sandboxed_erb 0.2.0

data/test/test_sandboxed_erb.rb

@@ -0,0 +1,230 @@
+require 'helper'
+
+class TestSandboxedErb < Test::Unit::TestCase
+  should "compile an erb template" do
+    compiled_template = SandboxedErb::Template.new.compile_erb_template("Hello World, 1 + 1 = <%= 1 + 1 %>.")
+    assert_equal '_erbout = \'\'; _erbout.concat "Hello World, 1 + 1 = "; _erbout.concat(( 1 + 1 ).to_s); _erbout.concat "."; _erbout', compiled_template
+  end
+  
+  should "sandbox a basic compiled template" do
+    compiled_template = '_erbout = \'\'; _erbout.concat "Hello World, 1 + 1 = "; _erbout.concat(( 1 + 1 ).to_s); _erbout.concat "."; _erbout'
+    sandboxed_template = SandboxedErb::Template.new.sandbox_code(compiled_template)
+  end
+  
+  should "fully compile a basic template" do
+    template = SandboxedErb::Template.new
+    template.compile("Hello World, 1 + 1 = <%= 1 + 1 %>.")
+  end
+  
+  should "fully compile and run a basic template" do
+    template = SandboxedErb::Template.new
+    template.compile("Hello World, 1 + 1 = <%= 1 + 1 %>.")
+    
+    result = template.run(nil, {})
+    
+    assert_equal "Hello World, 1 + 1 = 2.", result
+  end
+  
+  should "be able to access local variables" do
+    data = { :key1 =>"A", :key2=>"B" }
+    str_template = "the value for key1 is <%=data[:key1] %> and key2 is <%=data[:key2] %>"
+    template = SandboxedErb::Template.new
+    template.compile(str_template)
+    result = template.run(nil, {:data=>data})
+    assert_equal "the value for key1 is A and key2 is B", result
+  end
+  
+  should "be able to sandbox a class" do
+    
+    class TestClass
+      sandboxed_methods :ok_to_call
+      
+      def ok_to_call
+        "A"
+      end
+      
+      def not_ok_to_call
+        "B"
+      end
+    end
+    
+    tc = TestClass.new
+    assert_equal "A", tc._sbm(:ok_to_call)
+    
+    
+    assert_raise(SandboxedErb::MissingMethodError) {
+      tc._sbm(:not_ok_to_call).to_s
+    } 
+    
+  end
+  
+  
+  should "be able to access sandboxed class in template" do
+    
+    class TestClass
+      sandboxed_methods :ok_to_call
+      
+      def ok_to_call
+        "A"
+      end
+      
+      def not_ok_to_call
+        "B"
+      end
+    end
+    
+    str_template = "ok_to_call = <%=tc.ok_to_call %>"
+    template = SandboxedErb::Template.new
+    template.compile(str_template)
+    result = template.run(nil, {:tc=>TestClass.new})
+    
+    assert_equal "ok_to_call = A", result
+  end
+  
+
+  should "report insecure call during run: method" do
+    str_template = "i shoudl not be
+    able to get
+    <%
+    eval('something')
+    %>
+    "
+    template = SandboxedErb::Template.new
+    assert_equal true, template.compile(str_template)
+    assert_equal nil, template.run(nil, {})
+    
+    assert_equal "Error on line 4: Unknown method: eval", template.get_error
+  end
+  
+  should "not be able to call Object methods: object_id" do
+    str_template = "test=<%=test_object.object_id%>"
+    
+    class TestObject
+      sandboxed_methods :valid_method
+      def valid_method
+        "ABC"  
+      end
+    end
+    
+    template = SandboxedErb::Template.new
+    assert_equal true, template.compile(str_template)
+    assert_equal nil, template.run(nil, {:test_object=>TestObject.new})
+    
+    assert_equal "Error on line 1: Unknown method 'object_id' on object 'TestSandboxedErb::TestObject'", template.get_error
+  end
+  
+  should "not be able to call Object methods: send" do
+    str_template = "test=<%=test_object.__send__(:valid_method)%>"
+    
+    class TestObject
+      sandboxed_methods :valid_method
+      def valid_method
+        "ABC"  
+      end
+    end
+    
+    template = SandboxedErb::Template.new
+    assert_equal true, template.compile(str_template)
+    assert_equal nil, template.run(nil, {:test_object=>TestObject.new})
+    
+    assert_equal "Error on line 1: Unknown method '__send__' on object 'TestSandboxedErb::TestObject'", template.get_error
+  end
+  
+  
+  should "not be able to call Object methods on literal values" do
+    str_template = "test=<%=2.__send__(:object_id)%>"
+    
+
+    template = SandboxedErb::Template.new
+    assert_equal true, template.compile(str_template)
+    assert_equal nil, template.run(nil, {})
+    
+    assert_equal "Error on line 1: Unknown method '__send__' on object 'Fixnum'", template.get_error
+  end
+  
+  should "not be able to set attributes of objects" do
+    str_template = "test <%test_object.valid_method='ABC'%>"
+    
+    class TestObject
+      sandboxed_methods :valid_method
+      def valid_method
+        "ABC"  
+      end
+    end
+    
+    template = SandboxedErb::Template.new
+    assert_equal true, template.compile(str_template)
+    assert_equal nil, template.run(nil, {:test_object=>TestObject.new})
+    assert_equal "Error on line 1: Unknown method 'valid_method=' on object 'TestSandboxedErb::TestObject'", template.get_error
+  end
+  
+  
+  should "allow mixins" do
+    
+    module MixinTest
+      def test_mixin_method(val)
+        "TEST #{val}"  
+      end
+    end
+    
+    str_template = "mixin = <%= test_mixin_method(1) %>"
+    template = SandboxedErb::Template.new([MixinTest])
+    assert_equal true, template.compile(str_template)
+    result = template.run(nil, {})
+    
+    assert_equal "mixin = TEST 1", result
+
+  end
+  
+  should "allow multiple mixins" do
+    
+    module MixinTest1
+      def test_mixin_method1(val)
+        "TEST #{val}"  
+      end
+    end
+    
+    module MixinTest2
+      def test_mixin_method2(val)
+        "TEST #{val}"  
+      end
+    end
+    
+    str_template = "mixin = <%= test_mixin_method1(test_mixin_method2('A')) %>"
+    template = SandboxedErb::Template.new([MixinTest1, MixinTest2])
+    assert_equal true, template.compile(str_template)
+    result = template.run(nil, {})
+    
+    assert_equal "mixin = TEST TEST A", result
+
+  end
+  
+  should "access context objects from mixins" do
+    
+    module MixinTest
+      def test_mixin_method
+        "TEST #{@controller.some_value}"  
+      end
+    end
+    
+    class FauxController
+      def some_value
+        "ABC"  
+      end
+    end
+    
+    faux_controller = FauxController.new
+    
+    str_template = "mixin = <%= test_mixin_method %>"
+    template = SandboxedErb::Template.new([MixinTest])
+    assert_equal true, template.compile(str_template)
+    result = template.run({:controller=>faux_controller}, {})
+    
+    assert_equal "mixin = TEST ABC", result
+
+  end
+  
+  
+  
+  
+end

