sandboxed_erb 0.2.0

data/profile/vs_erb.rb

@@ -0,0 +1,77 @@
+require '../test/helper.rb'
+require 'benchmark'
+
+str_template = <<-EOF
+<%
+i = 1
+%>
+<table>
+    <tr><th>Name</th><th>Email</th></tr>
+    <% for user in users %>
+        <tr>
+            <td><%=i%>: <%= user.name %></td><td><%= user.email %></td>
+        </tr>
+        <% i += 1 %>
+        <% end %>
+</table>
+EOF
+
+
+class User
+  
+  attr_accessor :name
+  attr_accessor :email
+  
+  sandboxed_methods :name, :email
+  
+  def initialize()
+    @name = 'xxxxx'
+    @email = 'yyyyy'    
+  end
+  
+  
+
+end
+
+users = []
+for i in 0...100
+  users << User.new
+end
+
+
+
+
+
+erb_compiled_template = SandboxedErb::Template.new.compile_erb_template(str_template)
+
+
+sandbox_compiled_template = SandboxedErb::Template.new
+
+#$DEBUG=true
+if !sandbox_compiled_template.compile(str_template)
+  puts sandbox_compiled_template.get_error
+  exit
+end
+
+#$DEBUG=false
+
+
+erb_result = eval(erb_compiled_template)
+
+sb_result = sandbox_compiled_template.run(nil, {:users=>users})
+
+
+if sb_result.nil?
+  puts sandbox_compiled_template.get_error
+  exit
+end
+      
+if erb_result != sb_result
+  puts erb_result
+  puts sb_result
+end
+
+Benchmark.bmbm do |x|
+  x.report("eval template") { 100.times do eval(erb_compiled_template); end }
+  x.report("sandboxed template")  { 100.times do sandbox_compiled_template.run(nil, {:users=>users}); end }
+end

data/profile/vs_liquid.rb

@@ -0,0 +1,95 @@
+require "rubygems"
+require 'liquid'
+
+
+require '../test/helper.rb'
+require 'benchmark'
+
+
+str_template = <<-EOF
+<table>
+    <tr><th>Name</th><th>Email</th></tr>
+    <% for user in users %>
+        <tr>
+        <td><%= user.name %></td><td><%= user.email %></td>
+        </tr>
+    <% end %>
+</table>
+EOF
+
+ltemplate = <<-EOF
+<table>
+    <tr><th>Name</th><th>Email</th></tr>
+    {% for user in users %}
+        <tr>
+        <td>{{ user.name }}</td><td>{{ user.email }}</td>
+        </tr>
+    {% endfor %}
+</table>
+EOF
+
+
+class User
+  
+  attr_accessor :name
+  attr_accessor :email
+  
+  sandboxed_methods :name, :email
+  liquid_methods :name, :email
+  
+  def initialize()
+    @name = 'xxxxx'
+    @email = 'yyyyy'    
+  end
+  
+  
+
+end
+
+users = []
+for i in 0...100
+  users << User.new
+end
+
+
+
+erb_compiled_template = SandboxedErb::Template.new.compile_erb_template(str_template)
+
+liquid_template = Liquid::Template.parse(ltemplate)
+
+sandbox_compiled_template = SandboxedErb::Template.new
+
+if !sandbox_compiled_template.compile(str_template)
+  puts sandbox_compiled_template.get_error
+  exit
+end
+
+
+
+erb_result = eval(erb_compiled_template)
+
+sb_result = sandbox_compiled_template.run(nil, {:users=>users})
+
+
+if sb_result.nil?
+  puts sandbox_compiled_template.get_error
+  exit
+end
+      
+if erb_result != sb_result
+  puts erb_result
+  puts sb_result
+end
+
+liquid_result = liquid_template.render({'users'=>users})
+
+if liquid_result != sb_result
+  puts liquid_result.inspect
+  puts sb_result.inspect
+end
+
+Benchmark.bmbm do |x|
+  x.report("eval template") { 100.times do eval(erb_compiled_template); end }
+  x.report("sandboxed template")  { 100.times do sandbox_compiled_template.run(nil, {:users=>users}); end }
+  x.report("liquid template") { 100.times do liquid_template.render({'users'=>users}); end }
+end

