Eval, SAFE, and Sandbox

S

Simon Mcbryan

Hello Ruby Forum.

I am working on a personal project that will need people to be able to
submit bits of Ruby code so that my project can run it (eval). I know
there is a lot of danger in this and wonder if there are any solid ways
to avoid malicious attacks.

From what I have read and seen on Google, there is the $SAFE (=4)
variable which is supposed to prevent many vulnerabilities, but at the
same time, there are many sources saying this is not reliable. Also, I
have seen that a year or 2 ago, there was a popular Ruby project called
Sandbox, created by a whytheluckystiff, who has apparently disappeared
off the face of the planet, and thus killing the project.

So I am wondering if I should attempt to work off Sandbox, although I
don't think it is maintained or updated to the newer Ruby versions
(1.8.7+). I am pretty new to the whole metaprogramming world, so I am
not sure if I could handle this either. Or should I try to create my
own system, using $SAFE, disallowing known loopholes, running in a
thread with a kill time and timeout limit, etc. Or is there an
alternative to Sandbox that I should be looking at that my research has
not turned up? Thanks for your time.

- simon
 
C

Caleb Clausen

Hello Ruby Forum.

I am working on a personal project that will need people to be able to
submit bits of Ruby code so that my project can run it (eval). I know
there is a lot of danger in this and wonder if there are any solid ways
to avoid malicious attacks.

From what I have read and seen on Google, there is the $SAFE (=4)
variable which is supposed to prevent many vulnerabilities, but at the
same time, there are many sources saying this is not reliable. Also, I
have seen that a year or 2 ago, there was a popular Ruby project called
Sandbox, created by a whytheluckystiff, who has apparently disappeared
off the face of the planet, and thus killing the project.

So I am wondering if I should attempt to work off Sandbox, although I
don't think it is maintained or updated to the newer Ruby versions
(1.8.7+). I am pretty new to the whole metaprogramming world, so I am
not sure if I could handle this either. Or should I try to create my
own system, using $SAFE, disallowing known loopholes, running in a
thread with a kill time and timeout limit, etc. Or is there an
alternative to Sandbox that I should be looking at that my research has
not turned up? Thanks for your time.

$SAFE is unlikely to be good enough. Even why's sandbox probably has
some vulnerabilities.

Depending on what you're doing, you could try running inside a virtual
machine or freebsd jail. These are general-purpose sandbox facilities,
not ruby specific. That's somewhat difficult to set up, but they
should be very solid choices.

All these ideas could be combined. That is, you run with $SAFE=4, in
why's sandbox, inside a jail in a freebsd installation running in a
virtual machine. That way, you have multiple layers of protection, and
the best of all worlds.

Another idea; if you want to use jruby, you could take advantage of
the jvm's sandboxing capabilities. I believe this would require some
custom java security manager programming.
 
C

Charles Oliver Nutter

$SAFE is unlikely to be good enough. Even why's sandbox probably has
some vulnerabilities.

To be honest, I'm not sure I trust $SAFE because it takes such a
scattered approach to performance. Basically every operation that
mutates needs to check for tainting (and now "untrust" in 1.9) or
there's a hole. That's a lot of code to ensure is always doing the
right thing.

Plus C extensions either need to be disabled or audited as well.

Granted...$SAFE is what's available on MRI, so I don't have another
solution for non-JRuby users.
Another idea; if you want to use jruby, you could take advantage of
the jvm's sandboxing capabilities. I believe this would require some
custom java security manager programming.

Actually it can often just come down to configuration. "Programming" a
security manager isn't generally needed to secure a server or sandbox
an application.

- Charlie
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads


Members online

No members online now.

Forum statistics

Threads
473,821
Messages
2,569,725
Members
45,511
Latest member
Osiris-Team

Latest Threads

Top