It is still possible to make system calls using `` and %x, even when no privileges are given

Then system and exec methods are handled correctly.

please see this gist for failing tests

https://gist.github.com/756460

Hello.

I am trying to eval code in shikashi sandbox in some long running process (single threaded). For each eval there is own sandbox + privileges objects. And according to ObjectSpace, none of these sandbox objects are cleared by garbage collector. There is also the same number of EvalhookHandler objects always exists.

Maybe I am just missed some kind of termination for sandbox?

Add execution time for the script INSIDE the sandbox, example

---- inside the sandbox ----

foo 4
sleep 1 # takes 1 second
foo 10

---- outside the sandbox ----
def foo(x)
sleep 6 # takes 6 seconds
end
privileges.allow :foo
sandbox.run code, privileges :timeout => 2 # 2 seconds

The execution of the script take approximatly 13 seconds, but only 1 second of execution corresponds to the code inside the sandbox, then this code should be run without problems due the code outside the sandbox has no restrictions of time, alternatively, should be a "absolute_timeout" parameter to represent the effect of a classical timeout block of ruby

The following code has massive issues when evaluated with shikashi:

(1..10).map{|to_s| "a".to_s}
=> [1, 2, 3, 4, 5, 6, 7, 8, 9, 10]

The correct output should be (obviously):

=> ["a", "a", "a", "a", "a", "a", "a", "a", "a", "a"]

So, from what I'm seeing, instance methods are being incorrectly shadowed by block variables.

This has been tested on the latest patched Ruby versions 1.9.3, 2.0.0, and 2.1.0.

Hi,

could you help me with this example?

If I want to allow all eval on date/time operators, but nothing else. With Rails helpers, such as beginning_of_month.

How would I allow Time.zone.now.beginning_of_month?

With :

        require 'shikashi'
        require 'active_support/all'

        include Shikiashi

        Time.zone ||= 'Melbourne'

        sandbox = Sandbox.new
        priv = Privileges.new

        priv.allow_const_read("Time","Date","DateTime", "ActiveSupport::TimeZone")
        priv.object(Time).allow :zone
        priv.instances_of(ActiveSupport::TimeZone).allow :now, :beginning_of_month

        sandbox.run(priv, 'Time.zone.now.beginning_of_month')

I get error:

NameError: undefined method `beginning_of_month' for class `ActiveSupport::TimeWithZone'
    from /opt/boxen/rbenv/versions/1.9.3-p448/lib/ruby/gems/1.9.1/gems/shikashi-0.5.2/lib/shikashi/sandbox.rb:220:in `instance_method'
    from /opt/boxen/rbenv/versions/1.9.3-p448/lib/ruby/gems/1.9.1/gems/shikashi-0.5.2/lib/shikashi/sandbox.rb:220:in `handle_method'
    from /opt/boxen/rbenv/versions/1.9.3-p448/lib/ruby/gems/1.9.1/gems/evalhook-0.5.2/lib/evalhook.rb:173:in `hooked_variable_method'
    from sandbox-618708:4:in `<module:SandboxBasenamespace98816495>'
    from sandbox-618708:1:in `<top (required)>'

In the same irb session:

?>   Time.zone.now.beginning_of_month
=> Sun, 01 Sep 2013 00:00:00 EST +10:00
>>

What am I missing to join the dots?

Currently, xstr handing directly evaluates the xstr. Would there be a way to evaluate this like any other method in the context of the receiving object?

This would enable people to redefine the backtick method in the context of the receiver, which could be useful. I see that line 156 of sandbox.rb currently evaluates it directly, which ignores any overrides that could be present in the source binding.

I've taken a look through evalhook and it doesn't look like handle_xstr is passed the original receiver. Maybe something like the original_receiver object used in process_call could be used in process_(d)xstr? I'm not familiar with how the s-expressions are laid out, though.

I'm not sure if it is my mistake or bug. When I try to call inherited class method, I get "singleton method bound for a different object" error.

