web_sandbox_console 0.1.0 → 0.6.0

data/app/views/web_sandbox_console/home/view_file.html.erb

@@ -0,0 +1,39 @@
+<h3>查看文件</h3>
+<div class="view_file">
+  <%= form_tag do_view_file_path, method: :post, remote: true do %>
+    <table>
+      <tr>
+        <td>文件/目录路径</td>
+        <td>
+          <%= text_field_tag :file_or_dir, nil, class: 'file_or_dir', placeholder: '请输入文件路径...'%>
+        </td>
+        <td>起始行数</td>
+        <td><%= text_field_tag :start_line_num, nil, class: 'h30', placeholder: '默认从第1行开始...' %></td>
+        <td>结束行数</td>
+        <td><%= text_field_tag :end_line_num, nil, class: 'h30', placeholder: '默认从第100行结束...' %></td>
+        
+      </tr>
+      <tr>
+        <td>过滤内容</td>
+        <td>
+          <%= text_field_tag :grep_content, nil, class: 'file_or_dir' %>
+        </td>
+        <td>过滤开始时间</td>
+        <td><%= text_field_tag :sed_start_time, nil, class: 'h30', placeholder: Time.current.strftime("%F %T") %></td>
+        
+        <td>过滤结束时间</td>
+        <td><%= text_field_tag :sed_end_time, nil, class: 'h30', placeholder: Time.current.strftime("%F %T") %></td>
+        <td><%= submit_tag '提交', data: { disable_with: "已发送，处理中..." }, class: 'view-file-button' %></td>
+      </tr>
+    </table>
+  <% end %>
+  <span class="tip">注意：过滤时将忽略筛选行数;过滤内容中不能出现单引号</span>
+</div>
+
+<div class="output-content">
+
+</div>
+
+<style type="text/css">
+  
+</style>

data/config/routes.rb

@@ -2,4 +2,16 @@ WebSandboxConsole::Engine.routes.draw do
   root "home#index"
 
   post :eval_code, to: "home#eval_code"
+  get :view_file, to: "home#view_file"
+  post :do_view_file, to: "home#do_view_file"
+
+  # 授权相关
+  get :fetch_token, to: "authorization#fetch_token"
+  get :auth_page, to: "authorization#auth_page"
+  post :auth, to: "authorization#auth"
+
+  # 文件下载
+  get :download_page, to: "home#download_page"
+  get :download, to: "home#download"
 end
+

data/lib/generators/web_sandbox_console/templates/web_sandbox_console.rb

@@ -1,3 +1,8 @@
+require 'yaml'
+
+config_file_path = "#{Rails.root}/config/web_sandbox_console.yml"
+config_hash = File.exists?(config_file_path) ? YAML.load_file(config_file_path).with_indifferent_access[:web_sandbox_console] : {}
+
 # web_sandbox_console 配置文件 
 # 以下配置 都是可选的 缺少的情况下用默认值 或者 不生效
 WebSandboxConsole.setup do |config|
@@ -7,8 +12,10 @@ WebSandboxConsole.setup do |config|
   # 配置 ip 白名单
   # config.ip_whitelist = %w(192.168.23.12 192.145.2.0/24)
 
-  # # 配置 基本认证
-  # config.http_basic_auth = {name: 'dmy', password: '123456'}
+  # 配置 基本认证 在 config/web_sandbox_console.yml中配置
+  # PS: 1. 即使config/web_sandbox_console.yml文件不存在，也不会有任何使用上的影响,效果相当于没有开启
+  #     2. 下面这行不用注释掉，只要不配置yml文件就行
+  config.http_basic_auth = config_hash[:http_basic_auth]
 
   # # 配置 黑名单 类方法
   # config.class_method_blacklist = {File: %i(delete read write),Dir: %i(new delete mkdir)}
@@ -16,7 +23,17 @@ WebSandboxConsole.setup do |config|
   # # 配置 黑名单 实例方法
   # config.instance_method_blacklist = {Kernel: %i(system exec `),File: %i(chmod chown)}
 
