sandboxed_erb 0.2.0

data/lib/sandboxed_erb.rb

@@ -0,0 +1,45 @@
+=begin
+
+This file is part of the sandboxed_erb project, https://github.com/markpent/SandboxedERB
+
+Copyright (c) 2011 Mark Pentland <mark.pent@gmail.com>
+
+sandboxed_erb is free software: you can redistribute it and/or modify
+it under the terms of the gnu general public license as published by
+the free software foundation, either version 3 of the license, or
+(at your option) any later version.
+
+sandboxed_erb is distributed in the hope that it will be useful,
+but without any warranty; without even the implied warranty of
+merchantability or fitness for a particular purpose.  see the
+gnu general public license for more details.
+
+you should have received a copy of the gnu general public license
+along with shikashi.  if not, see <http://www.gnu.org/licenses/>.
+
+=end
+
+
+require "erb"
+require "partialruby"
+require "sandboxed_erb/template"
+require "sandboxed_erb/tree_processor"
+require "sandboxed_erb/sandbox_methods"
+require "sandboxed_erb/system_mixins"
+
+
+module SandboxedErb
+  class Error < ::StandardError #:nodoc: all
+  end
+  
+  class CompileError < Error #:nodoc: all
+  end
+  class CompileSecurityError < Error #:nodoc: all
+  end
+  class RuntimeError < Error #:nodoc: all
+  end
+  class RuntimeSecurityError < Error #:nodoc: all
+  end
+  class MissingMethodError < Error #:nodoc: all
+  end
+end

data/lib/sandboxed_erb/sandbox_methods.rb

@@ -0,0 +1,93 @@
+=begin
+
+This file is part of the sandboxed_erb project, https://github.com/markpent/SandboxedERB
+
+Copyright (c) 2011 Mark Pentland <mark.pent@gmail.com>
+
+sandboxed_erb is free software: you can redistribute it and/or modify
+it under the terms of the gnu general public license as published by
+the free software foundation, either version 3 of the license, or
+(at your option) any later version.
+
+sandboxed_erb is distributed in the hope that it will be useful,
+but without any warranty; without even the implied warranty of
+merchantability or fitness for a particular purpose.  see the
+gnu general public license for more details.
+
+you should have received a copy of the gnu general public license
+along with shikashi.  if not, see <http://www.gnu.org/licenses/>.
+
+=end
+
+#Adds the sandboxed_methods and not_sandboxed_methods to Module class so it is avialble to all classes.
+class Module
+  
+  #Specify what methods you want to be accessable from the sandbox.
+  #
+  #Example 
+  # class SomeClass
+  #   sandboxed_methods :some_method
+  #   def some_method
+  #     "this is ok to call"
+  #   end
+  # end
+  # 
+  #If the object has a method called set_sandbox_context, it will be passed the sandbox_context, which is a map containing the context passed to SandboxedErb::Template.run, as well as another entry keys to :locals which contains the locals map passed to run.
+  def sandboxed_methods(*allowed_methods)
+    _sb_allowed_methods_map = {}
+    allowed_methods.each { |meth|
+      _sb_allowed_methods_map[meth.to_s.intern] = true
+    }
+
+    define_method :_sbm do |meth, sandbox_context, *args|
+      if _sb_allowed_methods_map[meth]
+        self.set_sandbox_context(sandbox_context) if self.respond_to?(:set_sandbox_context)
+        begin
+          self.__send__(meth, *args)
+        rescue Exception=>e
+          raise "Error calling #{meth}: #{e.message}"
+        end
+      else
+        puts _sb_allowed_methods_map.inspect if $DEBUG
+        raise SandboxedErb::MissingMethodError, "Unknown method '#{meth}' on object '#{self.class.name}'"
+      end
+    end
+  end
+  
+  
+  #Shortcut to allow everything except a few methods
+  #
+  #This will not include any superclass methods unless  include_superclasses = true
+  #
+  #Example 
+  # class SomeClass
+  #   not_sandboxed_methods :unsafe_method
+  #   def some_method
+  #     "this is ok to call"
+  #   end
+  #   def unsafe_method
+  #     "this is NOT ok to call"
+  #   end
+  # end
+  def not_sandboxed_methods(include_superclasses = false, *disallowed_methods)
+
+    __the_methods_to_check = public_instance_methods(false)
+    if include_superclasses
+      clz = self.superclass
+      while !clz.nil?
+        unless clz == Object
+          __the_methods_to_check += clz.public_instance_methods(false)
+        end
+        clz = clz.superclass
+      end
+    end
+    
+    
+    __the_methods_to_check.uniq!
+    
+    sandboxed_methods(*__the_methods_to_check)
+    
+  end
+
+end
+