Example:

class A
    def self.foo
        'Foo'
    end
end

class B < A
end

s = Sandbox.new
priv = Privileges.new
priv.object(A).allow_all
priv.object(B).allow_all
s.run('B.foo', priv)

Can't use with external classes (Example 4) ... Error & Sample below...

/.rvm/gems/ruby-1.9.2-p180/gems/shikashi-0.5.0/lib/shikashi/sandbox.rb:185:in `handle_const': cannot access constant X (SecurityError)

require "rubygems"
require "shikashi"

include Shikashi

s = Sandbox.new
priv = Privileges.new

# allow execution of print
priv.allow_method :print

class X
    def foo
        print "X#foo\n"
    end

    def bar
        system("echo hello world") # accepted, called from privileged context
    end

    def privileged_operation( out )
        # write to file specified in out
        system("echo privileged operation > " + out)
    end
end
# allow method new of class X
priv.object(X).allow :new

# allow instance methods of X. Note that the method privileged_operations is not allowed
priv.instances_of(X).allow :foo, :bar

priv.allow_method :=== # for exception handling
#inside the sandbox, only can use method foo on main and method times on instances of Fixnum
s.run(priv, '
x = X.new
x.foo
x.bar
')

privileges = Privileges.new
privileges.instances_of(Hash).allow_all
Sandbox.new.run(privileges, "arguments=Hash.new;")

Why do I get the Security Error
"cannot access constant Hash"
in this scenario?

Thank you!

This is probably more of an "understanding" problem:

I want to pass an ActiveRecord instance (eg: user = User.find(1)) to sandbox.run()
From the Rdocs I figured I'd run the sandbox with a binding:

# taken/adjusted from official ruby docs 
class Context

  def initialize(n)
    @user = User.find(n)
  end

  def get_binding
    return binding()
  end

end

# .... some code ....

sandbox.run(code, privileges, Context.new(1).get_binding())

This (obviously?) doesn't work. I'm still trying to wrap my head around ruby meta programming (eval etc) so
a pointer on how to implement that in shikashi would be much appreciated :)

Thanks

Hi,

Thanks for this awesome gem. I have been using your gem for 2 years without any issue. But lately when I upgraded my ruby to version 2.2.0, I encountered the following issue:

Gem::Ext::BuildError: ERROR: Failed to build gem native extension.

/Users/josisusan/.rvm/rubies/ruby-2.2.0/bin/ruby -r ./siteconf20150303-99229-59ezm5.rb extconf.rb
*** extconf.rb failed ***
 Could not create Makefile due to some reason, probably lack of necessary libraries and/or headers.  Check the mkmf.log file for more details.  You may need configuration options.

Provided configuration options:
--with-opt-dir
--with-opt-include
--without-opt-include=${opt-dir}/include
--with-opt-lib
--without-opt-lib=${opt-dir}/lib
--with-make-prog
--without-make-prog
--srcdir=.
--curdir
--ruby=/Users/josisusan/.rvm/rubies/ruby-2.2.0/bin/$(RUBY_BASE_NAME)
--with-getsource_base-dir
--without-getsource_base-dir
--with-getsource_base-include
--without-getsource_base-include=${getsource_base-dir}/include
--with-getsource_base-lib
--without-getsource_base-lib=${getsource_base-dir}/lib
extconf.rb:5:in `<main>': uninitialized constant Config (NameError)

extconf failed, exit code 1

Gem files will remain installed in /Users/josisusan/.rvm/gems/ruby-2.2.0/gems/getsource-0.2.1 for inspection.
Results logged to /Users/josisusan/.rvm/gems/ruby-2.2.0/extensions/x86_64-darwin-14/2.2.0/getsource-0.2.1/gem_make.out
An error occurred while installing getsource (0.2.1), and Bundler cannot continue. 

I've noticed that recent version of ruby2ruby (2.0.1) breaks shikashi sandbox. No erros, but it returns always nil.