+  # 文件黑名单列表 （如果是目录 则目录下所有文件都不可用）目录以 / 结尾
+  # 默认都是项目路径下的
+  # config.view_file_blacklist = %w(config/secrets.yml vendor/)
+
+  # 配置 文件权限，是否仅能查看log文件,默认开启
+  #config.only_view_log_file = false
+
+  # 通过非对称加密方式 升级权限，授权通过后，可获得执行数据权限（PS: 数据操作不再回滚）
+  # PS：配置同 http_basic_auth
+  config.public_key = config_hash[:public_key]
+
   # # 配置 日志路径 默认路径位于项目下
   # config.console_log_path = "log/web_sandbox_console.log"
 end
-

data/lib/generators/web_sandbox_console/templates/web_sandbox_console.yml

@@ -0,0 +1,5 @@
+web_sandbox_console:
+  http_basic_auth:
+    name: dmy
+    password: 123456
+  public_key: "-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDMbJOE1vQT1jFpaH1GPYzdRJN/\nLh8VePmzXs5BYOLHB0xIjArL1NlXMbCJ+AS2rv3/oHIOdHhEuZw0tmm9DhG100R8\nRjBpsEKCDI88jl9qRkFmD3CVk8XQXv6c2IkRZCYSTvgDkmnKAlORksfw+p0cR2AQ\nlAtAsNsNviKYBzXKfQIDAQAB\n-----END PUBLIC KEY-----\n"

data/lib/generators/web_sandbox_console/web_sandbox_console_generator.rb

@@ -5,4 +5,9 @@ class WebSandboxConsoleGenerator < Rails::Generators::Base
     # 源文件 目标位置
     copy_file "web_sandbox_console.rb", "config/initializers/web_sandbox_console.rb"
   end
+
+  # 生成配置yaml文件
+  def copy_config_file
+    copy_file "web_sandbox_console.yml", "config/web_sandbox_console.yml.example"
+  end
 end

data/lib/web_sandbox_console.rb

@@ -1,8 +1,12 @@
+require 'fileutils'
 require "web_sandbox_console/engine"
+require "web_sandbox_console/sandbox_error"
 require "web_sandbox_console/configuration"
 require "web_sandbox_console/common.rb"
 require "web_sandbox_console/safe_ruby"
 require "web_sandbox_console/sandbox"
+require "web_sandbox_console/view_file_error"
+require "web_sandbox_console/view_file"
 
 
 module WebSandboxConsole

data/lib/web_sandbox_console/common.rb

@@ -1,17 +1,38 @@
 module WebSandboxConsole
   module Common
-    # uuid 方便取出日志
-    def log_p(msg_or_exce, uuid = nil)
-      @logger ||= Logger.new(log_path)
+    
+    def current_uuid(uuid=nil)
+      @uuid ||= uuid
+    end
+
+    # logger sql语句
+    def logger_sql
+      logger = fetch_logger
+      logger.level = 0
+      logger.formatter = proc {|severity, time, progname, msg|  "#{current_uuid}: #{msg}\n"}
+      ActiveRecord::Base.logger = logger
+    end
 
-      if msg_or_exce.respond_to?(:message)
-        @logger.info "#{uuid}:" + msg_or_exce.message 
-        @logger.info "#{uuid}:" + msg_or_exce.backtrace.join("|||")
-      else
-        @logger.info "#{uuid}:" + msg_or_exce.inspect
+    # uuid 方便取出日志
+    def log_p(msg_or_exce, is_general_text = false)
+      uuid   = current_uuid
+      logger = fetch_logger
+      
+      if msg_or_exce.respond_to?(:message) # 异常
+        logger.info "#{uuid}:" + msg_or_exce.message 
+        logger.info "#{uuid}:" + msg_or_exce.backtrace.join("|||")
+      elsif is_general_text  # 普通文本
+        logger.info "#{uuid}:" + msg_or_exce.inspect
+      else                   # 返回值
+        logger.info "#{uuid}: => " + msg_or_exce.inspect
       end
     end
 