data/test/test_valid_templates.rb

@@ -0,0 +1,170 @@
+require 'helper'
+
+class TestValidTemplates < Test::Unit::TestCase
+  
+  should "allow for loop" do
+    str_template = "<%for i in 0..3 do %><%=i%><%end%>"
+    
+    
+    template = SandboxedErb::Template.new
+    result = template.compile(str_template)
+
+    assert_equal nil, template.get_error
+    
+    assert_equal true, result
+    
+    result = template.run(nil,{})
+    
+    assert_equal nil, template.get_error
+    assert_equal "0123", result
+  end
+  
+  should "allow whole loop" do
+    str_template = "<%
+    i=0
+    while i <= 3 do %><%=i%><% i+=1
+    end%>"
+
+    template = SandboxedErb::Template.new
+    result = template.compile(str_template)
+
+    assert_equal nil, template.get_error
+    
+    assert_equal true, result
+    
+    result = template.run(nil,{})
+    
+    assert_equal nil, template.get_error
+    assert_equal "0123", result
+  end
+  
+  
+  should "allow if statement" do
+    str_template = "<% 
+    i=0
+    if i > 10 %>1<%else%>2<%end%>"
+
+    template = SandboxedErb::Template.new
+    result = template.compile(str_template)
+
+    assert_equal nil, template.get_error
+    
+    assert_equal true, result
+    
+    result = template.run(nil,{})
+    
+    assert_equal nil, template.get_error
+    assert_equal "2", result
+  end
+  
+  should "allow unless statement" do
+    str_template = "<% 
+    i=0
+    unless i > 10 %>1<%else%>2<%end%>"
+
+    template = SandboxedErb::Template.new
+    result = template.compile(str_template)
+    assert_equal nil, template.get_error
+    
+    assert_equal true, result
+    
+    result = template.run(nil,{})
+    
+    assert_equal nil, template.get_error
+    assert_equal "1", result
+  end
+  
+  should "allow case statement" do
+    str_template = "<% 
+    i=3
+    case i
+    when 0...3: %>1<%
+    when 4..100: %>2<%
+    when 2...4:%>3<%
+    else %>4<%
+    end%>"
+
+    template = SandboxedErb::Template.new
+    result = template.compile(str_template)
+    assert_equal nil, template.get_error
+    
+    assert_equal true, result
+    
+    result = template.run(nil,{})
+    
+    assert_equal nil, template.get_error
+    assert_equal "3", result
+  end
+  
+  should "allow defining array" do
+    str_template = "<% 
+    test = [1,2,3,4]
+    %><%=test[2]%>"
+
+    template = SandboxedErb::Template.new
+    result = template.compile(str_template)
+    assert_equal nil, template.get_error
+    
+    assert_equal true, result
+    
+    result = template.run(nil,{})
+    
+    assert_equal nil, template.get_error
+    assert_equal "3", result
+  end
+  
+  should "allow setting array value" do
+    str_template = "<% 
+    test = [1,2,3,4]
+    test[2] = 8
+    %><%=test[2]%>"
+
+    template = SandboxedErb::Template.new
+    result = template.compile(str_template)
+    assert_equal nil, template.get_error
+    
+    assert_equal true, result
+    
+    result = template.run(nil,{})
+    
+    assert_equal nil, template.get_error
+    assert_equal "8", result
+  end
+  
+  should "allow defining hash" do
+    str_template = "<% 
+    test = {1=>2,2=>3,3=>4,4=>5}
+    %><%=test[2]%>"
+
+    template = SandboxedErb::Template.new
+    result = template.compile(str_template)
+    assert_equal nil, template.get_error
+    
+    assert_equal true, result
+    
+    result = template.run(nil,{})
+    
+    assert_equal nil, template.get_error
+    assert_equal "3", result
+  end
+  
+  should "allow setting hash value" do
+    str_template = "<% 
+    test = {1=>2,2=>3,3=>4,4=>5}
+    test[2] = 8
+    %><%=test[2]%>"
+
+    template = SandboxedErb::Template.new
+    result = template.compile(str_template)
+    assert_equal nil, template.get_error
+    
+    assert_equal true, result
+    
+    result = template.run(nil,{})
+    
+    assert_equal nil, template.get_error
+    assert_equal "8", result
+  end
+  
+  
+end