data/lib/sandboxed_erb/system_mixins.rb

@@ -0,0 +1,37 @@
+=begin
+
+This file is part of the sandboxed_erb project, https://github.com/markpent/SandboxedERB
+
+Copyright (c) 2011 Mark Pentland <mark.pent@gmail.com>
+
+sandboxed_erb is free software: you can redistribute it and/or modify
+it under the terms of the gnu general public license as published by
+the free software foundation, either version 3 of the license, or
+(at your option) any later version.
+
+sandboxed_erb is distributed in the hope that it will be useful,
+but without any warranty; without even the implied warranty of
+merchantability or fitness for a particular purpose.  see the
+gnu general public license for more details.
+
+you should have received a copy of the gnu general public license
+along with shikashi.  if not, see <http://www.gnu.org/licenses/>.
+
+=end
+
+
+#add sandboxed method to basic inbuilt objects
+
+String.not_sandboxed_methods true
+Fixnum.not_sandboxed_methods true
+Float.not_sandboxed_methods true
+Range.not_sandboxed_methods true
+Symbol.not_sandboxed_methods true
+Time.not_sandboxed_methods true
+Date.not_sandboxed_methods true
+DateTime.not_sandboxed_methods true
+NilClass.not_sandboxed_methods true
+Array.not_sandboxed_methods true
+Hash.not_sandboxed_methods true
+FalseClass.not_sandboxed_methods true
+TrueClass.not_sandboxed_methods true