Resolved with this line added to my Gemfile

gem 'ruby2ruby', '~> 1.3'

Trying to run some user inputed code that requires some methods on a class. Is there a way to run the code in the context of another class?

def sandbox
  sandbox = Shikashi::Sandbox.new
  priv    = Shikashi::Privileges.new
  # Trying to include self into the sandbox. This is the class I need the code to eval with.
  priv.object(self).allow(:configure)
  priv.allow_method(:method_missing)
  sandbox.run(code: @signature, privileges: priv, timeout: 30)
end

def configure
  raise Metascrape::DSLArgumentError, 'Missing required block' unless block_given?
  yield config
end

This is the error I get.
NoMethodError: undefined method 'configure' for Shikashi::Sandbox::SandboxBasenamespace15267337:Module

Hello, and such good code you have here!

I have a small problem with some code I am playing with, copied and pasted from your examples, but with an intentional typo:

begin
  s.run(priv, 'puts "here we go"
  x = X.new
  x.foo
  x.bar

  x.xprivileged_operation # FAIL
  ', source: '<user code>')
rescue SecurityError => e  
  puts "privileged_operation failed due security error:\n#{e.to_s}\n"
rescue Exception => e
  puts "backtrace:\n#{e.to_s}\n"
  e.backtrace.each { |l| puts l }
end

Seems to me like the offending line number there is line 6, but it gets reported as 12:

undefined method `xprivileged_operation' for class `X'
...
<user code>:12:in `<module:SandboxBasenamespace96278636>'
<user code>:1:in `<top (required)>'

I see a pattern on my tests: the line counter gets the lines double and inits at 2, not at zero. And then it ignores blank lines and comments lines...

Hello,

I was wondering if it was possible to use refinements within the sandbox.

For example, given this module:

module FooRefinement
  refine String do
    def to_s
      return "bar" if self == "foo"
      super
    end
  end
end

Would it be possible to somehow inject that into the sandboxed code so that when I run this:

s = Sandbox.new
priv = Privileges.new
priv.instances_of(String).allow :to_s
priv.allow_method :puts

s.run(priv, 'puts "foo".to_s')

It outputs "bar" instead of "foo"?

Greetings !

I've been trying to share variables between a Shikashi sandbox and my own code.
I was familiar with the binding method since I used it with ERB, so I expected Shikashi's equivalent to behave in a similar way.

sandbox    = Sandbox.new
privileges = Privileges.new

privileges.allow_method :push

@shared_var = 'foo'

code     = <<RUBY
    puts @shared_var
RUBY

html = sandbox.run code: code, privileges: privileges, binding: binding

This code should show that @shared_var isn't accessible in the sandboxed code.
Whereas it should be, am I right ?

I'm building some code that creates methods in a Sandbox, and then runs those methods. I'm finding that only the first line of a Sandbox method is executed.

include Shikashi

to_run = <<-END
def puts_one_two_three()
  print "one " "two "
  print "three "
end
END
s = Sandbox.new
priv = Privileges.new
priv.allow_method :print

puts "Running block: #{to_run}"
s.run(priv, to_run, :no_base_namespace => true)

# Expect "one two three" but is "one two "
self.method("puts_one_two_three").call()

Is this a bug?

privileges = Privileges.new
privileges.allow_const_read(Hash)
privileges.object(Hash).allow(:new)
privileges.instances_of(Hash).allow_all # this is NOT recomendd
Sandbox.new.run(privileges, "Hash.new.system('ls -l')")

Expected: NoMethodError: private method `system' called for {}:Hash
Got: directory listing via ls -l system command :(

