Executing code in a variable

Discussion in 'Ruby' started by Zangief Ief, Apr 20, 2008.

  1. Zangief Ief

    Zangief Ief Guest

    Hello,

    I have Ruby code stored in a Ruby variable like this:

    buffer = ' puts "Hello World!" '

    Is there a way to execute this code using the buffer variable?

    Thanks
    --
    Posted via http://www.ruby-forum.com/.
     
    Zangief Ief, Apr 20, 2008
    #1

  2. Zangief Ief wrote:
    > I have Ruby code stored in a Ruby variable like this:
    >
    > buffer = ' puts "Hello World!" '
    >
    > Is there a way to execute this code using the buffer variable?


    eval buffer


    HTH,
    Sebastian
    --
    NP: Depeche Mode - Strangelove
    Jabber:
    ICQ: 205544826
     
    Sebastian Hungerecker, Apr 20, 2008
    #2

  3. Zangief Ief

    Zangief Ief Guest

    Zangief Ief, Apr 20, 2008
    #3
  4. On 20.04.2008 11:43, Zangief Ief wrote:
    > I have Ruby code stored in a Ruby variable like this:
    >
    > buffer = ' puts "Hello World!" '
    >
    > Is there a way to execute this code using the buffer variable?


    http://ruby-doc.org/core/classes/Kernel.html#M005948

    robert
     
    Robert Klemme, Apr 20, 2008
    #4
  5. Hi --

    On Sun, 20 Apr 2008, wrote:

    > On Apr 20, 11:43 am, Zangief Ief <> wrote:
    >> Hello,
    >>
    >> I have Ruby code stored in a Ruby variable like this:
    >>
    >> buffer = ' puts "Hello World!" '
    >>
    >> Is there a way to execute this code using the buffer variable?
    >>
    >> Thanks
    >> --
    >> Posted via http://www.ruby-forum.com/.

    >
    > Sure, you can use eval, eg.
    >
    > irb(main):002:0> eval 'puts "Hello world"'
    > Hello world
    > => nil
    >
    > However, eval should usually be avoided. Instead, Ruby has the methods
    > instance_eval, class_eval and module_eval, which work the same as
    > eval but the argument is executed in the scope of the current object/
    > class/module.


    The main advantage of instance/class/module_eval over eval, though, is
    that they can take a block and therefore you don't have to evaluate a
    string. If you do this:

    obj.instance_eval(str)

    it's no better or worse, from the point of view of safety, than using
    eval.


    David

    --
    Rails training from David A. Black and Ruby Power and Light:
    INTRO TO RAILS June 9-12 Berlin
    ADVANCING WITH RAILS June 16-19 Berlin
    INTRO TO RAILS June 24-27 London (Skills Matter)
    See http://www.rubypal.com for details and updates!
     
    David A. Black, Apr 20, 2008
    #5
  6. On 20.04.2008 14:50, David A. Black wrote:
    > Hi --
    >
    > On Sun, 20 Apr 2008, wrote:
    >
    >> On Apr 20, 11:43 am, Zangief Ief <> wrote:
    >>> Hello,
    >>>
    >>> I have Ruby code stored in a Ruby variable like this:
    >>>
    >>> buffer = ' puts "Hello World!" '
    >>>
    >>> Is there a way to execute this code using the buffer variable?
    >>>
    >>> Thanks
    >>> --
    >>> Posted via http://www.ruby-forum.com/.

    >> Sure, you can use eval, eg.
    >>
    >> irb(main):002:0> eval 'puts "Hello world"'
    >> Hello world
    >> => nil
    >>
    >> However, eval should usually be avoided. Instead, Ruby has the methods
    >> instance_eval, class_eval and module_eval, which work the same as
    >> eval but the argument is executed in the scope of the current object/
    >> class/module.

    >
    > The main advantage of instance/class/module_eval over eval, though, is
    > that they can take a block and therefore you don't have to evaluate a
    > string. If you do this:
    >
    > obj.instance_eval(str)
    >
    > it's no better or worse, from the point of view of safety, than using
    > eval.


    It is slightly better because with #instance_eval you can control what
    "self" is set to and avoid a certain class of issues:

    irb(main):001:0> class Foo
    irb(main):002:1> attr_accessor :bar
    irb(main):003:1> def work1(s)
    irb(main):004:2> eval s
    irb(main):005:2> end
    irb(main):006:1> def work2(s)
    irb(main):007:2> Object.new.instance_eval(s)
    irb(main):008:2> end
    irb(main):009:1> end
    => nil
    irb(main):010:0> f=Foo.new
    => #<Foo:0x7ff7acf4>
    irb(main):011:0> f.bar="important"
    => "important"
    irb(main):012:0> f.work2 "@bar='messed'"
    => "messed"
    irb(main):013:0> f.bar
    => "important"
    irb(main):014:0> f.work1 "@bar='messed'"
    => "messed"
    irb(main):015:0> f.bar
    => "messed"
    irb(main):016:0>

    But this is just a gradual difference - there is still enough damage
    that can be done by evaluating strings or arbitrary code.

    irb(main):016:0> f.work2 "puts 'ooops!';exit 1"
    ooops!

    robert@fussel ~

    Kind regards

    robert
     
    Robert Klemme, Apr 20, 2008
    #6
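Robert's irb session above, reworked as an added, stand-alone Ruby example (this is not code from the thread; the method names demo_scoping and kernel_reachable_from_fresh_object? are my own). It reproduces the point that Object.new.instance_eval keeps the string away from the caller's instance variables, and then checks the second half of his argument: the throwaway receiver still carries Kernel, so process-level methods such as exit remain callable from the evaluated string.

```ruby
# Added example (not from the thread): Robert Klemme's Foo, runnable outside irb,
# plus a check that a fresh receiver still reaches Kernel methods.
class Foo
  attr_accessor :bar

  # eval uses this method's binding: self is the Foo, so the string can
  # read and overwrite its instance variables.
  def work1(s)
    eval(s)
  end

  # instance_eval on a throwaway Object: self is that new object, so an
  # instance-variable assignment in the string lands there, not on this Foo.
  def work2(s)
    Object.new.instance_eval(s)
  end
end

# Runs the same string through work2 and then work1 and reports f.bar after each.
def demo_scoping(payload = "@bar='messed'")
  f = Foo.new
  f.bar = "important"
  f.work2(payload)
  after_work2 = f.bar
  f.work1(payload)
  after_work1 = f.bar
  [after_work2, after_work1]
end

# Swapping the receiver does not take Kernel away: the fresh Object still has
# process-level methods such as exit (Robert's "exit 1" case). include_all is
# true because Kernel#exit is a private instance method.
def kernel_reachable_from_fresh_object?
  Object.new.instance_eval("respond_to?(:exit, true)")
end

if __FILE__ == $0
  p demo_scoping                        # ["important", "messed"]
  p kernel_reachable_from_fresh_object? # true
end
```

The first call shows the scoping difference Robert describes; the second shows why it is only a gradual one: the receiver changes, the set of reachable methods does not.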
  7. Hi --

    On Sun, 20 Apr 2008, Robert Klemme wrote:

    > On 20.04.2008 14:50, David A. Black wrote:
    >> Hi --
    >>
    >> On Sun, 20 Apr 2008, wrote:
    >>
    >>> On Apr 20, 11:43 am, Zangief Ief <> wrote:
    >>>> Hello,
    >>>>
    >>>> I have Ruby code stored in a Ruby variable like this:
    >>>>
    >>>> buffer = ' puts "Hello World!" '
    >>>>
    >>>> Is there a way to execute this code using the buffer variable?
    >>>>
    >>>> Thanks
    >>>> --
    >>>> Posted via http://www.ruby-forum.com/.
    >>> Sure, you can use eval, eg.
    >>>
    >>> irb(main):002:0> eval 'puts "Hello world"'
    >>> Hello world
    >>> => nil
    >>>
    >>> However, eval should usually be avoided. Instead, Ruby has the methods
    >>> instance_eval, class_eval and module_eval, which work the same as
    >>> eval but the argument is executed in the scope of the current object/
    >>> class/module.

    >>
    >> The main advantage of instance/class/module_eval over eval, though, is
    >> that they can take a block and therefore you don't have to evaluate a
    >> string. If you do this:
    >>
    >> obj.instance_eval(str)
    >>
    >> it's no better or worse, from the point of view of safety, than using
    >> eval.

    >
    > It is slightly better because with #instance_eval you can control what "self"
    > is set to and avoid a certain class of issues:
    >
    > irb(main):001:0> class Foo
    > irb(main):002:1> attr_accessor :bar
    > irb(main):003:1> def work1(s)
    > irb(main):004:2> eval s
    > irb(main):005:2> end
    > irb(main):006:1> def work2(s)
    > irb(main):007:2> Object.new.instance_eval(s)
    > irb(main):008:2> end
    > irb(main):009:1> end
    > => nil
    > irb(main):010:0> f=Foo.new
    > => #<Foo:0x7ff7acf4>
    > irb(main):011:0> f.bar="important"
    > => "important"
    > irb(main):012:0> f.work2 "@bar='messed'"
    > => "messed"
    > irb(main):013:0> f.bar
    > => "important"
    > irb(main):014:0> f.work1 "@bar='messed'"
    > => "messed"
    > irb(main):015:0> f.bar
    > => "messed"
    > irb(main):016:0>
    >
    > But this is just a gradual difference - there is still enough damage that can
    > be done by evaluating strings or arbitrary code.
    >
    > irb(main):016:0> f.work2 "puts 'ooops!';exit 1"
    > ooops!


    That's the thing -- I think it's more a string thing, and the dangers
    of untrusted input (which can really do anything), than the question
    of what self is, since the untrusted input problem can always reassert
    itself.


    David

    --
    Rails training from David A. Black and Ruby Power and Light:
    INTRO TO RAILS June 9-12 Berlin
    ADVANCING WITH RAILS June 16-19 Berlin
    INTRO TO RAILS June 24-27 London (Skills Matter)
    See http://www.rubypal.com for details and updates!
     
    David A. Black, Apr 20, 2008
    #7
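David's point is that the risk lives in evaluating a string from untrusted input, whatever self is. As an added example (not from the thread), the following shows the two alternatives his earlier reply hints at: the block form of instance_eval for code the developer writes, and plain data dispatch through an allowlist for a buffer that comes from outside. The Settings class, the "key=value" line format and the ALLOWED_SETTERS table are my own assumptions.

```ruby
# Added example (not from the thread): handling "code in a buffer" without eval.
class Settings
  attr_accessor :bar, :retries

  def initialize
    @bar = nil
    @retries = 0
  end
end

# Block form of instance_eval: the code is a literal in the program, not a
# runtime string, so there is nothing for untrusted input to inject.
def configure_trusted(settings)
  settings.instance_eval do
    @bar = "important"
    @retries = 3
  end
  settings
end

# Untrusted input is data, not code: only these keys map to a setter.
ALLOWED_SETTERS = { "bar" => :bar=, "retries" => :retries= }.freeze

class DisallowedCommand < StandardError; end

# Applies an untrusted buffer of "key=value" lines. Unknown keys, missing
# values and anything that is not in the allowlist raise instead of being
# evaluated, so "@bar='messed'" or "puts 'ooops!';exit 1" never reach eval.
# A non-numeric retries value raises ArgumentError from Integer().
def apply_untrusted(settings, buffer)
  buffer.each_line do |raw|
    line = raw.strip
    next if line.empty?
    key, value = line.split("=", 2)
    setter = ALLOWED_SETTERS[key]
    raise DisallowedCommand, "rejected: #{line.inspect}" unless setter && value
    value = Integer(value) if key == "retries"
    settings.public_send(setter, value)
  end
  settings
end

if __FILE__ == $0
  s = configure_trusted(Settings.new)
  p [s.bar, s.retries]                                     # ["important", 3]
  t = apply_untrusted(Settings.new, "bar=hello\nretries=5\n")
  p [t.bar, t.retries]                                     # ["hello", 5]
  begin
    apply_untrusted(Settings.new, "puts 'ooops!';exit 1")
  rescue DisallowedCommand => e
    puts e.message                                         # rejected: "puts 'ooops!';exit 1"
  end
end
```

The allowlist is the whole defence: the interpreter never sees the buffer, so the question of which object is self does not arise.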
  8. Zangief Ief

    Robert Dober Guest

    On Sun, Apr 20, 2008 at 3:53 PM, David A. Black <> wrote:

    Like David, I am not sure that instance_eval is safer than eval. As the
    following example shows, a safe eval can be done by deleting all
    dangerous methods before evalling:

    module Kernel
      # Kernel's own (singleton) methods: drop everything not prefixed with __
      class << self
        methods.each do |m|
          next if /^__/ === m
          Object::send :remove_method, m
        end
      end
      # Kernel's instance methods, which every object inherits: same rule
      instance_methods.each do |m|
        next if /^__/ === m
        Object::send :remove_method, m
        remove_method m
      end
    end


    eval %<system "ls -l">

    Now this might not often be very useful though, as we do not have a
    sandbox or, to put it better, it is much work to get out
    of the sandbox again as we have to redefine all methods again (well, I
    did not save them in the first place here). Furthermore my sandbox is
    empty!!!

    Is there an easy way to do this?

    Cheers
    Robert
    --
    http://ruby-smalltalk.blogspot.com/

    ---
    Whereof one cannot speak, thereof one must be silent.
    Ludwig Wittgenstein
     
    Robert Dober, Apr 20, 2008
    #8
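Robert's approach is destructive for the process that runs it, which is exactly his complaint that there is no way back out of the sandbox. As an added example (not code from the thread), the following confines the method removal to a forked child: the parent keeps its Kernel intact and only reads back a one-line report. The STRIPPED list, the pipe protocol and the "ok:"/"error:" format are my own assumptions, and unlike Robert's version it removes only the names listed, so his point stands that anything you forget to remove stays callable.

```ruby
# Added example (not from the thread): Robert Dober's "remove methods, then eval",
# done in a forked child so the parent process keeps a working Kernel.
STRIPPED = [:system, :exec, :spawn, :"`", :fork, :exit, :exit!, :abort].freeze

# Evaluates code in a child whose Kernel no longer has the STRIPPED methods.
# Returns "ok:<result.inspect>" or "error:<ExceptionClass>" as reported by the child.
def eval_in_stripped_child(code)
  reader, writer = IO.pipe
  pid = Process.fork do
    reader.close
    STRIPPED.each do |m|
      # module_function methods exist twice: as a private instance method and
      # as a singleton method on Kernel. undef_method blocks both lookups.
      if Kernel.method_defined?(m) || Kernel.private_method_defined?(m)
        Kernel.send(:undef_method, m)
      end
      Kernel.singleton_class.send(:undef_method, m) if Kernel.respond_to?(m, true)
    end
    msg = begin
      "ok:#{eval(code).inspect}"
    rescue Exception => e # also catches SystemExit, so the child always reports
      "error:#{e.class}"
    end
    writer.write(msg)
    writer.close
    Process.exit!(0) # Process.exit! is separate from the removed Kernel#exit!
  end
  writer.close
  report = reader.read
  reader.close
  Process.wait(pid)
  report
end

if __FILE__ == $0
  p eval_in_stripped_child(%<system "ls -l">) # "error:NoMethodError"
  p eval_in_stripped_child("[1, 2, 3].sum")    # "ok:6"
end
```

The child answers Robert's original question (system is gone, so the eval fails with NoMethodError) while ordinary expressions still evaluate, and because the stripping happens after fork the parent never has to "build the castle" back up.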
  9. On Sun, Apr 20, 2008 at 7:31 AM, Robert Dober <> wrote:
    > On Sun, Apr 20, 2008 at 3:53 PM, David A. Black <> wrote:
    >
    > Like David, I am not sure that instance_eval is safer than eval. As the
    > following example shows, a safe eval can be done by deleting all
    > dangerous methods before evalling:
    >
    > module Kernel
    > class << self
    > methods.each do |m|
    > next if /^__/ === m
    > Object::send :remove_method, m
    > end
    > end
    > instance_methods.each do |m|
    > next if /^__/ === m
    > Object::send :remove_method, m
    > remove_method m
    > end
    > end
    >
    >
    > eval %<system "ls -l">
    >
    > Now this might not often be very useful though, as we do not have a
    > sandbox or, to put it better, it is much work to get out
    > of the sandbox again as we have to redefine all methods again (well, I
    > did not save them in the first place here). Furthermore my sandbox is
    > empty!!!
    >
    > Is there an easy way to do this?


    Well, we could use _why's Freaky Freaky Sandbox:
    http://code.whytheluckystiff.net/sandbox/
     
    Christopher Dicely, Apr 20, 2008
    #9
  10. Zangief Ief

    Robert Dober Guest

    On Sun, Apr 20, 2008 at 6:53 PM, Christopher Dicely <> wrote:
    >
    > On Sun, Apr 20, 2008 at 7:31 AM, Robert Dober <> wrote:
    > > On Sun, Apr 20, 2008 at 3:53 PM, David A. Black <> wrote:
    > >
    > > Like David, I am not sure that instance_eval is safer than eval. As the
    > > following example shows, a safe eval can be done by deleting all
    > > dangerous methods before evalling:
    > >
    > > module Kernel
    > > class << self
    > > methods.each do |m|
    > > next if /^__/ === m
    > > Object::send :remove_method, m
    > > end
    > > end
    > > instance_methods.each do |m|
    > > next if /^__/ === m
    > > Object::send :remove_method, m
    > > remove_method m
    > > end
    > > end
    > >
    > >
    > > eval %<system "ls -l">
    > >
    > > Now this might not often be very useful though, as we do not have a
    > > sandbox or, to put it better, it is much work to get out
    > > of the sandbox again as we have to redefine all methods again (well, I
    > > did not save them in the first place here). Furthermore my sandbox is
    > > empty!!!
    > >
    > > Is there an easy way to do this?

    >
    > Well, we could use _why's Freaky Freaky Sandbox:
    > http://code.whytheluckystiff.net/sandbox/
    >

    Seems to be perfect; now, for eval to make sense in the sandbox, one has
    to build the castles by oneself of course :(.
    R.




    --
    http://ruby-smalltalk.blogspot.com/

    ---
    Whereof one cannot speak, thereof one must be silent.
    Ludwig Wittgenstein
     
    Robert Dober, Apr 20, 2008
    #10