data/lib/sandboxed_erb/template.rb

@@ -0,0 +1,224 @@
+=begin
+
+This file is part of the sandboxed_erb project, https://github.com/markpent/SandboxedERB
+
+Copyright (c) 2011 Mark Pentland <mark.pent@gmail.com>
+
+sandboxed_erb is free software: you can redistribute it and/or modify
+it under the terms of the gnu general public license as published by
+the free software foundation, either version 3 of the license, or
+(at your option) any later version.
+
+sandboxed_erb is distributed in the hope that it will be useful,
+but without any warranty; without even the implied warranty of
+merchantability or fitness for a particular purpose.  see the
+gnu general public license for more details.
+
+you should have received a copy of the gnu general public license
+along with shikashi.  if not, see <http://www.gnu.org/licenses/>.
+
+=end
+
+require "erb"
+require "partialruby"
+
+module SandboxedErb
+  
+#This class represents a template which can be compiled then run multiple times.
+#
+#When declaring a template, pass an array of Mixin classes to the contructor to allow the template access to the Mixin methods.
+#
+#Example
+# module ExampleHelper
+#   def format_date(date, format)
+#     if format == :short_date
+#       date.strftime("%d %b %Y %H:%M")
+#     else
+#       "unknown format: #{format}"
+#     end
+#   end
+#
+#    def current_time
+#      DateTime.now
+#    end
+# end
+#
+# template = SandboxedErb::Template.new([ExampleHelper])
+# #the template will now have access to the format_date() and current_time() helper function
+# template.compile('the date = <%=format_date(current_time, :short_date)%>')
+
+  class Template
+    
+    #minins is an array of helper classes which expose methods to the template 
+    def initialize(mixins = [])
+      @mixins = mixins.collect { |clz| "include #{clz.name}"}.join("\n")
+    end
+    
+    #compile the template
+    #
+    #if the template does not compile, false is returned and get_error should be called to get the compile error.
+    def compile(str_template)
+      
+      erb_template = compile_erb_template(str_template)
+      return false if erb_template.nil?
+      #we now have a normal compile erb template (which is just ruby code)
+      
+      sandboxed_compiled_template = sandbox_code(erb_template)
+      puts sandboxed_compiled_template if $DEBUG
+      return false if sandboxed_compiled_template.nil?
+      
+      @clazz_name = "SandboxedErb::TClass#{self.object_id}"
+      @file_name = "tclass_#{self.object_id}"
+      
+      clazz_str = <<-EOF
+      class #{@clazz_name} < SandboxedErb::TemplateBase
+        #{@mixins}
+        def run_internal()
+          #{sandboxed_compiled_template}
+        end
+      end
+      #{@clazz_name}.new
+      EOF
+      
+      begin
+        @template_runner = eval(clazz_str, nil, @file_name)
+      rescue Exception=>e
+        @error = "Invalid code generated: #{e.message}"
+        return false
+      end
+      
+      true
+      
+    end
+    
+    #run a compiled template
+    #* context: A map of context objects that will be available to helper functions and instance variables, and available to sandboxed objects through the set_sandbox_context callback.
+    #* locals: A map of local objects that will be available to the template, and available to sandboxed objects through the set_sandbox_context callback as the :locals entry.
+    #If the template runs successfully, the geneated content is returned. If an error occures, nil is returned and get_error should be called to get the error information.
+    def run(context, locals)
+      begin
+        @template_runner.run(context, locals)
+      rescue Exception=>e
+        @error = e.message
+        nil
+      end
+    end
+    
+    def compile_erb_template(str_template) #:nodoc:
+      ecompiler = ERB::Compiler.new(nil)
+      
+      ecompiler.put_cmd = "_erbout.concat"
+      ecompiler.insert_cmd = "_erbout.concat"
+  
+      cmd = []
+      cmd.push "_erbout = ''"
+      
+      ecompiler.pre_cmd = cmd
+  
+      cmd = []
+      cmd.push('_erbout')
+  
+      ecompiler.post_cmd = cmd
+      ecompiler.compile(str_template)
+    end
+    
+    def sandbox_code(erb_template) #:nodoc:
+      @error = nil
+      tree = nil
+      begin
+        tree = RubyParser.new.parse erb_template
+      rescue Exception=>e
+        #the message is pretty useless.. lets eval the code (it wont get executed because of the compile error)
+        begin
+          #extra bit of caution.. run in $SAFE=4
+          t = Thread.new {
+              $SAFE = 4
+              eval(erb_template, nil, "line")
+          }
+          t.join
+        rescue Exception=>e2
+          @error = e2.message
+          return nil
+        end
+        #if we got here then somehow code that would not compile using RubyParser eval'ed ok...
+        throw "SYSTEM ERROR: you may be owned! Code that should not be able to compile has run!"
+      end
+      begin
+        context = PartialRuby::PureRubyContext.new
+        tree_processor = SandboxedErb::TreeProcessor.new()
+        
+        tree = tree_processor.process(tree)
+        emulationcode = context.emul tree
+      rescue Exception=>e
+        @error = e.message
+        return nil
+      end
+      emulationcode
+    end
+    
+    def get_error
+      @error
+    end
+  end
+  
+  class TemplateBase #:nodoc: all
+    def initialize
+      @_allowed_methods = {}
+      self.class.included_modules.each { |mod|
+        unless mod == Kernel
+          mod.public_instance_methods.each { |m|
+            @_allowed_methods[m.intern] = true
+          }
+        end
+      }
+    end
+    
+    def run(context, locals)
+      context = {} if context.nil?
+      context[:locals] = locals
+      unless context.nil?
+        for k in context.keys
+          eval("@#{k} = context[k]")
+        end
+      end
+      @_sb_context = context
+      @_locals = locals
+      @_line = 1
+      begin
+        run_internal
+      rescue Exception=>e
+        raise "Error on line #{@_line}: #{e.message}"
+      ensure
+        #cleanup the context
+        unless context.nil?
+          for k in context.keys
+            eval("@#{k} = nil")
+          end
+        end
+         @_sb_context = nil
+         @_locals = nil
+      end
+    end
+    
+    def _get_local(*args)
+      target = args.shift
+      #check if the target is in the context
+      if @_locals[target]
+        @_locals[target]
+      elsif @_allowed_methods[target] #check if the target is defined in one of the mixin helper functions
+        begin
+          self.send(target, *args)
+        rescue Exception=>e
+          raise "Error calling #{target}: #{e.message}"
+        end
+      else
+        raise "Unknown method: #{target}"
+      end
+    end
+    
+    def _sln(line_no)
+      @_line = line_no
+    end
+  end
+
+end