+    # 获取 logger
+    def fetch_logger
+      @logger ||= Logger.new(log_path, 'daily')
+    end
+
     def log_path
       "#{Rails.root}/#{self.console_log_path || "log/web_sandbox_console.log"}"
     end

data/lib/web_sandbox_console/configuration.rb

@@ -9,13 +9,21 @@ module WebSandboxConsole
   mattr_accessor :class_method_blacklist
   # 实例方法 黑名单 hash
   mattr_accessor :instance_method_blacklist
+  # 文件列表 黑名单
+  mattr_accessor :view_file_blacklist
+  # 仅能查看日志文件
+  mattr_accessor :only_view_log_file
   # 日志路径
   mattr_accessor :console_log_path
   # 挂载 引擎路由位置
   mattr_accessor :mount_engine_route_path
+  # 公钥
+  mattr_accessor :public_key
 
   # 默认 引擎路由位置
   @@mount_engine_route_path = '/web_sandbox_console'
+  # 默认 开启仅可查看日志
+  @@only_view_log_file = true
  
   # 内置 实例方法 黑名单
   INSTANT_METOD_BUILT_IN_BLACKLIST = {
@@ -26,7 +34,7 @@ module WebSandboxConsole
   # 内置 类方法 黑名单
   CLASS_METHOD_BUILT_IN_BLACKLIST = {
     Kernel: %i(system exec `),
-    File: %i(chmod chown new open delete read write),
+    File: %i(chmod chown new delete read write open),
     Dir: %i(new delete mkdir)
   }
 

data/lib/web_sandbox_console/safe_ruby.rb

@@ -5,17 +5,16 @@ module WebSandboxConsole
       sanitize_constants
       sanitize_instance_methods
       sanitize_class_methods
+      sanitize_logger_new
+      sanitize_csv
+      compatible_file_cache
+      compatible_i18n_translate
+      blacklist_method_remind
     end
 
     # 净化 类方法
     def sanitize_class_methods
-      blacklist = if class_method_blacklist
-        merge_method_hash(CLASS_METHOD_BUILT_IN_BLACKLIST, class_method_blacklist)
-      else
-        CLASS_METHOD_BUILT_IN_BLACKLIST
-      end
-
-      blacklist.each do |klass, methods|
+      class_method_blacklists.each do |klass, methods|
         klass = Object.const_get(klass)
         methods.each do |method|
           next if klass.singleton_methods.exclude?(method)
@@ -26,13 +25,7 @@ module WebSandboxConsole
 
     # 净化 实例方法
     def sanitize_instance_methods
-      blacklist = if instance_method_blacklist
-        merge_method_hash(INSTANT_METOD_BUILT_IN_BLACKLIST,instance_method_blacklist)
-      else
-        INSTANT_METOD_BUILT_IN_BLACKLIST
-      end
-
-      blacklist.each do |klass, methods|
+      instance_method_blacklists.each do |klass, methods|
         klass = Object.const_get(klass)
         methods.each do |method|
           next if (klass != Kernel) && klass.instance_methods.exclude?(method)
@@ -41,6 +34,24 @@ module WebSandboxConsole
       end
     end
 
+    # 类方法黑名单列表
+    def class_method_blacklists
+      blacklist = if class_method_blacklist
+        merge_method_hash(CLASS_METHOD_BUILT_IN_BLACKLIST, class_method_blacklist)
+      else
+        CLASS_METHOD_BUILT_IN_BLACKLIST
+      end
+    end
+
+    # 实例方法黑名单列表
+    def instance_method_blacklists
+      blacklist = if instance_method_blacklist
+        merge_method_hash(INSTANT_METOD_BUILT_IN_BLACKLIST,instance_method_blacklist)
+      else
+        INSTANT_METOD_BUILT_IN_BLACKLIST
+      end
+    end
+
     # 净化 常量
     def sanitize_constants
       return unless constant_blacklist
@@ -52,13 +63,13 @@ module WebSandboxConsole
     # 将两个hash 内部数组也同时合并，并去重
     def merge_method_hash(hash1, hash2)
       # 格式统一
-      hash2.transform_keys!(&:to_sym).transform_values!{|val_arr| val_arr.map{|val| val.to_sym}}
+      hash2.transform_keys!(&:to_sym).transform_keys!(&:to_sym).transform_values!{|i| i.map(&:to_sym)}
       # 共有的key 
       common_keys = hash2.keys & hash1.keys
       # hash2 特有keys
       hash2_special_keys = hash2.keys - hash1.keys
       # 特有keys 直接合到 hash1
-      hash1.merge!(hash2.slice(hash2_special_keys))
+      hash1.merge!(hash2.slice(*hash2_special_keys))
       # 共用keys 数组去重
       common_keys.each do |key|
         hash1[key] = (hash1[key] | hash2[key]).uniq
@@ -66,5 +77,94 @@ module WebSandboxConsole
       hash1
     end
 