metadata

@@ -0,0 +1,181 @@
+--- !ruby/object:Gem::Specification 
+name: sandboxed_erb
+version: !ruby/object:Gem::Version 
+  hash: 23
+  prerelease: 
+  segments: 
+  - 0
+  - 2
+  - 0
+  version: 0.2.0
+platform: ruby
+authors: 
+- MarkPent
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2011-06-05 00:00:00 Z
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 23
+        segments: 
+        - 0
+        - 2
+        - 0
+        version: 0.2.0
+  version_requirements: *id001
+  name: partialruby
+  prerelease: false
+  type: :runtime
+- !ruby/object:Gem::Dependency 
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 2
+        - 0
+        - 6
+        version: 2.0.6
+  version_requirements: *id002
+  name: ruby_parser
+  prerelease: false
+  type: :runtime
+- !ruby/object:Gem::Dependency 
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  version_requirements: *id003
+  name: shoulda
+  prerelease: false
+  type: :development
+- !ruby/object:Gem::Dependency 
+  requirement: &id004 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 23
+        segments: 
+        - 1
+        - 0
+        - 0
+        version: 1.0.0
+  version_requirements: *id004
+  name: bundler
+  prerelease: false
+  type: :development
+- !ruby/object:Gem::Dependency 
+  requirement: &id005 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 13
+        segments: 
+        - 1
+        - 6
+        - 1
+        version: 1.6.1
+  version_requirements: *id005
+  name: jeweler
+  prerelease: false
+  type: :development
+- !ruby/object:Gem::Dependency 
+  requirement: &id006 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  version_requirements: *id006
+  name: rcov
+  prerelease: false
+  type: :development
+description: All your customers to extend your web application by exposing erb templates that can be safely run on your server within a sandbox.
+email: mark.pent@gmail.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- LICENSE.txt
+- README.rdoc
+files: 
+- .document
+- Gemfile
+- LICENSE.txt
+- README.rdoc
+- Rakefile
+- VERSION
+- example/controller.rb
+- example/example.rb
+- example/listing.sbhtml
+- example/note.rb
+- example/users.rb
+- example/view_notes.sbhtml
+- lib/sandboxed_erb.rb
+- lib/sandboxed_erb/sandbox_methods.rb
+- lib/sandboxed_erb/system_mixins.rb
+- lib/sandboxed_erb/template.rb
+- lib/sandboxed_erb/tree_processor.rb
+- profile/vs_erb.rb
+- profile/vs_liquid.rb
+- sandboxed_erb.gemspec
+- test/helper.rb
+- test/test_compile_errors.rb
+- test/test_error_handling.rb
+- test/test_sandboxed_erb.rb
+- test/test_valid_templates.rb
+homepage: http://github.com/markpent/SandboxedERB
+licenses: 
+- MIT
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.7.2
+signing_key: 
+specification_version: 3
+summary: Run an erb template in a sandbox.
+test_files: []
+