data/sandboxed_erb.gemspec

@@ -0,0 +1,79 @@
+# Generated by jeweler
+# DO NOT EDIT THIS FILE DIRECTLY
+# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = %q{sandboxed_erb}
+  s.version = "0.2.0"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["MarkPent"]
+  s.date = %q{2011-06-05}
+  s.description = %q{All your customers to extend your web application by exposing erb templates that can be safely run on your server within a sandbox.}
+  s.email = %q{mark.pent@gmail.com}
+  s.extra_rdoc_files = [
+    "LICENSE.txt",
+    "README.rdoc"
+  ]
+  s.files = [
+    ".document",
+    "Gemfile",
+    "LICENSE.txt",
+    "README.rdoc",
+    "Rakefile",
+    "VERSION",
+    "example/controller.rb",
+    "example/example.rb",
+    "example/listing.sbhtml",
+    "example/note.rb",
+    "example/users.rb",
+    "example/view_notes.sbhtml",
+    "lib/sandboxed_erb.rb",
+    "lib/sandboxed_erb/sandbox_methods.rb",
+    "lib/sandboxed_erb/system_mixins.rb",
+    "lib/sandboxed_erb/template.rb",
+    "lib/sandboxed_erb/tree_processor.rb",
+    "profile/vs_erb.rb",
+    "profile/vs_liquid.rb",
+    "sandboxed_erb.gemspec",
+    "test/helper.rb",
+    "test/test_compile_errors.rb",
+    "test/test_error_handling.rb",
+    "test/test_sandboxed_erb.rb",
+    "test/test_valid_templates.rb"
+  ]
+  s.homepage = %q{http://github.com/markpent/SandboxedERB}
+  s.licenses = ["MIT"]
+  s.require_paths = ["lib"]
+  s.rubygems_version = %q{1.7.2}
+  s.summary = %q{Run an erb template in a sandbox.}
+
+  if s.respond_to? :specification_version then
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
+      s.add_runtime_dependency(%q<partialruby>, [">= 0.2.0"])
+      s.add_runtime_dependency(%q<ruby_parser>, [">= 2.0.6"])
+      s.add_development_dependency(%q<shoulda>, [">= 0"])
+      s.add_development_dependency(%q<bundler>, ["~> 1.0.0"])
+      s.add_development_dependency(%q<jeweler>, ["~> 1.6.1"])
+      s.add_development_dependency(%q<rcov>, [">= 0"])
+    else
+      s.add_dependency(%q<partialruby>, [">= 0.2.0"])
+      s.add_dependency(%q<ruby_parser>, [">= 2.0.6"])
+      s.add_dependency(%q<shoulda>, [">= 0"])
+      s.add_dependency(%q<bundler>, ["~> 1.0.0"])
+      s.add_dependency(%q<jeweler>, ["~> 1.6.1"])
+      s.add_dependency(%q<rcov>, [">= 0"])
+    end
+  else
+    s.add_dependency(%q<partialruby>, [">= 0.2.0"])
+    s.add_dependency(%q<ruby_parser>, [">= 2.0.6"])
+    s.add_dependency(%q<shoulda>, [">= 0"])
+    s.add_dependency(%q<bundler>, ["~> 1.0.0"])
+    s.add_dependency(%q<jeweler>, ["~> 1.6.1"])
+    s.add_dependency(%q<rcov>, [">= 0"])
+  end
+end
+

data/test/helper.rb

@@ -0,0 +1,18 @@
+require 'rubygems'
+require 'bundler'
+begin
+  Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+  $stderr.puts e.message
+  $stderr.puts "Run `bundle install` to install missing gems"
+  exit e.status_code
+end
+require 'test/unit'
+require 'shoulda'
+
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+require 'sandboxed_erb'
+
+class Test::Unit::TestCase
+end

