xplenty-jruby_sandbox 0.2.4-java

data/lib/sandbox/safe.rb

@@ -0,0 +1,417 @@
+require "fakefs/safe"
+
+module Sandbox
+  TimeoutError = Class.new(Exception)
+
+  class Safe < Full
+    def activate!
+      activate_fakefs
+
+      keep_singleton_methods(:Kernel, KERNEL_S_METHODS)
+      keep_singleton_methods(:Symbol, SYMBOL_S_METHODS)
+      keep_singleton_methods(:String, STRING_S_METHODS)
+      keep_singleton_methods(:IO, IO_S_METHODS)
+
+      keep_methods(:Kernel, KERNEL_METHODS)
+      keep_methods(:NilClass, NILCLASS_METHODS)
+      keep_methods(:Symbol, SYMBOL_METHODS)
+      keep_methods(:TrueClass, TRUECLASS_METHODS)
+      keep_methods(:FalseClass, FALSECLASS_METHODS)
+      keep_methods(:Enumerable, ENUMERABLE_METHODS)
+      keep_methods(:String, STRING_METHODS)
+
+      # FIXME: Blacklisting Object methods is not a scalable solution.
+      # Whitelisting using #keep_methods is safer.
+      remove_method(:Object, :java_import)
+
+      Kernel.class_eval do
+        def `(*args)
+          raise NoMethodError, "` is unavailable"
+        end
+
+        def system(*args)
+          raise NoMethodError, "system is unavailable"
+        end
+      end
+    end
+
+    def activate_fakefs
+      require "fileutils"
+
+      # unfortunately, the authors of FakeFS used `extend self` in FileUtils, instead of `module_function`.
+      # I fixed it for them
+      (FakeFS::FileUtils.methods - Module.methods - Kernel.methods).each do |module_method_name|
+        FakeFS::FileUtils.send(:module_function, module_method_name)
+      end
+
+      import  FakeFS
+      ref     FakeFS::Dir
+      ref     FakeFS::File
+      ref     FakeFS::FileTest
+      import  FakeFS::FileUtils #import FileUtils because it is a module
+
+      # this is basically what FakeFS.activate! does, but we want to do it in the sandbox
+      # so we have to live with this:
+      eval <<-RUBY
+        Object.class_eval do
+          remove_const(:Dir)
+          remove_const(:File)
+          remove_const(:FileTest)
+          remove_const(:FileUtils)
+
+          const_set(:Dir,       FakeFS::Dir)
+          const_set(:File,      FakeFS::File)
+          const_set(:FileUtils, FakeFS::FileUtils)
+          const_set(:FileTest,  FakeFS::FileTest)
+        end
+
+        class Object
+          def require(*args)
+            true
+          end
+        end
+
+        [Dir, File, FileUtils, FileTest].each do |fake_class|
+          fake_class.class_eval do
+            def self.class_eval
+              raise NoMethodError, "class_eval is unavailable"
+            end
+            def self.instance_eval
+              raise NoMethodError, "instance_eval is unavailable"
+            end
+          end
+        end
+      RUBY
+
+      FakeFS::FileSystem.clear
+    end
+
+    def eval(code, options={})
+      if seconds = options[:timeout]
+        sandbox_timeout(code, seconds) do
+          super code
+        end
+      else
+        super code
+      end
+    end
+
+    private
+
+    def sandbox_timeout(name, seconds)
+      val, exc = nil
+
+      thread = Thread.start(name) do
+        begin
+          val = yield
+        rescue Exception => exc
+        end
+      end
+
+      thread.join(seconds)
+
+      if thread.alive?
+        if thread.respond_to? :kill!
+          thread.kill!
+        else
+          thread.kill
+        end
+
+        timed_out = true
+      end
+
+      if timed_out
+        raise TimeoutError, "#{self.class} timed out"
+      elsif exc
+        raise exc
+      else
+        val
+      end
+    end
+
+    IO_S_METHODS = %w[
+      new
+      foreach
+      open
+    ]
+
+    KERNEL_S_METHODS = %w[
+      Array
+      binding
+      block_given?
+      catch
+      chomp
+      chomp!
+      chop
+      chop!
+      eval
+      fail
+      Float
+      format
+      global_variables