data/lib/sandboxed_erb/tree_processor.rb

@@ -0,0 +1,215 @@
+=begin
+
+This file is part of the sandboxed_erb project, https://github.com/markpent/SandboxedERB
+
+Copyright (c) 2011 Mark Pentland <mark.pent@gmail.com>
+
+sandboxed_erb is free software: you can redistribute it and/or modify
+it under the terms of the gnu general public license as published by
+the free software foundation, either version 3 of the license, or
+(at your option) any later version.
+
+sandboxed_erb is distributed in the hope that it will be useful,
+but without any warranty; without even the implied warranty of
+merchantability or fitness for a particular purpose.  see the
+gnu general public license for more details.
+
+you should have received a copy of the gnu general public license
+along with shikashi.  if not, see <http://www.gnu.org/licenses/>.
+
+=end
+
+require "ruby_parser"
+require "partialruby"
+require "sexp_processor"
+
+module SandboxedErb
+  class TreeProcessor < SexpProcessor #:nodoc: all
+    
+    def initialize
+      super()
+      self.default_method = :fallback_process
+      self.require_empty = false
+      self.warn_on_default = false
+      
+      @hook_handler_name = "@_hook_handler".intern
+      @last_line_number = 0
+    end
+    
+    #we treat this same as a call
+    def process_attrasgn(tree)
+      process_call(tree)
+    end
+    
+    def process_call(tree)
+      puts tree.inspect if $DEBUG
+      if [:_sbm].include?(tree[2]) 
+        raise SandboxedErb::CompileSecurityError, "Line #{tree.line}: #{tree[2].to_s} is a reserved method"
+      elsif tree[1] && tree[1][0] == :lvar && tree[1][1] == :_erbout && tree[2] == :concat #optimisation:call concat on _erbout is safe... dont need to route through _sbm
+        add_line_number(tree, s(tree[0], tree[1], tree[2], process(tree[3])))
+      elsif tree[1] && tree[2] == :to_s && tree[3][0] == :arglist && tree[3].length == 1 #optimisation:call to_s on an object is safe... dont need to route through _sbm
+        add_line_number(tree, s(tree[0], process(tree[1]), tree[2], tree[3]))
+      elsif tree[1] 
+        #rewrite obj.call(arg1, arg2, argN) to obj._invoke_sbm(:call, arg1, arg2, argN)
+        args = [:arglist]
+        args << s(:lit, tree[2])
+        args << s(:ivar, "@_sb_context".intern)
+        for i in 1...tree[3].length
+          args << process(tree[3][i])
+        end
+        add_line_number(tree, s(:call, process(tree[1]), :_sbm, args))
+      else
+        #call on mixed in method or passed in variable 
+        receiver = s(:self)
+        #rewrite local_call(arg1, arg2, argN) to self._get_local(:local_call, arg1, arg2, argN)
+        args = [:arglist]
+        args << s(:lit, tree[2])
+        for i in 1...tree[3].length
+          args << tree[3][i]
+        end
+        add_line_number(tree, s(:call, s(:self), :_get_local, process(args)))
+      end
+    end
+    
+    #disallowed
+    
+    def process_iasgn(tree)
+      puts tree.inspect if $DEBUG
+      raise SandboxedErb::CompileSecurityError, "Line #{tree.line}: You cannot assign instance members in a template"
+    end
+    
+    def process_ivar(tree)
+      puts tree.inspect if $DEBUG
+      raise SandboxedErb::CompileSecurityError, "Line #{tree.line}: You cannot access instance members in a template"
+    end
+    
+    def process_cvasgn(tree)
+      puts tree.inspect if $DEBUG
+      raise SandboxedErb::CompileSecurityError, "Line #{tree.line}: You cannot assign class members in a template"
+    end
+    
+    def process_cvdecl(tree)
+      puts tree.inspect if $DEBUG
+      raise SandboxedErb::CompileSecurityError, "Line #{tree.line}: You cannot declare class members in a template"
+    end
+    
+    def process_cdecl(tree)
+      puts tree.inspect if $DEBUG
+      raise SandboxedErb::CompileSecurityError, "Line #{tree.line}: You cannot define a constant in a template"
+    end
+    
+    def process_const(tree)
+      puts tree.inspect if $DEBUG