data/test/test_compile_errors.rb

@@ -0,0 +1,142 @@
+require 'helper'
+
+class TestCompileErrors < Test::Unit::TestCase
+  should "report insecure call during compile: global" do
+    str_template = "i shoudl not be
+    able to get
+    global: <%= $some_global_value %>
+    "
+    template = SandboxedErb::Template.new
+    assert_equal false, template.compile(str_template)
+    
+    assert_equal "Line 3: You cannot access global variables in a template", template.get_error
+  end
+  
+  should "report insecure call during compile: global asign" do
+    str_template = "i shoudl not be
+    able to get
+    global: <%= $some_global_value = 10 %>
+    "
+    template = SandboxedErb::Template.new
+    assert_equal false, template.compile(str_template)
+    
+    assert_equal "Line 3: You cannot assign global variables in a template", template.get_error
+  end
+  
+  should "report insecure call during compile: const" do
+    str_template = "i shoudl not be
+    able to get
+    global: <%= SOME_CONST %>
+    "
+    template = SandboxedErb::Template.new
+    assert_equal false, template.compile(str_template)
+    
+    assert_equal "Line 3: You cannot access a constant in a template", template.get_error
+  end
+  
+  should "report insecure call during compile: const assign" do
+    str_template = "i shoudl not be
+    able to get
+    global: <%= SOME_CONST = 10 %>
+    "
+    template = SandboxedErb::Template.new
+    assert_equal false, template.compile(str_template)
+    
+    assert_equal "Line 3: You cannot define a constant in a template", template.get_error
+  end
+  
+  should "report insecure call during compile: def" do
+    str_template = "i shoudl not be
+    able to get
+    <%
+    def invalid_func
+      
+    end
+    %>
+    "
+    template = SandboxedErb::Template.new
+    assert_equal false, template.compile(str_template)
+    assert_equal "Line 4: You cannot define a method in a template", template.get_error
+  end
+  
+  should "report insecure call during compile: module def" do
+    str_template = "i shoudl not be
+    able to get
+    <%
+    module Not
+      def invalid_func
+        
+      end
+    end
+    %>
+    "
+    template = SandboxedErb::Template.new
+    assert_equal false, template.compile(str_template)
+    
+    assert_equal "Line 4: You cannot define a module in a template", template.get_error
+  end
+  
+  should "report insecure call during compile: class def" do
+    str_template = "i shoudl not be
+    able to get
+    <%
+    class Not
+      def invalid_func
+        
+      end
+    end
+    %>
+    "
+    template = SandboxedErb::Template.new
+    assert_equal false, template.compile(str_template)
+    
+    assert_equal "Line 4: You cannot define a class in a template", template.get_error
+  end
+  
+  should "report insecure call during compile: member vars" do
+    str_template = "i shoudl not be
+    able to get
+    <%= @test %>
+    "
+    template = SandboxedErb::Template.new
+    assert_equal false, template.compile(str_template)
+    
+    assert_equal "Line 3: You cannot access instance members in a template", template.get_error
+  end
+  
+  should "report insecure call during compile: member var assign" do
+    str_template = "i shoudl not be
+    able to get
+    <% @test = 2 %>
+    "
+    template = SandboxedErb::Template.new
+    assert_equal false, template.compile(str_template)
+    
+    assert_equal "Line 3: You cannot assign instance members in a template", template.get_error
+  end
+  
+  
+  should "report insecure call during compile: cvar assign" do
+    str_template = "i shoudl not be
+    able to get
+    <% SomeClass.some_attr = 2 %>
+    "
+    template = SandboxedErb::Template.new
+    assert_equal false, template.compile(str_template)
+    assert_equal "Line 3: You cannot access a constant in a template", template.get_error
+  end
+  
+  
+  should "report compile errors" do
+    str_template = "i shoudl not be
+    able to get
+    <%
+    for x out of not
+    %>
+    "
+    template = SandboxedErb::Template.new
+    assert_equal false, template.compile(str_template)
+    
+    assert_match /compile error\nline:4: syntax error/, template.get_error
+  end
+end

data/test/test_error_handling.rb

@@ -0,0 +1,59 @@
+require 'helper'
+
+class TestErrorHandling < Test::Unit::TestCase
+  should "handle missing function of object" do
+    
+    class TestClass
+      sandboxed_methods :ok_to_call
+      
+      def ok_to_call
+        "A"
+      end
+      
+      def not_ok_to_call
+        "B"
+      end
+    end
+    
+    str_template = "not_ok_to_call = <%=tc.not_ok_to_call.some_other_thingo.and_this %>"
+    template = SandboxedErb::Template.new
+    template.compile(str_template)
+    assert_equal nil,template.run(nil, {:tc=>TestClass.new})
+
+    assert_equal "Error on line 1: Unknown method 'not_ok_to_call' on object 'TestErrorHandling::TestClass'", template.get_error
+
+  end
+  
+  should "handle missing functions" do
+    
+
+    str_template = "some method = <%=some_method_that_does_not_exist(1) %>"
+    template = SandboxedErb::Template.new
+    template.compile(str_template)
+    assert_equal nil,template.run(nil, {:tc=>TestClass.new})
+    
+    assert_equal "Error on line 1: Unknown method: some_method_that_does_not_exist", template.get_error
+
+  end
+  
+
+  should "report exceptions in mixins" do
+    
+    module MixinTest1
+      def test_mixin_method1(val)
+        raise "mixin exception"  
+      end
+    end
+
+    
+    str_template = "mixin = 
+    <%= test_mixin_method1('A') %>"
+    template = SandboxedErb::Template.new([MixinTest1])
+    assert_equal true, template.compile(str_template)
+    assert_equal nil, template.run(nil, {})
+    
+    assert_equal "Error on line 2: Error calling test_mixin_method1: mixin exception", template.get_error
+
+  end
+
+end