Class: Ruote::TreeChecker

Inherits:
Object
  • Object
show all
Defined in:
lib/ruote/svc/treechecker.rb

Overview

The TreeChecker service is used to check incoming external ruby code and raise a security error if it contains potentially evil code.

Instance Method Summary collapse

Constructor Details

#initialize(context) ⇒ TreeChecker

Returns a new instance of TreeChecker.


38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
# File 'lib/ruote/svc/treechecker.rb', line 38

def initialize(context)

  return if context['use_ruby_treechecker'] == false

  checker = Rufus::TreeChecker.new do

    exclude_fvccall :abort, :exit, :exit!
    exclude_fvccall :system, :fork, :syscall, :trap, :require, :load
    exclude_fvccall :at_exit

    #exclude_call_to :class
    exclude_fvcall :private, :public, :protected

    #exclude_raise             # no raise or throw

    exclude_eval              # no eval, module_eval or instance_eval
    exclude_backquotes        # no `rm -fR the/kitchen/sink`
    exclude_alias             # no alias or aliast_method
    exclude_global_vars       # $vars are off limits
    exclude_module_tinkering  # no module opening

    exclude_rebinding Kernel # no 'k = Kernel'

    exclude_access_to(
      IO, File, FileUtils, Process, Signal, Thread, ThreadGroup)

    #exclude_class_tinkering :except => Ruote::ProcessDefinition
      #
      # excludes defining/opening any class except
      # Ruote::ProcessDefinition

    exclude_call_to :instance_variable_get, :instance_variable_set
  end

  stricter_checker = checker.clone
  stricter_checker.add_rules do
    exclude_def    # no method definition
    exclude_raise  # no raise or throw
  end

  # the checker used when reading process definitions

  @def_checker = stricter_checker.clone # and not dup
  @def_checker.freeze

  ## the checker used when dealing with conditionals
  #
  #@con_checker = checker.clone # and not dup
  #@con_checker.add_rules do
  #  exclude_raise # no raise or throw
  #  at_root do
  #    exclude_head [ :block ] # preventing 'a < b; do_sthing_evil()'
  #    exclude_head [ :lasgn ] # preventing 'a = 3'
  #  end
  #end
  #@con_checker.freeze
    #
    # lib/ruote/exp/condition.rb doesn't use this treechecker
    # kept (commented out) for 'documentation'

  # the checker used when dealing with code in $(ruby:xxx}

  @dol_checker = stricter_checker.clone # and not dup
  @dol_checker.freeze

  # the checker used when dealing with BlockParticipant code

  @blo_checker = checker.clone # and not dup
  @blo_checker.add_rules do
    exclude_def    # no method definition
  end
  @blo_checker.freeze

  # the checker used for CodeParticipant

  @cod_checker = checker.clone # and not dup
  @cod_checker.freeze

  freeze    # preventing further modifications

end

Instance Method Details

#block_check(ruby_code) ⇒ Object


125
126
127
128
# File 'lib/ruote/svc/treechecker.rb', line 125

def block_check(ruby_code)

  @blo_checker.check(ruby_code) if @blo_checker
end

#code_check(ruby_code) ⇒ Object


135
136
137
138
# File 'lib/ruote/svc/treechecker.rb', line 135

def code_check(ruby_code)

  @cod_checker.check(ruby_code) if @cod_checker
end

#definition_check(ruby_code) ⇒ Object


120
121
122
123
# File 'lib/ruote/svc/treechecker.rb', line 120

def definition_check(ruby_code)

  @def_checker.check(ruby_code) if @def_checker
end

#dollar_check(ruby_code) ⇒ Object


130
131
132
133
# File 'lib/ruote/svc/treechecker.rb', line 130

def dollar_check(ruby_code)

  @dol_checker.check(ruby_code) if @dol_checker
end