+      gsub
+      gsub!
+      Integer
+      iterator?
+      lambda
+      local_variables
+      loop
+      method_missing
+      proc
+      raise
+      scan
+      sleep
+      split
+      sprintf
+      String
+      sub
+      sub!
+      throw
+    ].freeze
+
+    SYMBOL_S_METHODS = %w[
+      all_symbols
+    ].freeze
+
+    STRING_S_METHODS = %w[
+      new
+    ].freeze
+
+    KERNEL_METHODS = %w[
+      ==
+      ===
+      =~
+      Array
+      binding
+      block_given?
+      catch
+      chomp
+      chomp!
+      chop
+      chop!
+      class
+      clone
+      dup
+      eql?
+      equal?
+      eval
+      extend
+      fail
+      Float
+      format
+      freeze
+      frozen?
+      global_variables
+      gsub
+      gsub!
+      hash
+      id
+      initialize_clone
+      initialize_copy
+      initialize_dup
+      inspect
+      instance_eval
+      instance_of?
+      instance_variables
+      instance_variable_get
+      instance_variable_set
+      instance_variable_defined?
+      Integer
+      is_a?
+      iterator?
+      kind_of?
+      lambda
+      local_variables
+      loop
+      methods
+      method_missing
+      nil?
+      private_methods
+      print
+      proc
+      protected_methods
+      public_methods
+      raise
+      remove_instance_variable
+      respond_to?
+      respond_to_missing?
+      scan
+      send
+      singleton_methods
+      singleton_method_added
+      singleton_method_removed
+      singleton_method_undefined
+      sleep
+      split
+      sprintf
+      String
+      sub
+      sub!
+      taint
+      tainted?
+      throw
+      to_a
+      to_s
+      type
+      untaint
+      __send__
+    ].freeze
+
+    NILCLASS_METHODS = %w[
+      &
+      inspect
+      nil?
+      to_a
+      to_f
+      to_i
+      to_s
+      ^
+      |
+    ].freeze
+
+    SYMBOL_METHODS = %w[
+      ===
+      id2name
+      inspect
+      to_i
+      to_int
+      to_s
+      to_sym
+    ].freeze
+
+    TRUECLASS_METHODS = %w[
+      &
+      to_s
+      ^
+      |
+    ].freeze
+
+    FALSECLASS_METHODS = %w[
+      &
+      to_s
+      ^
+      |
+    ].freeze
+
+    ENUMERABLE_METHODS = %w[
+      all?
+      any?
+      collect
+      detect
+      each_with_index
+      entries
+      find
+      find_all
+      grep
+      initialize_dup
+      initialize_clone
+      include?
+      inject
+      map
+      max
+      member?
+      min
+      partition
+      reduce
+      reject
+      select
+      sort
+      sort_by
+      sum
+      to_a
+      zip
+    ].freeze
+
+    STRING_METHODS = %w[
+      %
+      *
+      +
+      <<
+      <=>
+      ==
+      =~
+      bytesize
+      capitalize
+      capitalize!
+      casecmp
+      center
+      chars
+      chomp
+      chomp!
+      chop
+      chop!
+      concat
+      count
+      crypt
+      delete
+      delete!
+      downcase
+      downcase!
+      dump
+      each
+      each_byte
+      each_line
+      empty?
+      eql?
+      force_encoding
+      gsub
+      gsub!
+      hash
+      hex
+      include?
+      index
+      initialize
+      initialize_copy
+      insert
+      inspect
+      intern
+      length
+      ljust
+      lines
+      lstrip
+      lstrip!
+      match
+      next
+      next!
+      oct
+      replace
+      reverse
+      reverse!
+      rindex
+      rjust
+      rstrip
+      rstrip!
+      scan
+      size
+      slice
+      slice!
+      split
+      squeeze
+      squeeze!
+      strip
+      strip!
+      start_with?
+      sub
+      sub!
+      succ
+      succ!
+      sum
+      swapcase
+      swapcase!
+      to_f
+      to_i
+      to_s
+      to_str
+      to_sym
+      tr
+      tr!
+      tr_s
+      tr_s!
+      upcase
+      upcase!
+      upto
+      []
+      []=
+    ].freeze
+  end
+end