+    # 发现代码 中有 Logger.new(Rails.root.join('log', 'hubar')) 写法, 会 触发 File.open方法
+    # 封装后避免调用 File.open(禁用)
+    def sanitize_logger_new
+      Logger.instance_eval do
+        def new(logdev, shift_age = 0, shift_size = 1048576)
+          instance = allocate
+          instance.send(:initialize, logdev.to_s, shift_age, shift_size)
+          instance
+        end
+      end
+    end
+
+    # 净化 csv
+    def sanitize_csv
+      require 'csv' unless defined? CSV
+
+      CSV.instance_eval do
+        # 重写方法 以写日志方式 写数据
+        def open(filename, mode="r", **options)
+          # 无论输入什么路径 都只会在log下创建文件
+          basename = File.basename(filename, ".*")
+          file_path = "#{Rails.root}/log/#{basename}.csv"
+          logger = Logger.new(file_path)
+          logger.formatter = proc {|severity, datetime, progname, msg| msg}
+
+          logger.instance_exec do
+            # 支持类型 csv 数据写入方式
+            def << (data_arr)
+              self.info data_arr.join(",") + "\n"
+            end
+          end
+
+          yield(logger)
+        end
+      end
+    end
+
+    # 兼容文件缓存
+    def compatible_file_cache
+      ActiveSupport::Cache::FileStore.class_exec do
+        def write_entry(key, entry, options)
+          true
+        end
+
+        def delete_entry(key, options)
+          true
+        end
+      end
+    end
+
+    # 兼容翻译
+    def compatible_i18n_translate
+      I18n.instance_exec do
+        def translate(*args)
+          "ActiveRecord::RecordInvalid: 校验失败"
+        end
+        alias :t :translate
+      end
+    end
+
+    # 当拦截黑名单方法时提醒
+    def blacklist_method_remind
+      Kernel.class_exec do
+        # 发现此处method_missing Array 没有flatten方法
+        def flatten_arr(arr)
+          new_arr = []
+          arr.each do |e|
+            if e.is_a?(Array)
+              new_arr.concat(flatten_arr(e))
+            else
+              new_arr << e
+            end
+          end
+          new_arr
+        end
+
+        def method_missing(name,*params)
+          class_methods    = WebSandboxConsole.class_method_blacklists.values
+          instance_methods = WebSandboxConsole.instance_method_blacklists.values
+          
+          if flatten_arr([class_methods, instance_methods]).include?(name.to_sym)
+            msg = "PS：当前代码执行过程中可能调用了黑名单方法，若代码正常返回，请忽略此条提醒"
+            WebSandboxConsole.log_p(msg, true)
+          end
+          super
+        end
+      end
+    end
+
   end
 end

data/lib/web_sandbox_console/sandbox.rb

@@ -1,47 +1,146 @@
 module WebSandboxConsole
   class Sandbox
-    attr_accessor :code
-    attr_accessor :uuid
+    attr_accessor :code           # 代码
+    attr_accessor :uuid           # 唯一标识
+    attr_accessor :pass_auth      # 是否通过授权
+    attr_accessor :exe_tmp_file   # 执行临时文件（由code 组成的运行代码）
 
-    def initialize(code = nil)
-      @code   = escape_single_quote_mark(code)
-      @uuid   = SecureRandom.uuid
+    def initialize(code = nil, pass_auth = false)
+      @code         = code
+      @uuid         = SecureRandom.uuid
+      @pass_auth    = pass_auth.presence || false
+      @exe_tmp_file = "#{Rails.root}/tmp/sandbox/#{uuid}.rb"
     end
 
