
|
-
def
|
10
|
+
def test_explicitly_allowed_instance_methods_should_be_accessible
|
10
11
|
assert_nothing_raised { @article.title }
|
11
12
|
end
|
12
13
|
|
14
|
+
def test_explicitly_allowed_class_methods_should_be_accessible
|
15
|
+
assert_nothing_raised { @comment_class.all(1) }
|
16
|
+
end
|
17
|
+
|
13
18
|
def test_jail_instance_methods_should_be_accessible
|
14
19
|
assert_nothing_raised { @article.author_name }
|
15
20
|
end
|
@@ -29,6 +34,8 @@ class TestJail < Test::Unit::TestCase
|
|
29
34
|
def test_jail_classes_should_have_limited_methods
|
30
35
|
expected = ["new", "methods", "name", "inherited", "method_added",
|
31
36
|
"allow", "allowed?", "allowed_methods", "init_allowed_methods",
|
37
|
+
"allow_instance_method", "allow_class_method", "allowed_instance_method?",
|
38
|
+
"allowed_class_method?", "allowed_instance_methods", "allowed_class_methods",
|
32
39
|
"<", # < needed in Rails Object#subclasses_of
|
33
40
|
"ancestors", "==" # ancestors and == needed in Rails::Generator::Spec#lookup_class
|
34
41
|
]
|
@@ -49,7 +56,7 @@ class TestJail < Test::Unit::TestCase
|
|
49
56
|
private
|
50
57
|
|
51
58
|
def objects
|
52
|
-
[[], {}, 1..2, "a", :a, Time.now, 1, 1.0, nil, false, true]
|
59
|
+
[[], {}, 1..2, "a", :a, Time.now, 1, 1.0, nil, false, true, Comment]
|
53
60
|
end
|
54
61
|
|
55
62
|
def reject_pretty_methods(methods)
|
data/test/test_safemode_eval.rb
CHANGED
@@ -12,7 +12,7 @@ class TestSafemodeEval < Test::Unit::TestCase
|
|
12
12
|
def test_some_stuff_that_should_work
|
13
13
|
['"test".upcase', '10.succ', '10.times{}', '[1,2,3].each{|a| a + 1}',
|
14
14
|
'true ? 1 : 0', 'a = 1', 'if "a" != "b"; "true"; end',
|
15
|
-
'if "a" == "b"; "true"; end'].each do |code|
|
15
|
+
'if "a" == "b"; "true"; end', 'String.new'].each do |code|
|
16
16
|
assert_nothing_raised{ @box.eval code }
|
17
17
|
end
|
18
18
|
end
|
@@ -88,7 +88,7 @@ class TestSafemodeEval < Test::Unit::TestCase
|
|
88
88
|
call.gsub!('"', '\\\\"')
|
89
89
|
class_eval %Q(
|
90
90
|
def test_calling_#{call.gsub(/[\W]/, '_')}_should_raise_no_method
|
91
|
-
assert_raise_no_method "#{call}"
|
91
|
+
assert_raise_no_method "#{call}", @assigns, @locals
|
92
92
|
end
|
93
93
|
)
|
94
94
|
end
|
@@ -97,9 +97,9 @@ class TestSafemodeEval < Test::Unit::TestCase
|
|
97
97
|
call.gsub!('"', '\\\\"')
|
98
98
|
class_eval %Q(
|
99
99
|
def test_calling_#{call.gsub(/[\W]/, '_')}_should_raise_security
|
100
|
-
assert_raise_security "#{call}"
|
100
|
+
assert_raise_security "#{call}", @assigns, @locals
|
101
101
|
end
|
102
102
|
)
|
103
103
|
end
|
104
104
|
|
105
|
-
end
|
105
|
+
end
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: safemode
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.
|
4
|
+
version: 1.3.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Sven Fuchs
|
@@ -13,7 +13,7 @@ authors:
|
|
13
13
|
autorequire:
|
14
14
|
bindir: bin
|
15
15
|
cert_chain: []
|
16
|
-
date: 2017-
|
16
|
+
date: 2017-02-13 00:00:00.000000000 Z
|
17
17
|
dependencies:
|
18
18
|
- !ruby/object:Gem::Dependency
|
19
19
|
name: sexp_processor
|
@@ -224,7 +224,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
224
224
|
version: '0'
|
225
225
|
requirements: []
|
226
226
|
rubyforge_project:
|
227
|
-
rubygems_version: 2.
|
227
|
+
rubygems_version: 2.6.10
|
228
228
|
signing_key:
|
229
229
|
specification_version: 4
|
230
230
|
summary: A library for safe evaluation of Ruby code based on ParseTree/RubyParser
|