data/lib/sandbox/version.rb

@@ -0,0 +1,3 @@
+module Sandbox
+  VERSION = "0.2.4"
+end

data/lib/sandbox.rb

@@ -0,0 +1,17 @@
+require "sandbox/sandbox"
+require "sandbox/version"
+require "sandbox/safe"
+
+module Sandbox
+  PRELUDE = File.expand_path("../sandbox/prelude.rb", __FILE__).freeze # :nodoc:
+
+  class << self
+    def new
+      Full.new
+    end
+
+    def safe
+      Safe.new
+    end
+  end
+end

data/spec/exploits_spec.rb

@@ -0,0 +1,196 @@
+require "rspec"
+require "sandbox"
+require "tempfile"
+
+class OutsideFoo
+  def self.bar; "bar"; end
+end
+
+describe "Sandbox exploits" do
+  subject { Sandbox.safe }
+
+  before(:each) do
+    subject.activate!
+  end
+
+  it "should not allow access to the filesystem using backticks" do
+    expect {
+      subject.eval(%|`cat spec/support/foo.txt`|)
+    }.to raise_error(Sandbox::SandboxException)
+  end
+
+  it "should not allow running system commands using system" do
+    expect {
+      subject.eval(%|system("ls")|)
+    }.to raise_error(Sandbox::SandboxException, /NoMethodError/)
+  end
+
+  it "should not allow running system commands through File.class_eval" do
+    expect {
+      subject.eval(%|File.class_eval { `echo Hello` }|)
+    }.to raise_error(Sandbox::SandboxException, /NoMethodError/)
+
+    expect {
+      subject.eval(%|FileUtils.class_eval { `echo Hello` }|)
+    }.to raise_error(Sandbox::SandboxException, /NoMethodError/)
+
+    expect {
+      subject.eval(%|Dir.class_eval { `echo Hello` }|)
+    }.to raise_error(Sandbox::SandboxException, /NoMethodError/)
+
+    expect {
+      subject.eval(%|FileTest.class_eval { `echo Hello` }|)
+    }.to raise_error(Sandbox::SandboxException, /NoMethodError/)
+  end
+
+  it "should not allow running system commands through File.eval" do
+    expect {
+      subject.eval(%|File.eval "`echo Hello`"|)
+    }.to raise_error(Sandbox::SandboxException, /NoMethodError/)
+
+    expect {
+      subject.eval(%|FileUtils.eval "`echo Hello`"|)
+    }.to raise_error(Sandbox::SandboxException, /NoMethodError/)
+
+    expect {
+      subject.eval(%|Dir.eval "`echo Hello`"|)
+    }.to raise_error(Sandbox::SandboxException, /NoMethodError/)
+
+    expect {
+      subject.eval(%|FileTest.eval "`echo Hello`"|)
+    }.to raise_error(Sandbox::SandboxException, /NoMethodError/)
+  end
+
+  it "should not allow running system commands through File.instance_eval" do
+    expect {
+      subject.eval(%|File.instance_eval { `echo Hello` }|)
+    }.to raise_error(Sandbox::SandboxException, /NoMethodError/)
+
+    expect {
+      subject.eval(%|FileUtils.instance_eval { `echo Hello` }|)
+    }.to raise_error(Sandbox::SandboxException, /NoMethodError/)
+
+    expect {
+      subject.eval(%|Dir.instance_eval { `echo Hello` }|)
+    }.to raise_error(Sandbox::SandboxException, /NoMethodError/)
+
+    expect {
+      subject.eval(%|FileTest.instance_eval { `echo Hello` }|)
+    }.to raise_error(Sandbox::SandboxException, /NoMethodError/)
+  end
+
+  it "should not allow running any commands or reading files using IO" do
+    expect {
+      subject.eval(%|f=IO.popen("uname"); f.readlines; f.close|)
+    }.to raise_error(Sandbox::SandboxException, /NoMethodError/)
+
+    expect {
+      subject.eval(%|IO.binread("/etc/passwd")|)
+    }.to raise_error(Sandbox::SandboxException, /NoMethodError/)
+
+    expect {
+      subject.eval(%|IO.read("/etc/passwd")|)
+    }.to raise_error(Sandbox::SandboxException, /NoMethodError/)