+    # 同步执行
     def evalotor
-      `bundle exec rails runner '#{runner_code}'`
-      get_result
+      evalotor_block do
+        exec_rails_runner
+        get_result
+      end
+    end
+
+    # 异步后台执行
+    def asyn_evalotor
+      evalotor_block do
+        Thread.new {exec_rails_runner}
+        ["已在后台执行，请耐心等待😊"]
+      end
+    end
+    
+    # 执行结构块
+    def evalotor_block
+      begin
+        check_syntax
+        write_exe_tmp_file
+        yield
+      rescue SandboxError => e
+        [e.message]
+      rescue Exception => e
+        ["发生未知错误: #{e.inspect};#{e.backtrace[0..2].join('\r\n')}"]
+      end
     end
 
     def runner_code
       str =<<-CODE
-        WebSandboxConsole.init_safe_env
         result = nil
         begin
-          ActiveRecord::Base.transaction(requires_new: true) do
-            result = eval(#{self.code.inspect})
-            raise ActiveRecord::Rollback
-          end
+          WebSandboxConsole.current_uuid("#{self.uuid}")
+          WebSandboxConsole.init_safe_env
+          WebSandboxConsole.logger_sql
+          #{self.pass_auth ? no_rollback_code : rollback_code}
         rescue Exception => e
-          WebSandboxConsole.log_p(e, "#{self.uuid}")
+          WebSandboxConsole.log_p(e)
         rescue SyntaxError => e
-          WebSandboxConsole.log_p(e, "#{self.uuid}")
+          WebSandboxConsole.log_p(e)
         end
-        WebSandboxConsole.log_p(result, "#{self.uuid}")
+        WebSandboxConsole.log_p(result)
       CODE
     end
 
-    def get_result
-      last_10_lines = `tail -n 10 #{WebSandboxConsole.log_path} | grep #{self.uuid}`
+    # 回滚code
+    def rollback_code
+      <<-EOF
+        ActiveRecord::Base.transaction(requires_new: true) do
+          result = eval(#{self.code.inspect})
+          raise ActiveRecord::Rollback
+        end
+      EOF
+    end
+
+    # 不回滚code
+    def no_rollback_code
+      <<-EOF
+        result = eval(#{self.code.inspect})
+      EOF
+    end
+    
+    # 临时文件目录
+    def tmp_file_dir
+      File.dirname(self.exe_tmp_file)
+    end
+
+    # 添加临时文件目录
+    def add_tmp_file_dir
+      FileUtils.mkdir_p(tmp_file_dir)  unless File.directory?(tmp_file_dir)
+    end
+
+    # 临时文件 需要清理？
+    def tmp_file_need_clean?
+      Dir["#{tmp_file_dir}/*"].count > 6
+    end
+
+    # 自动删除临时文件
+    def auto_clean_tmp_file
+      FileUtils.rm_rf(Dir["#{tmp_file_dir}/*"]) if tmp_file_need_clean?
+    end
+
+    # 写入 执行临时文件
+    def write_exe_tmp_file
+      add_tmp_file_dir
+      auto_clean_tmp_file
+      File.open(self.exe_tmp_file, 'w'){|f| f << runner_code}
+    end
+
+    # 准备检查语法
+    def prepare_check_syntax
+      add_tmp_file_dir
+      File.open(self.exe_tmp_file, 'w'){|f| f << self.code}
+    end
+
+    # 检查 语法
+    def check_syntax
+      prepare_check_syntax
+      unless `ruby -c #{self.exe_tmp_file}`.include?('Syntax OK')
+        raise SandboxError, "存在语法错误"
+      end
+    end
+
+    # 运行rails runner
+    def exec_rails_runner
+      @stdout = `RAILS_ENV=#{Rails.env} bundle exec rails runner #{self.exe_tmp_file}`
+    end
+
+    # 返回结果
+    def return_result_arr
+      last_10_lines = `tail -n 100 #{WebSandboxConsole.log_path} | grep #{self.uuid}`
       
       last_10_lines.split("\n").map do |line|
         line.split("#{self.uuid}:").last.split("|||")
       end.flatten
     end
 
-    # 转义单引号
-    def escape_single_quote_mark(code)
-      code.gsub(/'/,'"')
+    # 最终结果
+    def get_result
+      if @stdout.present?
+        stdout_arr = ['------------ 打印值 ----------']
+        stdout_arr.concat(@stdout.to_s.split("\n"))
+        stdout_arr << '------------ 返回值 ----------'
+        stdout_arr.concat(return_result_arr)
+      else
+        return_result_arr
+      end
     end
+
   end
 end