+      raise SandboxedErb::CompileSecurityError, "Line #{tree.line}: You cannot access a constant in a template"
+    end
+     
+    def process_class(tree)
+      puts tree.inspect if $DEBUG
+      raise SandboxedErb::CompileSecurityError, "Line #{tree.line}: You cannot define a class in a template"
+    end
+    
+    def process_module(tree)
+      puts tree.inspect if $DEBUG
+      raise SandboxedErb::CompileSecurityError, "Line #{tree.line}: You cannot define a module in a template"
+    end
+    
+    def process_defn(tree)
+      puts tree.inspect if $DEBUG
+      raise SandboxedErb::CompileSecurityError, "Line #{tree.line}: You cannot define a method in a template"
+    end
+    
+    def process_defs(tree)
+      puts tree.inspect if $DEBUG
+      raise SandboxedErb::CompileSecurityError, "Line #{tree.line}: You cannot define a method in a template"
+    end
+    
+    def process_super(tree)
+      puts tree.inspect if $DEBUG
+      raise SandboxedErb::CompileSecurityError, "Line #{tree.line}: You cannot call super in a template"
+    end
+    
+    def process_gvar(tree)
+      puts tree.inspect if $DEBUG
+      raise SandboxedErb::CompileSecurityError, "Line #{tree.line}: You cannot access global variables in a template"
+    end
+    
+    def process_gasgn(tree)
+      puts tree.inspect if $DEBUG
+      raise SandboxedErb::CompileSecurityError, "Line #{tree.line}: You cannot assign global variables in a template"
+    end
+    
+    def process_xstr(tree)
+      puts tree.inspect if $DEBUG
+      raise SandboxedErb::CompileSecurityError, "Line #{tree.line}: You cannot make a system call in a template"
+    end
+    
+    def fallback_process(tree)
+      puts tree.inspect if $DEBUG
+      puts "Fallback called" if $DEBUG
+      raise SandboxedErb::CompileSecurityError, "Line #{tree.line}: Invalid call used: #{tree[0]}"
+    end
+    
+    
+    #allowed
+    
+    [[:block, true],[:lasgn, true],[:arglist, true],[:str, true],[:dstr, true],[:evstr, true],[:lit, true],[:lvar, true],[:for, true], [:while, true], [:do, true], [:if, true], [:case, true], [:when, true], [:array, true], [:hash, true]].each { |action, add_line_number|
+      if add_line_number
+        define_method "process_#{action}".intern do |tree|
+          puts tree.inspect if $DEBUG
+          add_line_number(tree, passthrough(tree))
+        end
+      else
+        define_method "process_#{action}".intern do |tree|
+          puts tree.inspect if $DEBUG
+          passthrough tree
+        end
+      end
+    }
+    
+    
+    
+  private
+  #taken from SexpProcessor: just process the tag by processing all nested tags, leaving current tag untouched...
+    def passthrough(exp)
+      result = self.expected.new
+      type = exp.first
+      exp_orig = nil
+
+      in_context type do
+        until exp.empty? do
+          sub_exp = exp.shift
+          sub_result = nil
+          if Array === sub_exp then
+            sub_result = error_handler(type, exp_orig) do
+              process(sub_exp)
+            end
+            raise "Result is a bad type" unless Array === sub_exp
+            raise "Result does not have a type in front: #{sub_exp.inspect}" unless Symbol === sub_exp.first unless sub_exp.empty?
+          else
+            sub_result = sub_exp
+          end
+          result << sub_result
+        end
+  
+        begin
+          result.sexp_type = exp.sexp_type
+        rescue Exception
+          # nothing to do, on purpose
+        end
+      end
+      result
+    end
+    
+    def add_line_number(original_tree, processed_tree)
+      if original_tree.respond_to?(:line) &&  @last_line_number != original_tree.line && !original_tree.line.nil?
+        puts "@last_line_number (#{@last_line_number}) != original_tree.line (#{original_tree.line})" if $DEBUG
+        @last_line_number = original_tree.line
+        s(:block, s(:call, nil, :_sln, s(:arglist, s(:lit, original_tree.line))), processed_tree)
+      else
+        processed_tree
+      end
+    end
+    
+  end
+end
+