+  end
+
+  it "should not pass through methods added to Kernel" do
+    k = subject.eval(%|Kernel|)
+    def k.crack
+      open("/etc/passwd")
+    end
+
+    Kernel.should respond_to(:crack)
+    subject.eval(%|Kernel.respond_to?(:crack)|).should == false
+  end
+
+  it "should not allow calling fork on Kernel, even through eval" do
+    subject.eval(%|eval("Kernel").respond_to?(:fork)|).should == false
+  end
+
+  it "should not get access to outside the box objects by using eval and TOPLEVEL_BINDING" do
+    expect {
+      subject.eval(%{eval("OutsideFoo.bar", TOPLEVEL_BINDING)})
+    }.to raise_error(Sandbox::SandboxException, /NameError/)
+  end
+
+  it "should not get access to the outside eval through a ref'd object" do
+    subject.ref(OutsideFoo)
+    subject.eval(%|obj = OutsideFoo.new|)
+    subject.eval(%|(obj.methods.grep /^eval/).empty?|).should == true
+    subject.eval(%|obj.respond_to?(:eval)|).should == false
+  end
+
+  it "should not allow file access, even through a ref hack" do
+    expect {
+      subject.eval(%|File.open("/etc/passwd").read|)
+    }.to raise_error(Sandbox::SandboxException)
+
+    subject.ref(OutsideFoo)
+    subject.eval(%|obj = OutsideFoo.new|)
+
+    # pending "gotta figure out how to lock down ref'd objects eval" do
+    #   expect {
+    #     subject.eval(%|obj.eval("File.open(\\"/etc/passwd\\").read")|)
+    #   }.to raise_error(Sandbox::SandboxException)
+    # end
+  end
+
+  it "should have safe globals" do
+    subject.eval(%|$0|).should == "(sandbox)"
+    /(.)(.)(.)/.match("abc")
+    subject.eval(%|$TEST = "TEST"; $TEST|).should == "TEST"
+    subject.eval(%|/(.)(.)(.)/.match("def"); $2|).should == "e"
+    $2.should == "b"
+    subject.eval(%|$TEST|).should == "TEST"
+    subject.eval(%|$2|).should == "e"
+  end
+
+  it "should not keep Kernel.fork" do
+    expect {
+      subject.eval(%|Kernel.fork|)
+    }.to raise_error(Sandbox::SandboxException)
+
+    expect {
+      subject.eval(%|fork|)
+    }.to raise_error(Sandbox::SandboxException)
+  end
+
+  it "should not allow the sandbox to get back to Kernel through ancestors" do
+    subject.eval(%|$0.class.ancestors[3].respond_to?(:fork)|).should == false
+  end
+
+  it "should not pass through block scope" do
+    1.times do |i|
+      subject.eval(%|local_variables|).should == []
+    end
+  end
+
+  it "should not allow exploits through match data" do
+    subject.eval(%|begin; /(.+)/.match("FreakyFreaky").instance_eval { open("/etc/passwd") }; rescue NameError; :NameError; end|).should == :NameError
+
+    subject.eval(%|begin;(begin;Regexp.new("(");rescue e;e;end).instance_eval{ open("/etc/passwd") }; rescue NameError; :NameError; end|).should == :NameError
+  end
+
+  it "should not be able to access outside box Kernel through exceptions" do
+    exception_code = <<-RUBY
+      begin
+        raise
+      rescue => e
+        obj = e
+      end
+    RUBY
+    subject.eval(exception_code)
+
+    subject.eval(%|obj.class.ancestors[4].respond_to?(:fork)|).should == false
+  end
+
+  it "should not allow access to Java classes" do
+    tempfile = Tempfile.new("sandbox")
+    expect {
+      subject.eval("Object.send(:java_import, 'java.lang.ProcessBuilder')")
+      subject.eval("Java::java.lang.ProcessBuilder.new('sh', '-c', 'echo pwned > #{tempfile.path}').start; nil")
+    }.to raise_error(Sandbox::SandboxException)
+    tempfile.size.should == 0
+    tempfile.close
+  end
+end