May be this is an issue with the compatibility

:~/shikashi/examples/basic$ ruby1.9 example2.rb
/var/lib/gems/1.9.0/gems/shikashi-0.1.0/lib/shikashi/privileges.rb:95:in handle_redirection': undefined methodid2name' for 11600:Fixnum (NoMethodError)
from /var/lib/gems/1.9.0/gems/shikashi-0.1.0/lib/shikashi/privileges.rb:200:in handle_redirection' from /var/lib/gems/1.9.0/gems/shikashi-0.1.0/lib/shikashi/sandbox.rb:256:inhandle_method'
from sandbox-843866:1:in block (2 levels) in <top (required)>' from /var/lib/gems/1.9.0/gems/rallhook-0.7.4/lib/rallhook.rb:222:inblock in call_with_rehook'
from /var/lib/gems/1.9.0/gems/shikashi-0.1.0/lib/shikashi/sandbox.rb:187:in block in call' from /var/lib/gems/1.9.0/gems/rallhook-0.7.4/lib/rallhook.rb:203:inblock (2 levels) in original_call'
from /var/lib/gems/1.9.0/gems/rallhook-0.7.4/lib/rallhook.rb:202:in times' from /var/lib/gems/1.9.0/gems/rallhook-0.7.4/lib/rallhook.rb:202:incall'
from /var/lib/gems/1.9.0/gems/rallhook-0.7.4/lib/rallhook.rb:202:in block in original_call' from /var/lib/gems/1.9.0/gems/rallhook-0.7.4/lib/rallhook.rb:173:inblock in rehook'
from /var/lib/gems/1.9.0/gems/rallhook-0.7.4/lib/rallhook.rb:172:in rehook' from /var/lib/gems/1.9.0/gems/rallhook-0.7.4/lib/rallhook.rb:172:inrehook'
from /var/lib/gems/1.9.0/gems/rallhook-0.7.4/lib/rallhook.rb:201:in original_call' from /var/lib/gems/1.9.0/gems/shikashi-0.1.0/lib/shikashi/sandbox.rb:186:incall'
from /var/lib/gems/1.9.0/gems/rallhook-0.7.4/lib/rallhook.rb:221:in call_with_rehook' from sandbox-843866:1:in<top (required)>'
from /var/lib/gems/1.9.0/gems/rallhook-0.7.4/lib/rallhook.rb:208:in eval' from /var/lib/gems/1.9.0/gems/rallhook-0.7.4/lib/rallhook.rb:208:incall'
from /var/lib/gems/1.9.0/gems/rallhook-0.7.4/lib/rallhook.rb:208:in block in original_call' from /var/lib/gems/1.9.0/gems/rallhook-0.7.4/lib/rallhook.rb:173:inblock in rehook'
from /var/lib/gems/1.9.0/gems/rallhook-0.7.4/lib/rallhook.rb:172:in rehook' from /var/lib/gems/1.9.0/gems/rallhook-0.7.4/lib/rallhook.rb:172:inrehook'
from /var/lib/gems/1.9.0/gems/rallhook-0.7.4/lib/rallhook.rb:207:in original_call' from /var/lib/gems/1.9.0/gems/shikashi-0.1.0/lib/shikashi/sandbox.rb:190:incall'
from /var/lib/gems/1.9.0/gems/rallhook-0.7.4/lib/rallhook.rb:225:in call_with_rehook' from /var/lib/gems/1.9.0/gems/shikashi-0.1.0/lib/shikashi/sandbox.rb:350:inblock in run'
from /var/lib/gems/1.9.0/gems/rallhook-0.7.4/lib/rallhook.rb:281:in block in hook' from /var/lib/gems/1.9.0/gems/rallhook-0.7.4/lib/rallhook.rb:280:inhook'
from /var/lib/gems/1.9.0/gems/rallhook-0.7.4/lib/rallhook.rb:280:in hook' from /var/lib/gems/1.9.0/gems/shikashi-0.1.0/lib/shikashi/sandbox.rb:349:inrun'
from example2.rb:23:in `

If I run one of your example, I get the following error:

