secure 1.0.0 → 1.1.0
- data/.gitignore +2 -0
- data/README.md +2 -0
- data/lib/secure/child_process.rb +4 -1
- data/lib/secure/version.rb +1 -1
- data/spec/secure/runner_spec.rb +16 -0
- metadata +5 -5
data/.gitignore
CHANGED
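--- a/data/README.md
+++ b/data/README.md
@@ -37,6 +37,8 @@ Options:
 * :limit_cpu => This is the limit of how many cpu-seconds your process can use. MUST be an integer. This should be used as a fallback in case :timeout is not honored
 * :run_before => A block, or array of blocks that is run before your code is sandboxed. Be careful. Remember how lambdas are bound in ruby. Refer to this for more details: http://blog.sidu.in/2007/11/ruby-blocks-gotchas.html
 * :pipe_stdin, :pipe_stdout, :pipe_stderr => A File to pipe the stdin, out ond stderr to
+* :safe => An integer that represents the new safe mode (default 3)
+* :limit_files => Maximum file descriptor the block can open. If you want to say no files, set this to 0
 
 Errors:
 =======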
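--- a/data/lib/secure/child_process.rb
+++ b/data/lib/secure/child_process.rb
@@ -12,6 +12,8 @@ module Secure
 @pipe_stderr = opts[:pipe_stderr]
 @pipe_stdin = opts[:pipe_stdin]
 @run_before = opts[:run_before]
+@safe_value = opts[:safe] || 3
+@limit_files = opts[:limit_files]
 end
 
 def guard_threads
@@ -21,6 +23,7 @@ module Secure
 def set_resource_limits
 Process::setrlimit(Process::RLIMIT_AS, @limit_memory) if @limit_memory
 Process::setrlimit(Process::RLIMIT_CPU, @limit_cpu, 2 + @limit_cpu) if @limit_cpu
+Process::setrlimit(Process::RLIMIT_NOFILE, @limit_files, @limit_files) if @limit_files
 end
 
 def redirect_files
@@ -43,7 +46,7 @@ module Secure
 redirect_files
 thread = Thread.start do
 run_before_methods
-$SAFE=
+$SAFE = @safe_value
 yield
 end
 decorate_with_guard_threads(thread)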
data/lib/secure/version.rb
CHANGED
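--- a/data/spec/secure/runner_spec.rb
+++ b/data/spec/secure/runner_spec.rb
@@ -57,6 +57,14 @@ module Secure
 response.should be_success
 $SAFE.should == 0
 end
+
+it "can change the safe value if needed" do
+response = Runner.new(:safe => 0).run do
+$SAFE
+end
+response.should be_success
+response.value.should == 0
+end
 end
 
 context "security violations" do
@@ -104,6 +112,14 @@ module Secure
 response.error.should be_a(Secure::ChildKilledError)
 end
 
+it "kills a process running trying to open a file" do
+response = Runner.new(:safe => 0, :limit_files => 0).run do
+File.read(__FILE__)
+end
+response.should_not be_success
+response.error.should be_a(Errno::EMFILE)
+end
+
 it "should not be able to open a file" do
 response = Runner.new.run do
 File.open("/etc/passwd")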
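Review bot: The example added in the second hunk is described as `kills a process running trying to open a file`, but its assertion is `response.error.should be_a(Errno::EMFILE)`, so it pins that the block raises when it opens a file, not that the child is killed; a description such as `it "raises Errno::EMFILE when the block opens a file and :limit_files is 0" do` would match what is checked. Both new examples pass `:safe => 0`, so nothing here exercises `:limit_files` at the default safe level, and nothing checks that the default stays at 3 when `:safe` is omitted. An example that returns `$SAFE` from `Runner.new.run` and expects `response.value.should == 3` would presumably close the second gap. The enclosing `context` and `describe` blocks start and end outside the hunks.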
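--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: secure
 version: !ruby/object:Gem::Version
-version: 1.
+version: 1.1.0
 prerelease:
 platform: ruby
 authors:
@@ -13,7 +13,7 @@ date: 2011-10-26 00:00:00.000000000Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rspec
-requirement: &
+requirement: &70276562098440 !ruby/object:Gem::Requirement
 none: false
 requirements:
 - - ~>
@@ -21,10 +21,10 @@ dependencies:
 version: '2.6'
 type: :development
 prerelease: false
-version_requirements: *
+version_requirements: *70276562098440
 - !ruby/object:Gem::Dependency
 name: rake
-requirement: &
+requirement: &70276562098020 !ruby/object:Gem::Requirement
 none: false
 requirements:
 - - ! '>='
@@ -32,7 +32,7 @@ dependencies:
 version: '0'
 type: :development
 prerelease: false
-version_requirements: *
+version_requirements: *70276562098020
 description: see summary
 email:
 - tejas@gja.in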