$ ruby test/dsl_test.rb 
/Users/xxx/.rvm/gems/ruby-1.9.2-p180@xxx/gems/getsource-0.2.0/lib/getsource.rb:50:in `body': undefined method `[]' for nil:NilClass (NoMethodError)
    from /Users/xxx/.rvm/gems/ruby-1.9.2-p180@xxx/gems/shikashi-0.4.0/lib/shikashi/sandbox.rb:183:in `handle_method'
    from /Users/xxx/.rvm/gems/ruby-1.9.2-p180@xxx/gems/evalhook-0.4.0/lib/evalhook.rb:85:in `call'
    from sandbox-650417:3:in `inside_foo'
    from test/dsl_test.rb:28:in `<main>'

Any ideas?

include Shikashi

privileges = Privileges.new        
privileges.allow_const_read "Kernel"
privileges.object(Kernel).allow_all
privileges.instances_of(Kernel).allow_all  

Sandbox.new.run(privileges, "Kernel.sprintf('%d', 123)")

I been having problems with ArgumentErrors when invoking methods with multiple arguments. They above gives me: ArgumentError: too few arguments

In a different scenario, I created they above for pure testing, im calling this method in class Chat

def self.send_property user_name, name, value

like this

Chat.send_property "a","b","c"

and I am seeing this

ArgumentError: wrong number of arguments (1 for 3)

but when I call it like this

Chat.send_property "a","b"

I am seeing

ArgumentError: wrong number of arguments (2 for 3)

If I call the methods outside of the Sandbox all is fine.

Does this ring a bell? I am using 'ruby-1.9.3-p194'

When i run sandbox.run(priv, code_block) in test environment it works fine but the same code doesn't work(too slow/get hang ) in development environment .

Hello!

I tried to use shikashi for sandboxing my experimental dsl and got lost.
I'm trying to do sandbox for user input text that is then processed by DSL.

class DSL
  include Shikashi
  attr_accessor :text, :sandbox, :priveleges

  def initialize(text)
    @text = text
  end

  def result
    @sandbox = Sandbox.new
    @priveleges = Privileges.new
    @priveleges.object(self).allow :fill
    @store = []
    sandbox.run(priveleges, text)
    @store
  end

  def fill(start_point, end_point, block_id, rotation = [0, 0, 0])
    @store << {
      start: start_point,
      end: end_point,
      block_id: block_id,
      rotation: rotation
    }
  end
end

and test DSL for it

fill [0,400,0], [7800,8200,200], '100x200x200'
fill [800,0,0], [3800,400,200], '100x200x200'

I always get

NameError:
       method `method_missing' for class `Module' is  private

It looks like it cant find fill method somehow.
What is the proper way to use shikashi to secure user input of dsl commands?

----------------example.rb-----------------
require "rubygems"
require "shikashi"

include Shikashi

s = Sandbox.new
priv = Privileges.new

allow execution of print

priv.allow_method :print

priv.allow_method "core#define_method".to_sym
priv.allow_method :instance_method

allow definition of classes

priv.allow_class_definitions

inside the sandbox, only can use method foo on main and method times on instances of Fixnum

s.run(priv, '
class X
def foo
print "X#foo\n"
end

end
')

print X.shadow.instance_method(:foo),"\n"

$ ruby1.8 example6.rb

<UnboundMethod: #Class:0x7fa4e82e80d0#foo>

$ ruby1.9 example6.rb
example6.rb:28:in instance_method': undefined methodfoo' for class X' (NameError) from example6.rb:28:in

trying to get cyrillic string, using UTF. Outside the sandbox everything works ok.

[6] pry(main)> s=Shikashi::Sandbox.new
[7] pry(main)> p=Shikashi::Privileges.new
[8] pry(main)> s.run "'кириллица'"
=> "киÑ\u0080иллиÑ\u0086а"
[9] pry(main)> s.run("'кириллица'")=='кириллица'
=> false

the example

  s = Sandbox.new
  priv = Privileges.new

  priv.allow_method :print
  priv.allow_const_read "Object::A"

  A = 8
  s.run(priv, '
  print "assigned Object::A:", A,"\n"
  ')

Is not working since allow_const_read should use "A" (Object namespace is implicit)

http://tario.github.com/shikashi/doc/classes/Shikashi/Privileges.html#M000021